Missouri Governor Seeks to Prosecute Journalist for Responsibly Reporting Flaw in State's Website

Joint fed advisory warns of ongoing attacks on water facilities, White House ends ransomware meeting with statement, 'White Hat' hacker cops to running mass fake news operations, more

Oct 15, 2021

The St. Louis Post-Dispatch discovered a vulnerability in a web application on a website maintained by the Missouri Department of Elementary and Secondary Education (DESE) that left exposed more than 100,000 Social Security numbers of school teachers, administrators, and counselors across the state.

The newspaper responsibly delayed the publication of its report to give the department time to take steps to protect teachers’ private information and allow the state to ensure no other agencies’ web applications contained similar vulnerabilities.

However, instead of thanking the newspapers for discovering the flaw, Republican governor Michael Parson called a news conference to rail about a plot against a teachers’ database by the newspaper’s reporter. The consensus among cybersecurity professionals is that no “hack” occurred. Instead, the reporter merely used a standard web browser technique known as “View Source” to make his discovery.

Parson referred the reporting to state prosecutors and the Missouri State Highway Patrol’s digital forensics laboratory for an investigation that could cost $50 million. Parson also vowed to prosecute the journalist and anyone who helped the newspaper its “attempt to embarrass the state and sell headlines for their news outlet,” sparking an uproar in the cybersecurity community.

The Post-Dispatch published a statement saying that “A hacker is someone who subverts computer security with malicious or criminal intent. Here, there was no breach of any firewall or security and certainly no malicious intent. For DESE to deflect its failures by referring to this as ‘hacking’ is unfounded. Thankfully, these failures were discovered.” (Josh Renaud / St. Louis-Post Dispatch)

Robᵉʳᵗ Graham @ErrataRob

The tech community is exploding over this. It demonstrates how those ignorant of technology suspect techies of witchcraft. The governor is using violence, the vast power of the state, to crack down on somebody who committed no crime.

Governor Mike Parson @GovParsonMO

Through a multi-step process, an individual took the records of at least three educators, decoded the HTML source code, and viewed the SSN of those specific educators. We notified the Cole County prosecutor and the Highway Patrol’s Digital Forensic Unit will investigate. https://t.co/2hkZNI1wXE

🆘 @SwiftOnSecurity

Sometimes you just need people hitting F12 and seeing if there's a hidden column for social security numbers on your site. Computer security, especially data disclosure, is hugely about assurance against mistakes.

St. Louis Post-Dispatch @stltoday

ICYMI: The Social Security numbers of teachers, administrators and counselors across Missouri were vulnerable to public exposure due to flaws on a website maintained by the state’s Department of Elementary and Secondary Education, reports @Kirkman. https://t.co/lLRA9e3PEo

Tony Webster @webster

Gov. Parson is threatening to prosecute a journalist who 100% did the ethical thing by telling the state they were publishing teacher SSNs online, then holding publication of the story until after the state fixed it. That's the gold standard for reporting security failures.

Governor Mike Parson @GovParsonMO

Joe Helle, Mayor of Hacktown, First of His Name @joehelle

Why in the shit were social security numbers in source code?

Governor Mike Parson @GovParsonMO

A joint advisory by the FBI, the Cybersecurity Infrastructure and Security Agency, the Environmental Protection Agency, and the National Security Agency warned of “ongoing malicious cyber activity — both by known and unknown actors,” targeting information technology and operational technology networks, systems, and devices” in water and wastewater facilities.

The advisory highlighted incidents in five states between March 2019 and August 2021 where malicious actors targeted systems by either ransomware attacks or other hacks, including one previously unreported incident. That incident involved a former employee of a Kansas-based facility who tried to “threaten drinking water safety by using his user credentials…to remotely access a facility computer.” (AJ Vicens / Cyberscoop)

Kevin Collier @kevincollier

CISA's new report on threats to wastewater facilities includes references to three more ransomware attacks on US water this year, plus a fourth from last year, that I believe we didn't know about: us-cert.cisa.gov/ncas/alerts/aa…

The White House ended its two-day meeting on ransomware with a statement among 30 countries agreeing to cooperate across various areas: countering illicit finance; disruption of ransomware networks through law enforcement; diplomacy to encourage states to hold criminals accountable; and strengthening cybersecurity.

Although Russia was not invited to the meeting, the meeting participants hinted at the country's role in harboring ransomware criminals. “We will leverage diplomacy through coordination of action in response to states whenever they do not address the activities of cyber criminals,” the statement read. (Ellen Nakashima / Washington Post)

Hacker Robert Willis, best known for founding the Sakura Samurai ethical hacking group and previously dubbed Hacker X in a book by former White House CIO Theresa Payton, went public with his story of building a secret misinformation network of self-reinforcing sites to promote Donald Trump and denigrate Hillary Clinton during the 2016 presidential campaign.

A well-known media company, dubbed with a fake name Koala Media, hired Willis to concoct increasingly bizarre and fabricated stories that eventually circulated among 30 million readers through a massive syndication network of hundreds of specialty "news" websites. (Ax Sharma / Ars Technica)

Related: Raw Story, Robert Willis Hacking

Dr. Farkenstein @fark

Jackwagon who greatly contributed to the hellscape we're living in now wants to put things right. So, we're all cool, yeah?

Jackwagon who greatly contributed to the hellscape we’re living in now wants to put things right. So, we’re all cool, yeah?Jackwagon who greatly contributed to the hellscape we’re living in now wants to put things right. So, we’re all cool, yeah?fark.com

In a 46-page study, more than a dozen cybersecurity experts slammed Apple and the European Union for their push to monitor people’s phones for illicit child sexual abuse material. The experts say that such client-side scanning would embolden state surveillance.

It “should be a national-security priority to resist attempts to spy on and influence law-abiding citizens,” the researchers said in their paper. (Kellen Browning / New York Times)

Google’s Threat Analysis Group said its security researchers track more than 270 different government-backed threat actors activating from inside more than 50 countries.

The company said it had sent over 50,000 warnings, a nearly 33% increase from this time in 2020. Google attributed the spike primarily to a Russian actor known as APT28 or Fancy Bear. (Catalin Cimpanu / The Record)

"malware" - Google News

The European Parliament awarded its inaugural prize top European journalism prize of 20,000 euros (around $23,000) to the consortium of journalists behind the Pegasus Project investigation into malware from Israel-based NSO Group.

Using a list of more than 50,000 people targeted for surveillance using NSO’s Pegasus spyware, the Pegasus Project journalists were able to identify more than 1,000 individuals in 50 countries. (Associated Press)

Facebook-owned WhatsApp is rolling out end-to-end encrypted chat backups on iOS and Android to prevent anyone from accessing user chats, regardless of where they are stored.

With this feature, users will be able to assign a password that only they know to encrypt backups before they are uploaded to iCloud or Google Drive. (Lawrence Abrams / Bleeping Computer)

In a scheme that researchers at Sophos call CryptoRom, crooks are exploiting Apple’s Enterprise Developer Program to get bogus trading apps onto their marks’ iPhones in a new twist on web-based romance scams.

The scammers convince targets cultivated through dating apps to enroll their devices into a cryptocurrency trading program that promises big profits but is a mobile device management program compatible with Apple’s platform. The scammers then install the supposed cryptocurrency-related app, a fake version of the Bitfinex cryptocurrency trading application. After getting the victims’ money, the crooks post fake trades and profits to persuade the victim to deposit more funds. (Tara Seals / Threatpost)

Related: AppleInsider, Times of India, Sophos, ZDNet, AMBCrypto

The University of Cambridge in the UK has broken off talks with the United Arab Emirates over a record £400m (around $550 million) collaboration after claims about the Gulf state’s use of controversial Pegasus hacking software.

The Cambridge-UAE project was to have included a joint innovation institute and a plan to improve and overhaul the emirates education system, as well as work on climate change and energy transition. (Richard Adams, Georgia Goble and Nick Bartlett / The Guardian)

Related: Varsity

Teen hacker Minh Duong rickrolled the entirety of Township High School District 214, the second-largest high school district in Illinois, to document the school system’s inadequate cybersecurity.

The District’s director of technology thanked Duong and his team for their findings and asked the group to debrief them on their stunt and how they could fix the security holes they found. (Minh Duong / The Next Web)

Photo by Brittney Butler on Unsplash

Metacurity

Missouri Governor Seeks to Prosecute Journalist for Responsibly Reporting Flaw in State's Website

Joint fed advisory warns of ongoing attacks on water facilities, White House ends ransomware meeting with statement, 'White Hat' hacker cops to running mass fake news operations, more

In a 46-page study, more than a dozen cybersecurity experts slammed Apple and the European Union for their push to monitor people’s phones for illicit child sexual abuse material. The experts say that such client-side scanning would embolden state surveillance.

Google’s Threat Analysis Group said its security researchers track more than 270 different government-backed threat actors activating from inside more than 50 countries.

The European Parliament awarded its inaugural prize top European journalism prize of 20,000 euros (around $23,000) to the consortium of journalists behind the Pegasus Project investigation into malware from Israel-based NSO Group.

Facebook-owned ​WhatsApp is rolling out end-to-end encrypted chat backups on iOS and Android to prevent anyone from accessing user chats, regardless of where they are stored.

In a scheme that researchers at Sophos call CryptoRom, crooks are exploiting Apple’s Enterprise Developer Program to get bogus trading apps onto their marks’ iPhones in a new twist on web-based romance scams.

The University of Cambridge in the UK has broken off talks with the United Arab Emirates over a record £400m (around $550 million) collaboration after claims about the Gulf state’s use of controversial Pegasus hacking software.

Teen hacker Minh Duong rickrolled the entirety of Township High School District 214, the second-largest high school district in Illinois, to document the school system’s inadequate cybersecurity.

Ready for more?

Facebook-owned WhatsApp is rolling out end-to-end encrypted chat backups on iOS and Android to prevent anyone from accessing user chats, regardless of where they are stored.