Missouri Governor Seeks to Prosecute Journalist for Responsibly Reporting Flaw in State's Website

Joint fed advisory warns of ongoing attacks on water facilities, White House ends ransomware meeting with statement, 'White Hat' hacker cops to running mass fake news operations, more

The St. Louis Post-Dispatch discovered a vulnerability in a web application on a website maintained by the Missouri Department of Elementary and Secondary Education (DESE) that left exposed more than 100,000 Social Security numbers of school teachers, administrators, and counselors across the state.

The newspaper responsibly delayed the publication of its report to give the department time to take steps to protect teachers’ private information and allow the state to ensure no other agencies’ web applications contained similar vulnerabilities.

However, instead of thanking the newspaper for discovering the flaw, Republican governor Michael Parson called a news conference to rail about a plot against a teachers’ database by the newspaper’s reporter. The consensus among cybersecurity professionals is that no “hack” occurred. Instead, the reporter merely used a standard web browser technique known as “View Source” to make his discovery.

Parson referred the reporting to state prosecutors and the Missouri State Highway Patrol’s digital forensics laboratory for an investigation that could cost $50 million. Parson also vowed to prosecute the journalist and anyone who helped the newspaper in its “attempt to embarrass the state and sell headlines for their news outlet,” sparking an uproar in the cybersecurity community.

The Post-Dispatch published a statement saying that “A hacker is someone who subverts computer security with malicious or criminal intent. Here, there was no breach of any firewall or security and certainly no malicious intent. For DESE to deflect its failures by referring to this as ‘hacking’ is unfounded. Thankfully, these failures were discovered.” (Josh Renaud / St. Louis Post-Dispatch)

Related: Washington Post, NPR, Mashable, Raw Story, Ars Technica, Pixel Envy, AlterNet.org, Krebs on Security, Boing Boing, Daily Dot, Engadget, Motherboard, The Verge, Slashdot, StateScoop, Mediaite, Reddit - cybersecurity, Motherboard, Ars Technica, Mediaite, Pixel Envy, Raw Story, Engadget, AlterNet.org, Law & Crime, Krebs on Security, AlterNet.org, ZDNet, Mashable, News : NPR, DataBreachToday.com, SiliconANGLE, Security News | Tech Times, Mercury News, Reddit - cybersecurity, Infosecurity Magazine, Law & Crime, Statescoop, Missouri Independent, NBC News

A joint advisory by the FBI, the Cybersecurity Infrastructure and Security Agency, the Environmental Protection Agency, and the National Security Agency warned of “ongoing malicious cyber activity — both by known and unknown actors,” targeting information technology and operational technology networks, systems, and devices in water and wastewater facilities.

The advisory highlighted incidents in five states between March 2019 and August 2021 where malicious actors targeted systems by either ransomware attacks or other hacks, including one previously unreported incident. That incident involved a former employee of a Kansas-based facility who tried to “threaten drinking water safety by using his user credentials…to remotely access a facility computer.” (AJ Vicens / Cyberscoop)

Related: SC Magazine, CISA, isssource.com, Dark Reading, The Hill: Cybersecurity, ZDNet, Digital Journal, The Record by Recorded Future, US-CERT Current Activity, Reuters

The White House ended its two-day meeting on ransomware with a statement among 30 countries agreeing to cooperate across various areas: countering illicit finance; disruption of ransomware networks through law enforcement; diplomacy to encourage states to hold criminals accountable; and strengthening cybersecurity.

Although Russia was not invited to the meeting, the meeting participants hinted at the country's role in harboring ransomware criminals. “We will leverage diplomacy through coordination of action in response to states whenever they do not address the activities of cyber criminals,” the statement read. (Ellen Nakashima / Washington Post)

Related: Tech Xplore, ZDNet Security, The Hill: Cybersecurity, Cyberscoop, The Record by Recorded Future, Meritalk, Defense Daily Network, Yonhap News, The Block, New York Times, Decrypt

Hacker Robert Willis, best known for founding the Sakura Samurai ethical hacking group and previously dubbed Hacker X in a book by former White House CIO Theresa Payton, went public with his story of building a secret misinformation network of self-reinforcing sites to promote Donald Trump and denigrate Hillary Clinton during the 2016 presidential campaign.

A well-known media company, referred to by the fake name Koala Media, hired Willis to concoct increasingly bizarre and fabricated stories that eventually circulated among 30 million readers through a massive syndication network of hundreds of specialty "news" websites. (Ax Sharma / Ars Technica)

Related: Raw Story, Robert Willis Hacking

In a 46-page study, more than a dozen cybersecurity experts slammed Apple and the European Union for their push to monitor people’s phones for illicit child sexual abuse material. The experts say that such client-side scanning would embolden state surveillance.

It “should be a national-security priority to resist attempts to spy on and influence law-abiding citizens,” the researchers said in their paper. (Kellen Browning / New York Times)

Related: The Register, The Guardian, Technology - CBSNews.com, MacRumors, Bugs in Our Pockets

Google’s Threat Analysis Group said its security researchers track more than 270 different government-backed threat actors operating from inside more than 50 countries.

The company said it had sent over 50,000 warnings, a nearly 33% increase from this time in 2020. Google attributed the spike primarily to a Russian actor known as APT28 or Fancy Bear. (Catalin Cimpanu / The Record)

Related: The Hacker News, IT Pro, Cybersecurity Insiders, The State of Security, The Sun, ZDNet, Bleeping Computer, ComputerWeekly.com, Security Affairs, The Hacker News, Google

The European Parliament awarded its inaugural top European journalism prize of 20,000 euros (around $23,000) to the consortium of journalists behind the Pegasus Project investigation into malware from Israel-based NSO Group.

Using a list of more than 50,000 people targeted for surveillance using NSO’s Pegasus spyware, the Pegasus Project journalists were able to identify more than 1,000 individuals in 50 countries. (Associated Press)

Related: Jerusalem Post, Nasdaq, The Independent, Jerusalem Post, The European Sting, European Parliament, Deutsche Welle, euronews, Associated Press, Haaretz.com

Facebook-owned WhatsApp is rolling out end-to-end encrypted chat backups on iOS and Android to prevent anyone from accessing user chats, regardless of where they are stored.

With this feature, users will be able to assign a password that only they know to encrypt backups before they are uploaded to iCloud or Google Drive. (Lawrence Abrams / Bleeping Computer)

Related: Business Standard, 9to5Mac, NDTV Gadgets360.com, Times of India, PhoneArena, The Register - Security, The Verge, Tom's Guide, MSPoweruser, The Mac Observer, iPhone in Canada Blog, Android Central, Engadget, TechCrunch, The Next Web, The Register - Security, The Verge, ZDNet Security, Security Affairs, gHacks, MSPoweruser, SlashGear » security, Ad Week, Tom's Guide, Business Standard, PhoneArena, iPhone in Canada Blog, Engadget, Facebook

In a scheme that researchers at Sophos call CryptoRom, crooks are exploiting Apple’s Enterprise Developer Program to get bogus trading apps onto their marks’ iPhones in a new twist on web-based romance scams.

The scammers convince targets cultivated through dating apps to enroll their devices into a cryptocurrency trading program that promises big profits but is a mobile device management program compatible with Apple’s platform. The scammers then install the supposed cryptocurrency-related app, a fake version of the Bitfinex cryptocurrency trading application. After getting the victims’ money, the crooks post fake trades and profits to persuade the victim to deposit more funds. (Tara Seals / Threatpost)

Related: AppleInsider, Times of India, Sophos, ZDNet, AMBCrypto

The University of Cambridge in the UK has broken off talks with the United Arab Emirates over a record £400m (around $550 million) collaboration after claims about the Gulf state’s use of controversial Pegasus hacking software.

The Cambridge-UAE project was to have included a joint innovation institute and a plan to improve and overhaul the Emirates’ education system, as well as work on climate change and energy transition. (Richard Adams, Georgia Goble and Nick Bartlett / The Guardian)

Related: Varsity

Teen hacker Minh Duong rickrolled the entirety of Township High School District 214, the second-largest high school district in Illinois, to document the school system’s inadequate cybersecurity.

The District’s director of technology thanked Duong and his team for their findings and asked the group to debrief them on their stunt and how they could fix the security holes they found. (Minh Duong / The Next Web)

Related: My TechDecisions, Mashable, Futurism, WhiteHoodHacker
