Arkansas Can't Secure Financial Assistance Site So Governor Decides To Call The Person Discovering The Breach A Criminal
from the bless-your-soul,-Governor-Fuckwit dept
The best place for a messenger is six feet under, according to the governor of Arkansas, Asa Hutchinson. Despite being a founding chair of Governors for CS [Computer Science] (according to Slashdot), Hutchinson has decided to blame a security researcher for the state's inability to properly secure one of its websites. Lindsey Millar, who reported the breach exposing the sensitive information of the site's users, reports that Governor Hutchinson is trying to villainize the person who stumbled upon the unexpected data flow.
It all started innocently enough when a programmer, who had attempted to apply for financial aid via Arkansas' Pandemic Unemployment Assistance website, discovered it was exposing Social Security numbers and bank account numbers. This person got in touch with Millar, who brought it to the attention of the state.
That's where things went extremely wrong.
Beginning on Saturday at a news conference and continuing Monday, Hutchinson has framed the applicant who sounded the alarm as acting illegally. He announced Monday that the FBI was investigating the matter. He said he understood personal information had been “exploited.”
Wat...
"Exploited" how? By informing the press after the state had ignored efforts by the programmer to get the government to fix the problem? Millar says the programmer reached out to two state agencies and received nothing in response. Obviously concerned about this very dangerous data leak, the programmer talked to the press. That's "exploitation?" I guess it is, if you're the governor and co-founder of a foundation that claims to be all about that tech stuff and whatnot.
The governor offered up a nonsensical statement that was supposed to reassure assistance applicants that their private financial stuff hadn't actually been compromised. I'm sorry, but I cannot explain the following:
“We don’t believe that the data was manipulated,” Hutchinson said. “In other words, where someone would go in and change a bank account number, which is what criminals would do..."
WHAT EVEN THE FUCK
No one needs to alter actual, useful, goddamn usable routing numbers to do damage... especially when they have the Social Security numbers to work with as well. The governor followed up this bizarre explanation with one that was even worse: a justification for calling someone, who discovered a data breach, a criminal.
Asked about his rationale for framing the programmer’s actions as illegal, the governor said, “When you go in and manipulate a system in order to gain an access that you’re not allowed to have permission to access, that is a violation of the security that we want to have in place in these systems, and it would be a violation of the law as well, I would think.”
THINK HARDER.
This is baseline CFAA thinking -- the kind the federal government engages in when it's convenient. A person who gains access to data on a website an entity thought was secure is a criminal because it's assumed that, just because someone browsing the front page of a website wouldn't stumble across the data breach, any other discovery method must be unethical... if not actually illegal.
Adding "I would think" doesn't mean the person saying those words is actually thinking. It just means that if they decided to engage in actual thinking, it wouldn't lead to much insight. The fact of the matter is the applicant only had to alter the URL to gain access to information the website should have locked down tight. This isn't "manipulation." It's Pen Test 101 -- something the government should have engaged in before allowing a site collecting bank account and Social Security info to go live.
Trying to kill the messenger doesn't make you look any less culpable. It just makes you look like a tin pot dictator trying to execute news-makers before it can become news -- with the added benefit that it make others think twice before coming forward with information that might embarrass the State.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: arksansas, asa hutchinson, blaming the messenger, breach, breach notification, lindsey millar
Reader Comments
Subscribe: RSS
View by: Time | Thread
Go loud or don't bother
Trying to kill the messenger doesn't make you look any less culpable. It just makes you look like a tin pot dictator trying to execute news-makers before it can become news -- with the added benefit that it make others think twice before coming forward with information that might embarrass the State.
Not to mention further reinforces the idea that if you find something bad do not attach your name to it, simply dump it anonymously with the loudest press outlet you can find and let those responsible scramble to fix the problem once it's gone public and can't be ignored any more.
Tactics like that may make people hesitate to call the emperor on his choice of clothing, but it also means that those that do decide to do so are much more likely to do so in a manner loud enough for everyone to hear, rather than keeping it quiet.
[ link to this | view in chronology ]
...Or go black-hat
Tactics like that may make people hesitate to call the emperor on his choice of clothing, but it also means that those that do decide to do so are much more likely to do so in a manner loud enough for everyone to hear, rather than keeping it quiet.
Or quietly tell more mischievous entities where the proverbial loose threads are.
[ link to this | view in chronology ]
Deflection
Asa Hutchinson appears to be trying to create a shitstorm where none exists to hide the failure of Arkansas' Pandemic Unemployment Assistance program to create a secure website, which is a shitstorm. It's a classic 'hey, look over there' scenario, and ripe for a Streisand Effect nomination, with Asa playing the wizard behind the curtain.
[ link to this | view in chronology ]
Making matters worse: Not a single ounce of blame (and the tangible consequences thereof) will ever land in the laps of the people responsible for making that website.
[ link to this | view in chronology ]
Bless his heart, Techdirt, not his soul. His soul's a bit too doomed.
[ link to this | view in chronology ]
'bless your/his/her heart'
I'm southern, and we say 'bless you/his/her heart' a lot. The best translation for 'bless your heart' that I've heard is my mom's; "you poor idiot!" So, as for this so-called governor, yes, bless his heart and the heart of anyone that would accept his explanations.
Mc
[ link to this | view in chronology ]
As a fellow Southerner, I can confirm: “Bless your heart” is one of the region’s best (and favorite) stealth insults.
[ link to this | view in chronology ]
Re:
I'm a northerner, but I had it explained to me once that the whole quote is, "Bless your heart... because your head ain't any good". And southerners just stop after the first bit.
[ link to this | view in chronology ]
Re: Re:
According to the internet, the Germans have an equivalent to "Bless your heart... because your head ain't any good."
"Herr, wirf Hirn vom Himmel...
oder Steine, Haupstache er trifft."
[ link to this | view in chronology ]
Re: Re: Re:
"Herr, wirf Hirn vom Himmel...
oder Steine, Haupstache er trifft."
Oh lord, throw brains from heaven...
Or rocks, As long as he hits.
It's a wonderful saying.
[ link to this | view in chronology ]
Re:
It's not much of a stealth insult when everyone on the internet has spent the last 20 years telling everyone it's a stealth insult.
[ link to this | view in chronology ]
Re: Re:
... I must not get out much.
[ link to this | view in chronology ]
Re: Re: Re:
I think you have that backwards.
If you didn't get out much implies you have had plenty of time on the internet. Possibly in a parent's basement.
[ link to this | view in chronology ]
Re: 'bless your/his/her heart'
As I heard it put once, 'Inside every 'bless your heart' is a teeny tiny 'fuck you'.'
[ link to this | view in chronology ]
Re: Re: 'bless your/his/her heart'
Oooh! I like your definition better! I'll share that one next time playing cards at Mom's!
[ link to this | view in chronology ]
It depends on the kind of damage one wants to do. Hypothetically, someone who wanted to obtain money to which he was not entitled might do so by exploiting the system to change the bank account numbers for legitimately entitled users to point to an account over which the fraudster has control. Once the state deposits the money, the fraudster transfers it elsewhere and walks away richer. This may be a safer exploit than the one Techdirt implied, since the victim's injury is failure to receive payment, rather than an obviously unauthorized withdrawal. That failure-to-receive might be not be reported as soon, since the victim needs to wait long enough to be sure the state is not merely slow. Once reported, it may be misdiagnosed as "State incompetently sends money to wrong account"; such a diagnosis wouldn't immediately trigger a criminal inquiry, and the fraudster might never be indicted. An investigation might still be opened when the attempt to reverse the payment fails due to insufficient funds, but that might well be a lower priority investigation and thus easier to evade.
By contrast, if the fraudster uses the exploit to obtain the victim's account data and withdraw money from the victim's account, that will be noticed more quickly and, once noticed, be correctly categorized as theft. The banks then get involved and trace the money. Evading prosecution for that would require the fraudster to have the money handled in a way that precludes tracing, which is presumably more trouble than just talking the state into sending money to the wrong account.
[ link to this | view in chronology ]
Re:
No criminal would do this as it would give the investigators a LOT more info on tracking them down. You can't just walk into a bank and set up an account that you can point the system to, you have to provide ID and your social security number at a minimum so the bank can keep the government aware of your transactions as necessary for tax purposes and the like. It's been this way for decades. The only way you could set up an account this way would be to have legitimate faked ID good enough to stand up to the IRS (not likely), or the cooperation of a bank employee (also not likely). So changing the account info to point to another account is highly unlikely, while having the account info and social security number is enough to spend money from that account without much fuss, and little to no paper trail.
[ link to this | view in chronology ]
Re: Re:
This is not unlikely, it is a high volume tactic targeting large organizations, mainly Accounts Payable rather than payroll, but both can be targeted (but AP payments are often much greater than individual paychecks).
When you have construction contracts with multi-million dollar payments regularly for progress, they only have to re-direct one of those to an account they control to make a healthy gain before they disappear (the account used first is often stolen or 'borrowed' from someone else, the old we will deposit X and you get to keep Y, but they drain the account, they can also transfer the funds again, with this chain possibly repeating until it gets to an offshore bank with no obligation to return the funds or investigate the fraud issues..
[ link to this | view in chronology ]
Re: Re: Re:
"When you have construction contracts with multi-million dollar payments regularly for progress, they only have to re-direct one of those to an account they control to make a healthy gain before they disappear..."
...which is why the first Red Flag shown in any AML (anti-moneylaundering) training is to consider any account change requests the basis for a due diligence-check. It should be standard practice for any company handling any sizeable form of revenue.
The probable target for schemes like this will be those companies who already engage in shady practices and thus don't have slipshod internal controls to begin with.
[ link to this | view in chronology ]
Re:
There was this hacker, who found a site who didnt Protect their data..
He did something very interesting, as he redirected all Payments to goto an Account, and he made it so NO ONE could open it without a password. then he sat, until the State came to him. AFTER him. And he HAD to make a deal.. That he was NOT to be charged for anything, and he would give them the password.
the outcome I do not know, as that part was never recorded/posted/printed...
[ link to this | view in chronology ]
Re:
In cases like this where political heads may roll due to the piss poor planning & design of the much publicised assistance scheme it may be the politician's best call to blame it all on an administrative oversight & let it die in the 24 hour news cycle. It's taxpayers money after all so they wouldn't give a rat's bottom.
Banks on the other hand would find it coming out of their own pockets & bonuses may be in jeopardy so a bit more investigation into the issue would be called for. Inaction versus action.
[ link to this | view in chronology ]
" I would think."
There for your are, WHAT?>???
STUPID!!
[ link to this | view in chronology ]
The data was exploited! (Accusation)
The data wasn't manipulated. (Excuse)
They don't even try anymore, do they?
The stupid, it burns.
[ link to this | view in chronology ]
So long as they're shooting at white hats,
...it will stay a good era for black hats.
When hello.jpg is splashed across all the billboards in your district, and your primary ISPs are being ddosed by record numbers of zombie IoT bots, just think of it as another rainy day.
[ link to this | view in chronology ]
Re: So long as they're shooting at white hats,
That is probably the dumbest part of the 'shoot/sue the messenger' tactic, yes.
The flaws exist no matter who finds them, but if you punish those that find and expose them who aren't doing so for malicious reasons then the only people left are those that are malicious, and the first time you find out that a system has been compromised will not be when someone tells you in the hopes that you will fix it, but after it's been exploited, potentially in highly damaging ways.
[ link to this | view in chronology ]
I wonder if there's a way to nudge exploits...
...toward highly damaging yet sublimely artistic ways.
[ link to this | view in chronology ]
Does anyone know how I can join
Scattered Canary? I mean, if I'm unemployed and the government makes it this easy....[ link to this | view in chronology ]
What did they expect?
Honestly, we live in the age of never ever ever make your betters look bad or else.
I am sure they awarded the contract to make the leaky thing to someones sisters cousins brother for a hefty fee & thought they were done. Now you DARE suggest we screwed up?
Well fsck you buddy, we will tell the media you are the bad guy & people will believe me because I'm better than you...
(just not better at hiring competent coders or having a system where this could have been reported & I could have avoided looking like a jackbooted fsckboy).
Its easier to blame the invisible enemies than to accept perhaps maybe you are the problem.
[ link to this | view in chronology ]
So, what Hutchinson is saying is that now white hats are demotivated from helping them fix their security problems, the black hats can now have free range?
[ link to this | view in chronology ]
It sounds like the issue here is a classic insecure direct object reference. It's been be apart of OWASP's top 10 list for a long time, and there no excuse for any modern site to be vulnerable to this type of flaw.
Perhaps Millar needs to release his own press release.
[ link to this | view in chronology ]