Arkansas Can't Secure Financial Assistance Site So Governor Decides To Call The Person Discovering The Breach A Criminal

from the bless-your-soul,-Governor-Fuckwit dept

The best place for a messenger is six feet under, according to the governor of Arkansas, Asa Hutchinson. Despite being a founding chair of Governors for CS [Computer Science] (according to Slashdot), Hutchinson has decided to blame a security researcher for the state's inability to properly secure one of its websites. Lindsey Millar, who reported the breach exposing the sensitive information of the site's users, reports that Governor Hutchinson is trying to villainize the person who stumbled upon the unexpected data flow.

It all started innocently enough when a programmer, who had attempted to apply for financial aid via Arkansas' Pandemic Unemployment Assistance website, discovered it was exposing Social Security numbers and bank account numbers. This person got in touch with Millar, who brought it to the attention of the state.

That's where things went extremely wrong.

Beginning on Saturday at a news conference and continuing Monday, Hutchinson has framed the applicant who sounded the alarm as acting illegally. He announced Monday that the FBI was investigating the matter. He said he understood personal information had been “exploited.”

Wat...

"Exploited" how? By informing the press after the state had ignored efforts by the programmer to get the government to fix the problem? Millar says the programmer reached out to two state agencies and received nothing in response. Obviously concerned about this very dangerous data leak, the programmer talked to the press. That's "exploitation?" I guess it is, if you're the governor and co-founder of a foundation that claims to be all about that tech stuff and whatnot.

The governor offered up a nonsensical statement that was supposed to reassure assistance applicants that their private financial stuff hadn't actually been compromised. I'm sorry, but I cannot explain the following:

“We don’t believe that the data was manipulated,” Hutchinson said. “In other words, where someone would go in and change a bank account number, which is what criminals would do..."

WHAT EVEN THE FUCK

No one needs to alter actual, useful, goddamn usable routing numbers to do damage... especially when they have the Social Security numbers to work with as well. The governor followed up this bizarre explanation with one that was even worse: a justification for calling someone, who discovered a data breach, a criminal.

Asked about his rationale for framing the programmer’s actions as illegal, the governor said, “When you go in and manipulate a system in order to gain an access that you’re not allowed to have permission to access, that is a violation of the security that we want to have in place in these systems, and it would be a violation of the law as well, I would think.”

THINK HARDER.

This is baseline CFAA thinking -- the kind the federal government engages in when it's convenient. A person who gains access to data on a website an entity thought was secure is a criminal because it's assumed that, just because someone browsing the front page of a website wouldn't stumble across the data breach, any other discovery method must be unethical... if not actually illegal.

Adding "I would think" doesn't mean the person saying those words is actually thinking. It just means that if they decided to engage in actual thinking, it wouldn't lead to much insight. The fact of the matter is the applicant only had to alter the URL to gain access to information the website should have locked down tight. This isn't "manipulation." It's Pen Test 101 -- something the government should have engaged in before allowing a site collecting bank account and Social Security info to go live.

Trying to kill the messenger doesn't make you look any less culpable. It just makes you look like a tin pot dictator trying to execute news-makers before it can become news -- with the added benefit that it make others think twice before coming forward with information that might embarrass the State.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: arksansas, asa hutchinson, blaming the messenger, breach, breach notification, lindsey millar


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    That One Guy (profile), 26 May 2020 @ 8:34am

    Go loud or don't bother

    Trying to kill the messenger doesn't make you look any less culpable. It just makes you look like a tin pot dictator trying to execute news-makers before it can become news -- with the added benefit that it make others think twice before coming forward with information that might embarrass the State.

    Not to mention further reinforces the idea that if you find something bad do not attach your name to it, simply dump it anonymously with the loudest press outlet you can find and let those responsible scramble to fix the problem once it's gone public and can't be ignored any more.

    Tactics like that may make people hesitate to call the emperor on his choice of clothing, but it also means that those that do decide to do so are much more likely to do so in a manner loud enough for everyone to hear, rather than keeping it quiet.

    link to this | view in chronology ]

    • icon
      Uriel-238 (profile), 26 May 2020 @ 12:47pm

      ...Or go black-hat

      Tactics like that may make people hesitate to call the emperor on his choice of clothing, but it also means that those that do decide to do so are much more likely to do so in a manner loud enough for everyone to hear, rather than keeping it quiet.

      Or quietly tell more mischievous entities where the proverbial loose threads are.

      link to this | view in chronology ]

  • icon
    Anonymous Anonymous Coward (profile), 26 May 2020 @ 8:39am

    Deflection

    Asa Hutchinson appears to be trying to create a shitstorm where none exists to hide the failure of Arkansas' Pandemic Unemployment Assistance program to create a secure website, which is a shitstorm. It's a classic 'hey, look over there' scenario, and ripe for a Streisand Effect nomination, with Asa playing the wizard behind the curtain.

    link to this | view in chronology ]

  • icon
    Stephen T. Stone (profile), 26 May 2020 @ 9:54am

    Making matters worse: Not a single ounce of blame (and the tangible consequences thereof) will ever land in the laps of the people responsible for making that website.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 26 May 2020 @ 10:22am

    Bless his heart, Techdirt, not his soul. His soul's a bit too doomed.

    link to this | view in chronology ]

    • identicon
      mcinsand, 26 May 2020 @ 10:43am

      'bless your/his/her heart'

      I'm southern, and we say 'bless you/his/her heart' a lot. The best translation for 'bless your heart' that I've heard is my mom's; "you poor idiot!" So, as for this so-called governor, yes, bless his heart and the heart of anyone that would accept his explanations.

      Mc

      link to this | view in chronology ]

      • icon
        Stephen T. Stone (profile), 26 May 2020 @ 10:51am

        As a fellow Southerner, I can confirm: “Bless your heart” is one of the region’s best (and favorite) stealth insults.

        link to this | view in chronology ]

        • identicon
          Anonymous Coward, 26 May 2020 @ 11:04am

          Re:

          I'm a northerner, but I had it explained to me once that the whole quote is, "Bless your heart... because your head ain't any good". And southerners just stop after the first bit.

          link to this | view in chronology ]

          • icon
            Toom1275 (profile), 26 May 2020 @ 7:15pm

            Re: Re:

            According to the internet, the Germans have an equivalent to "Bless your heart... because your head ain't any good."

            "Herr, wirf Hirn vom Himmel...
            oder Steine, Haupstache er trifft."

            link to this | view in chronology ]

            • icon
              Scary Devil Monastery (profile), 27 May 2020 @ 6:16am

              Re: Re: Re:

              "Herr, wirf Hirn vom Himmel...
              oder Steine, Haupstache er trifft."

              Oh lord, throw brains from heaven...
              Or rocks, As long as he hits.

              It's a wonderful saying.

              link to this | view in chronology ]

        • identicon
          Anonymous Coward, 26 May 2020 @ 1:57pm

          Re:

          It's not much of a stealth insult when everyone on the internet has spent the last 20 years telling everyone it's a stealth insult.

          link to this | view in chronology ]

          • identicon
            Anonymous Coward, 26 May 2020 @ 7:13pm

            Re: Re:

            everyone on the internet has spent the last 20 years telling everyone it's a stealth insult.

            ... I must not get out much.

            link to this | view in chronology ]

            • identicon
              Annonymouse, 27 May 2020 @ 8:20am

              Re: Re: Re:

              I think you have that backwards.

              If you didn't get out much implies you have had plenty of time on the internet. Possibly in a parent's basement.

              link to this | view in chronology ]

      • icon
        That One Guy (profile), 26 May 2020 @ 11:22am

        Re: 'bless your/his/her heart'

        As I heard it put once, 'Inside every 'bless your heart' is a teeny tiny 'fuck you'.'

        link to this | view in chronology ]

        • identicon
          mcinsand, 26 May 2020 @ 11:26am

          Re: Re: 'bless your/his/her heart'

          Oooh! I like your definition better! I'll share that one next time playing cards at Mom's!

          link to this | view in chronology ]

  • identicon
    Anonymous Coward, 26 May 2020 @ 10:55am

    > “We don’t believe that the data was manipulated,” Hutchinson said. “In other words, where someone would go in and change a bank account number, which is what criminals would do..."

    No one needs to alter actual, useful, goddamn usable routing numbers to do damage...

    It depends on the kind of damage one wants to do. Hypothetically, someone who wanted to obtain money to which he was not entitled might do so by exploiting the system to change the bank account numbers for legitimately entitled users to point to an account over which the fraudster has control. Once the state deposits the money, the fraudster transfers it elsewhere and walks away richer. This may be a safer exploit than the one Techdirt implied, since the victim's injury is failure to receive payment, rather than an obviously unauthorized withdrawal. That failure-to-receive might be not be reported as soon, since the victim needs to wait long enough to be sure the state is not merely slow. Once reported, it may be misdiagnosed as "State incompetently sends money to wrong account"; such a diagnosis wouldn't immediately trigger a criminal inquiry, and the fraudster might never be indicted. An investigation might still be opened when the attempt to reverse the payment fails due to insufficient funds, but that might well be a lower priority investigation and thus easier to evade.

    By contrast, if the fraudster uses the exploit to obtain the victim's account data and withdraw money from the victim's account, that will be noticed more quickly and, once noticed, be correctly categorized as theft. The banks then get involved and trace the money. Evading prosecution for that would require the fraudster to have the money handled in a way that precludes tracing, which is presumably more trouble than just talking the state into sending money to the wrong account.

    link to this | view in chronology ]

    • icon
      JoeCool (profile), 26 May 2020 @ 11:14am

      Re:

      Hypothetically, someone who wanted to obtain money to which he was not entitled might do so by exploiting the system to change the bank account numbers for legitimately entitled users to point to an account over which the fraudster has control. Once the state deposits the money, the fraudster transfers it elsewhere and walks away richer.

      No criminal would do this as it would give the investigators a LOT more info on tracking them down. You can't just walk into a bank and set up an account that you can point the system to, you have to provide ID and your social security number at a minimum so the bank can keep the government aware of your transactions as necessary for tax purposes and the like. It's been this way for decades. The only way you could set up an account this way would be to have legitimate faked ID good enough to stand up to the IRS (not likely), or the cooperation of a bank employee (also not likely). So changing the account info to point to another account is highly unlikely, while having the account info and social security number is enough to spend money from that account without much fuss, and little to no paper trail.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 26 May 2020 @ 3:06pm

        Re: Re:

        This is not unlikely, it is a high volume tactic targeting large organizations, mainly Accounts Payable rather than payroll, but both can be targeted (but AP payments are often much greater than individual paychecks).

        When you have construction contracts with multi-million dollar payments regularly for progress, they only have to re-direct one of those to an account they control to make a healthy gain before they disappear (the account used first is often stolen or 'borrowed' from someone else, the old we will deposit X and you get to keep Y, but they drain the account, they can also transfer the funds again, with this chain possibly repeating until it gets to an offshore bank with no obligation to return the funds or investigate the fraud issues..

        link to this | view in chronology ]

        • icon
          Scary Devil Monastery (profile), 27 May 2020 @ 6:21am

          Re: Re: Re:

          "When you have construction contracts with multi-million dollar payments regularly for progress, they only have to re-direct one of those to an account they control to make a healthy gain before they disappear..."

          ...which is why the first Red Flag shown in any AML (anti-moneylaundering) training is to consider any account change requests the basis for a due diligence-check. It should be standard practice for any company handling any sizeable form of revenue.

          The probable target for schemes like this will be those companies who already engage in shady practices and thus don't have slipshod internal controls to begin with.

          link to this | view in chronology ]

    • icon
      ECA (profile), 26 May 2020 @ 11:39am

      Re:

      There was this hacker, who found a site who didnt Protect their data..
      He did something very interesting, as he redirected all Payments to goto an Account, and he made it so NO ONE could open it without a password. then he sat, until the State came to him. AFTER him. And he HAD to make a deal.. That he was NOT to be charged for anything, and he would give them the password.

      the outcome I do not know, as that part was never recorded/posted/printed...

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 27 May 2020 @ 12:17am

      Re:

      In cases like this where political heads may roll due to the piss poor planning & design of the much publicised assistance scheme it may be the politician's best call to blame it all on an administrative oversight & let it die in the 24 hour news cycle. It's taxpayers money after all so they wouldn't give a rat's bottom.
      Banks on the other hand would find it coming out of their own pockets & bonuses may be in jeopardy so a bit more investigation into the issue would be called for. Inaction versus action.

      link to this | view in chronology ]

  • icon
    ECA (profile), 26 May 2020 @ 11:40am

    " I would think."

    There for your are, WHAT?>???
    STUPID!!

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 26 May 2020 @ 11:50am

    The data was exploited! (Accusation)

    The data wasn't manipulated. (Excuse)

    They don't even try anymore, do they?

    The stupid, it burns.

    link to this | view in chronology ]

  • icon
    Uriel-238 (profile), 26 May 2020 @ 12:19pm

    So long as they're shooting at white hats,

    ...it will stay a good era for black hats.

    When hello.jpg is splashed across all the billboards in your district, and your primary ISPs are being ddosed by record numbers of zombie IoT bots, just think of it as another rainy day.

    link to this | view in chronology ]

    • icon
      That One Guy (profile), 26 May 2020 @ 1:51pm

      Re: So long as they're shooting at white hats,

      That is probably the dumbest part of the 'shoot/sue the messenger' tactic, yes.

      The flaws exist no matter who finds them, but if you punish those that find and expose them who aren't doing so for malicious reasons then the only people left are those that are malicious, and the first time you find out that a system has been compromised will not be when someone tells you in the hopes that you will fix it, but after it's been exploited, potentially in highly damaging ways.

      link to this | view in chronology ]

      • icon
        Uriel-238 (profile), 27 May 2020 @ 2:12am

        I wonder if there's a way to nudge exploits...

        ...toward highly damaging yet sublimely artistic ways.

        link to this | view in chronology ]

  • identicon
    Anonymous Coward, 26 May 2020 @ 5:27pm

    Does anyone know how I can join Scattered Canary? I mean, if I'm unemployed and the government makes it this easy....

    link to this | view in chronology ]

  • icon
    That Anonymous Coward (profile), 26 May 2020 @ 7:41pm

    What did they expect?
    Honestly, we live in the age of never ever ever make your betters look bad or else.
    I am sure they awarded the contract to make the leaky thing to someones sisters cousins brother for a hefty fee & thought they were done. Now you DARE suggest we screwed up?
    Well fsck you buddy, we will tell the media you are the bad guy & people will believe me because I'm better than you...
    (just not better at hiring competent coders or having a system where this could have been reported & I could have avoided looking like a jackbooted fsckboy).

    Its easier to blame the invisible enemies than to accept perhaps maybe you are the problem.

    link to this | view in chronology ]

  • icon
    PaulT (profile), 26 May 2020 @ 11:55pm

    So, what Hutchinson is saying is that now white hats are demotivated from helping them fix their security problems, the black hats can now have free range?

    link to this | view in chronology ]

  • identicon
    Jamie, 27 May 2020 @ 2:39pm

    It sounds like the issue here is a classic insecure direct object reference. It's been be apart of OWASP's top 10 list for a long time, and there no excuse for any modern site to be vulnerable to this type of flaw.

    Perhaps Millar needs to release his own press release.

    The so-called "hacker" did nothing wrong. They simply modified the page location to change a "2" to a "1" and was presented with someone else's personal data. I tried contacting 2 separate state agencies but neither took any action. The governor is trying to misdirect from the state's inability to protect your privacy.

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.