Turns Out It Was Actually The Missouri Governor's Office Who Was Responsible For The Security Vulnerability Exposing Teacher Data

from the will-you-look-at-that dept

The story of Missouri's Department of Elementary and Secondary Education (DESE) leaking the Social Security Numbers of hundreds of thousands of current and former teachers and administrators could have been a relatively small story of yet another botched government technology implementation -- there are plenty of those every year. But then Missouri Governor Mike Parson insisted that the reporter who reported on the flaw was a hacker and demanded he be prosecuted. After a months' long investigation, prosecutors declined to press charges, but Parson doubled down and insisted that he would "protect state data and prevent unauthorized hacks."

You had to figure another shoe was going to drop and here it is. As Brian Krebs notes, it has now come out that it was actually the Governor's own IT team that was in charge of the website that leaked the data. That is, even though it was the DESE website, that was controlled by the Governor's own IT team. This is from the now released Missouri Highway Patrol investigation document. As Krebs summarizes:

The Missouri Highway Patrol report includes an interview with Mallory McGowin, the chief communications officer for the state’s Department of Elementary and Secondary Education (DESE). McGowin told police the website weakness actually exposed 576,000 teacher Social Security numbers, and the data would have been publicly exposed for a decade.

McGowin also said the DESE’s website was developed and maintained by the Office of Administration’s Information Technology Services Division (ITSD) — which the governor’s office controls directly.

“I asked Mrs. McGowin if I was correct in saying the website was for DESE but it was maintained by ITSD, and she indicated that was correct,” the Highway Patrol investigator wrote. “I asked her if the ITSD was within the Office of Administration, or if DESE had their on-information technology section, and she indicated it was within the Office of Administration. She stated in 2009, policy was changed to move all information technology services to the Office of Administration.”

Now, it's important to note that the massive, mind-bogglingly bad, security flaw that exposed all those SSNs in the source code of publicly available websites was coded long before Parson was the governor, but it's still his IT team that was who was on the hook here. And perhaps that explains his nonsensical reaction to all of this?

For what it's worth, the report also goes into greater detail about just how dumb this vulnerability was:

Ms. Keep and Mr. Durnow told me once on the screen with this specific data about any teacher listed in the DESE system, if a user of the webpage selected to view the Hyper Text Markup Language (HTML) source code, they were allowed to see additional data available to the webpage, but not necessarily displayed to the typical end-user. This HTML source code included data about the selected teacher which was Base64 encoded. There was information about other teachers, who were within the same district as the selected teacher, on this same page; however, the data about these other teachers was encrypted.

Ms. Keep said the data which was encoded should have been encrypted. Ms. Keep told me Mr. Durnow was reworking the web application to encrypt the data prior to putting the web application back online for the public. Ms. Keep told me the DESE application was about 10 years old, and the fact the data was only encoded and not encrypted had never been noticed before.

This explains why Parson kept insisting that it wasn't simply "view source" that was the issue here, and that it was hacking because it was "decoded." But Base64 decoding isn't hacking. If it was, anyone figuring out what this says would be a "hacker."

TWlrZSBQYXJzb24gaXMgYSB2ZXJ5IGJhZCBnb3Zlcm5vciB3aG8gYmVpZXZlcyB0aGF0IGhpcyBvd24gSVQgdGVhbSdzIHZlcnkgYmFkIGNvZGluZyBwcmFjdGljZXMgc2hvdWxkIG5vdCBiZSBibGFtZWQsIGFuZCBpbnN0ZWFkIHRoYXQgaGUgY2FuIGF0dGFjayBqb3VybmFsaXN0cyB3aG8gZXRoaWNhbGx5IGRpc2Nsb3NlZCB0aGUgdnVsbmVyYWJpbGl0eSBhcyAiaGFja2VycyIgcmF0aGVyIHRoYW4gdGFrZSBldmVuIHRoZSBzbGlnaHRlc3QgYml0IG9mIHJlc3BvbnNpYmlsaXR5Lg==

That's not hacking. That's just looking at what's there and knowing how to read it. Not understanding the difference between encoding and encrypting is the kind of thing that is maybe forgivable for a non-techie in a confused moment, but Parson has people around him who could surely explain it -- the same people who clearly explained it to the Highway Patrol investigating. But instead, he still insists it was hacking and is still making journalist Jon Renaud's life a living hell from all this nonsense.

The investigation also confirms exactly as we had been saying all along that Renaud and the St. Louis Post-Dispatch did everything in the most ethical way possible. It found the vulnerability, checked to make sure it was real, confirmed it with an expert, then notified DESE about it, including the details of the vulnerability, and while Renaud noted that the newspaper was going to run a story about it, made it clear that it wanted to make sure the vulnerability was locked down before the story would run.

So, once again, Mike Parson looks incredibly ignorant, and completely unwilling to take responsibility. And the more he does so, the more this story continues to receive attention.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: dese, hacking, jon renaud, mike parson, missouri, vulnerability
Companies: st. louis post-dispatch


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Stephen T. Stone (profile), 25 Feb 2022 @ 12:19pm

    In re: Mike Parson…

    …an evergreen retort is needed:

    Christ, what an asshole.

    link to this | view in chronology ]

  • icon
    Mononymous Tim (profile), 25 Feb 2022 @ 12:20pm

    I'm a hacker!

    Mike Parson is a very bad governor who beieves [sic] that his own IT team's very bad coding practices should not be blamed, and instead that he can attack journalists who ethically disclosed the vulnerability as "hackers" rather than take even the slightest bit of responsibility.

    link to this | view in chronology ]

  • icon
    Toom1275 (profile), 25 Feb 2022 @ 12:23pm

    Remember, a Republican only makes an accusation if they're guilty of it.

    link to this | view in chronology ]

    • identicon
      Bobvious, 25 Feb 2022 @ 2:20pm

      Re: a Republican only makes an accusation

      Ah! To paraphrase a previous Funny winner, "Projecting so hard they can see their own face on Uranus"

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Feb 2022 @ 12:27pm

    Even if it was encrypted, still doesn't explain why SSN were being sent...

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 25 Feb 2022 @ 12:54pm

      Re:

      Even if it was encrypted, still doesn't explain why data on other teachers was being sent.

      If it is being sent to the client (browser), it's going to get decrypted at some point. And if the web page itself is decrypting it on the client side, they've also (at some point) sent the key. Having sent the client both the encrypted data, and the key to everything, you expect the encryption to be worth anything at all?

      They say it was "10 years old", so perhaps the site wasn't using HTTPS ... which is another strike against it. (The HTTPS-Everywhere extension was created in 2014, only a couple years after the "10 years", and HTTPS itself dates back to 1994...

      link to this | view in chronology ]

      • icon
        TKnarr (profile), 25 Feb 2022 @ 5:00pm

        Re: Re:

        A modern webapp might do that, but "10 years ago" pretty much precludes a Javascript-based client-side React-type application. I'm trying to think of any sort of design that'd result in anything other than the record being viewed appearing in the rendered page, and frankly the only thing that comes to mind is something as stupid as the server code being powered by an Excel spreadsheet using VBA to translate the sheet into HTML (which would require a degree of deliberation and malice that I really don't want to think about).

        link to this | view in chronology ]

    • identicon
      Ven'Tatsu, 25 Feb 2022 @ 1:33pm

      Re:

      Exactly this, it does not matter if it was encrypted, encoded, clear text, or in any other form, if it's data you don't want public you should not have let it outside your security boundary.

      link to this | view in chronology ]

  • icon
    That Anonymous Coward (profile), 25 Feb 2022 @ 12:38pm

    IkEgbWFuIG9uY2UgZHJlYW1lZCBoZSB3YXMgaW1wb3J0YW50LiBXaGVuIGhlIGF3b2tlLCBoZSBubyBsb25nZXIga25ldyBpZiBo ZSB3YXMgYSBpZGlvdCBkcmVhbWluZyBoZSB3YXMgYSBzYXZpb3IsIG9yIGEgamFja2FzcyB3aG8gaGFkIGRyZWFtZWQgaGUgd2Fz IGEgc21hcnQuIg==

    link to this | view in chronology ]

    • icon
      ECA (profile), 25 Feb 2022 @ 1:11pm

      Re:

      "A man once dreamed he was important. When he awoke, he no longer knew if he was a idiot dreaming he was a savior, or a jackass who had dreamed he was a smart."

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Feb 2022 @ 12:55pm

    So here goes...

    ✅ ~ % echo TWlrZSBQYXJzb24gaXMgYSB2ZXJ5IGJhZCBnb3Zlcm5vciB3aG8gYmVpZXZlcyB0aGF0IGhpcyBvd24gSVQgdGVhbSdzIHZlcnkg YmFkIGNvZGluZyBwcmFjdGljZXMgc2hvdWxkIG5vdCBiZSBibGFtZWQsIGFuZCBpbnN0ZWFkIHRoYXQgaGUgY2FuIGF0dGFjayBq b3VybmFsaXN0cyB3aG8gZXRoaWNhbGx5IGRpc2Nsb3NlZCB0aGUgdnVsbmVyYWJpbGl0eSBhcyAiaGFja2VycyIgcmF0aGVyIHRo YW4gdGFrZSBldmVuIHRoZSBzbGlnaHRlc3QgYml0IG9mIHJlc3BvbnNpYmlsaXR5Lg== | base64 -d

    Mike Parson is a very bad governor who beieves that his own IT team's very bad coding practices should not be blamed, and instead that he can attack journalists who ethically disclosed the vulnerability as "hackers" rather than take even the slightest bit of responsibility.

    ✅ ~ % whereis base64
    /usr/bin/base64

    ✅ ~ % uname -a
    Darwin macMini.flat 19.6.0 Darwin Kernel Version 19.6.0: Thu Jan 13 01:26:33 PST 2022; root:xnu-6153.141.51~3/RELEASE_X86_64 x86_64

    So it appears that macOS has hacker tools built into it's OS. Good to know that macOS is now illegal in Parson's view.

    (Also, can somebody explain how to create a proper MD code block on this site? It appears that 3 backticks nor 4 spaces seem to properly work. Inline code block works with a single backtick)

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 25 Feb 2022 @ 2:16pm

      Re:

      There are, or at least used to be, browser extensions that would en/de-code base 64 and usually a host of other things.

      Of course, any bloody email client would decode it transparently.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Feb 2022 @ 1:00pm

    Email attachments are illegal now too!!

    I would also like to point out that the most common means of encoding binary data for sending files as an email attachment is base64.

    Base64 is also widely used for sending e-mail attachments. This is required because SMTP—in its original form—was designed to transport 7-bit ASCII characters only. This encoding causes an overhead of 33–36% (33% by the encoding itself; up to 3% more by the inserted line breaks).

    Source: https://en.wikipedia.org/wiki/Base64

    link to this | view in chronology ]

  • icon
    That One Guy (profile), 25 Feb 2022 @ 1:18pm

    Imagine that...

    Looks like the highway patrol investigation found the guilty party after all, bet he's rather regretting setting them on the trail only to have it point right back to his office.

    Still, this does nicely explain why he was so dedicated in blaming the reporters, with the blame right on his own IT team he must have figured that even the slightest amount of digging would lay the blame at his feet and so he tried to pre-emtpively shift it to someone else.

    link to this | view in chronology ]

  • icon
    ECA (profile), 25 Feb 2022 @ 1:20pm

    If'

    If' it werent for FB, YT, and many other sites and the idiots posting on them, I would Never laugh again.

    Anyone remember when the Crooks were posting and showing off all their gains on FB, and finding out that Cops could ID and track them? Knock on the door and arrest them?
    Anyone watch the Sparkle bombs set out for people to steal Amazon packages?
    How about tracking Scammers that have people send them money with UPS?
    HOW about Hackers hacking the OTHER hackers. remote view from their OWN SERVERS AND COMPUTERS? Then call them up and describe whats going on in the office the other hackers are sitting in, talk to them about the Girl next to them.

    link to this | view in chronology ]

  • icon
    Jim Duchek (profile), 25 Feb 2022 @ 3:06pm

    Republican loudly blames <insert problem here> on <insert something Republicans hate>. Turns out, problem was <insert Republican person, group, or policy> all along.

    Not really news. Just fill out the madlib and you can read it a couple hundred times a year. The louder any right-wing source yells about a problem, you more you can be sure it's a problem caused by the right.

    link to this | view in chronology ]

  • icon
    z! (profile), 25 Feb 2022 @ 5:20pm

    Encryption? We're using the well-understood double ROT13 algorithm.

    link to this | view in chronology ]

  • identicon
    David, 25 Feb 2022 @ 5:30pm

    You are outvoted.

    So, once again, Mike Parson looks incredibly ignorant, and completely unwilling to take responsibility. And the more he does so, the more this story continues to receive attention.

    Experts make up a tiny percentage of the populace. The truth is a really hard barrier to success. But it takes experts to verify the intricacies of the truth.

    If you want to make it in politics, improving the factual state of things is much harder than making people distrust the experts. And more and more politicians are adopting the latter strategy.

    Mike Parson may look incredibly ignorant to you. But you are not part of a nondisposable majority. And in a nation where education boards tell teachers regularly that they have to treat the knowledge about God's creation in writeups from 3000 years ago as equivalent to knowledge about God's creation gained since then, mistrusting experts is quite natural.

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.