Missouri Governor Mike Parson Thursday threatened to prosecute and seek civil damages from a St. Louis Post-Dispatch journalist who identified a security flaw that exposed the Social Security numbers of teachers and other school employees, claiming that the journalist is simply a "hacker" and that the newspaper's reporting was nothing more than a "political vendetta" and "an attempt to embarrass the state and sell headlines for their news outlet." The Republican governor also vowed to hold the Post-Dispatch "accountable" for the supposed crime of helping the state find and fix a security vulnerability that could have harmed teachers.
Despite Parson's astonishing description of a security report that normally wouldn't be particularly controversial, it appears that the Post-Dispatch handled the problem in a way that prevented harm to school employees while encouraging the state to close what one security professor called a "mind-boggling" vulnerability. Josh Renaud, a Post-Dispatch web developer who also writes articles, wrote in a report published Wednesday that more than 100,000 Social Security numbers were vulnerable "in a web application that allowed the public to search teacher certifications and credentials." The Social Security numbers of school administrators and counselors were also vulnerable.
"Though no private information was clearly visible nor searchable on any of the web pages, the newspaper found that teachers' Social Security numbers were contained in the HTML source code of the pages involved," the report said.
The Post-Dispatch seems to have done exactly what ethical security researchers generally do in these situations: give the organization with the vulnerability time to close the gap before making it public.
"The newspaper delayed publishing this report to give the department time to take steps to protect teachers' private information and to allow the state to ensure no other agencies' web applications contained similar vulnerabilities," the article said. The news report was published one day after the "department removed the affected pages from its website."
As of this writing, the DESE's educator-credentials checker was "down for maintenance."
Governor: Journalist Tried to ‘Harm Missourians’
Parson described the journalist as a "perpetrator" who "took the records of at least three educators, decoded the HTML source code, and viewed the Social Security number of those specific educators" in an "attempt to steal personal information and harm Missourians."
Major web browsers include options such as "view source" or "view page source" to look at a webpage's HTML, so anything in that code is easily available. The original Post-Dispatch article didn't go into detail about how the Social Security numbers were obtained from HTML source code, but a follow-up article about Parson's legal threats Thursday said that the "teachers' Social Security numbers were present in the publicly available HTML source code of the pages involved." The numbers weren't visible in plain text but were easily converted, the Post-Dispatch continued:
The data on DESE's website was encoded but not encrypted, said Shaji Khan, a cybersecurity professor at the University of Missouri-St. Louis—and that's a key distinction. No one can view encrypted data without the specific decryption key used to hide the data. But encoded just means the data is in a different format and can be relatively easily decoded and viewed.
"Anybody who knows anything about development—and the bad guys are way ahead—can easily decode that data," Khan said on Thursday.
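The encoded-but-not-encrypted problem Khan describes is exactly the kind of thing a pre-release leakage check can catch. The following is an added example, not code from the Post-Dispatch, DESE or the original article; it assumes the hidden record was base64 in an HTML attribute (the article does not say which encoding was used) and scans a page's source for SSN-shaped values, both in plain text and inside base64 tokens, as a check a development team can run against its own application's responses.

```python
import base64
import binascii
import re

# Constructed sample page, not the real DESE application. The row shows only
# the teacher's name and certificate, but the full record, SSN included, is
# embedded base64-encoded (an assumed format; the article does not say which
# encoding DESE used) in a data attribute. 987-65-4321 is an SSA-reserved
# advertising number, not anyone's real SSN.
_RECORD = b'{"name":"Jane Doe","cert":"A-12345","ssn":"987-65-4321"}'
SAMPLE_HTML = (
    '<table><tr data-record="' + base64.b64encode(_RECORD).decode() + '">'
    "<td>Jane Doe</td><td>A-12345</td></tr></table>"
)

# Shape-only SSN pattern (ddd-dd-dddd); sufficient for a leak check.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Runs of base64 alphabet long enough to hold a record; short tokens are noise.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def find_ssn_leaks(html: str) -> list[dict]:
    """Return every SSN-shaped value in the page source, whether it sits in
    plain text or inside a base64 token. Base64 is encoding, not encryption:
    no key is needed, so anything decodable here is readable by any visitor."""
    findings = []
    for m in SSN_RE.finditer(html):
        findings.append({"where": "plain", "value": m.group(), "offset": m.start()})
    for m in B64_RE.finditer(html):
        try:
            decoded = base64.b64decode(m.group(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not a valid base64 text blob; nothing to inspect
        for s in SSN_RE.finditer(decoded):
            findings.append({"where": "base64", "value": s.group(), "offset": m.start()})
    return findings


def mask_ssn(ssn: str) -> str:
    """Display-safe form for reports and logs: keep only the last four digits."""
    return "***-**-" + ssn[-4:]


if __name__ == "__main__":
    for f in find_ssn_leaks(SAMPLE_HTML):
        print(f"{f['where']:6} at offset {f['offset']}: {mask_ssn(f['value'])}")
```

The real fix is server-side: the search results should never carry the SSN field at all, encoded or otherwise, and the check above only confirms that it does not.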
Governor Notified Prosecutor of ‘Crime Against Teachers’
Parson spoke Thursday (see video) at a "press conference regarding [the] data vulnerability and [the] state's plan to hold perpetrators accountable," and he posted a condensed version of his remarks on Facebook.
"It is unlawful to access encoded data and systems in order to examine other people's personal information, and we are coordinating state resources to respond and utilize all legal methods available. My administration has notified the Cole County prosecutor of this matter. The Missouri State Highway Patrol's Digital Forensic Unit will also be conducting an investigation of all of those involved," he said.