Nov 7, 2021

Missouri 'Hacking' Controversy: Here's How InfoSec Pros Are Responding


“Opinions are like demo tapes. I don’t want to hear yours,” Stephen Colbert, The Late Show host, once said. 
Government officials, on the other hand, do not get this privilege, as much as they may want it.
Missouri Governor Mike Parson (R-MO) and his office are likely seeing a huge outpouring of letters, emails, phone calls, and certainly social media comments in this latest controversial matter related to cybersecurity.
When it comes to Governor Parson’s explosive reaction to a reporter “hacking” the state’s web application, public figures, InfoSec professionals, and other tech experts are telling the governor what they think. This case also reinforces a recent study’s findings that more and more Americans see cybersecurity as a bipartisan effort.
SecureWorld News has compiled a few of the reactions from notable people, the majority of whom are letting Gov. Parson know their thoughts. The overwhelming consensus? Most of the responders are not coming to his defense.
By now, you may have read the explosive reports about Missouri Governor Mike Parson threatening to prosecute a reporter for “hacking” into a state web app.
In a story that has sparked considerable controversy, a St. Louis Post-Dispatch journalist discovered a flaw in one of the state’s web applications, which allowed access to view teachers’ credentials and certifications.
While several media outlets said Social Security numbers were not leaked, the Post-Dispatch reporter discovered that the Social Security numbers were actually contained in the HTML source code of the pages, meaning the numbers were exposed and could have been accessed by a bad actor. 
And importantly, the newspaper notified the state and then agreed to hold off publishing a story about the vulnerability until the department fixed the problem. That is what happened.
Following the publication of the story, Governor Parson was not happy. For a baseline understanding of how he viewed the report, here is his tweet.
Through a multi-step process, an individual took the records of at least three educators, decoded the HTML source code, and viewed the SSN of those specific educators.

We notified the Cole County prosecutor and the Highway Patrol’s Digital Forensic Unit will investigate.
From the initial tweet, you can see the governor did not call out the journalist by name, but instead implied a person had illegally accessed data records.
Pleas from InfoSec professionals and elected officials erupted after the tweet was posted, calling for the governor to understand the difference between hacking and ethical reporting of a security vulnerability.
Several elected officials oppose an investigation into the reporter in this case.
Republican Representative Tony Lovasco (R-MO) tweeted that the Governor’s office has “a fundamental misunderstanding” of how security research works.
It’s clear the Governor’s office has a fundamental misunderstanding of both web technology and industry standard procedures for reporting security vulnerabilities.

Journalists responsibly sounding an alarm on data privacy is not criminal hacking. #moleg
Senator Ron Wyden (D-OR), who often focuses on cybersecurity issues, had harsh words about Gov. Parson’s leadership skills. 
Journalism isn’t a crime. Cybersecurity research isn’t either. Real leaders don’t unleash their attack dogs on the press when they expose government failures, they roll up their sleeves and fix the problem.
U.S. Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly also appeared to respond to the governor, stating that CISA values research where individuals “responsibly disclose” vulnerabilities.
We at @CISAgov greatly value the partnerships and efforts of researchers, hackers, academics, and any others working to find and responsibly disclose vulnerabilities, which makes us all more safe & more secure. (1/2)
The governor’s comments resulted in prickly responses from cybersecurity experts.
Cybersecurity influencer and data breach hunter Chris Vickery called out the governor’s mindset as a reason “cybersecurity is terrible everywhere.” 
This mentality is the reason why cybersecurity is terrible everywhere.

Someone responsibly notified the State of Missouri about an agency exposing personal data to the public internet.

And now the Governor of Missouri is trying to prosecute the person who notified the State.
Others were disturbed by the governor’s focus on the number of steps it took to decode data.
Serious talk for my less technical followers: it doesn’t matter how many steps it takes to convert the data to a social security number.

The data never should be exposed to public access in any format that can be decoded, regardless of the number of steps. Period. 1/
And journalists in the St. Louis area are also coming to the defense of the reporter. 
Messenger: Missouri has an award-winning cyber security team. Why is @GovParsonMO calling such work a crime? @stltoday @Kirkman #moleg
It is likely we’ll see more opinions flowing forth on this hot cybersecurity topic.
What are your thoughts about Gov. Parson’s statements? Can his opinions be validated in any way? Or is this just another example of a weak link when it comes to leaders understanding cybersecurity basics and protocol? Share your comments with us. 