By Mark Lanterman
Late last year, I wrote an article (“On the Defensive: Responding to Security Suggestions” B&B Dec 2021) regarding a cybersecurity vulnerability discovered in a Missouri state education website—and Gov. Mike Parson’s response to the situation. The St. Louis Post Dispatch first reported on the vulnerability, revealing that it left the Social Security numbers of educators unprotected and readily accessible on a public website. It became evident that a large number of educators’ personal information had been compromised, their privacy was diminished, and the threat of identity theft for those affected was increased. The severity of the issue was obvious. Yet the governor’s response was not one of concern or gratitude—for the research, for the notification, or for the opportunity to mitigate future damage. Rather, he responded with the threat of a lawsuit and the accusation that the newspaper was only out to make a profit by criticizing the state.
This past February, however, Missouri prosecutors stated that they would not be pursuing legal action after all, citing a lack of evidence.1 While the governor insisted that the reporter was guilty of unlawful “hacking,” a 158-page (!) report detailing the Missouri Highway Patrol’s investigation ultimately revealed that no hacking had been required to access the Social Security numbers.2 Rather, the numbers were publicly available due to a misconfiguration. No password was needed. The process to find and view them was easy to explain and easy to replicate.
The investigative report included multiple interviews with those involved in the incident, including Mallory McGowin, chief communications officer for the Communications Division of the Department of Elementary and Secondary Education (DESE). This interview uncovered key information regarding the existence of the vulnerability, including the fact that the vulnerability had existed since 2011. The investigator also asked about the lack of encryption:
I asked… if she knew why the teacher’s social security numbers were encoded instead of encrypted, and she stated she did not know. She stated based on what she had heard over the past few days, when the website was brought online in 2011, that practice would have been okay…. (Supplement 3, Section 15).
I stated to Mrs. McGowin it was my understanding the website was developed in 2011, and that portion of the website had not been updated since 2011, and she indicated that was her understanding. She stated DESE was working to ascertain what the vulnerability scans actually test for. (Supplement 3,
Section 16). (Emphasis added.)
It is surely alarming to think that this flaw existed since 2011, and that this feature of the website had gone without updates during that entire time. Within this context, it is perhaps not much of a surprise that personal information had been compromised, but it is shocking to think about how long it took to notice. The report details how the Post-Dispatch researcher took steps to alert the appropriate parties prior to the publication of its article. An explanation was also provided as to how “hacking” and discovering a vulnerability are distinct, and how the process of the researcher did not involve bypassing encryption or accessing information without authorization. Rather, the researcher had simply pointed out that he could see information that anyone could potentially view on the website.
The Missouri Highway Patrol’s investigation thoroughly examined the events and circumstances surrounding the history and unearthing of the vulnerability that left the private information of numerous educators up for grabs. But in many ways, the terrain they investigated is only the tip of the iceberg with respect to assessing the big-picture strengths and weaknesses of the security culture from which it originated. Given the out-of-date website, insufficient vulnerability scanning, lack of encryption, siloed departments, and miscommunication, it is not hard to believe that basic best practices might have fallen by the wayside. Even the investigation itself required resources, time, and effort that may otherwise have been allocated to improving cybersecurity within the state (and remediation services for those who have been affected, in addition to credit monitoring). The security issue was easy to fix—but the deeper issues that allowed it to exist for so long may prove more challenging to identify and resolve.
Despite the findings and the prosecutors’ decision to not move forward with legal action, Gov. Mike Parson is still not convinced. At the time of this writing, the governor has refused to acknowledge, let alone apologize for, the error in his original statements or for his handling of the situation. According to one news account, “[Parson’s] spokeswoman Kelli Jones continued to call Renaud’s reporting ‘the hacking of Missouri teachers’ personally identifiable information’ and a ‘clear violation’ of the state’s computer tampering statutes.”3 Fortunately, though, no further resources will be expended, and with any luck this ordeal can be used as a good example of a bad response to security research.
Making strides in cybersecurity and maintaining that progress requires diligence and an open mind. Oftentimes, it is tempting to deny problems exist or to regard checking compliance boxes as a security “pass.” A proactive approach requires top-down management support and a willingness to objectively assess weaknesses in the status quo. Achieving this kind of objectivity is easier said than done, but incorporating cybersecurity into the day-to-day makes problems easier to contend with when they arise. Whether it be an external researcher or an employee voicing a concern, it is critical that leadership respond to criticism with goals for improvement in mind.
Mark Lanterman is CTO of Computer Forensic Services. A former member of the U.S. Secret Service Electronic Crimes Taskforce, Mark has 28 years of security/forensic experience and has testified in over 2,000 matters. He is a member of the MN Lawyers Professional Responsibility Board. email@example.com