Row over data leak disclosure by journalist further erodes researcher trust in government

The relationship between the ethical hacking community and government officials has improved in recent years with the development of official federal bug bounty programs. But there are still many political leaders who inherently distrust security researchers and also lack even a basic understanding of cybersecurity risks, standards and practices.

So say experts in the wake of controversial statements from Missouri Gov. Mike Parson, who has come under heavy criticism for threatening to prosecute a St. Louis Post-Dispatch journalist who reported a security oversight in a state agency web app that leaked thousands of teachers’ Social Security numbers. 

On Oct. 14, the Post-Dispatch journalist Josh Renaud reported finding the SSNs of more than 100,000 state educators embedded within the HTML source code of the Missouri Department of Elementary and Secondary Education’s (DESE) website. According to a Post-Dispatch editorial published today, Renaud discovered the SSNs “while attempting to aggregate publicly available teacher certification data.” The newspaper reportedly verified the data leak by contacting three of the educators whose data was exposed, and also waited to publish its story until the state had acted to disable the faulty web feature.

It is the website owner and operator’s responsibility to make sure such privacy violations do not occur in the first place. However, in a press conference and in social media statements, Parson focused his ire on the reporter, mischaracterizing him as the criminal perpetrator of a malicious hack intended to embarrass his administration.

The governor further claimed the reporter’s research required a complex hack that involved some level of “decoding” — despite the fact that anyone can plainly view a web page’s source code via their browser simply by right-clicking on the page and selecting “View Page Source” or a similar option.

“Through a multi-step process, an individual took the records of at least three educators, decoded the HTML source code, and viewed the SSN of those specific educators. We notified the Cole County prosecutor and the Highway Patrol’s Digital Forensic Unit will investigate,” the governor tweeted.

Commentators in the cyber space were not kind to the governor, opining that his description of the journalist was vengeful and/or ignorant, while characterizing the reporter’s actions as benevolent.

Aaron Mackey, senior staff attorney at the Electronic Frontier Foundation (EFF), called the governor’s response “vindictive, retaliatory, and incredibly short-sighted” in an interview with Brian Krebs. “It’s dangerous and wrong to go after someone who behaved ethically and responsibly in the disclosure sense, but also in the journalistic sense,” he said.

“Based on the available facts, this appears to be a pretty straightforward example of beneficial security research and responsible vulnerability disclosure,” stated Harley Geiger, senior director of public policy at Rapid7. “The state is raising the fact that the Post-Dispatch viewed a small set of Social Security numbers, but these were exposed to the open web and it does not appear that more SSNs were viewed than necessary to validate the vulnerability.”

However, Kelli R. Jones, communications director in Parson’s office, contended in a comment shared with SC Media that the journalist’s actions were “more than just a right-click,” adding “this information was not freely available, and by the actor’s own admission, the data had to be taken through eight separate steps in order to generate a SSN.” The governor’s office also referred SC Media to a press release.

Count Jake Williams, co-founder and CTO at BreachQuest, among those who don’t buy into the state’s point of view. “This is certainly not hacking in any sense of the word,” he said. “The reporter simply viewed the source code of the web page and found the Social Security numbers. While Governor Parson said the reporter ‘decoded the HTML source code,’ in reality they simply used the feature built into every web browser since the dawn of the Internet. Because HTTP is stateless, many web applications store their status in hidden form fields so they can be passed from the browser back to the server with every request. It seems likely that these hidden form fields included the Social Security number of the teacher.”
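The failure mode Williams describes, sensitive data carried in hidden form fields, can be audited for by the site owner before a page ships. The following is an added example, not code from the article or from any of the parties it quotes: a small scanner that flags hidden inputs whose value looks like an SSN, beside the hardened pattern of keeping the record server-side and placing only an opaque token in the page. The SSN regex, the sample pages and the in-memory state store are constructed assumptions.

```python
import re
import secrets
from html.parser import HTMLParser

# Assumed SSN shape: nine digits, optionally hyphenated 3-2-4 (an assumption, not from the article).
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")


class HiddenFieldAuditor(HTMLParser):
    """Collect names of hidden <input> fields whose value looks like an SSN."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = {k: (v or "") for k, v in attrs}  # attribute values may be None
        if a.get("type", "").lower() == "hidden" and SSN_RE.match(a.get("value", "").strip()):
            self.findings.append(a.get("name", "<unnamed>"))


def audit_html(html: str) -> list:
    """Return the names of hidden fields carrying SSN-like values in a rendered page."""
    parser = HiddenFieldAuditor()
    parser.feed(html)
    return parser.findings


# Hardened pattern: keep PII server-side and emit only an opaque, unguessable token.
_SERVER_STATE = {}  # token -> record; stands in for a real session store (constructed)


def tokenize_state(record: dict) -> str:
    token = secrets.token_urlsafe(32)
    _SERVER_STATE[token] = record
    return token


def resolve_state(token: str) -> dict:
    return _SERVER_STATE.get(token, {})


# Constructed sample pages (not the real state site): leaky form vs. hardened form.
LEAKY_PAGE = """<form method="post" action="/lookup">
<input type="hidden" name="cert_id" value="A1234">
<input type="hidden" name="teacher_ssn" value="123-45-6789">
<input type="submit" value="Search"></form>"""

HARDENED_PAGE = '<form method="post" action="/lookup"><input type="hidden" name="state" value="%s"></form>' % (
    tokenize_state({"cert_id": "A1234", "ssn": "123-45-6789"}))
```

Running `audit_html` over each page reports `teacher_ssn` for the leaky form and nothing for the hardened one, while `resolve_state` still lets the server recover the record from the token.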

Unfortunately, not everyone understands the nuances of security research — even in a case that cyber experts are saying isn’t particularly nuanced.

“To be honest, the hacker community is still a big unknown to politicians,” said hacker advocate Chloe Messdaghi, owner, strategy consultant and researcher at Stand Out in Tech. “Due to socially constructed beliefs that the public strongly believes in, many folks, including politicians, don't try to understand hackers further. They do not know that hackers are protecting folks every single moment around the world.”

Critical to assessing the circumstances is an understanding of the difference between white-hat hackers and malicious adversaries. “These two parties are separated by intent. They both use the same skills but for different objectives — protection vs. malicious gains,” Messdaghi continued. And clearly in this case, the newspaper staff “conducted themselves fairly well.”

The Post-Dispatch would certainly agree with that notion. In its scathing editorial, the paper reiterated the fact that it withheld publication of Renaud’s story to give the state time to disable the web feature that put Social Security numbers at risk of discovery. “Predatory hackers don’t behave that way. Responsible journalists do. This is watchdog journalism at its finest,” stated the editorial, which accused Parson of attempting to “distract the public and hide the state’s embarrassment over its own gross negligence.”

Experts expressed doubt that a criminal case could go very far. “It’s hard to imagine that the low-technical sophistication of the behaviors described, with a tool as common as a web browser, constitutes anything but the digital equivalent of observations made in a public context,” said Tim Wade, Technical Director, CTO Team at Vectra. “Courts recognize limits to protections from unlawful search when activities occur clearly in a public context.”

Yet as absurd as the governor’s threat may be, such actions can create a chilling effect that might deter the next researcher from preventing an attack.

“When someone shares a vulnerability to be patched, it's pretty scary,” said Messdaghi. “One out of four hackers do not report vulnerabilities simply because they are afraid of being prosecuted. The governor should try his best to understand it's better for one to report the vulnerability for it to be fixed rather than not report it. By not reporting the vulnerability to the responsible party, an attacker can find the vulnerability and exploit it for their own gain. In return, so many teachers' lives would be impacted.”

“We must never shoot the messenger,” agreed Marten Mickos, CEO of HackerOne. “Prosecuting those that are doing their best to report vulnerabilities responsibly will only discourage proper disclosure in the long term and render everyone less secure.”

If anything, the attempt to deflect blame likely had the opposite effect.

“Threatening a reporter with legal action is almost always a bad idea and usually creates an unintended Streisand Effect,” said Williams, referring to a phenomenon in which one’s attempt at concealing information actually amplifies its spread.

Mickos suggested that states could avoid future conflicts like this if they had an official vulnerability disclosure or bug bounty program through which researchers could report their findings.

“I would encourage the Missouri Governor’s Office not to take this as a chance to prosecute, but an opportunity to become more proactive in the state’s cybersecurity strategy,” said Mickos. “With the U.S. government regularly announcing new best practices and — in some cases — mandates for organizations to implement VDPs, this is the perfect time to launch one.”

“In this circumstance, a VDP could have helped the St. Louis Post-Dispatch by offering a clearer process for reporting the vulnerability. It would have also given the Department of Elementary and Secondary Education (DESE) more control over how the vulnerability was disclosed to the public,” Mickos continued.

Geiger agreed with this sentiment. “This could have been a positive story if the state thanked the reporter for helping to protect educators, announced a formal vulnerability disclosure policy, and committed to addressing reports of vulnerabilities in government systems. All software has security flaws, so it's not as though discovering and patching a vulnerability is unique,” he said. “But by reacting to a helpful vulnerability disclosure as though it was a malicious attack, it gives the impression that the state's priority is retribution for uncovering an embarrassing security flaw. This reaction is going to backfire on the state, but sometimes organizations must make this very mistake before they take the opportunity to adopt a more constructive vulnerability disclosure and management process.”

Unfortunately, for now, Missouri is decidedly unfriendly toward security researchers, added Geiger, noting that its data tampering laws are “definitely in the over-criminalization category.”

Citing this case as an example of how cybercrime laws can be misapplied and abused, Geiger called on federal, state and international lawmakers to update these laws “with modern and realistic expectations of how people use technology in ways that should not be criminalized.”

Casey Ellis, chief technology officer and chairman of Bugcrowd, made a similar recommendation, while also calling for more hacker-friendly initiatives along the lines of Hackers On the Hill by I Am The Cavalry, the BOD 20-01 vulnerability disclosure directive from CISA/OMB, and the Hack The Pentagon program by the Department of Defense, which “have all been useful tools to demystify good-faith hacking and hackers themselves in the eyes of legislators.”

“Most of these initiatives have focused on the federal levels of government, and so seeing more of this type of initiative at the states and county level would be especially helpful,” he added.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.