Missouri Governor Urged to Appoint Cybersecurity Panel

Three months after creation of a commission to identify cybersecurity risks in state government, Missouri Gov. Mike Parson has yet to appoint any members. A state lawmaker said Friday that vulnerabilities exposed on a state website prove the need for just such a panel of experts.

Democratic state Rep. Ashley Aune, of Kansas City, helped write the section of Senate Bill 49 that created the Missouri Cybersecurity Commission. Parson, a Republican, signed the bill into law in mid-July.

“In light of the events that have transpired this week, I believe the governor cannot wait any longer to appoint members to this commission so it may do the critical work of identifying and rectifying gaps in Missouri’s cyberinfrastructure,” Aune said in a news release.

A St. Louis Post-Dispatch journalist uncovered a security flaw in a Department of Elementary and Secondary Education web application that allowed the public to search teacher certifications and credentials. The newspaper found that the Social Security numbers of perhaps 100,000 teachers and other school officials from around the state were in the HTML source code of the pages involved.

The Post-Dispatch alerted the department on Tuesday and the agency removed the pages. The Post-Dispatch said it gave the state time to fix the problem before publishing a story on Thursday.

But Parson on Thursday announced a criminal investigation, alleging the newspaper journalist was “acting against a state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell headlines for their news outlet. We will not let this crime against Missouri teachers go unpunished.”

Aune accused Parson of a “smear campaign” against the Post-Dispatch journalist when it was Parson’s administration that stored the private information and left it unprotected.

“This fiasco perfectly illustrates why Missouri needs to get serious about confronting 21st century cyberthreats,” Aune said.

An email message left Friday with Parson’s spokeswoman was not immediately returned. But during his news conference Thursday, Parson said the state is “working to strengthen our security to prevent this incident from happening again. The state is owning its part, and we are addressing areas in which we need to do better than we have done before.”

Ian Caso, publisher of the Post-Dispatch, said in a statement that the newspaper stands by the story and the reporter, who he said “did everything right.”

Orin Kerr, a law professor at the University of California, Berkeley, and an expert on computer crime law, said the fact that the Post-Dispatch journalist looked at the HTML source code is not a crime.

“The Supreme Court has recently said the federal computer hacking law calls for a ‘gates up’ versus ‘gates down’ inquiry,” Kerr said. “And when you post information in source code on your website, on pages the public is supposed to access, that gate is ‘up.’”
