SecurityWeek

Missouri Governor Urged to Appoint Cybersecurity Panel

Three months after creation of a commission to identify cybersecurity risks in state government, Missouri Gov. Mike Parson has yet to appoint any members. A state lawmaker said Friday that vulnerabilities exposed on a state website prove the need for just such a panel of experts.

Democratic state Rep. Ashley Aune, of Kansas City, helped write the section of Senate Bill 49 that created the Missouri Cybersecurity Commission. Parson, a Republican, signed the bill into law in mid-July.

“In light of the events that have transpired this week, I believe the governor cannot wait any longer to appoint members to this commission so it may do the critical work of identifying and rectifying gaps in Missouri’s cyberinfrastructure,” Aune said in a news release.

A St. Louis Post-Dispatch journalist uncovered a security flaw in a Department of Elementary and Secondary Education web application that allowed the public to search teacher certifications and credentials. The newspaper found that the Social Security numbers of perhaps 100,000 teachers and other school officials from around the state were in the HTML source code of the pages involved.

The Post-Dispatch alerted the department on Tuesday and the agency removed the pages. The Post-Dispatch said it gave the state time to fix the problem before publishing a story on Thursday.

But Parson on Thursday announced a criminal investigation, alleging the newspaper journalist was “acting against a state agency to compromise teachers’ personal information in an attempt to embarrass the state and sell headlines for their news outlet. We will not let this crime against Missouri teachers go unpunished.”

Aune accused Parson of a “smear campaign” against the Post-Dispatch journalist when it was Parson’s administration that stored the private information and left it unprotected.

“This fiasco perfectly illustrates why Missouri needs to get serious about confronting 21st century cyberthreats,” Aune said.

An email message left Friday with Parson’s spokeswoman was not immediately returned. But during his news conference Thursday, Parson said the state is “working to strengthen our security to prevent this incident from happening again. The state is owning its part, and we are addressing areas in which we need to do better than we have done before.”

Ian Caso, publisher of the Post-Dispatch, said in a statement that the newspaper stands by the story and the reporter, who he said “did everything right.”

Orin Kerr, a law professor at the University of California, Berkeley, and an expert on computer crime law, said the fact that the Post-Dispatch journalist looked at the HTML source code is not a crime.

“The Supreme Court has recently said the federal computer hacking law calls for a ‘gates up’ versus ‘gates down’ inquiry,” Kerr said. “And when you post information in source code on your website, on pages the public is supposed to access, that gate is ‘up.’”
