The film Highlander (https://en.wikipedia.org/wiki/Highlander_(film)) was enormously popular when it came out, as were several of the songs in it. (I’d prefer to pretend that the subsequent Highlander movies were never made, so I shall from here on...)
“It’s a kind of magic” was a tagline in the movie, and one of the hit songs that were featured in it. #TIL that a complete soundtrack was never actually released, though several of the songs from the film appeared on the Queen album “A Kind of Magic” (https://en.wikipedia.org/wiki/A_Kind_of_Magic).
In the film, the “magic” referred mainly to the immortality of Connor MacLeod (of the clan MacLeod), but the phrase (and the song) popped into my head while thinking about recent events in Missouri.
These events have been discussed (or at least mentioned) by all of the InfoSec podcasts I listen to, and reactions ranged from noting the near-universal negative feedback received from most technology experts, to open mockery of Governor Mike Parson.
The thing is, for non-technical people, some of what is being described may seem like magic. The original story from the St. Louis Post-Dispatch (https://www.stltoday.com/news/local/education/missouri-teachers-social-security-numbers-at-risk-on-state-agencys-website/article_f3339700-ece0-54a1-9a45-f300321b7c82.html) describes the issue, and Brian Krebs (https://krebsonsecurity.com/2021/10/missouri-governor-vows-to-prosecute-st-louis-post-dispatch-for-reporting-security-vulnerability/) provides a number of responses to Governor Parson’s statements, but both assume a level of familiarity with the technology that not everyone has.
I have described HTML previously (https://www.til-technology.com/post/fiat-lamp), but to summarize, it is basically a way of wrapping the text of a web page in instructions (tags) that tell your browser how to format and display it.
A web site might pass this:
... but you see this:
Now, this example may seem silly, but HTML organizes text, images, links, and the various other components which make web pages work. Most people aren’t interested in doing so, but you can see the “raw” HTML code by pressing the F12 key in most browsers, which is apparently what the reporter did while looking at the Missouri Department of Elementary and Secondary Education (DESE) website.
While I did not find any clear confirmation of this, most sources assume that the exposed data were simply included in the HTML code but not visible on the page. The Missouri state website describing the incident states:
“Through a multi-step process, a hacker took the records of at least three educators, decoded the HTML source code, and viewed the social security number (SSN) of those specific educators.”
And Governor Parson is quoted as writing:
“By the actor’s own admission, the data had to be taken through eight separate steps in order to generate a (Social Security number).”
One thing that was not mentioned, however, was that the Social Security numbers of more than 100,000 educators were basically freely available to anyone able to press the F12 key on their keyboard. Sending data to the browser that the page never displays is a failure of basic security practices, and a major red flag to anyone involved with web development.
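To make the “in the HTML but not on the page” point concrete, here is an added example (my own illustration, not code from the DESE site or from any of the sources quoted above). It shows a hypothetical “vulnerable” page that embeds a whole educator record, hiding the SSN in a comment and a hidden form field, beside a “hardened” page that only sends the fields it actually displays, and a small check that compares SSN-shaped strings in the raw source against those in the rendered text. The record, the page layout and the field names are all constructed; the SSN is the well-known placeholder value, not a real number.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample record for illustration only; the SSN is the standard
# placeholder value, not a real number.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "certificate": "CERT-000000",
    "ssn": "123-45-6789",
}

# Shape of a US Social Security number as usually written (NNN-NN-NNNN).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def render_vulnerable(record):
    """Hypothetical 'before' page: the template dumps the whole record into
    the HTML and merely hides the SSN from view, so it ships to every browser."""
    return (
        "<html><body>\n"
        "<h1>Educator lookup</h1>\n"
        f"<p>Name: {html.escape(record['name'])}</p>\n"
        f"<p>Certificate: {html.escape(record['certificate'])}</p>\n"
        f"<!-- full record: ssn={html.escape(record['ssn'])} -->\n"
        f'<input type="hidden" name="ssn" value="{html.escape(record["ssn"])}">\n'
        "</body></html>\n"
    )


def render_hardened(record):
    """Hypothetical 'after' page: only the fields the page displays are sent.
    The SSN never leaves the server, so there is nothing for F12 to reveal."""
    return (
        "<html><body>\n"
        "<h1>Educator lookup</h1>\n"
        f"<p>Name: {html.escape(record['name'])}</p>\n"
        f"<p>Certificate: {html.escape(record['certificate'])}</p>\n"
        "</body></html>\n"
    )


class _VisibleText(HTMLParser):
    """Collect only the text a browser would draw: tag attributes, comments,
    and the contents of <script>/<style> are skipped."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.parts.append(data)


def visible_text(page):
    """Return the text a reader would see on screen for the given HTML source."""
    parser = _VisibleText()
    parser.feed(page)
    parser.close()
    return " ".join(parser.parts)


def find_ssn_exposure(page):
    """Compare SSN-shaped strings in the raw source against those in the rendered
    text. Anything in the source but not on screen is the F12-only exposure."""
    in_source = set(SSN_RE.findall(page))
    on_screen = set(SSN_RE.findall(visible_text(page)))
    return {
        "visible": sorted(on_screen),
        "source_only": sorted(in_source - on_screen),
    }


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable),
                          ("hardened", render_hardened)):
        print(label, find_ssn_exposure(render(SAMPLE_RECORD)))
```

Running the script reports the placeholder SSN as “source_only” for the vulnerable page and nothing at all for the hardened one. The same kind of check can be pointed at saved responses from a site you operate, as a cheap regression test that nothing sensitive is being sent to the browser “invisibly”; the real fix, as in the hardened version, is never to put the data in the response in the first place.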
Another problem is that I could not find anyone able to figure out how to get the number of steps up to eight. A second page describing this incident states:
“Through a multi-step process, an individual took the records of at least three educators, unencrypted the source code from the webpage, and viewed the social security number (SSN) of those specific educators.”
Er, “unencrypted”? The only way that makes sense is if you assume that the site is running on HTTPS. I have described this elsewhere (https://www.til-technology.com/post/infosec-basics-what-is-cryptography), but your browser does all of this automatically, so this seems irrelevant to the issue, doesn’t it? In any case, that would make the number of steps “two”, wouldn’t it?
While I have seen several entertaining lists of the “steps” required to access the information, my favourite was from Troy Hunt (https://twitter.com/troyhunt/status/1448849413162500096).
So, where does that leave us?
Well, the St. Louis Post-Dispatch reporter (Josh Renaud) apparently hit F12 on his browser while looking at the record of a teacher, saw a number which looked like a Social Security Number, double-checked on two other records, and immediately notified the Missouri Department of Elementary and Secondary Education. He then waited until they advised him that the issue had been corrected before publishing his story on the finding.
This is, essentially, a textbook description of the correct way to handle “responsible disclosure” of a vulnerability, and the appropriate response would simply have been to thank Mr. Renaud for the information.
But, since Governor Parson decided to accuse Mr. Renaud of being a “hacker” and to call the action a “crime”, the issue has come to the attention of vastly more people than would otherwise have heard of it, and demonstrates that Governor Parson either doesn’t understand even the basics of the technology, doesn’t have advisors who do, doesn’t listen to them, or is deliberately twisting these events to support a narrative of his own – or some combination of those or other reasons. In the end, it appears that he has destroyed his own credibility in the eyes of anyone even remotely familiar with technology, but maybe he has some other plan?
If so, then that is a kind of magic I simply don’t understand.
Cheers!