Those who expose cyber vulnerabilities risk getting attacked themselves
When the St. Louis Post-Dispatch uncovered dangerous bugs in a state website, Gov. Mike Parson (R) lashed out at the newspaper rather than at the education department's shoddy security.
Parson's response illustrates the perils that routinely face researchers who expose hackable security vulnerabilities in government and industry websites.
The bug discovered by the Post-Dispatch could have given malicious hackers access to the Social Security numbers of roughly 100,000 state educators, exposing them to identity theft and other fraud. The newspaper alerted the state’s Department of Elementary and Secondary Education about the bug before publishing to minimize the potential damage.
But Parson went after the paper. He claimed it had violated a state anti-hacking law, ordered an investigation by the State Highway Patrol’s digital forensic unit and said his administration had spoken to a prosecutor in Cole County, which includes the state capital, Jefferson City.
Such attacks are a common experience for cybersecurity researchers who try to root out bugs in company apps and websites before malicious hackers exploit them. There are two main reasons:
- Overly broad and outdated hacking laws at the federal and state level that can be read to criminalize innocuous activity such as violating a website’s terms of service.
- Companies and other organizations that are embarrassed by their poor security and willing to use legal threats to keep people from exposing it.
“The governor’s office is trying to divert attention from the fact they left people’s Social Security numbers exposed and they’re criminalizing good reporting,” Tor Ekeland, an attorney who specializes in defending people accused of computer crimes, told me.
“I’ve had numerous clients who think they’re doing something for the public good exposing information like this. And because people or institutions that had bad information security are embarrassed, they go and kill the messenger.”
Most hacking laws were written long before the modern Internet. That often makes it tough to figure out what counts as hacking and what doesn’t.
According to the Post-Dispatch story, the reporter accessed the Social Security numbers through a common flaw in the source code of a database designed for looking up teacher pay records. Source code is typically viewable by simply right-clicking on a Web page or pressing the F12 key.
Parson painted the action as far more nefarious on Twitter. He cited a Missouri law that criminalizes accessing personal information without permission — apparently even if the information was left accessible on the open Internet.
That reading would essentially make it a crime to alert any organization about a serious security flaw without the organization's prior permission.
The logical result: Websites in Missouri would almost certainly be far less safe.
“For cybersecurity research, it would be very poor policy to criminalize this,” Jeffrey L. Vagle, a Georgia State University law professor who focuses on cybersecurity law, told me. “This is the sort of thing you want researchers doing.”
Parson’s office declined my request for comment, citing the ongoing investigation.
A spokeswoman shared Parson’s statement on Twitter that the case is “more than just a ‘right click’” and that “an individual accessed source code and then went a step further to convert and decode that data.”
Parson’s supporters, meanwhile, are doubling down on his attacks.
A political action committee created by Parson supporters published a video set to dramatic music that described the tumult this way: “Gov. Parson is standing up to the fake news media and is committed to bring to justice anyone who obtained private information.”
There’s been some progress reining in the main federal anti-hacking law.
That law, the Computer Fraud and Abuse Act (CFAA), dates to 1986 and has long been the biggest deterrent to cybersecurity researchers.
The U.S. Supreme Court issued a ruling in June that significantly narrowed how courts should interpret the statute, though cybersecurity advocates say the ruling left too much uncertainty in some cases.
Previously, some judges and prosecutors had interpreted the CFAA so broadly that critics argued it would make it illegal to violate a dating site’s terms of service by lying about your height, or an employer’s computer rules by checking personal email at work.
The Russian hackers behind SolarWinds are trying to breach software supply chains
The hackers have targeted “resellers and other technology service providers that customize, deploy, and manage cloud services and other technologies on behalf of their customers,” Microsoft executive Tom Burt said in a blog post this morning. “Since May we have notified more than 140 resellers and technology service providers that have been targeted,” Burt wrote.
In April, the U.S. government said Russia's foreign intelligence service was behind the SolarWinds breach.
A U.S. government official described the Russian operations detailed by Microsoft as simplistic attacks that cloud service providers could protect against with basic cybersecurity measures.
“Based on the details in Microsoft’s blog, the activities described were unsophisticated password spray and phishing, run-of-the-mill operations for the purpose of surveillance that we already know are attempted every day by Russia,” the official said.
Facebook executives declined to take steps to curb misinformation
Newly obtained documents suggest the company acted too quickly to lift checks limiting the spread of misinformation after the 2020 election. The company wasn’t prepared for false information and incitements to violence on Jan. 6, when Trump supporters stormed the Capitol, Craig Timberg, Elizabeth Dwoskin and Reed Albergotti report. Facebook denies that it was responsible for the Jan. 6 riot.
Some of the decisions to not curb harmful content can be traced back to CEO Mark Zuckerberg, my colleagues report this morning. In April 2020, Zuckerberg “appeared to shoot down or express reservations about researchers’ proposals to cut down on hate speech, nudity, graphic violence and misinformation,” they report, citing a Facebook document.
A New York Times journalist was hacked by Pegasus spyware twice, researchers say
One of NSO Group’s clients probably used the company’s Pegasus spyware to successfully infect Ben Hubbard’s phone on July 12, 2020. The spyware infected his phone again on June 13, 2021, researchers from Citizen Lab say. Hubbard is the Times’s Beirut bureau chief and wrote a book about Saudi Crown Prince Mohammed bin Salman last year.
Hubbard writes: “As far as I know, no harm has come to any of my sources because of information that may have been stolen from my phone. But the uncertainty was enough to make me lose sleep.”
NSO clients have used Pegasus to target journalists, activists and business executives, according to an investigation by The Washington Post and 16 news organizations.
The report came as top French and Israeli officials held talks over Pegasus.
An Israeli proposal “included a commitment to ban the hacking of French mobile phone numbers in any future spyware deal between an Israeli firm and a third country,” Axios’s Barak Ravid reports.
Israel has come under pressure after French security agencies found traces of Pegasus on the phones of five French government ministers.
Facebook whistleblower warns about encryption
Facebook whistleblower Frances Haugen argues that the company's plan to expand the strongest form of encryption on its messaging service could stymie the company’s ability to trace government espionage operations, the Sunday Telegraph’s Mike Wright reports.
As a Facebook executive, Haugen tracked Chinese government harassment of Uighurs through Facebook Messenger. Haugen, who said she is generally in favor of encryption, is set to testify before the U.K. Parliament this morning.
Context: The U.S. and U.K. governments have long taken aim at Facebook's encryption plans, which government officials say will hamper law enforcement’s ability to investigate crimes including the spread of child abuse material. Cybersecurity advocates say limiting encryption will make Facebook customers more vulnerable to hacking.
- House Veterans' Affairs Committee Chairman Mark Takano (D-Calif.) discusses law enforcement algorithms at a Brookings Institution event today at 3 p.m.
- Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-Mich.) and SolarWinds President and CEO Sudhakar Ramakrishna participate in a Washington Post Live event on Tuesday at 10:30 a.m.
- National Cyber Director Chris Inglis and deputy national security adviser Anne Neuberger speak at a Center for Strategic and International Studies event on Tuesday at 2 p.m.
- The House Homeland Security Committee’s cybersecurity subcommittee holds a hearing on cybersecurity in the transportation sector on Tuesday at 2 p.m.
- The Senate Rules Committee holds a hearing on emerging threats to election administration on Tuesday at 2:30 p.m.
- CISA Chief of Staff Kiersten Todt speaks at the CSA Fed Summit on Thursday.
- Deputy Treasury Secretary Wally Adeyemo, Deputy Assistant Treasury Secretary Rahul Prabhakar, Todt and cybersecurity experts participate in a Carnegie Endowment for International Peace event on the U.S. cybersecurity workforce on Thursday at 10 a.m.
- CISA Director Jen Easterly and Rep. John Katko (N.Y.), the top Republican on the House Homeland Security Committee, speak at a Center for Strategic and International Studies event on critical infrastructure cybersecurity on Friday at 1 p.m.
- Gen. Paul Nakasone, commander of U.S. Cyber Command and director of the National Security Agency, speaks at an event hosted by American University’s Tech, Law & Security Program on Friday at 3 p.m.
Secure log off
Just make sure you wear it again four weeks after Halloween. Thanks for reading. See you tomorrow.