So Hitting the F12 Key is Considered Dangerous Hacking Now?
*epilepsy warning*|Hatemail: Newsletter and Intel from the LaBac Hacker Collective
It Dosen’t Take Much to Be Called a Hacker These Days
This past week, Gov. Mike Parson of Missouri escalated attacks against a St. Louis Post-Dispatch journalist for reporting earlier this month that educators’ Social Security numbers had been compromised through a major vulnerability in a state government website.
The vulnerability was related to a search engine on the Missouri Department of Elementary and Secondary Education’s website and made the Social Security numbers of teachers, administrators, and counselors viewable through the HTML source code pages — pages which are sometimes accessible by pressing the F12 key on a keyboard.
Josh Renaud, the reporter who exposed the vulnerability, brought his findings to Shaji Khan, a cybersecurity professor at the University of Missouri-St. Louis, who was able to confirm the existence of the flaw. According to emails dated Oct. 12, Renaud then notified Missouri officials and delayed the story for 48 hours to give the state time to first secure sensitive information.
On Oct. 14, the very same day the St. Louis Post-Dispatch published its news report on the security flaw, Gov. Parson held a press conference saying that Renaud had hacked educators’ private information. Parson also said that prosecutors and state law enforcement had been asked to investigate both Renaud and Khan over the incident, potentially to seek civil damages. (Khan has since demanded an apology from Parson and has asserted that viewing the HTML page of a website is not hacking).
Most recently, on Wednesday, a political action committee called Uniting Missouri (which was created in 2020 by Parson supporters) published a video ad directly attacking the St. Louis Post-Dispatch. The video even calls Renaud a “hacker” who “decoded” the HTML source code on the site.
The claims made about Renaud in the ad, which echo statements made in Parson’s press release, are bizarre… especially to anyone who’s maybe accidentally tapped their F12 key and has ended up on an HTML source code page with ease.
Hacking and Security Headlines
- [Bloomberg] [The Washington Post] Russian government hackers used mobile phone and home computer networks of American residents to mask their attempts to break into hundreds of U.S. targets this year, according to cybersecurity experts. What’s more, on Sunday, Microsoft representatives warned that these campaigns are still ongoing.
- [The Guardian] Cambridge University has halted talks over a collaboration deal with the UAE worth about £400m following the fallout from recent revelations surrounding Pegasus spyware and the NSO Group. We’ve written about both.
- [The Record] [Twitter] The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a security alert last Friday about malicious malware found in a popular JavaScript library used by companies such as Facebook, Amazon, Apple, Slack, and IBM.
Facebook Follow-Up
- [The Washington Post] [Twitter] In our last issue of hatemail, we reviewed the massive media storm brewing around Facebook (more so than usual) over the past month. One story of importance that was lost in the news storm is how Facebook Inc. CEO Mark Zuckerberg shut down a voter registration initiative on WhatsApp targeting Hispanic eligible voters.
- [Capitol Hill Seattle Blog] Facebook is also seeking office space related to its recent, quiet acquisition of Big Box VR. The acquisition and investment into the company reflect Facebook’s interest in expanding into the virtual reality market.
- [The Verge] Facebook Inc. is planning to change its name in an effort to rebrand itself. The goal of the name change is reportedly to incorporate the metaverse project into its brand. The name change is expected to be announced today.
On Our Radar...
- [The Washington Post] Apple is in something of a revolutionary change amongst its workforce, as many whistleblowers are coming forward about how they can be treated better at the company. One such leader in this movement is Cher Scarlett, profiled here in the Washington Post.
- [Mother Jones] A leaked spreadsheet containing information on around 25,000 individuals who joined the Oath Keepers reveals details on how recruits describe themselves and their circumstances.
- [Protocol] Twitter is being sued by human rights activist and Saudi dissident Ali Al-Ahmed for failing to detect two men working inside the social media platform company who acted as spies for the Saudi government.
- [Vice] Check out this profile on 14-year-old Bianca Lewis (also known as BiaSciLab) who started the teaching program Girls Who Hack.
Hate speech website: kingidentity[.]com
Who hosts: Sucuri, GoDaddy
Today’s site is kingidentity[.]com. It is the homepage for the Kingdom Identity Ministries, a white nationalist theological organization.
We have observed that the site resolves to an IP address protected by Sucuri, an anti-DDoS servicer, at 192.124.249[.]175. The site previously resolved to a GoDaddy IP at 208.109.166[.]72.
Design and Technology Cloud Salon: Veil Machine (Nov. 2, 2021 - 7 pm ET)
Veil Machine, the project of sex worker artists Sybil Fury, Cléo Ouyuang, and Empress Wu, will discuss developing a practice that is relational, intimate, and ambivalent towards the authentic. At its core, sex work, like artwork, works through the interplay between fantasy and reality, intimacy and lies. Moderated by Decoding Stigma's Gabriella Garcia, join us to explore how Veil Machine, like the sex worker and artist, manipulate through masks and connect through commodification. [RSVP]