Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hackers Find 138 Different Security Gaps In Pentagon Websites (go.com)

Posted by BeauHD on from the white-hat-hackers dept.

An anonymous reader writes from a report via ABC News: High-tech hackers brought in by the Pentagon to breach Defense Department websites were able to burrow in and find 138 different security gaps, Defense Secretary Ash Carter said Friday. The white-hat hackers were offered various bounties if they could find vulnerabilities on five of the Pentagon's internet pages. The Pentagon says 1,410 hackers participated in the challenge and that the first gap was found just 13 minutes after the hunt began. Overall, 1,189 vulnerabilities were found, though only 138 were deemed valid and unique. The experiment cost $150,000, and about half of it was paid to the hackers as bounties. The "Hack the Pentagon" program will be followed by a series of initiatives, including a process that will allow anyone who finds a security gap in Defense Department systems to report it without fear of prosecution.

21 of 30 comments (clear)

  1. without fear of prosecution by turkeydance · · Score: 1

    but not persecution

    1. Re:without fear of prosecution by Sarten-X · · Score: 4, Informative

      It should be noted that vulnerability reporting is almost always without fear of prosecution, unless you actually committed a crime.

      Testing the vulnerability is usually a crime.

      Exploiting the vulnerability just to show how it works? Also a crime.

      Breaking other unrelated laws to figure out the vulnerability? Also a crime.

      Using social engineering to get access to a system where you think there's a vulnerability? Probably also a crime.

      I'm not saying it's right, but it's the reality. What's not a crime is figuring out (through lawful means) what platform a service runs on, and setting up your own similar configuration or otherwise conducting hands-off research, then using that to determine candidate vulnerabilities, then reporting those for validation.

      --
      You do not have a moral or legal right to do absolutely anything you want.
  2. Amyone have ... by CaptainDork · · Score: 1

    ... Snowden's phone number and stuff?

    --
    It little behooves the best of us to comment on the rest of us.
    1. Re:Amyone have ... by TheGratefulNet · · Score: 2

      "he knows you are trying to contact him. he will reach out to you when the time is right."

      (a message, translated from a yet unwritten message that was found embedded on an uncooked russian sock)

      --

      --
      "It is now safe to switch off your computer."
    2. Re:Amyone have ... by CaptainDork · · Score: 1

      Crap!

      --
      It little behooves the best of us to comment on the rest of us.
  3. Cost by manu0601 · · Score: 3, Insightful

    The experiment cost $150,000, and about half of it was paid to the hackers as bounties

    Where did the other 75 kUSD half go? Paid to a contractor for creating the vulnerability report web form?

    1. Re:Cost by CanadianMacFan · · Score: 2

      They would have had to find and do background checks on the people attempting the hacking. They wouldn't want someone with the wrong background getting into their systems. Some of the people probably had security clearance before entering the competition. The article talks about a person who did it while they were in high school so a background check would have had to be performed. Additional security checking would have also been places on the five domains that were part of the testing. Plus any setup-costs and money to go through the servers after to make sure that nothing was left behind. They also had to have people go through all of the submissions to verify which ones were valid. And there is the cost to build whatever site to co-ordinate everyone. $150k for all that isn't too bad considering they can roll out checks for all of those vulnerabilities to the rest of their servers. Better than finding them after someone abuses a vulnerability.

    2. Re: Cost by manu0601 · · Score: 1

      Well, even if it miss some troublesome persons, I assume background checks are still about to point some. Do we have statistics?

  4. For a domain that size... by Nutria · · Score: 3, Insightful

    138 vulnerabilities is quite a low number. This is going to do nothing but give them a false sense of security.

    --
    "I don't know, therefore Aliens" Wafflebox1
    1. Re:For a domain that size... by CrashNBrn · · Score: 2

      on five of the Pentagon's internet pages

      1410 vulnerabilities were found (138 of which were deemed valid and unique).

    2. Re:For a domain that size... by fahrbot-bot · · Score: 1

      on five of the Pentagon's internet pages

      1410 vulnerabilities were found (138 of which were deemed valid and unique).

      The rest were cleared by adding things like the following after the return() statements: /*NOTREACHED*/
      (I hate lint so much.)

      --
      It must have been something you assimilated. . . .
  5. And now they have a list of good hackers by Anonymous Coward · · Score: 1

    Anyone who succeeded at this game...congrats, you're now under 24/7 surveillance by the FBI. Was it worth the 325 dollars per exploit? (75,000 in prize money, divided by 138, then take taxes out at a 40% rate).

  6. Re:The problem with doing this... by chadenright · · Score: 1

    As a US college student who -could- have specialized in information security, and didn't, I have to admit that my research into the matter suggested that infosec (aka hacking) is basically for people who would rather stroke their own egos than get paid, remain employed and stay out of jail.

    If and when this situation changes -- for example, if I start seeing a bunch of job openings for IT security experts instead of the current bounty system that is so popular with large companies -- then I might reconsider my specialization. Basically, security right now is a hobby for tech people who think starcraft is too mainstream.

  7. XKCD by darkain · · Score: 2

    What? No obligatory XKCD yet!? https://xkcd.com/932/

  8. Among the fastest growing salaries. Fastest in IT by raymorris · · Score: 1

    Security the the fastest growing field in IT in the US, and one of the fastest growing overall. My salary is four times what it was five years ago.

  9. I thought the same, but only certain web pages by raymorris · · Score: 1

    My first thought was the same as yours. On our last PCI ASV test we found something like 8,000 exposures or more. But then I remembered the Pentagon thing is only for specific web pages. Also 138 UNIQUE ones - five instances of similar injections exposures count as one.

  10. Re:The problem with doing this... by TechyImmigrant · · Score: 1

    As a competent security professional you cannot be unemployed right now in the current job market. Security jobs cover a lot more than 'IT'.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  11. In summary by AchilleTalon · · Score: 1

    In summary, the participants were stolen collectively 1 million dollars in exchange of 75 000 dollars. When will CS people start to understand their own work worth something better than the f... peanuts given in such f... events?

    --
    Achille Talon
    Hop!
  12. Re:The problem with doing this... by Sarten-X · · Score: 3, Informative

    I've worked in infosec. You couldn't be more wrong, but I'm quite happy that you are.

    Infosec is one of those fields where, if you do everything right, nobody knows you're doing anything. You write the GPOs, balance user needs and security guidelines, and provide secure alternatives to user-developed horrors.

    The infosec team brought you your corporate WPA2-protected wireless network, without requiring you to do anything other than connect to it. The infosec team has selected encrypted USB drives for corporate IT to hand out, rather than asking you to find your own. The infosec team rolled out the new filtering policy that blocked an emailed ransomware attack.

    Those are the blue teams.

    Then there are the red teams. Those are the penetration testers, who do everything that would be illegal... except the relevant laws all have a clause that says "without authorization", and they have authorizations. Nobody likes to talk about the pre-testing meeting where the boundaries are discussed and targets are defined. Saying you discuss attack vectors and target environments isn't as awesome as saying you hack into highly-secured top-secret government computers and get paid for it. That's also a part of the infosec field, though.

    There are rock stars in any field. There are some folks who want to get their name out there, thinking that's the best way to a lucrative consulting job, just like there are software developers who think that writing a shiny new smartphone game will get them a job at Google. Maybe it works, and maybe it doesn't, but for those of us who would rather have a steady job doing boring information security, where every day you can actually see the mitigations working and the attacks getting blocked, infosec is still a great career choice.

    --
    You do not have a moral or legal right to do absolutely anything you want.
  13. Not if you're just starting out by Bruce66423 · · Score: 1

    Sure - if you are established in your field, then you can command the big bucks. But to achieve a payout like this if you are a college student would make your resume SHINE. It'

  14. 138 security gaps? by JustAnotherOldGuy · · Score: 2

    They found 138 security gaps? So apparently they only tested 138 sites. :)

    This is like dipping a cup in the ocean 10 times and reporting that you "found 10 cups of water in the ocean".

    --
    Just cruising through this digital world at 33 1/3 rpm...