Slashdot Mirror


Hackers Find 138 Different Security Gaps In Pentagon Websites (go.com)

An anonymous reader writes from a report via ABC News: High-tech hackers brought in by the Pentagon to breach Defense Department websites were able to burrow in and find 138 different security gaps, Defense Secretary Ash Carter said Friday. The white-hat hackers were offered various bounties if they could find vulnerabilities on five of the Pentagon's internet pages. The Pentagon says 1,410 hackers participated in the challenge and that the first gap was found just 13 minutes after the hunt began. Overall, 1,189 vulnerabilities were found, though only 138 were deemed valid and unique. The experiment cost $150,000, and about half of it was paid to the hackers as bounties. The "Hack the Pentagon" program will be followed by a series of initiatives, including a process that will allow anyone who finds a security gap in Defense Department systems to report it without fear of prosecution.

9 of 30 comments

  1. Re:Anyone have ... by TheGratefulNet · Score: 2

    "he knows you are trying to contact him. he will reach out to you when the time is right."

    (a message, translated from a yet unwritten message that was found embedded on an uncooked Russian sock)

    --
    "It is now safe to switch off your computer."
  2. Cost by manu0601 · Score: 3, Insightful

    The experiment cost $150,000, and about half of it was paid to the hackers as bounties

    Where did the other 75 kUSD half go? Paid to a contractor for creating the vulnerability report web form?

    1. Re:Cost by CanadianMacFan · Score: 2

      They would have had to find and do background checks on the people attempting the hacking. They wouldn't want someone with the wrong background getting into their systems. Some of the people probably had security clearance before entering the competition. The article talks about a person who did it while they were in high school, so a background check would have had to be performed. Additional security checking would also have been placed on the five domains that were part of the testing. Plus any setup costs and money to go through the servers afterwards to make sure that nothing was left behind. They also had to have people go through all of the submissions to verify which ones were valid. And there is the cost to build whatever site to co-ordinate everyone. $150k for all that isn't too bad considering they can roll out checks for all of those vulnerabilities to the rest of their servers. Better than finding them after someone abuses a vulnerability.

  3. Re:without fear of prosecution by Sarten-X · Score: 4, Informative

    It should be noted that vulnerability reporting is almost always without fear of prosecution, unless you actually committed a crime.

    Testing the vulnerability is usually a crime.

    Exploiting the vulnerability just to show how it works? Also a crime.

    Breaking other unrelated laws to figure out the vulnerability? Also a crime.

    Using social engineering to get access to a system where you think there's a vulnerability? Probably also a crime.

    I'm not saying it's right, but it's the reality. What's not a crime is figuring out (through lawful means) what platform a service runs on, and setting up your own similar configuration or otherwise conducting hands-off research, then using that to determine candidate vulnerabilities, then reporting those for validation.

    --
    You do not have a moral or legal right to do absolutely anything you want.
  4. For a domain that size... by Nutria · Score: 3, Insightful

    138 vulnerabilities is quite a low number. This is going to do nothing but give them a false sense of security.

    --
    "I don't know, therefore Aliens" Wafflebox1
    1. Re:For a domain that size... by CrashNBrn · Score: 2

      on five of the Pentagon's internet pages

      1410 vulnerabilities were found (138 of which were deemed valid and unique).

  5. XKCD by darkain · Score: 2

    What? No obligatory XKCD yet!? https://xkcd.com/932/

  6. Re:The problem with doing this... by Sarten-X · Score: 3, Informative

    I've worked in infosec. You couldn't be more wrong, but I'm quite happy that you are.

    Infosec is one of those fields where, if you do everything right, nobody knows you're doing anything. You write the GPOs, balance user needs and security guidelines, and provide secure alternatives to user-developed horrors.

    The infosec team brought you your corporate WPA2-protected wireless network, without requiring you to do anything other than connect to it. The infosec team has selected encrypted USB drives for corporate IT to hand out, rather than asking you to find your own. The infosec team rolled out the new filtering policy that blocked an emailed ransomware attack.

    Those are the blue teams.

    Then there are the red teams. Those are the penetration testers, who do everything that would be illegal... except the relevant laws all have a clause that says "without authorization", and they have authorizations. Nobody likes to talk about the pre-testing meeting where the boundaries are discussed and targets are defined. Saying you discuss attack vectors and target environments isn't as awesome as saying you hack into highly-secured top-secret government computers and get paid for it. That's also a part of the infosec field, though.

    There are rock stars in any field. There are some folks who want to get their name out there, thinking that's the best way to a lucrative consulting job, just like there are software developers who think that writing a shiny new smartphone game will get them a job at Google. Maybe it works, and maybe it doesn't, but for those of us who would rather have a steady job doing boring information security, where every day you can actually see the mitigations working and the attacks getting blocked, infosec is still a great career choice.

    --
    You do not have a moral or legal right to do absolutely anything you want.
  7. 138 security gaps? by JustAnotherOldGuy · Score: 2

    They found 138 security gaps? So apparently they only tested 138 sites. :)

    This is like dipping a cup in the ocean 10 times and reporting that you "found 10 cups of water in the ocean".

    --
    Just cruising through this digital world at 33 1/3 rpm...