

Army Bug Bounty Researcher Compromises US Defense Department's Internal Network (threatpost.com)

Thursday the U.S. Army shared some surprising results from its first bug bounty program -- a three-week trial in which it invited 371 security researchers "trained in figuring out how to break into computer networks they're not supposed to." An anonymous reader quotes Threatpost: The Army said it received more than 400 bug reports, 118 of which were unique and actionable. Participants who found and reported unique bugs that were fixed were paid upwards of $100,000... The Army also shared high-level details on one issue that was uncovered through the bounty by a researcher who discovered that two vulnerabilities on the goarmy.com website could be chained together to access, without authentication, an internal Department of Defense website.

"They got there through an open proxy, meaning the routing wasn't shut down the way it should have been, and the researcher, without even knowing it, was able to get to this internal network, because there was a vulnerability with the proxy, and with the actual system," said a post published on HackerOne, which managed the two bounty programs on its platform. "On its own, neither vulnerability is particularly interesting, but when you pair them together, it's actually very serious."
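The open-proxy-plus-internal-routing chain described above is the textbook case for a deny-by-default forward-target allowlist on any public-facing proxy endpoint. The following is an added Python example, not code from the Army, HackerOne or Threatpost, using a constructed allowlist, hypothetical host names and constructed log lines: it refuses forwards to private or non-allowlisted destinations and flags such requests when run over a proxy access log.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist: the only destinations the public-facing
# proxy endpoint is permitted to forward to (hypothetical hosts).
ALLOWED_FORWARD_HOSTS = {"www.goarmy.com", "static.goarmy.com"}


def is_internal_address(host: str) -> bool:
    """True if host is a literal IP in a private, loopback, link-local
    or otherwise non-routable range (addresses an open proxy must
    never be allowed to reach on the operator's behalf)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an IP literal
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved


def forward_allowed(target_url: str) -> bool:
    """Decide whether the proxy may forward a request to target_url.
    Deny by default: only http(s) to an allowlisted public host passes."""
    parts = urlsplit(target_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower().rstrip(".")
    if is_internal_address(host):
        return False
    if "." not in host or host.endswith(".local"):
        return False  # bare intranet names and mDNS names never qualify
    return host in ALLOWED_FORWARD_HOSTS


# Constructed proxy access log: "<timestamp> <method> <path> <status>".
SAMPLE_LOG = """\
2017-01-22T16:55:01Z GET /proxy?url=https://www.goarmy.com/careers 200
2017-01-22T16:55:07Z GET /proxy?url=http://10.1.2.3/internal/ 200
2017-01-22T16:55:09Z GET /proxy?url=http://intranet.example/ 502
2017-01-22T16:55:12Z GET /proxy?url=https://static.goarmy.com/a.js 200
"""


def find_suspect_forwards(log_text: str) -> list:
    """Detection: return (timestamp, target, status) for every proxied
    request whose target fails forward_allowed(). A 200 status on such
    a line means the proxy actually reached something it should not have."""
    suspects = []
    for line in log_text.splitlines():
        ts, _method, path, status = line.split()
        for target in parse_qs(urlsplit(path).query).get("url", []):
            if not forward_allowed(target):
                suspects.append((ts, target, status))
    return suspects


if __name__ == "__main__":
    for hit in find_suspect_forwards(SAMPLE_LOG):
        print("suspect forward:", *hit)
```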


  1. solution! by Anonymous Coward · · Score: 0

    the army is having difficulty recruiting even mildly-competent tech personnel in this country. that much is crystal clear...

    i wonder if they've tried the h1b route?

    1. Re:solution! by MobSwatter · · Score: 0

      the army is having difficulty recruiting even mildly-competent tech personnel in this country. that much is crystal clear...

      i wonder if they've tried the h1b route?

      Admin: "But it says Cisco on it!"

    2. Re:solution! by Anonymous Coward · · Score: 1

      Tech worker that failed the DOD drug test: "No, that clearly says 'Crisco'. I know you have to go with the lowest bidder, but damn, you've bought your firewalled routers from a vegetable shortening company."

    3. Re:solution! by Lumpy · · Score: 0

      and it is going to get worse with the new commander in chief.

      Want the good researchers? Triple the pay and insulate them from anyone outside the DOD.

      --
      Do not look at laser with remaining good eye.

    4. Re:solution! by Anonymous Coward · · Score: 0

      You're joking.

      No security researcher worth hiring has a personality that is acceptable within the DoD. Either you want to break the rules and refuse orders or you are not worth hiring for information security. Further, why would insulating people to only soldiers and support personnel make them better at breaking down barriers? That is what security people do. We need broad ranging freedom. That is why we are good at security in the first place.

      Perhaps you are not among people that have the mandatory talents for security, but now you know what it takes. Honestly, your post sounds less like someone talking from an informed opinion and more from a person that is willing to take even the remotest of opportunities to bash the new president. Odd to bash the CIC while encouraging security researchers to be brought under his command.

    5. Re:solution! by SirSlud · · Score: 1

      don't worry, the army of old guys who know Linux will tell them what went wrong

      --
      "Old man yells at systemd"

    6. Re:solution! by mindwhip · · Score: 1

      Not a surprise when most government contracts these days go to lowest bidder. Lowest bidder often equates to low(est) quality...

      --
      [The Universe] has gone offline.

    7. Re:solution! by Anonymous Coward · · Score: 0

      I see the Drumpf Lovers are out in force down moding anything that is even possibly anti trump.

      All of you are fucking morons that support that taking turd with a bad toupee.

    8. Re: solution! by Anonymous Coward · · Score: 0

      Relax, Trump will negotiate a sweet deal. A tremendous deal for the us with an h1b firm based out of Moscow. They've already got their vpn in place.

    9. Re: solution! by Anonymous Coward · · Score: 0

      We won. Get over it. Barack H Obama 2008 Election

    10. Re: solution! by Anonymous Coward · · Score: 0

      That's just the fat off the top that goes into their budget this year

    11. Re: solution! by iivel · · Score: 1

      That would be interesting if true, but the truth is "most" government contracts don't actually go to the lowest bidder. Especially in software, cyber, cloud, and data science. A cost/value tradeoff is determined using a weighted score combining the bid, the proposed technical & management solution, and the bidders' past performance. Then, there is typically a downselection to the top 3, then more information and final bids are collected, and then the winner is selected by choosing the contractor with the highest combined score. What you're thinking of is called an LPTA acquisition and while they were popular for a few years in the late 2000s, that trend has largely reversed. Which is good for anything other than commoditized services and products.

  2. Good job & this IS a good thing... apk by Anonymous Coward · · Score: 0

    See my subject: It seals doors that were open that shouldn't have been - so this IS a good thing & good result!

    APK

    P.S.=> It was also what the intention of such testings were - to "find doors/windows into the house that weren't properly secured" so-to-speak... apk

    1. Re: Good job & this IS a good thing... apk by Anonymous Coward · · Score: 0

      And the part of Captain Obvious is played by APK.

    2. Re: Good job & this IS a good thing... apk by mmell · · Score: 1

      Hey, at least in this case, he's right, and not spamming the board. When he behaves well we should treat him well.

    3. Re: Good job & this IS a good thing... apk by Coren22 · · Score: 1

      You have a point, he is however spamming, just not here.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?

  3. Three week trial? by BigBuckHunter · · Score: 1

    It pains me that this was a one-off, three week event, rather than something that is done daily or at regular intervals. Compsec is a perpetuity, not an annuity.

  4. Why? by Anonymous Coward · · Score: 0

    Why are all Trump supporters queer?

  5. Sadly, there should be no lack of talent. by mmell · · Score: 1, Insightful

    Not that a Trump presidency is itself attractive to anybody of average or higher intelligence, but I'm sure there are a great many highly intelligent individuals ready to cynically take advantage of an administration which has already clearly established its reliance on the "Big Lie" as a tool for governance.

    Of course, there is a simpler solution available to the US Army - take back the bounty money and declare publicly that military cyber-security is perfect and no successful expires were found.

    1. Re:Sadly, there should be no lack of talent. by gtall · · Score: 1, Informative

      Your view of the U.S. military is about 30 years old. That's not how they work these days, and their attitude towards security is not all that different than your basic hairy FSF guys.

      And their view of Trump is that he's a walking disaster just waiting to happen. I agree with your assessment that they aren't attracting the A-list talent. His cabinet sycophants are proof of that. When asked about guns in schools, Ms. DeVos opined about grizzlies in Montana invading schools.

      His Treasury nominee does a first class backstroke. When questioned about el Presidente Tweety's remarks about having U.S. debt holders accept less than face value of the debt in repayment, he trotted out the usual Republican b.s. about an expanding economy curing the debt and deficit problem, the latter to be made worse by Tweety's plans to piss off infrastructure money on his construction buddies. When it was pointed out that even their most optimistic projections of GDP growth wouldn't cover the new deficit spending much less pay down existing debt, he whined about the senator using old figures. It was pointed out that the figures were more current than the nominee's. He then proceeded to explain that using dynamic scoring, the figures were in line. The senator told him he was full of shit. Too bad the senator's time ran out then.

      In case you were wondering, static scoring is what used to be used to judge the cost of a government program. Then the Republicans figured they could make the figures look so much better if they calculated the expansion of the GDP with the new government program. That's about as honest as claiming I'll be rich if only I'd win the lottery. It isn't wrong, just highly unlikely.

    2. Re: Sadly, there should be no lack of talent. by mmell · · Score: 1

      Awesome . . . Looks like Herr Drumpf's fans have mod points. More amusingly, looks like they're butt-hurt.

  6. s/expires/exploits by mmell · · Score: 1

    Using swipe to input from an Android tablet . . . I've really got to start double-checking before I hit the 'submit' button.

  7. Need to remove ITAR limitations by mmell · · Score: 1

    Which don't seem to be preventing us from exporting weapons-grade stupidity, in any event.

  8. Never mind when did we learn about this. by mmell · · Score: 3, Insightful

    How long have the Russians known about this, and what have they done with it?

    1. Re:Never mind when did we learn about this. by DonaId+Trump · · Score: 1

      Russia doesn't exist! It's a conspiracy by China to harm American business! As soon as Betsy DeVos is confirmed as Education Secretary, I'm making her brother Chairman of the Joint Chiefs of Staff. We're gonna have the best Blackwater anyone has ever seen, folks!

  9. hi by Anonymous Coward · · Score: 0

    Real hacker here....just thought i'd say ...ain't never gonna happen , i'd rather be poor , and free of the bs...govt is about...

    want a tip , you have to allow me to be me lest i become not me....you can't do that....

    WHY? CAUSE I DO WHAT I F.IN WANT....i discover crap cause im curious and play games and use new stuff here and there and also have tools i make to do what i want....when i want how i want.

    OH, and i have a honorable discharge from the military and i'm not telling which country from.

    1. Re:hi by Anonymous Coward · · Score: 0

      So you run porn sites or what?

    2. Re:hi by SirSlud · · Score: 1

      Oh, real hacker. Hehe.

      --
      "Old man yells at systemd"

    3. Re: hi by Anonymous Coward · · Score: 0

      When will we see a hacker who has read a book?

  10. Not sure I get your A/C point. by mmell · · Score: 1

    less like someone talking from an informed opinion and more from a person that is willing to take even the remotest of opportunities to bash the new president

    Surprising how similar those two things are these days, isn't it?

    1. Re: Not sure I get your A/C point. by Anonymous Coward · · Score: 0

      We won. Get over it. Barack H Obama 2008

  11. We have smart people too by Anonymous Coward · · Score: 2, Insightful

    Posting anonymously for reasons.

    The US army has competent personnel - very little of what goes on at Ft. Huachuca is public, the army ITOC has always been a good place for zero day exploits, and there's a small army of civilian contractors at places (Aberdeen and others) that do some interesting things.

    Here's the thing: When an army grey hat / white hat discovers something interesting, or creates something interesting, they don't get PERSONAL credit - they don't go hack a database, or deface a website and splay their name and try making the news. You don't hear about them. The image of "solo rogue hacker" is out of a 90s movie, and most people classifying themselves as such - in need of a classification or identification - are script kiddies. We have shops. They have shops. It doesn't do anyone good for everyone to be talking about them.

    But don't kid yourself that there's no talent - or that this fun PR event was the summation of assembled talent.

    1. Re: We have smart people too by Anonymous Coward · · Score: 0

      This. Stunts like Hack the Army and Hack the Pentagon are good PR, but reinforce the perception that DoD doesn't have competent internal capabilities. They do, but their day to day work red teaming systems doesn't make good copy.

  12. True. Challenging assumptions, bending rules by raymorris · · Score: 1

    I think there is some truth to that. I wouldn't do well in the Army. My natural tendency is to challenge assumptions and manipulate, if not break, the rules. This personality has served me well in my infosec career.

    My tendency to always think about what I can get away with fits infosec well, but probably not DoD. It has also meant that I have to be very careful about ethical and moral behavior. Since I'm always thinking about how I *could* steal something or how I *could* spy on someone, it would be easy to start actually stealing and spying if I'm not on guard.

  13. and get rid of up or out! by Joe_Dragon · · Score: 1

    up or out! = stay good at your job and get forced out or get pushed up to more paper pushing management jobs.

  14. @ least I'm not you Capt. "ne'er-do-well"! by Anonymous Coward · · Score: 0

    See my subject: Since our topic's security related I'm actually out there creating things to help it APK Hosts File Engine 9.0++ SR-5 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/ & speed, reliability + anonymity online... & you?

    * See subject - says it all for me, vs. you... lol!

    APK

    P.S.=> It honestly amazes me people like you are allowed to exist taking up food, water, oxygen & shelter that productive others could be using instead of waste-of-life do-nothing of worth YOU... apk

  15. I hear different from field grade officers by Anonymous Coward · · Score: 0

    "Your view of the U.S. military is about 30 years old. That's not how they work these days, and their attitude towards security is not all that different than your basic hairy FSF guys. And their view of Trump is that he's a walking disaster just waiting to happen." - by gtall ( 79522 ) on Sunday January 22, 2017 @04:55PM (#53717045)

    See my subject: ... Who live & work in Washington D.C. (majors/colonel usually) - I regularly speak w/ them & each time they tell me they're HAPPY Mr. Trump's our president!

    * They're the command + intelligentia of the military in their respective branches - so I trust their opinions.

    (You may have heard the opinion of undereducated 'grunts' instead I imagine...)

    APK

    P.S.=> By the way - they work with well over 2 billion dollars each to save monies in their respective areas of the military & have saved tons doing so (it's their job, cost-cutting, in fact)... apk

    1. Re: I hear different from field grade officers by Anonymous Coward · · Score: 0

      So these government people you know, they exist in your head, right?

  16. Lg k540 font too small by Anonymous Coward · · Score: 0

    In portrait & landscape mode

  17. great but can you trust the hackers? by Anonymous Coward · · Score: 0

    TFA says they are using people they would normally try to avoid. So we are giving people we don't trust free rein to try to break into the Army's network and paying approx. 1k per vulnerability. I'm sure getting serious access to the army's network sells for more than that on the black market. Who's to say a researcher turned in all they found?

  18. Quit projecting your issues onto me by Anonymous Coward · · Score: 0

    See my subject: Got that? Good...

    APK

  19. You're a lying chicken dick punk Coren22 by Anonymous Coward · · Score: 0

    See my subject & proof's here https://slashdot.org/comments.pl?sid=10141067&cid=53725923 & https://slashdot.org/comments.pl?sid=10141067&cid=53725817/ where you can't backup your lies directed MY way pussy.

    * Why don't you just tell me WHO you are wannabe "karate man" (mu tai bs which from YOU, liar, as shown above, I severely doubt - just another bullshit lie - lol, want to know how MANY fucks like that I've torn up? More than a few) so we can settle our differences FACE to FACE (I'd say man to man, but then, you're NO MAN, pussy...)

    APK

    P.S.=> Keep spreading your 'gossip' punk: You're playing with fire, & I'm fairly warning you, cut the shit (I've tried that 3x though peaceably, doesn't work with retards like you)!

    You don't GET IT do you? Real "social disconnect" in your assburger addled brain:

    Decent real men & women look @ "your kind" (defective brain-damaged gossiping little bitches) like the SCUMBAG punks you are!

    Yes - I think you KNOW that, hence your FAKE NAME online usage pussy - I am certain you need to get your ass kicked for your OWN good to be honest (before a TRULY 'bad motor scooter' gets ahold of you & you do NOT want that - so let me do YOU a favor, ok? Make good on what I ask there vs being the PUSSY liar you are)... apk

    1. Re:You're a lying chicken dick punk Coren22 by Coren22 · · Score: 1

      *Yawn*

      How childish. I thought you were retired and therefore should be more mature than me. When will you start looking into the mirror and fix yourself before attacking others?

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?

    2. Re:You're a lying chicken dick punk Coren22 by Anonymous Coward · · Score: 0

      You're the one attacking first Coren22.

    3. Re:You're a lying chicken dick punk Coren22 by Coren22 · · Score: 1

      No, there has been 0 attacking here from my side. I suggested, rather politely, that you should perhaps stop stalking and harassing raymorris. You are the one who then flipped shit and started your barrage of attacking.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?

  20. Coren22 prove your words quoted here by Anonymous Coward · · Score: 0

    "Apk doesn't think DNS servers are worth running & believes Microsoft Active Directory can run w/out DNS." - by Coren22 (1625475) on Tuesday October 27, 2015

    Prove your quoted words above Coren22: Where'd I say it? Show us. I say AD needs internal DNS as far back as 2007 http://forums.tweaktown.com/windows/25596-how-secure-windows-2000-xp-server-2003-vista-fully-per-cis-tool-scoring-3.html?s=0ae07d5b5389e06fd6bcfd05bc2d2cc0/

    See "To warn users who have ActiveDirectory/AD LAN-WAN setups to NOT use external DNS servers" there on OpenDNS free (I use it) + AD in my security guide.

    APK

    P.S.=> Whose mistake is that Coren22? YOURS, lol (again) w/ https://slashdot.org/comments.pl?sid=10141067&cid=53725817/ idiot (I've got TONS more too)... apk
