Hackers Find 138 Different Security Gaps In Pentagon Websites (go.com) 30

An anonymous reader writes from a report via ABC News: High-tech hackers brought in by the Pentagon to breach Defense Department websites were able to burrow in and find 138 different security gaps, Defense Secretary Ash Carter said Friday. The white-hat hackers were offered various bounties if they could find vulnerabilities on five of the Pentagon's internet pages. The Pentagon says 1,410 hackers participated in the challenge and that the first gap was found just 13 minutes after the hunt began. Overall, 1,189 vulnerabilities were found, though only 138 were deemed valid and unique. The experiment cost $150,000, and about half of it was paid to the hackers as bounties. The "Hack the Pentagon" program will be followed by a series of initiatives, including a process that will allow anyone who finds a security gap in Defense Department systems to report it without fear of prosecution.
  • but not persecution
    • by Sarten-X ( 1102295 ) on Friday June 17, 2016 @08:57PM (#52341163) Homepage

      It should be noted that vulnerability reporting is almost always without fear of prosecution, unless you actually committed a crime.

      Testing the vulnerability is usually a crime.

      Exploiting the vulnerability just to show how it works? Also a crime.

      Breaking other unrelated laws to figure out the vulnerability? Also a crime.

      Using social engineering to get access to a system where you think there's a vulnerability? Probably also a crime.

      I'm not saying it's right, but it's the reality. What's not a crime is figuring out (through lawful means) what platform a service runs on, and setting up your own similar configuration or otherwise conducting hands-off research, then using that to determine candidate vulnerabilities, then reporting those for validation.

  • ... Snowden's phone number and stuff?

  • Cost (Score:4, Insightful)

    by manu0601 ( 2221348 ) on Friday June 17, 2016 @08:56PM (#52341161)

    The experiment cost $150,000, and about half of it was paid to the hackers as bounties

    Where did the other 75 kUSD half go? Paid to a contractor for creating the vulnerability report web form?

    • They would have had to find and do background checks on the people attempting the hacking. They wouldn't want someone with the wrong background getting into their systems. Some of the people probably had security clearance before entering the competition. The article talks about a person who did it while they were in high school, so a background check would have had to be performed. Additional security checking would have also been placed on the five domains that were part of the testing. Plus any setup-co

  • by Nutria ( 679911 ) on Friday June 17, 2016 @08:59PM (#52341169)

    138 vulnerabilities is quite a low number. This is going to do nothing but give them a false sense of security.

    • on five of the Pentagon's internet pages

      1410 vulnerabilities were found (138 of which were deemed valid and unique).

      • on five of the Pentagon's internet pages

        1410 vulnerabilities were found (138 of which were deemed valid and unique).

        The rest were cleared by adding things like the following after the return() statements: /*NOTREACHED*/
        (I hate lint so much.)

    • My first thought was the same as yours. On our last PCI ASV test we found something like 8,000 exposures or more. But then I remembered the Pentagon thing is only for specific web pages. Also 138 UNIQUE ones - five instances of similar injection exposures count as one.

  • by Anonymous Coward

    Anyone who succeeded at this game...congrats, you're now under 24/7 surveillance by the FBI. Was it worth the 325 dollars per exploit? (75,000 in prize money, divided by 138, then take taxes out at a 40% rate).

  • by darkain ( 749283 ) on Friday June 17, 2016 @09:50PM (#52341349) Homepage

    What? No obligatory XKCD yet!? https://xkcd.com/932/ [xkcd.com]

  • In summary, the participants were collectively robbed of 1 million dollars in exchange for 75,000 dollars. When will CS people start to understand their own work is worth something better than the f... peanuts given at such f... events?
  • by JustAnotherOldGuy ( 4145623 ) on Saturday June 18, 2016 @10:24AM (#52343057) Journal

    They found 138 security gaps? So apparently they only tested 138 sites. :)

    This is like dipping a cup in the ocean 10 times and reporting that you "found 10 cups of water in the ocean".
