Hackers Find 138 Different Security Gaps In Pentagon Websites (go.com)
An anonymous reader writes from a report via ABC News: High-tech hackers brought in by the Pentagon to breach Defense Department websites were able to burrow in and find 138 different security gaps, Defense Secretary Ash Carter said Friday. The white-hat hackers were offered various bounties if they could find vulnerabilities on five of the Pentagon's internet pages. The Pentagon says 1,410 hackers participated in the challenge and that the first gap was found just 13 minutes after the hunt began. Overall, 1,189 vulnerabilities were found, though only 138 were deemed valid and unique. The experiment cost $150,000, and about half of it was paid to the hackers as bounties. The "Hack the Pentagon" program will be followed by a series of initiatives, including a process that will allow anyone who finds a security gap in Defense Department systems to report it without fear of prosecution.
without fear of prosecution (Score:2)
Re:without fear of prosecution (Score:5, Informative)
It should be noted that vulnerability reporting is almost always without fear of prosecution, unless you actually committed a crime.
Testing the vulnerability is usually a crime.
Exploiting the vulnerability just to show how it works? Also a crime.
Breaking other unrelated laws to figure out the vulnerability? Also a crime.
Using social engineering to get access to a system where you think there's a vulnerability? Probably also a crime.
I'm not saying it's right, but it's the reality. What's not a crime is figuring out (through lawful means) what platform a service runs on, and setting up your own similar configuration or otherwise conducting hands-off research, then using that to determine candidate vulnerabilities, then reporting those for validation.
Anyone have ... (Score:2)
... Snowden's phone number and stuff?
Re: (Score:3)
"he knows you are trying to contact him. he will reach out to you when the time is right."
(a message, translated from a yet unwritten message that was found embedded on an uncooked Russian sock)
Re: (Score:2)
Crap!
Cost (Score:4, Insightful)
The experiment cost $150,000, and about half of it was paid to the hackers as bounties
Where did the other 75 kUSD half go? Paid to a contractor for creating the vulnerability report web form?
Re: (Score:3)
They would have had to find and do background checks on the people attempting the hacking. They wouldn't want someone with the wrong background getting into their systems. Some of the people probably had security clearance before entering the competition. The article talks about a person who did it while they were in high school, so a background check would have had to be performed. Additional security checking would have also been placed on the five domains that were part of the testing. Plus any setup-co
Re: (Score:2)
For a domain that size... (Score:4, Insightful)
138 vulnerabilities is quite a low number. This is going to do nothing but give them a false sense of security.
Re: (Score:3)
on five of the Pentagon's internet pages
1410 vulnerabilities were found (138 of which were deemed valid and unique).
Re: (Score:2)
on five of the Pentagon's internet pages
1410 vulnerabilities were found (138 of which were deemed valid and unique).
The rest were cleared by adding things like the following after the return() statements: /*NOTREACHED*/
(I hate lint so much.)
I thought the same, but only certain web pages (Score:2)
My first thought was the same as yours. On our last PCI ASV test we found something like 8,000 exposures or more. But then I remembered the Pentagon thing is only for specific web pages. Also 138 UNIQUE ones - five instances of similar injections exposures count as one.
And now they have a list of good hackers (Score:1)
Anyone who succeeded at this game...congrats, you're now under 24/7 surveillance by the FBI. Was it worth the 325 dollars per exploit? (75,000 in prize money, divided by 138, then take taxes out at a 40% rate).
Re: (Score:2)
If and when this situation changes -- for example, if I start seeing a bunch of job openings for IT security experts instead of the current bounty system that is so popular with large companies -- then I might reconsid
Among the fastest growing salaries. Fastest in IT (Score:2)
Security is the fastest growing field in IT in the US, and one of the fastest growing overall. My salary is four times what it was five years ago.
Re: (Score:2)
As a competent security professional you cannot be unemployed right now in the current job market. Security jobs cover a lot more than 'IT'.
Re:The problem with doing this... (Score:4, Informative)
I've worked in infosec. You couldn't be more wrong, but I'm quite happy that you are.
Infosec is one of those fields where, if you do everything right, nobody knows you're doing anything. You write the GPOs, balance user needs and security guidelines, and provide secure alternatives to user-developed horrors.
The infosec team brought you your corporate WPA2-protected wireless network, without requiring you to do anything other than connect to it. The infosec team has selected encrypted USB drives for corporate IT to hand out, rather than asking you to find your own. The infosec team rolled out the new filtering policy that blocked an emailed ransomware attack.
Those are the blue teams.
Then there are the red teams. Those are the penetration testers, who do everything that would be illegal... except the relevant laws all have a clause that says "without authorization", and they have authorizations. Nobody likes to talk about the pre-testing meeting where the boundaries are discussed and targets are defined. Saying you discuss attack vectors and target environments isn't as awesome as saying you hack into highly-secured top-secret government computers and get paid for it. That's also a part of the infosec field, though.
There are rock stars in any field. There are some folks who want to get their name out there, thinking that's the best way to a lucrative consulting job, just like there are software developers who think that writing a shiny new smartphone game will get them a job at Google. Maybe it works, and maybe it doesn't, but for those of us who would rather have a steady job doing boring information security, where every day you can actually see the mitigations working and the attacks getting blocked, infosec is still a great career choice.
XKCD (Score:3)
What? No obligatory XKCD yet!? https://xkcd.com/932/ [xkcd.com]
In summary (Score:2)
Not if you're just starting out (Score:2)
Sure - if you are established in your field, then you can command the big bucks. But to achieve a payout like this if you are a college student would make your resume SHINE. It'
138 security gaps? (Score:3)
They found 138 security gaps? So apparently they only tested 138 sites. :)
This is like dipping a cup in the ocean 10 times and reporting that you "found 10 cups of water in the ocean".