Army Bug Bounty Researcher Compromises US Defense Department's Internal Network (threatpost.com) 49
Thursday the U.S. Army shared some surprising results from its first bug bounty program -- a three-week trial in which they invite 371 security researchers "trained in figuring out how to break into computer networks they're not supposed to."
An anonymous reader quotes Threatpost:
The Army said it received more than 400 bug reports, 118 of which were unique and actionable. Participants who found and reported unique bugs that were fixed were paid upwards of $100,000... The Army also shared high-level details on one issue that was uncovered through the bounty by a researcher who discovered that two vulnerabilities on the goarmy.com website could be chained together to access, without authentication, an internal Department of Defense website.
"They got there through an open proxy, meaning the routing wasn't shut down the way it should have been, and the researcher, without even knowing it, was able to get to this internal network, because there was a vulnerability with the proxy, and with the actual system," said a post published on HackerOne, which managed the two bounty programs on its platform. "On its own, neither vulnerability is particularly interesting, but when you pair them together, it's actually very serious."
"They got there through an open proxy, meaning the routing wasn't shut down the way it should have been, and the researcher, without even knowing it, was able to get to this internal network, because there was a vulnerability with the proxy, and with the actual system," said a post published on HackerOne, which managed the two bounty programs on its platform. "On its own, neither vulnerability is particularly interesting, but when you pair them together, it's actually very serious."
Re: (Score:1)
Tech worker that failed the DOD drug test: "No, that clearly says "Crisco". I know you have to go with the lowest bidder, but damn, you've bought your firewalled routers from a vegetable shortening company."
Re: (Score:1)
and it is going to get worse with the new commander and chief.
Want the good researchers? Triple the pay and insulate them from anyone outside the DOD.
Re: (Score:2)
Oh, real hacker. Hehe.
Not sure I get your A/C point. (Score:2)
Surprising how similar those two things are these days, isn't it?
True. Challenging assumptions, bending rules (Score:2)
I think there is some truth to that. I wouldn't do well in the Army. My natural tendency is to challenge assumptions and manipulate, if not break, the rules. This personality has served me well in my infosec career.
My tendency to always think about what I can get away with fits infosec well, but probably not DoD. It has also meant that I have to be very careful about ethical and moral behavior. Since I'm always thinking about how I *could* steal something or how I *could* spy on someone, it would be easy t
and get rid of up or out! (Score:2)
up or out! = stay good at your job and get forced out or get pushed up to more paper pushing management jobs.
Need to remove ITAR limitations (Score:2)
Re: (Score:2)
don't worry, the army of old guys who know Linux will tell them what went wrong
Re: (Score:2)
Not a surprise when most government contracts these days go to lowest bidder. Lowest bidder often equates to low(est) quality...
Re: solution! (Score:1)
Re: Good job & this IS a good thing... apk (Score:2)
Re: (Score:2)
You have a point, he is however spamming, just not here.
Re: (Score:2)
*Yawn*
How childish. I thought you were retired and therefore should be more mature than me. When will you start looking into the mirror and fix yourself before attacking others?
Re: (Score:2)
No, there has been 0 attacking here from my side. I suggested, rather politely, that you should perhaps stop stalking and harassing raymorris. You are the one who then flipped shit and started your barrage of attacking.
Three week trial? (Score:2)
Sadly, there should be no lack of talent. (Score:1, Insightful)
Of course, the is a simpler solution available to the US Army - take back the bounty money and declare publicly that military cyber-security is perfect and no successful expires were found.
s/expires/exploits (Score:2)
Re: (Score:2, Informative)
Your view of the U.S. military is about 30 years old. That's not how they work these days, and their attitude towards security is not all that different than your basic hairy FSF guys.
And their view of Trump is that he's a walking disaster just waiting to happen. I agree with your assessment that they aren't attracting the A-list talent. His cabinet sycophants are proof of that. When asked about guns in schools, Ms. DeVos opined about grizzlies in Montana invading schools.
His Treasury nominee does a first c
Re: Sadly, there should be no lack of talent. (Score:2)
Never mind when did we learn about this. (Score:4, Insightful)
Re: (Score:1)
We have smart people too (Score:2, Insightful)
Posting anonymously for reasons.
The US army has competent personnel - very little of what goes on at Ft. Huachuca is public, the army ITOC has always been a good place for zero day exploits, and there's a small army of civilian contractors at places (Aberdeen and others) that do some interesting things.
Here's the thing: When an army grey hat / white hat discovers something interesting, or creates something interesting, they don't get PERSONAL credit - they don't go hack a database, or deface a website and