A security researcher found misconfigured servers operated by the U.S. Department of Defense that could allow --...
or may have already allowed -- a successful Pentagon hack.
Dan Tentler, founder of cybersecurity firm Phobos Group, found several misconfigured Pentagon servers and reported the issues in March 2016. But he claimed the vulnerabilities were dismissed because they were "out of scope" for the bug bounty program being run. As of three weeks ago, the flaws were still not fixed.
Tentler submitted reports to the Hack the Pentagon bug bounty program run by HackerOne -- a company that facilitates bug bounties and, more recently, held a Hack the Army program. Tentler said the misconfigured servers could allow a foreign attacker to run Pentagon hacks while making the origin of the attacks appear to be the U.S.
The rules of the bug bounty program don't allow Tentler to release the details of the vulnerabilities. Tentler told ZDnet it is likely these servers currently are being exploited and suggested a potential Pentagon hack could lead threat actors to Department of Defense (DOD) personnel files, but perhaps not more highly classified documents.
Reactions to the Pentagon hack
Chris Pogue, CISO for Nuix, based in Herndon, Va., said the vulnerability management troubles of the DOD prove that "simply identifying vulnerabilities is only part of the challenge."
"This shows how far we have to go in terms of building and maintaining a realistic, effective security program at scale. Those vulnerabilities or misconfigurations need to be corrected or mitigated, and then retested to ensure that they have both achieved the intended consequences and have not inadvertently introduced new vulnerabilities," Pogue told SearchSecurity. "Provided that can happen in a timely manner, the process then needs to be repeated at scale over and over and over again."
Carson Sweet, CTO and co-founder of CloudPassage, a San Francisco-based cloud security company, said there were a number of possible reasons why the DOD would risk a Pentagon hack by allowing vulnerabilities to fester, including building in-house services that are hard to maintain in the face of employee turnover.
"The result is that it takes so long for a security solution to be built in-house -- like a patch management solution -- that the underlying technology has already moved on. These systems may be so old that people are afraid to touch them. This fear really gets intense when the people who developed a proprietary system leave an agency or department, so they just decay in place," Sweet told SearchSecurity via email. "Another common situation is systems being run by contractors that are less security-savvy, and there might be financial or contractual limitations on what the DOD can compel them to do."
John Chirhart, federal technical director at Tenable Network Security, based in Columbia, Md., said the issue could be that the U.S. military's global presence has led to the DOD having "more IT infrastructure in more places than any other IT user in the world."
"Coordinating the scanning of these systems is difficult enough, let alone the mitigation of vulnerabilities found," Chirhart told SearchSecurity. "They have laptops in every forward-deployed Humvee, aircrafts with over 500 computers on board, and submarines and ships in every imaginable navigable waterway. The DOD is a 24/7 organization, so the question is: How do you patch something that moves constantly? Their tier-one missions can't hit pause for an hourglass to spin while a patch gets pushed."
Pogue said the pursuit of security should be constant, because "these sorts of issues will never be resolved."
"There is no point at which IT administrators can raise their hands in triumph and declare their state of security," Pogue said. "It's a process much like physical fitness. Each day, you will either be more secure or less, but your tomorrow is a direct result of the choices you make today. I hope that we choose wisely."
Learn more about a Pentagon hack widening government email woes.
Find out how to use data to mitigate risk in vulnerable software.
Get info on a malvertising campaign that targeted unpatched systems.