Buggy Pentagon systems a dream come true to attackers, says researcher

Potentially a national security matter for the United States.

Buggy Pentagon systems a dream come true to attackers, says researcher

Vulnerable servers owned by the Department of Defense could allow hackers to launch digital attacks via the Pentagon's systems, says a researcher.

Dan Tentler, founder of the security firm Phobos Group, found the vulnerable hosts as part of "Hack the Pentagon," a bug bounty program announced by the U.S. Department of Defense in 2016.

This program requires that researchers report vulnerabilities that fall under two domains: "defense.gov" and any site with a ".mil" subdomain. The servers reported by Tentler to HackerOne, which hosts Hack the Pentagon, fall in scope of those domains.

The security researcher told ZDNet that the way in which the hosts are configured could pose a threat to the United States' national security:

"There were hosts that were discovered that had serious technical misconfiguration problems that could be easily abused by an attacker inside or outside of the country, who could want to implicate the US as culprits in hacking attacks if they so desire. The flaw could allow politically motivated attacks that could implicate the US."

In other words, someone could abuse the hosts to launch an attack through the Pentagon's systems, thereby creating the appearance that the United States launched a digital attack against someone. This capability is dangerous in a world where government officials keep referring to the digital realm in increasingly militarized terms.

Tentler encountered very little trouble in finding the vulnerable hosts. This lack of difficulty has him worried about whether others might have already located the servers. If a malicious attacker did and knew how to exploit the level of access afforded by the hosts, the security expert feels another security incident on par with the Office of Personnel Management (OPM) breach would follow:

"It could've been OPM, but for the Marine Corps."

Admittedly, we're not at DEF CON 5 here. (The threat level. Not the conference.) Phobos' founder said the Pentagon's networks doesn't contain any classified information. That means someone couldn't exploit these issues to gain access to something like a missile defense system.

But that doesn't mean the Pentagon should leave the servers misconfigured.

Pentagon hack

After finding the hosts, Tentler filed a bug report to Hack the Pentagon. His report argues that the misconfigured hosts fall in scope of the two domains open to the bug bounty program. Even so, the Pentagon dismissed the report and has so far refused to fix the issues.

The vulnerable hosts were still active as of three weeks ago.

Tentler is worried that other unknown security issues might be on Pentagon's systems. He argues that researchers won't be able to find them because of how the Pentagon has structured its bug bounty program.

As he told ZDNet:

"The Pentagon has created a circumstance where the good guys can't find the problems because we're not allowed to scan, or go out of scope, or find things on our own. But the bad guys can scan whatever they want, for as long as they want, and exploit whatever they feel like. Well, Russia and China don't care. You can bet they're scanning those networks."

The Pentagon is in the uneviable position of deciding which parts of its systems it would like outside parties to scan. As a result, the Department of Defense needs to take care its bug bounty program doesn't jeopardize national security. In my estimation, that includes responding to reports like Tentler's and fixing those issues in a timely manner.

Tags: , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episodes:

, ,

3 Responses

  1. Matthew Parkes

    February 3, 2017 at 10:59 am #

    Thing is, wouldn't the government want these vulnerable systems to remain because at the very least if other countries did turn around and accuse the US of committing a Cyber attack at least they would have the option of plausible deniability due to these flaws. If the issues were fixed and the systems were flawless (which would never happen) then they would have nowhere to hide.

  2. Jim Goltz

    February 3, 2017 at 12:58 pm #

    Minor nit: DEFCON 5 is the normal no-alert state. DEFCON 1 is the highest DEFCON, and indicates we're at war.

  3. Elliot Alderson

    February 3, 2017 at 6:05 pm #

    it was a parting gift from 44 to 45. and it didn't matter who 45 was going to be. it just was!

Leave a Reply