Saturday, June 18, 2016

Our Networks Will Work - For 13 Minutes

This is slightly off topic but it’s too good to pass up.  The Pentagon apparently hosted a “Hack the Pentagon” event in which friendly hackers were invited to attempt to hack certain Pentagon computers and networks.  Hackers who successfully found vulnerabilities would be paid a bounty.

“Within 13 minutes of launching the first U.S. Government commercial bug bounty program we had our first submission. Just six hours later, that number grew to nearly 200. Hack the Pentagon shattered initial expectations for participation and vulnerability report submissions. By its end, more than 1,400 hackers were accepted to the program, and in total 138 [unique] valid bugs were resolved in Pentagon’s systems.” (1)

In total, 1189 bug reports were submitted with 138 being verified as unique.  The Pentagon paid out over $72,000 in bounties to 58 hackers as a reward for their efforts.

So, 1400 hackers found 138 holes in the Pentagon’s network security in just a matter of minutes and hours?  So what will Chinese, Russian, and NKorean military professional hackers be able to do by working full time on hacking Pentagon networks and with the resources of entire countries to back them up?  A lot more I would imagine!

I heartily applaud this effort by the Pentagon to find and fix network vulnerabilities but I really have to question the wisdom of basing our entire Third Offset Strategy on networks of various types.  It seems foolish in the extreme.  There is no such thing as a secure network.


_____________________________

(1) HackerOne blog website, “What Was It Like To Hack the Pentagon?”, Marten Mickos, 17-Jun-2016


19 comments:

  1. " So what will Chinese, Russian, and NKorean military professional hackers be able to do by working full time on hacking Pentagon networks and with the resources of entire countries to back them up? A lot more I would imagine!"

    Nar, they'll be far less capable.
    A fighter pilot who goes on a 6 week IT course isn't a viable black hat.

  2. Given your previous post on Battlestar Galactica, it seems that life is imitating art here. The 2004 BSG TV series kicked off with a massive cyberwarfare attack on the 12 human colonies that disabled almost every defense they had, and from this article it looks like a similar incident could happen to the USA's armed forces too. Commander Adama, one of the main protagonists of the BSG TV series, was adamant that no computer networks or updates be installed on his beloved Galactica, which is what saved a lot of survivors in the beginning of that show too.

    Replies
    1. The similarity between art and life has not escaped me, nor you. Well noted!

      Networking is kind of okay as long as the individual components can be effective without the network. Unfortunately, we don't seem to be ensuring that. Our networks are moving along the path of "all or nothing".

    2. Do you think it's possible to hijack one of these networking systems? I know that's how Iran captured that UAV, there's cases under investigation where it probably was done to civilian cars, and I think DHS has admitted it's possible to do so to airliners.

    3. CNO, would you happen to be a fan of the 2004 BSG TV series? I left a comment on your old USS Galactica blog post I'd like your input on. Ronald D. Moore, one of the Producers and chief writers of the show, actually spent time in the US Navy.

  3. $72,000 wow that's cheap for network penetration testing.

    Can you imagine what BAE would have charged? Probably that for the initial project meeting.

    Replies
    1. Yep,
      Thought the exact same thing.
      Have a friend who has a white hat hacking company, get hired by Aust big 4 accounting firms, for pen tests and such, $74k wouldn't get you very much by way of testing talent directed your way. Genius marketing, cheap as chips, crowd sourced pen tests. Amazing.

  4. SW Engineering is going to have to grow up soon. All recent SW is just a series of quicksand buildings on top of quicksand buildings. No one knows what the SW below them does or how it can be hacked. Anyone that follows the RFC process for proposing new standards knows that there is little to no focus on security being built in.

    Add to that the lousy implementation practices where no one does SW security testing (even when it is automated) much less design reviews and you have a disaster waiting to happen.

    This is why companies that have product liability responsibility do NOT use the COTS unsecure stuff out there.

    You can buy a #500 laptop with a COTS OS (pick any of them) and while you save a lot on purchase cost you inherit a HUGE Security liability.

    Start making Computer Scientists be licensed and have to carry liability insurance.

    Replies
    1. BS. This thinking is what keeps govt. computers locked into boeing and lockheed IT circles. Because it is a closed system makes it more vulnerable.

      Saying that COTS is not secure is un-nuanced. Who gets hacked more, COTS Microsoft or COTS opensource LINUX/BSD? The more secure system is the one that allows cheap, no barrier auditing of code.

    2. Mud Marine - You missed my point.

      Believe me I have worked for the BIG Defense Contractors and I think they are WORSE than COTS.

      My point is the SW industry does NOT do common man reasonable steps to make sure the SW they produce is secure. When was the last time Windows or Linux was code reviewed to detect common bad practices? NEVER because there is no product liability impact.

      Read Mark Minasi's Book - The SW Conspiracy. It will open your eyes to how the industry works to keep liability on the user via the EULAs.

      Lastly on your comment about open code reviews - how do the Zero Day vulnerabilities get into the Linux (open Source) code if there are so many and vigorous code reviews?

      Show me the run results from automated tools (free or paid for) that look for common coding mistakes, THEN you have taken the first step to common man responsibility. The runs (I have done them) take less than an hour on medium size projects.

  5. Yes, it's alarming, but this turn of events is a good thing. The government can't claim to employ the best computer people anymore.

    It sort of blows my mind that the Govt. does not hire engineers from the likes of Amazon, Google, etc. to setup and or manage their IT. When Amazon or Google go down, they lose real money. Because of this, they are very good at what they do. Can you imagine if Amazon was hired to design Healthcare.gov? I bet you it would have worked.

    Replies
    1. "It sort of blows my mind that the Govt. does not hire engineers from the likes of Amazon, Google, etc. to setup and or manage their IT."

      They try, but they are fundamentally incapable.
      Facebook employs 12,000 people and is "commanded" by Cuckerberg, age 32 and is worth $52bn
      At 32, a government IT guy might be in charge of 5 people and worth $52,000

      On top of that, he's expected to know how to iron properly and march in order.

  6. Currently, the Pentagon released a proposal to be able to transfer people with particular skill sets, IT, doctors, and such to their equivalent rank to try to address this. O-6 was the max rank they could be made, at least according to the Army Times.

    Replies
    1. So they can work in silicon valley and earn $120,000 per year, arrive late, wearing jeans, and have several million dollars of stock options available for doing well

      Or

      They can work in wherever the government sends them, and earn $120,000 per year, but be expected to arrive at work at 6am for PT, then wear uniform, and not have a million dollar option package dangled in front of them.


      You would not believe the number of government jobs I turn down for stupid reasons that essentially boil down to my "your rules don't apply to me"* policy.
      And I wouldn't get a job at Google.


      *Most recently a department was closing, their me had walked out, and they needed a new me to join for 8 weeks and finish exiting everything.
      They wanted a week by week evidence of what I'd done for the past two years, I said no, they said yes, so I started a role with another company doing the same thing, who had the same rule about new starters, but bent it for me.

  7. Option 2 without the salary. They would be commissioned and promoted to the rank that correlated with civilian position.

  8. Perhaps they should consider middle-aged people who may be horribly unfit but have made a pile in industry already and want to give something back - the nice fit people can go and run around in the mud and leave the office work to experts with decades of experience.

  9. Bringing smart people in from outside will NOT change the culture. Look at David Packard who was Deputy Secretary of Defense and pushed prototyping as a way to cut acquisition costs by not rushing immature technologies into production.

    LCS, F-35, FCS, AAAv, DDG-1000 - WTF OVER. Have we learned ANYTHING?

    If someone at THAT level can't make lasting change what do you think some newbie civilian wannabe Colonel is gonna be able to do?

    If you want to fix the system and culture you have to do it yourself. So all you Soldiers, Sailors, Airmen, and Marines start changing things from the inside.

  10. One won't do anything but thousands would. What if the uniformed people went back to telling the non-uniform people what they wanted and stopped trying to (badly) project manage, administer, supply etc and the non-uniform people weren't working for a very expensive defense contractor?
