- May 26, 2016
- Posted by: Kerry Tomlinson, Archer News
- Category: Hacking, Posts with image, Vulnerabilities
A hacker takes us on his journey into the digital guts of the Department of Defense.
It’s three o’clock in the morning. Your eyes are red, your neck is sore. But there is no time for sleep, or even coffee. You’re hacking the Pentagon, and you need to find a big security hole before one of the 1,400 other hackers on this same mission turns it in for the prize.
“I need to be the first,” said a hacker we will call Bobby Tables—first, or he loses out on the reward.
Bobby—not his real name—joined the first-ever bug bounty program for the Department of Defense, sniffing out vulnerabilities in the computer systems that run America’s military and protect some of the most sensitive strategic information in government.
“Why? Money, and because it’s badass,” he said.
The big bug hunt ended May 12, and the payments are going out to the winners of this race. Bobby takes us inside his trek through the Pentagon’s complex web of cyber assets.
“It’s arguably the biggest defender on the planet,” he told Archer News. “You’d think they would be well ahead of the game.”
Five sides, five stories and more than six million square feet—the Department of Defense’s headquarters may seem intimidating to those on the outside.
“I grew up in the WarGames and Sneakers era, so the Pentagon held a weird blend of awe at its power with a tinge of anti-establishment distrust,” said Bobby. “To me, it has always been a mysterious but very visible symbol of U.S. military muscle.”
Stay away from the Pentagon and all of its computer systems, Bobby believed. Keep your digital hands to yourself.
That changed with the Hack the Pentagon program. The door to the five-sided building was opened a crack. Bobby and hackers across the country got the invite to poke, prod and uncover fissures in the armor of this military giant.
Pitted against each other, the hackers began competition on April 18.
Bobby’s first move—to scope out the landscape. What are they allowed to hack and how?
“The thing that first struck me was just the magnitude of the amount of real estate on the Internet that the DoD takes up,” said Bobby. “It’s big. There’s a lot of stuff.”
The vast cyber holdings may be overwhelming, but they can also mean more opportunities for hackers like Bobby.
“The more things you have hanging out there,” he said, “statistically, the higher the chances of vulnerabilities in those things.”
The next move—to figure out how he could apply his skills in the most efficient way possible.
“What are the things that I know how to do? I think every hacker has their own bag of tricks, their own things they’re uniquely good at,” he said.
Not just good, but fast—hopefully faster than the other 1,400 hunters just a laptop away.
“What are the kinds of things I know how to attack? What are the kinds of things that I can identify of the assets within the scope that fit the skills I have?” he added. “Those are the things most likely to give me a reward.”
Rules of engagement
Your Pentagon attack plan may be ready, your map drawn out. But in this battle, the Department of Defense set up special rules of engagement. You can’t just fire at will, but instead must follow guidelines laid out in the bounty brief.
For some hackers, this was the end of the game.
“The bounty brief left some room for interpretation around, ‘Is what I’m doing right now something that is okay or is it something that is potentially going to get me in trouble?’” he said.
Some participants found the brief so vague that they dropped out rather than accidentally make a wrong move and end up with a criminal record, he said.
“They have the ability to really come after researchers and cause some trouble if they feel you’re crossing legal lines,” said Bobby.
“The combination of that kind of vagueness and just generally mistrusting of the idea of the DoD doing this in the first place,” he said. “There were a bunch of people that basically opted out.”
Bobby forged on. His strategy—to put himself in the place of the developer.
“For me personally, I tend to think about, ‘How would you build this thing?’” he said. “If I was the developer setting up whatever it is I’m looking at, what are the processes?”
“I basically look for mistakes that people make systemically,” he added. “It’s common mistakes people make when they deploy software.”
A vast landscape with numerous opportunities to discover security holes in what may be the world’s largest defender—it’s the kind of thing that can keep a hacker at his or her laptop for hours on end.
“You’re getting to the opportunity to hack the Pentagon. As a hacker, it’s something that is completely unprecedented and it’s going to keep you up all night,” he said. “It’s something that you’ll finally be able to do without the fear of becoming a criminal.”
As you hack, as you search for cracks in the defenses, you may have some nagging questions on your mind.
Is this real and will the Pentagon actually pay?
“One of the things that is interesting about bug bounty programs is that you’re making a commitment to pay someone in the future for work they’re doing now. That’s a risk we take as hunters,” Bobby said.
Also, is another hacker with the same skills as you working faster and/or more efficiently? The person who finds the vulnerability first gets paid. Second in line does not.
“For us as researchers, that is difficult. ‘Duplicates’ as we talk about them are kind of a bummer. You don’t want to deploy a bunch of creativity to find out you’ve been beaten,” Bobby said.
Some of his fellow hackers may have turned in vulnerabilities within a matter of hours, he said.
“The ones that are good know how to do what others can’t,” Bobby said.
At the finish line
The game is now over. The vulnerabilities are in. What did Bobby find, and was he a winner?
“The nature of the program is that you can’t actually talk about that,” he explained. “What I can say is that, as a participant, there were a lot of things to look at.”
People are getting paid, he said. The rewards are said to range from $100 to $15,000.
“The way the DoD did it is they basically said, ‘Okay, we’re going to run this over a period of time. We’re not going to give results until the end,’” Bobby said. “Everyone’s staying quiet about what they find until they fix it.”
But out of 1,400 people who signed up to hack the Pentagon, only about 90 will get paid for the 90 vulnerabilities found, according to Defense News.
“I think people that missed out are a little bit disappointed they missed out,” said Bobby. “And that’s human nature.”
The biggest winner may be the Department of Defense. And now Bobby sees why they asked for assistance from hackers.
“They realize that they’re in a position where they’re creating attack surface more quickly than they can protect it,” he said. “Overall, I think they’re in a pretty good position. It’s a question of how much real estate they have. You can’t secure all of that unless you have help.”
The next step
The results of the program “look really positive,” DoD spokesperson Mark Wright told Defense News as the hunt came to an end.
The Department of Defense is considering another run, with even more real estate open for hunting, according to the agency’s Corey Harrison in FCW.
And reports say other federal agencies are looking at doing their own bug bounty programs with rewards up to $3,500.
“All of this is helping us be more secure, at a fraction of the cost that exhaustively diagnosing ourselves would take,” said Defense Secretary Ash Carter in Politico.
A new industry
Some hope the results of the program will extend beyond more security for the Pentagon.
“This is a group of people that have been at the table wanting to help the Internet be safer for 20 years,” Bugcrowd CEO Casey Ellis told Archer News.
Ellis, himself a hacker, founded Bugcrowd, a company that organizes bug bounty programs for organizations like Western Union and Pinterest.
He said hackers have often been treated with suspicion—even if they hack for good rather than evil—in part because they know how to think like an attacker.
“‘They should not be trusted and they’re bad people,’” Ellis said, describing how people may think of hackers. “We have to fight against that, that anyone who is a hacker is a threat. That’s flawed.”
Instead, he believes organizations should harness hackers’ knowledge to help protect themselves, and the DoD’s embracing of the bug bounty program could help legitimize hackers’ skills.
“They’re fighting against the incumbent perception that they are criminals, which is not the case. Now you’ve got the DoD rolling out the red carpet and saying, ‘Welcome hackers.’ That’s a radical shift,” Ellis said.
“The DoD stepping forward and adopting this model is validation,” he added. “The fact that they’re dealing with the opportunity to engage some incredible talent that’s out there that’s not really well activated, not really well understood, but is incredibly valuable to the Internet.”
As for Bobby, his view of the Pentagon may have changed.
“The DoD is traditionally a pretty conservative group of people. They’re not known for taking risks on stuff like that,” Bobby said. “To me, that’s pretty impressive.”