Imagine if someone asked you and several other computer experts to "hack" the US Pentagon. Not only that, but for every vulnerability in this so-called wall of secrecy that you and your associates could find, you would be paid a bounty — an actual cash bonus.

Well, guess what: it did happen, and it has been happening since 2016.

Dubbed "Hack U.S.", the week-long effort drew nearly 270 researchers attempting to sniff out critical- and high-severity vulnerabilities in Defense Department networks, according to a report in TheRecord. To no surprise, 648 reports were submitted, of which 349 were deemed "actionable" — paying out $75,000 in total bounties and bonus awards.

“In just seven days, Hack U.S. ethical hackers submitted 648 reports, including numerous which would be considered critical had they not been identified and remediated during this bug bounty challenge,” Melissa Vice, Vulnerability Disclosure Program (VDP) director, said in a statement. “This bounty challenge shows the extra value we can earn by leveraging their subject matter expertise in an incentivized manner,” she added.

The "white hat" test ran from July 4 to July 11 and was launched by the Chief Digital and Artificial Intelligence Office (CDAO), Directorate for Digital Services (DDS), DoD Cyber Crime Center (DC3), and HackerOne, TheRecord reported.

The department launched its first bug bounty, dubbed “Hack the Pentagon,” in 2016. The practice has since proliferated to cover specific parts of DoD’s various systems, the military branches and the Homeland Security Department.

Vice said an initial evaluation of the program’s results found that the most commonly identified vulnerability was categorized as “information disclosure.” “With the identification of vulnerability trends, we can seek out patterns of detection and ultimately create new processes and system checks to ensure we address the root cause and develop further mitigations against malicious actors who might try to exploit our systems,” Vice said.

Other top flaws discovered through the effort included improper access and generic SQL injection, TheRecord reported.

The announcement comes as the number of exploits throughout the software supply chain is skyrocketing, with 18,378 vulnerabilities reported in 2021 alone. The US government is focused on securing the supply chain following President Joe Biden’s executive order from May of this year for improving the nation’s cybersecurity, VentureBeat.com reported.

This bug bounty challenge presented an opportunity to test the mettle of crowdsourced security approaches. The level of engagement and the number of important vulnerabilities that were discovered made the initiative a success.

The crowdsourced security movement is picking up steam rapidly, with the global bug bounty market valued at US$223.1 million in 2020 and anticipated to reach $5.4 billion by 2027, VentureBeat.com reported. Major technology companies, including Google, Facebook and Microsoft, have all set up similar programs to accept unsolicited reports from outside researchers.

But security issues are not new at the Pentagon. According to intelligence sources, the building houses thousands of workers, and at one time had a big problem with stolen laptops. The problem got so bad that new security procedures had to be put in place for all laptops entering and leaving the massive building.

Meanwhile, widespread cyberattacks have become a major security issue for nations around the world. Just weeks ago, the US Justice Department said it had charged three Iranians in a wide-ranging hacking campaign that targeted local governments, public utilities and nonprofit institutions across the world, including a domestic violence shelter and a children’s hospital. According to an indictment unsealed in New Jersey, the men, who remain at large in Iran, breached the computers of hundreds of people in the United States, Israel, Russia and Britain, The New York Times reported. They demanded ransom in Bitcoin after deploying malware to block access to networks or to steal data, and threatened to sell or make public sensitive information if their victims did not pay up, officials at the Justice Department and the FBI told the NY Times.

“We have to make sure we stay two steps ahead of any malicious actor,” Katie Olson Savage, deputy CDAO intelligence officer and DDS director, said in a statement. “This crowd-sourced security approach is a key step to identifying and closing potential gaps in our attack surface.”

In other words, computer geeks in their pyjamas, living in their mothers' basements, venturing out only for 7-Eleven Big Gulps.

And you thought they had no future.