Army’s first-ever bug bounty finds entry points to sensitive DoD systems

Editor’s note: This edition of On DoD also includes an interview with Jeremy Corey, the Defense Information Systems Agency’s lead PKI engineer, on Purebred, DoD’s program to deliver derived credentials to mobile devices.

In November, when Army officials decided to launch the service’s first-ever bug bounty, one of the key questions they wanted to answer was whether sensitive personnel records were vulnerable to theft by hackers via the Army’s public-facing websites. As it turns out, the answer was yes.

The Army and HackerOne, its contractor for the bug bounty, announced the final results from the Hack the Army challenge late last week: In all, 371 “white hat” hackers participated in the one-month exercise and uncovered a total of 118 separate security holes in websites operated by Army Human Resources Command.

Sponsored Content: Why Governance, Risk and Compliance is Everyone’s Business - Download the Executive Brief Today.

But among the most serious was one in which a security researcher discovered a pair of security problems that let him hop directly from the Army’s main recruiting website, GoArmy.com, to an internal DoD network that’s not supposed to be accessible to the public without triggering any warnings to the Army’s cyber defenders.

Advertisement

According to HackerOne, the serious security problem was a combination of a misconfigured proxy server in the public-facing web portal and a separate flaw in a system that controls access to the Army’s internal network.

“It allowed researchers to chain a couple vulnerabilities together to get access to internal systems that shouldn’t have been exposed to the public internet,” Alex Rice, the company’s chief technology officer and co-founder said in an interview on Federal News Radio’s On DoD. “That’s exactly the type of finding that shows the value of having human intelligence applied to this problem. When you have multiple vulnerabilities that would have to be combined in a creative manner in order for someone to exploit them, that’s the kind of thing that automated tools and traditional scanning technologies just completely miss. It takes human ingenuity to make these leaps of logic.”

The Army says its Cyber Command acted quickly to fix the security problem as soon as the competition participants discovered and reported it. It was one of a total of 416 bugs submitted during the bug bounty (the first one was submitted five minutes after the challenge started). HackerOne says it’s paid out more than $100,000 in bounties for verified bug reports thus far, but some rewards are still being processed.

Hack the Army was only the second bug bounty the Defense Department has conducted so far, and the first to specifically use the process to look for undiscovered pathways by which malevolent hackers might find sensitive data. The first challenge, called Hack the Pentagon, targeted nonsensitive news and information sites run by the Defense Information Activity.

In another first, the Army got legal permission to allow its own employees to participate in the challenge (though they weren’t eligible for monetary awards). In all, 25 federal workers registered to search for bugs, including 17 uniformed military personnel.

The Army competition was funded as the first task order in a $3 million indefinite delivery-indefinite quantity contract DoD issued HackerOne last October so that military services and Defense agencies could set up their own bug bounties, and company officials say remaining funds under the contract could still pay for up to 19 more bug bounties across DoD.

But no other task orders have been issued to date, and there is some degree of uncertainty whether the incoming administration will be as enthusiastic as the last one was about bug bounties and other nontraditional technology projects that were launched by the U.S. Digital Service and its DoD outpost, the Defense Digital Service.

As my colleague Jason Miller reported recently, the Trump administration is expected to significantly scale back USDS, believing that the Obama administration “created a monster” that was overly empowered to usurp the authority of the federal chief information officer and federal laws that dictate roles, responsibilities and chains of command in federal IT policy.

“I’m optimistic we’ll see more [bug bounties] in the future, but it’s going to be up to the individual Defense components to decide that,” Rice said. “We certainly haven’t eliminated every vulnerability in DoD, and I think anyone who engaged in these programs would have a hard time disagreeing with the results of working with the hacker community in this fashion.”