The Pentagon has known about the problem for eight months.
The U.S. Department of Defense could be at risk of being attacked by hackers quite easily, one security researcher warns.
According to ZDNet, which cites Dan Tentler, founder of the cybersecurity firm Phobos Group, several misconfigured servers run by the DoD could give hackers easy access to internal government systems. That includes foreign actors eager to find a way into U.S. systems, especially since they could easily make it seem as if the attacks originated in the United States.
Tentler has said that he is probably not the first one to discover the flaws, since they were particularly easy to find. He added that they are probably already being exploited.
“There were hosts that were discovered that had serious technical misconfiguration problems that could be easily abused by an attacker inside or outside of the country, who could want to implicate the US as culprits in hacking attacks if they so desire,” Tentler told ZDNet.
The Pentagon was informed of the problem eight months ago, but no security fix has been deployed to those servers, indicating crass negligence. This is mostly because the vulnerable servers were not within the scope of the bug bounty program run by the Pentagon, which started about a year ago.
That program allows white hats to find and report bugs and flaws in the system in exchange for money, something tech companies have been doing for years. The extent of what they can test is limited, however, since only defense.gov and .mil are open to the program.
With this massive bug dismissed as out of scope, the servers remained unpatched as of the last check, about three weeks ago. Tentler assessed the vulnerability as a serious one. The presumed level of access granted by the unsecured servers, if obtained by a malicious actor, could result in a massive data breach. He compares it to the breach of the Office of Personnel Management servers last year, when 22 million personnel records were stolen. This time, however, the focus would be on the Marine Corps.
While Tentler came forward and explained the situation out of frustration at the time that has passed since the bug was reported and the lack of any response in fixing it, he could not give more details about the problem since the Pentagon had not authorized him to do so.
This makes one particular idea of the Trump administration quite laughable. The President was to sign a cybersecurity order but postponed it for various reasons. The leaked document indicated that all federal systems would be reviewed for security issues and vulnerabilities over 60 days. Considering that the Pentagon has not fixed a problem reported to it eight months ago, a vulnerability assessment of the entire government in 60 days is not exactly realistic.