Interesting People mailing list archives

Security flaws in Pentagon systems "easily" exploited by hackers


From: "David Farber" <farber () gmail com>
Date: Thu, 2 Feb 2017 09:42:38 -0500



Begin forwarded message:

From: Dewayne Hendricks <dewayne () warpspeed com>
Subject: [Dewayne-Net] Security flaws in Pentagon systems "easily" exploited by hackers
Date: February 2, 2017 at 9:21:56 AM EST
To: Multiple recipients of Dewayne-Net <dewayne-net () warpspeed com>
Reply-To: dewayne-net () warpspeed com

[Note:  This item comes from friend Steve Goldstein.  DLH]

Security flaws in Pentagon systems "easily" exploited by hackers
Hackers are likely exploiting the easy-to-find vulnerabilities, according to the security researcher who warned the 
Pentagon of the flaws months ago.
By Zack Whittaker for Zero Day
Feb 1 2017
<http://www.zdnet.com/article/pentagon-system-flaws-likely-under-attack-by-foreign-hackers/>

Several misconfigured servers run by the US Dept. of Defense could allow hackers easy access to internal government 
systems, a security researcher has warned.

The vulnerable systems could allow hackers or foreign actors to launch cyberattacks through the department's systems to 
make it look as though it originated from US networks.

Dan Tentler, founder of cybersecurity firm Phobos Group, who discovered the vulnerable hosts, warned that the flaws are 
so easy to find that he believes he was probably not the first person to find them.

"It's very likely that these servers are being exploited in the wild," he told me on the phone.

While the Pentagon is said to be aware of the vulnerable servers, it has yet to implement any fixes -- more than eight 
months after the department was alerted.

It's a unique case that casts doubts on the effectiveness of the Trump administration's anticipated executive order on 
cybersecurity, which aims to review all federal systems for security issues and vulnerabilities over a 60-day period.

The draft order was leaked last week, but it was abruptly pulled minutes before it was expected to be signed on Tuesday.

Tentler, a critic of the plans, argued that the draft plans are "just not feasible."

"It's laughable that an order like this was drafted in the first place because it demonstrates a complete lack of 
understanding what the existing problems are," he said.

"The order will effectively demand a vulnerability assessment on the entire government, and they want it in 60 days? 
Just that one vulnerability finding from me... it's been months -- and they still haven't fixed it," he said.

In the past year, the Pentagon became the first government department to ease up on computer hacking laws by allowing 
researchers to find and report bugs and flaws in systems in exchange for financial rewards.

But security researchers like Tentler are still limited in how much they can poke around the military's public-facing 
systems.

The department's official bug bounty governs the scope of what networks researchers can access. Researchers must limit 
their testing to two domains -- "defense.gov" and its subdomains, and any ".mil" subdomain.

In an effort to pare down the list of hosts from "all public Department of Defense hosts" to "only the ones in scope," 
Tentler was able to identify several hosts which answered to the domain names in scope.

"There were hosts that were discovered that had serious technical misconfiguration problems that could be easily abused 
by an attacker inside or outside of the country, who could want to implicate the US as culprits in hacking attacks if 
they so desire," he told me.

"The flaw could allow politically motivated attacks that could implicate the US," he added.

[snip]
