Army’s hacking contest finds Soldiers’ sensitive information at risk of theft

(Photo Credit: U.S. Army)

The Army’s contest to find vulnerabilities within its websites found some alarming issues.  The “Hack The Army” challenge uncovered that sensitive personnel records have been at risk of being stolen by hackers through the Army’s public websites.

Late last week, the Army and the contest’s contractor, HackerOne, announced the results of the challenge, in which 371 hackers found 118 separate security holes in websites operated by Army Human Resources Command.

When the month-long contest started on November 30, it took only five minutes for the first vulnerability report to be submitted.

The most serious security hole was found in the Army’s main recruiting website, GoArmy.com. The hole allowed hackers to reach an internal DoD network from the website without triggering any notifications to the Army’s cyber defenders. The DoD network requires “special credentials” for access, but the hackers were able to bypass that requirement through an “open proxy” that was supposed to have been shut down, according to HackerOne’s report.

HackerOne said the security hole was quickly fixed.

“The Army remediation team that own and operate the websites, as well as the Army Cyber Protection Brigade, acted fast,” stated HackerOne’s report. “Once the report was submitted, they were able to block any further attacks, and ensure there was no way to exploit the chain of vulnerabilities.”

“Hack the Army” was the Department of Defense’s second bug bounty challenge. The first, “Hack the Pentagon,” aimed to find vulnerabilities within the DoD’s public websites.

Carter said that the “Hack the Pentagon” pilot program only cost $150,000 in “bug bounties” for finding weaknesses in the DoD systems, whereas hiring contractors would have cost upwards of a million dollars.

Since the “Hack the Army” contest started, around $100k has been awarded in “bug bounties” to hackers, and more payments are still being processed.

The Army’s contest was the first time government employees had legal permission to participate, although without the monetary compensation awarded to private hackers.

“While bug bounties are a way for the DoD to tap into private sector talent, sometimes the rock stars are already within their ranks,” according to HackerOne.  “One of the researchers that participated is an Army Captain presently in school at Army’s Cyber Center of Excellence at Fort Gordon, Georgia.”

While the Pentagon and Army’s contests are over, HackerOne is still accepting reports of DoD vulnerabilities on their website.

© 2017 Bright Mountain Media, Inc.
