Monday, May 21, 2018

Hacking The Pentagon

Today we’re going to talk about The Pentagon, the headquarters of the Department of Defense in the United States. About 23,000 military and civilian personnel work in the building, alongside some 3,000 support staff. The Pentagon is located in Arlington, Virginia. It is currently the largest office building in the world, and it is also one of the most heavily protected. Because it houses the United States Department of Defense, the government invests heavily in its security to safeguard the new technology projects kept there. But what would you say if they tried to hack their own systems?

In today’s interview, Lisa Wiswell of Grimm and HackerOne, a security lead with more than 10 years of experience in programming and cyberwarfare, talked about the program “Hack the Pentagon”.

As she explains in the interview: “Yeah. We hacked the Pentagon. We still are. I had gotten to a point where I’d been trying to throw the bowling ball through the window and hit the Pentagon and shake up the culture a fair amount. I’d spent a lot of years of my life on the offensive problem set, and I kept thinking, you can use the same set of people for defensive purposes too. I had thought about this for quite a few years. Microsoft had come out with the Bug Bounty program and we had been asking a lot of questions about that, straight to the Microsoft folks. It got to a point after — well, the OPM hack happened. I had a buddy who is a hacker for the government who called me up and said, ‘Liz, my information was just stolen too. Can you please just find some kind of legal way for me to jam on some of these other government systems?’”

That was the starting point for the program “Hack the Pentagon”. As Lisa explains: “Hack the Pentagon was initially a three-week long bug bounty where we allowed 1,187 people completely unaffiliated with the U.S. government to hack us. They signed up with a username, so the government didn’t even know who they were, but they signed up and told us – they committed to us that they would follow our instructions to a tee, and they did.” Her first worry was that this group of people might do something illegal, but none of them did; they trusted the program 100%.

Lisa’s goal, after a great deal of forensic analysis, was to share the findings and results as widely as possible so that the program would be completely transparent to the rest of the government: “I think one of the things that I did very well in terms of making this a successful ongoing program, is I wrote the hell out of everything afterwards. I would write after action reports. I would write a final report and I would push the information out as broadly as I could to make everybody in the government feel very comfortable about it, and they did, and now it’s an ongoing thing. We just announced that Hack the Defense Travel System is going to happen.”

Several more engagements have since run under the “Hack the Pentagon” umbrella: “We hacked the Army. We hacked the Air Force twice. It’s cool because we’ve got a good cadre of researchers across the globe who are looking for weaknesses in DoD systems, telling us what they are and providing recommendations to us on how to fix them. So when you do that, when you outsource basically two-thirds of the problem: discovery, disclosure and remediation are the three parts of the vulnerability life cycle. When you outsource two of those parts and you just let your work force focus on the remediation phase, suddenly you go from having vulnerabilities for months or years. In some cases, years from the time that you’ve known about the vulnerability to, in cases, days, weeks is the long time.”

The program “Hack the Pentagon” is a clear example of how effective an organization can be at finding vulnerabilities in its own systems. You must know your strengths, but it is more important to know your weaknesses, fix them, and not let attackers get in that easily.
