Meet David Dworken, the teenager who hacked the Pentagon


Kid helps hack the Pentagon – sweet story.  http://www.csmonitor.com/World/Passcode/Security-culture/2016/0705/Meet-David-Dworken-the-teenager-who-hacked-the-Pentagon?mc_cid=d8c55afbde&mc_eid=a787bfae2a (reference).


Meet David Dworken, the teenager who hacked the Pentagon

Within 13 minutes of urging hackers to take their best shot at the Pentagon’s public websites, the US government’s first-ever bug bounty program had its first submission.

Just six hours later, hackers had already uncovered nearly 200 vulnerabilities in the Department of Defense's public websites.

Already a staple for companies such as Google and Facebook, the bug bounty program – which pays friendly hackers to do the sorts of things that recreational hackers might do for fun, and that criminals like to do for far more nefarious purposes – was so successful that Pentagon officials say that they are considering another bug bounty program for later this year. Other federal agencies, they add, would do well to follow their lead.

The chance to hack the feds drew a wide variety of comers, including David Dworken, 18, who has been a fan of bug bounty programs since middle school. He did it for the T-shirts initially.

“I probably spent about 20 hours on one because I thought they had a really cool t-shirt,” he says. “I thought it was pretty awesome that you could get free T-shirts in the mail.”

Mr. Dworken signed up for an account with HackerOne, a firm that runs bug bounty programs, and gravitated toward companies that offer “Hall of Fame” listings on their websites in lieu of cash for finding bugs.

On the Netflix website, for instance, Dworken found that he could create a URL “that could display and do whatever I wanted. I could send it to you and if you were signed into Netflix, I could steal your account information,” he says. “The fact that software engineers at Netflix are making sure that’s fixed is incredibly satisfying.”


As he got more experience, he moved on to companies such as Uber, where he’s earned $8,000 finding four bugs, “which is amazing,” Dworken says. “I do this because I think it’s the right thing to do, but I really started to get to the point where I made a good chunk of change.”

Then, as he was getting a lift to school with his dad one morning, he heard about a bug bounty on National Public Radio. “We always listen to NPR in the car,” he says. It didn’t take long for Dworken to set off on his most intriguing challenge to date: Hacking the Pentagon.

Not long after learning about the program, he received an email from HackerOne, which was running the Pentagon’s bug bounty. They wanted him to participate. “I was shocked, and unbelievably excited,” he said.

There was just one snag. His Advanced Placement exams were happening at the same time. So he quickly got to work, reporting “four or five vulnerabilities within the first 12 hours of it opening,” then got back to his studies.

“They were the standard web security vulnerabilities that are on pretty much any website unless they have a really good web security team – or a bug bounty,” he said.

While these sorts of vulnerabilities are “shockingly common overall,” the fact that they existed until recently on DOD websites was striking to Dworken. “Now, it’s raised the barrier to hacking into the Pentagon, which is absolutely an amazing thing,” he says. “This may sound cheesy, but it’s a way to serve my country from the comfort of my computer.”

Defense officials are counting on this kind of patriotic spirit, and the cachet of getting to hack, well, the Pentagon.

“A lot of hackers, like myself, will choose to help – and not just for the money, but for recognition. This is a historic program,” Katie Moussouris, currently an independent security consultant and former chief policy officer at HackerOne, told reporters in April. “The prestige of being part of the very first program for the US government is also a commodity in and of itself.”

And that saves the Pentagon money – the bug bounty pilot program cost $150,000.

“It’s not a small sum but if we had gone through the normal process of hiring an outside firm to do a security audit and vulnerability assessment, which is what we usually do, it would have cost us over $1 million,” said Defense Secretary Ash Carter.

By comparison, the DOD paid $5 million over three years to one vendor, which found fewer than 10 vulnerabilities.

These public bug bounty programs do not throw open the Pentagon’s flood gates to let hackers poke around its Secret Internet Protocol Router Network, or SIPRNet, or even the sensitive-but-unclassified Non-Secure Internet Protocol Router Network, or NIPRNet.

Instead, these are programs to sweep up the admittedly low-hanging fruit – a military recreation website listing where to rent canoes, for instance – that offers all too enticing opportunities for “embarrassment through defacement,” as defense officials put it. The Pentagon runs roughly 450 of these websites.

In total, 1,400 eligible ethical hackers – otherwise known as “white hats” – were invited to take part in the program, and more than 250 of them found and submitted at least one vulnerability. Of these, 138 were found to be “legitimate, unique, and eligible for a bounty,” said Secretary Carter.

Equally important, by allowing outside hackers to find holes and vulnerabilities, it frees up the US military’s own cyberspecialists “to spend more time fixing them than finding them,” Carter added. “The pilot showed us one way to streamline what we do to defend our networks and correct vulnerabilities more quickly.”

The highest individual bounty was $3,500; the average was $588. The top-earning hacker made $15,000.

Dworken didn’t make any actual money, since other bug bounty hackers had already discovered the vulnerabilities he reported. But the experience made for good public service and a considerable resume builder.

He also got a trip to the Pentagon to meet Carter. “I’d never been to the Pentagon, despite living in DC and driving past it 10,000 times.”

This fall, he is headed to Northeastern University in Boston to study computer science, with a focus on cybersecurity. Before that, though, he’s spending a month this summer hiking the Appalachian Trail by himself. During that time, he says, “I’m mostly checking out of technology.”


Chris Neudecker is letting you know about a Hackathon Event

The following info came from one of my professors. Great guy.
Hello Cyber Intel Warriors,
We (USF/MCPA with HCC) have been working on hosting a “Capture the Flag” event (and maybe others) at the Mil-OSS Hackathon this year at SOFIC in Tampa.
You can register individually or as a team for the Hackathon.
Some key dates/information:
21 Apr: Monthly Mil-OSS Meeting (3rd Thurs of each month)
When/Where: 5:30-8:00 pm; SOFWERX, 1320 East 9th Ave, Tampa
Why: Mil-OSS is a grass-roots organization that connects and empowers civilian and military software developers using, improving, and releasing Open Source Software (OSS) and hardware across the US DoD. OSS allows the DoD to improve software security, control development costs and increase innovation – all of which benefit the Warfighter.
21-22 May (Sat/Sun): Hackathon@SOFIC “Man-Machine Collaboration”
23-24 May (Mon/Tues): WG7@SOFIC “All About Open Source”
Tampa Location: SOFWERX
Registration: http://mil-oss.org/wg7-registration
Two offsite locations connected via VTC: Wright Brothers Institute and the Griffiss Institute
PLUS: several additional entities will contribute to the Hackathon environment including the Air Force Research Lab and GSA 18F
Hackathon organizers are seeking additional sponsors to cover expenses (T-shirts, food, etc.) with remaining funds donated to the Special Operations Warrior Foundation.
23-26 May: SOFIC 2016

2016 booth sales info is on the 2015 exhibits website
Select the upper left hand column “2016 SOFIC Information” tab.

Chris Neudecker talks about Mobile Security Threat Landscape

The following came from the site

CyberIntel Blog: White Paper Sneak Peek: 2016 Mobile Security Predictions


Today’s post is an excerpt of findings from our new white paper “Mobile Security Threat Landscape: Recent Trends and 2016 Outlook” where we discuss some of the top cyber threats from 2015 as well as an outlook for 2016 mobile security. 

As more people turn to their phones and other mobile devices, mobile applications are becoming a primary portal for interacting online. However, the more invested we become in mobility, the more we open ourselves up to new forms of intrusions from malicious actors.

As we move through 2016, here are what we see to be the top threats to the mobile security landscape this year.

The hacking of everything  

The Internet of Things (IoT) – networked devices that communicate with one another without human intervention – is growing, and fast. Analyst firm Gartner estimates that there will be almost 21 billion IoT devices by 2020, and market research firm IDC predicts 30 billion by that date. While the convenience of IoT is great, the reality is that threat actors are taking advantage of all these newly connected devices and hacking anything and everything connected to the Internet.

Apple devices will be hackers’ prime targets

In 2015, mobile hacking stories about newly found Android vulnerabilities dominated the news. However, as iOS adoption grows in 2016, we expect hackers to expand their focus to the Mac OS X and iOS platforms. Since the App Store’s launch, Apple has touted strong security; now, as attackers become more sophisticated, more malware and vulnerabilities are surfacing on Apple’s devices. Reports indicate that 2015 was the “most prolific year for Mac malware in history,” with five times as many malware instances as in 2010 through 2014 combined. Mac OS X and iOS also registered the most disclosed vulnerabilities of any platform in 2015, with 384 security flaws for OS X and 375 for iOS. One campaign in particular, XcodeGhost, spread through a tampered copy of Apple’s Xcode build tools, so that legitimate developers unknowingly shipped infected apps, as many as 4,000 of them; the injected code collected each device’s name, type, and universally unique identifier (UUID) and could present fake prompts to harvest passwords.

More mobile payment system vulnerabilities

In 2015, Apple Pay, Samsung Pay, and Android Pay continued to gain market share as consumers looked to their smartphones as a means of payment. Many of these systems, Apple Pay and Android Pay in particular, rely on near field communication (NFC): a short-range radio link, effective over a few centimeters, that lets a phone and a compatible payment terminal exchange data without an Internet connection. The hype around mobile payments has also brought consumer concern about the security of NFC-based systems to the fore.

Additionally, we provide a high-level overview of the current encryption debate.

Exploring the encryption debate

There has been substantial discussion about whether tech companies should be legally required to give law enforcement backdoor access to encrypted data. Events like the 2015 Paris terrorist attacks, where the attackers reportedly used end-to-end encrypted instant messaging services such as WhatsApp and Telegram, have emboldened calls for the companies that build these apps to cooperate voluntarily with law enforcement. However, end-to-end encryption protects data in transit (sometimes called data in motion), so that not even the service provider can read messages passing through its servers; it is only one part of the problem facing law enforcement, the other being encryption of data at rest on the device itself.

To read more about each of these trends, download our white paper, “Mobile Security Threat Landscape: Recent Trends and 2016 Outlook” here.

Contact us for more information on our mobile security solutions.

The post White Paper Sneak Peek: 2016 Mobile Security Predictions appeared first on Cyveillance Blog – The Cyber Intelligence Blog.

“Hack the Pentagon”


DoD announces “Hack the Pentagon” initiative
March 4, 2016 by Loren Blinde

The Department of Defense announced on March 2 that it will invite vetted hackers to test the department’s cybersecurity under a unique pilot program. The “Hack the Pentagon” initiative is the first cyber bug bounty program in the history of the federal government.

Under the pilot program, the department will use commercial sector crowdsourcing to allow qualified participants to conduct vulnerability identification and analysis on the department’s public webpages.  The bug bounty program is modeled after similar competitions conducted by some of the nation’s biggest companies to improve the security and delivery of networks, products, and digital services. The pilot marks the first in a series of programs designed to test and find vulnerabilities in the department’s applications, websites, and networks.

Participants in the bug bounty will be required to register and submit to a background check prior to any involvement with the pilot program.  Once vetted, these hackers will participate in a controlled, limited duration program that will allow them to identify vulnerabilities on a predetermined department system.  Other networks, including the department’s critical, mission-facing systems will not be part of the bug bounty pilot program.  Participants in the competition could be eligible for monetary awards and other recognition.

“I am always challenging our people to think outside the five-sided box that is the Pentagon,” said Secretary of Defense Ash Carter.  “Inviting responsible hackers to test our cybersecurity certainly meets that test.  I am confident this innovative initiative will strengthen our digital defenses and ultimately enhance our national security.”

The “Hack the Pentagon” initiative is being led by the department’s Defense Digital Service (DDS), launched by Secretary Carter last November.  The DDS, an arm of the White House’s dynamic cadre of technology experts at the U.S. Digital Service, includes a small team of engineers and data experts meant to improve the department’s technological agility.

“Bringing in the best talent, technology and processes from the private sector not only helps us deliver comprehensive, more secure solutions to the DoD, but it also helps us better protect our country,” said DDS Director and technology entrepreneur Chris Lynch.

This initiative is consistent with the administration’s Cybersecurity National Action Plan announced on February 9, which prioritizes near-term actions to improve our cyber defenses and codifies a long-term strategy to enhance cybersecurity across the U.S. government.

The pilot program will launch in April and the department will provide more details on requirements for participation and other ground rules in the coming weeks.

Source: DoD