Pentagon system security flaws can be easily exploited by foreign hackers
Several misconfigured servers run by the US Department of Defense (DOD) could allow hackers easy access to internal government systems, a security researcher has warned.
The vulnerable systems could allow hackers or foreign actors to launch cyberattacks through the department's systems to make it look as though it originated from US networks.
Dan Tentler, founder of cybersecurity firm Phobos Group, who discovered the vulnerable hosts, warned the flaws are so easy to find that he believes he was probably not the first person to find them.
"It's very likely that these servers are being exploited in the wild," he told me on the phone.
While the Pentagon is said to be aware of the vulnerable servers, it has yet to implement any fixes -- more than eight months after the department was alerted.
It's a unique case that casts doubt on the effectiveness of the Trump administration's anticipated executive order on cybersecurity, which aims to review all federal systems for security issues and vulnerabilities over a 60-day period.
The draft order was leaked last week, but it was abruptly pulled minutes before it was expected to be signed on Tuesday.
Tentler, a critic of the plans, argued that the draft plans are "just not feasible."
"It's laughable that an order like this was drafted in the first place because it demonstrates a complete lack of understanding what the existing problems are," he said.
"The order will effectively demand a vulnerability assessment on the entire government, and they want it in 60 days? Just that one vulnerability finding from me... It's been months -- and they still haven't fixed it," he said.
In the past year, the Pentagon became the first government department to ease up on computer hacking laws by allowing researchers to find and report bugs and flaws in systems in exchange for financial rewards.
But security researchers like Tentler are still limited in how much they can poke around the military's public-facing systems.
The DOD's official bug bounty governs the scope of what networks researchers can access. Researchers must limit their testing to two domains -- "defense.gov" (and its subdomains) and any ".mil" subdomain.
In an effort to pare down the list of hosts from "all public Department of Defense hosts" to "only the ones in scope," Tentler was able to identify several hosts that answered to the domain names in scope.
"There were hosts that were discovered that had serious technical misconfiguration problems that could be easily abused by an attacker inside or outside of the country, who could want to implicate the US as culprits in hacking attacks if they so desire," he told me.
"The flaw could allow politically motivated attacks that could implicate the US," he added.
In other words, a foreign hacker or nation-state attacker could launch a cyberattack and make it look like it came from the Pentagon's systems.
Tentler explained the issue over the phone, but the rules of the bug bounty prohibit him from publicly disclosing "any details of the vulnerability... except upon receiving explicit written authorization" from the Pentagon.
The vulnerable servers were immediately reported to HackerOne, which facilitates the bug bounty, but the report was rejected as the servers were "out of scope."
Tentler argued that the hosts were covered by the scope of the wildcard domains. But while hosts were said to be "misconfigured," effectively proving his point, the bug report was dismissed out of hand.
A Pentagon spokesperson confirmed Tuesday that the vulnerabilities had been fixed, and encouraged researchers to continue to submit bugs and vulnerabilities, which are covered under the Pentagon's vulnerability disclosure policy.
Careful not to step over the line into illegality by violating computer hacking laws, Tentler said that his presumed level of access, if obtained by a malicious actor, could have resulted in a data breach on the scale of the Office of Personnel Management (OPM) breach last year, which led to the theft of over 22 million personnel records.
"It could've been OPM, but for the Marine Corps," he said.
Tentler didn't speculate on what other systems or data could have been accessed on the network, but put the vulnerabilities in proportion.
"It's bad, but it's not like I could control weapon systems," he said.
"The Pentagon's networks may have personal or personnel files, but it's not anything as classified as other networks," he said, referencing SIPRNET, a highly classified government network.
How companies and governments handle vulnerability reports can say a lot.
Tentler said that the government's approach to cybersecurity was outdated and would inevitably cause problems down the line.
He argued that the government's obsession with compliance to appease lawmakers and auditors alike is lazy, and it doesn't fundamentally make the systems any more secure. His security firm, which has a business interest in penetration testing and red-teaming, preaches that best practices and security compliance tend to be bare-minimum efforts and should not dictate how security operates.
"The reason [the attack on] OPM happened is because people didn't care about security. People did the barest minimum. And even when people aren't qualified, they refuse to let qualified people in, and they don't want to admit they have problems," he said.
Other government departments, he said, are heading in the same direction.
"The Pentagon has created a circumstance where the good guys can't find the problems because we're not allowed to scan, or go out of scope, or find things on our own," he said. "But the bad guys can scan whatever they want, for as long as they want, and exploit whatever they feel like."
"Well, Russia and China don't care," he added. "You can bet they're scanning those networks."
Updated on February 7: with comment from Pentagon.