Pentagon uses crowd to plug security gaps


By Dylan Bushell-Embling
Thursday, 16 February, 2017

A team of around 80 ethical hackers have uncovered critical vulnerabilities in the US Department of Defense’s critical systems as part of the ongoing Hack the Pentagon program.

The hackers, vetted and led by crowdsourced penetration testing and bug bounty company Synack, carried out vulnerability testing on a simulated version of the mechanism Defense uses to send sensitive emails, documents and images between networks.

In a blog post, Synack co-founder and CTO Mark Kuhr said that within a matter of hours of commencing work on the project, the team was uncovering and reporting critical vulnerabilities.

The exercise forms part of a three-year, $4 million contract awarded to Synack by Defense in September last year to carry out bug bounty tracking across the Pentagon. The team consisted of security researchers from the US, as well as Australia, Canada and the UK.

“When Jay [Kaplan, co-founder of Synack] and I were at the NSA, we saw firsthand that adversaries were swimming through our networks with ease. In many cases, they used known vulnerabilities as their points of entry, but in others they leveraged common vulnerabilities that should have been discovered by a testing team,” Kuhr wrote.

“Traditional solutions leave undiscovered vulnerabilities on the table. We knew that if we united a crowd of talented security researchers, and enabled them with proprietary vulnerability intelligence technology, we could provide an adversarial perspective on a system’s security that would uncover those ‘unknown’ vulnerabilities.”

He said the project highlights growing awareness of the value of crowdsourcing for finding and addressing vulnerabilities.

“With even the most sophisticated security organisations like the Pentagon realising the value of crowd security intelligence, we know that we are on the brink of disruption,” Kuhr said. “We cannot wait to see what comes next.”

Image courtesy of gregwest98 under CC


  • All content Copyright © 2025 Westwick-Farrow Pty Ltd