Air Force cloud had 54 vulnerabilities before hackers found them

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

The Air Force’s online portal, which is the face to the hundreds of thousands of airmen who rely on the site for promotion announcements and other vital information, is vulnerable to attack.

At least it was.

Advertisement

Now it’s a little more secure after white-hat hackers found 54 vulnerabilities in the Air Force’s Cloud One. The environment uses Amazon Web Services and Microsoft Azure to host the Air Force portal and more than 100 other applications used by airmen every day.

The Air Force and the Defense Department’s Defense Digital Service teamed up to award $130,000 to coders who could find ways into the Air Force’s commercial cloud environment. The bug bounty challenge followed previous Hack the Air Force and Hack the Pentagon models by rewarding tech-savvy cyber buffs for finding vulnerabilities in the network.

The challenge lasted about three months from March to June. The most critical vulnerability found netted one hacker $20,000.

“The challenge was unique in a number of different ways,” said James Thomas, who is part of the Defense Digital Service’s Hack the Air Force portfolio. “The first phase was source code analysis, the second was AWS environment testing, third was Azure testing, four was a black box network authentication assessment, five was social engineering and six was the Air Force portal.”

Thomas said the Air Force wanted the challenge to be an internal and external event so the service could get a holistic assessment on the platform.

“That goes from the average user, the Joe Schmo on the internet, but also someone who has authentication on the environment, but maybe not privileged access, what can someone do from there?” Thomas said. “Even further, if I have privileged access, what can I access? Can I go to a segmented region in the platform other than common plane?”

Thomas said hackers found some configuration settings that were handy for developers, but lead to some issues from an insider threat perspective.

The Air Force remediated and retested the issues afterward.

The service and DoD worked with Bugcrowd, a cybersecurity company, to help find issues and researchers to test the system.

“We start off pretty early in the process figuring out the different trust requirements,” Casey Ellis, chief technology officer and founder of Bugcrowd said. “Then it starts to dig into the more technical side of it in terms of what the different environments consist of, what are the different products that might be deployed, what are the different languages and different kind of interfaces and really what is the technical nature of the attack surface overall? That’s the information we use to connect the right people with the right skills into the engagement.”

DoD and the military services are putting more stock into hackathon type contests in order to make their networks more secure.

Thomas said the contests bring a whole other world of knowledge that DoD cannot provide.

“We have our internal cyber protection teams, we have our internal intrusion detection systems and devices, we have network scanners and they work to the extent of what they work at, but we really are seeing a different shift in mentality,” Thomas said. “We are able to procure a crowdsource security model that really brings a huge surface area of knowledge that sometimes our internal teams don’t have because researchers are exposed to every type of industry imaginable.”

Copyright © 2019 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.