Over the course of six weeks, beginning in January 2021, a team of hackers described as top-tier military and civilian operatives targeted military assets belonging to the US Department of the Army and the US Defense Digital Service. These assets included a number of applications on army.mil and westpoint.edu. The operation was a success, and that is not a bad thing, because the hackers were participating in the third Hack the Army event held since 2016.
Hack the Army 3.0
Hack the Army 3.0 was a joint venture between the hacker-powered vulnerability discovery platform HackerOne and the two organizations named above. Inviting hackers onto your networks may seem like a bad idea, but it is actually quite the opposite.
You have to remember that while many cybercrimes involve hacking, that does not mean that all hackers are criminals. In this case, the hacker-driven event was part of a bug bounty program designed to uncover previously unknown vulnerabilities, ‘hidden from view’, so they can be fixed before adversaries can exploit them and weaken national security.
“Often when we see the term hacker, it is associated with illegal acts, and it is perhaps not surprising that much of the world’s attention has been focused on the negative behavior of illegal hacking,” says Luke Tucker, vice president of community at HackerOne. “However, we have challenged this notion and see hackers as a way of doing good.” And it certainly did good here.
102 critical or highly rated vulnerabilities found
While the team was smaller than the one we saw during the Hack the Army 2.0 event in 2019, the number of vulnerabilities found in 2021 was much higher. In 2019, a total of 146 vulnerabilities were validated, while 238 were identified by Hack the Army 3.0 operatives. Notably, 102 of them were rated high or critical and were designated for immediate remediation.
In return, more than $150,000 was awarded to civilian hackers as a reward for the security holes they discovered. The military operatives who participated were not entitled to such remuneration.
“Hack the Army does a tremendous job of exposing content and coding errors that our normal compliance-based scan had missed,” said Johann R. Wallace, chief of the Army Network Enterprise Technology Command’s compliance division.
An absolute wonder
Describing the event as “an absolute blast,” Wallace explained that automated tools can never replace the effectiveness of the human mind, our adaptability, and the special skill set it takes to follow the white rabbit.
The great diversity in both the thought process and attack methodologies within the research population is “crucial when simulating what real adversaries would do,” said Maya Kuang, army product manager for the Defense Digital Service. “The hacker community is pushing the limits of what we know in cybersecurity in each participation and does not hesitate to try different processes,” concluded Kuang.
It should be noted that, of course, all hackers who participated in Hack the Army 3.0 had passed a background check, as part of the HackerOne Clear program, before gaining access to military targets.
One of those hackers, who happened to be the top-ranked hacker for Hack the Army 3.0, is Corben Leo, also known as cdl. A 21-year-old computer science student at Dakota State University, cdl is already a Hack the Army veteran who also finished atop the leaderboard in the previous event. “I enjoy how great the range and responsiveness of the team is,” said cdl. “I feel like I can make a difference and improve the security of our military.”