How secure are the websites and servers of the US military? According to an independent security researcher, who found several "serious" flaws in a bunch of .mil sites, the answer is "not so much."
The flaws show that the Department of Defense is failing to take care of basic cybersecurity, and that its public-facing sites and employee portals are still trivial to hack, according to experts.
According to the researcher, who goes by the name MLT, the worst vulnerability was in a subdomain of the website of the Defense Contract Management Agency, a military agency responsible for contract administration services. The bug essentially allowed hackers to trick the site into revealing the contents of a database containing personal information on DoD employees, such as employees' names and home addresses.
MLT didn't exploit the bug, but given the website it was on, and some data he was able to see without hacking the site, it seems like a malicious attacker could have abused it to steal very sensitive and personal data.
"I can't confirm that without actually exploiting it," MLT told me over an online chat. "But from the table names and the government warnings all over the site, I'd guess that's the kind of page that shouldn't be vulnerable to SQL injection."
SQL injection, or SQLi, is an extremely common but dangerous bug that allows hackers to trick websites into spilling database information. (For more on SQLi, read Motherboard's guide.) Despite being an ancient bug, and despite the fact that web developers should know how to prevent it, countless sites are vulnerable to it, and it still causes major breaches. The fact that a military site was vulnerable to it is certainly not good news.
"SQL injection in a military site is a very, very, very serious issue," Jim Manico, a board member of the Open Web Application Security Project, told Motherboard in an email. "It allows the attacker to steal all data from a database. It's not a good thing—at all—for such an easy to find and easy to fix problem to exist in a high risk site."
For MLT, the danger was that someone with less friendly intentions could have used this to get the personal information of DoD employees, who could then be targeted both on the internet and in real life.
"What if some blackhats found this vulnerability and exploited it, and are now in possession of the personal information of a bunch of DoD employees?" MLT wrote in a blog post. "Judging from those warnings on the index page, I expected them to take their site security at least somewhat seriously."
MLT reached out to Motherboard about this and other vulnerabilities at the end of November. After finding the flaws, MLT tried to report them to the Pentagon via email, but received no answer. That's when he reached out to me, hoping I could prod the Pentagon to fix the issues. At that point, I contacted a person who used to work at DoD, hoping he could convey the report to the right people.
My contact said he passed the report on, but didn't know whether the Pentagon acted on it. Several spokespeople for the Department of Defense and the Army did not respond to multiple requests for comment. In any case, the SQLi exploit on the Defense Contract Management Agency site was fixed around a week ago, according to MLT.
MLT found several other vulnerabilities, which he detailed in a blog post published on Monday.
One of the bugs allowed anyone to access a US Army server just by typing the right string of characters in a browser's URL bar. MLT also found a list of credentials in cleartext on a page within another Army website. One of the passwords was "mysecretpassword."
Lastly, the researcher also found around a dozen cross-site scripting, or XSS, vulnerabilities, which are also extremely common on the web. In fact, 80 percent of all sites have an XSS vulnerability, according to estimates from web security firm WhiteHat Security.
Given the US military's footprint on the web, and its outdated systems, "it is completely unsurprising that the military is vulnerable to all of these attacks," according to Robert Hansen, who works at WhiteHat Security. "Truthfully, I'm quite certain they are vulnerable to far more than what MLT found, even."
Still, "that should make every American and every ally nervous," he concluded.