Cyber Week in Review: Bossier, Hack the Army and ImageMagick

Media Division | February 3, 2017

Some weeks our review covers the small or personal, such as the digital smear campaign of a celebrity, or an individual’s hacked Twitter account.  But other weeks we have to take a look at the bigger picture: a really big picture, on the scale of an army.

This is one of those weeks: where we look at some of the biggest news in the cyberverse this week and find it involves some of the biggest organizations in the digital and material world.

Busting into Bossier

In beautiful Bossier City, Louisiana sits a high tech infrastructure: the Cyber Innovation Center (CIC).  This 3,000 acre National Cyber Research Park, known in the digital arena as collaborative technology research and development facility, though remote, has its finger on the pulse of the cyber world.

Which is why, we suppose, Russians would want to attack a town in Louisiana with less than 70,000 occupants.

Reports out of Bossier City say they have evidence that the CIC has been under Russian (attempted) attack for years.  Foreign hackers may want digital data, classified information for blackmail purposes, or even to attempt to remotely shut down a power grid or activate a nuclear bomb.

So far, no such attempts have been successful, according to CIC personnel.  They have bigger problems: namely, getting enough young people interested in cyber security to have sufficient white hat hackers competing with the black hat hackers aiming their way.

Hack the Army (or the Pentagon)

Speaking of hackers, as you may already know, hacking can pay very well, and you don’t have to do anything criminal to go home with a payload.  In addition to a legit white hat hacking job, many companies offer cash prizes, known as bug bounties, for identifying vulnerabilities in their digital security.

Now the United States Army wants to play the digital game: and within just a few minutes of announcing their program, “Hack the Army” they had their first payout: a hacker was able to access an internal Department of Defense network, no password required, by following a vulnerability that began with a public-facing Army recruitment website.

Yikes!

Of course, the Army was thrilled to see the results so quickly.  Sort of.

Programs like Hack the Army and Hack the Pentagon provide cash incentive to do what criminals might do anyway: access classified information within these military systems.  Literally hundreds of vulnerabilities have been found this way, to date (each one quickly patched).

On the plus side, it’s like running a water test on your roof before in rains—who wouldn’t want that before certifying your roofing?

There may be some negatives, however:

• How does a population feel about government security when vulnerabilities are discovered, quickly and in large numbers?  Not the best PR campaign ever run.

• When a bug is found, are they really all getting reported with no harm done, or do you risk exposure to, even invite, criminal activity?  What’s to keep someone from discovering multiple vulnerabilities, but only turning in one?

• Major, major work—each vulnerability then needs to be analyzed and repaired, costing more than just the bounty payout, costing many employee hours (aka tax dollars, when you are talking about a government agency).

Private corporations have long sponsored bug bounty programs.  We’ll see if these military ones last.

Inside the Face of Facebook

Speaking of giant entities and also bug bounties, Facebook gave a major payout this week—$40,000, the largest to date.  The company has reportedly paid out $5 million in bug bounties over the past five years of the program.

In this case, the hacker, Andrew Leonov, was able to execute code remotely on Facebook servers using a flaw in ImageMagick, the tool used to resize, crop and tweak pictures on their program and many others.

The vulnerability let you use ImageMagick to upload malicious images that would then grant remote code execution.  Data exfiltration as well as other lateral movement were all possible, according to the bug report.

As usual, you know what that means: update your apps to be sure you have the latest patch.

It also means: in this digital age, not even the information protected by the largest army in the world is safe.  The safest bet: get your security as tight as the Cyber Innovation Center.  When we all get to that level, it will be a genuine innovation.

MEDIA DIVISION
Massive's Media Division publishes timely news and insights based on current events, trends, and actionable cross-industry expertise.