
Misconfigured Pentagon servers could have been exploited for cyberattack

A cybersecurity researcher has discovered a number of misconfigured servers belonging to the Department of Defense that could have left internal networks vulnerable to outsider access and attack.

According to Dan Tentler of Phobos Group, the misconfigured servers could in theory have been used to stage cyberattacks that would appear to be the work of United States actors, since traffic routed through them would originate from Department of Defense address space. No classified information could be accessed through these vulnerabilities, however.

“There were hosts that were discovered that had serious technical misconfiguration problems that could be easily abused by an attacker inside or outside of the country, who could want to implicate the U.S. as culprits in hacking attacks if they so desire,” Tentler told ZDNet.

Last year the Department of Defense launched its first bug bounty program. It allows accredited white-hat hackers to test some (but not all) of the Pentagon's public-facing systems for bugs. Participants are limited to the department's services on the defense.gov and .mil domains. The servers Tentler discovered fell within those domains.

Tentler said it was "very likely" that these servers had already been exploited. The Pentagon was reportedly made aware of the misconfigured servers eight months ago but has yet to fix them. Tentler reported the issues through HackerOne, the platform that operates bug bounty programs including the Pentagon's, but under the program's rules he is limited in what he can disclose publicly.

Tentler is critical of the cybersecurity preparedness of the Pentagon, and of the government in general. "The Pentagon has created a circumstance where the good guys can't find the problems because we're not allowed to scan, or go out of scope, or find things on our own," he said, while malicious actors can probe the same systems with no such restrictions.

Much has been made of how the Trump administration will handle cybersecurity. Tentler added that leaked plans to carry out cyber reviews of federal systems every 60 days "demonstrates a complete lack of understanding what the existing problems are."

Jonathan Keane
Former Digital Trends Contributor
Jonathan is a freelance technology journalist living in Dublin, Ireland. He's previously written for publications and sites…