Anthropic and the Pentagon
OpenAI is in and Anthropic is out as a supplier of AI technology for the US defense department. This news caps a week of bluster by the highest officials in the US government towards some of the wealthiest titans of the big tech industry, and the overhanging specter of the existential risks posed...
Defense Department Scrambles to Pretend It’s Called the War Department
President Donald Trump said the so-called Department of War branding is to counter the “woke” Department of Defense name...
Another Supply Chain Vulnerability
ProPublica is reporting: Microsoft is using engineers in China to help maintain the Defense Department's computer systems--with minimal supervision by U.S. personnel--leaving some of the nation's most sensitive data vulnerable to hacking from its leading cyber adversary, a ProPublica investigatio...
U.S. Dept Of Defense: Reflected XSS via user Parameter on getconfig.esp Endpoint
A reflected Cross-Site Scripting (XSS) vulnerability was discovered in the /ssl-vpn/getconfig.esp endpoint, where user input in the 'user' parameter was not properly sanitized and allowed the injection of arbitrary JavaScript. This could have enabled remote attackers to execute malicious scripts in...
U.S. Dept Of Defense: Restrict any user from Login to their account
A security vulnerability was discovered where an attacker could change their email address to the victim's email, effectively restricting the victim from accessing their account. The vulnerability stemmed from improper authentication on the "Update Profile" functionality of the website...
U.S. Dept Of Defense: Pull Any Automated Record Brief
The vulnerability allows an authenticated user to request other soldiers' Automated Record Briefs (ARBs) or Officer Record Briefs (ORBs) by manipulating the URL. The URL contained an identifier that could be incrementally changed to access the records of other individuals. This vulnerability exposed...
U.S. Dept Of Defense: ███ on https://████ enable ███ scraping, injection, stored XSS
Summary: An open ████████ at the ████████ system enables quick and easy scraping of ███ without authentication or authorization. Description: The █████ includes an open set of ██████ endpoints at https://██████████. Any individual can execute requests on these endpoints without authorization or...
Examining the US Cyber Budget
Jason Healey takes a detailed look at the US federal cybersecurity budget and reaches an important conclusion: the US keeps saying that we need to prioritize defense, but in fact we prioritize attack. To its credit, this budget does reveal an overall growth in cybersecurity funding of about 5...
U.S. Dept Of Defense: [CVE-2018-0296] Cisco VPN path traversal on the https://1████████ (https://████████.███.████████/)
The Cisco VPN vulnerability CVE-2018-0296 was discovered, which allowed an unauthenticated attacker to perform path traversal and disclose sensitive information such as VPN sessions and files. The issue was addressed by updating to a patched version, which returned a 404 "File not found" error...
U.S. Dept Of Defense: Authentication bypass and RCE on the https://████ due to exposed Cisco TelePresence SX80 with default credentials
Description: Hello. I was able to identify a Cisco TelePresence SX80 device located at https://█████. According to the IP info: https://ipinfo.io/████████ it belongs to ASN with ID ███████, so it's likely in scope of the program. The mentioned instance has default credentials ████. POC: https://█████...
Hack'em If You Can — U.S. Air Force launches Bug Bounty Program
With the growing number of data breaches and cyber attacks, a significant number of companies and organizations have started Bug Bounty programs for encouraging hackers and bug hunters to find and responsibly report vulnerabilities in their services and get rewarded. Now, following the success of...
Risk of Election Day Cyberattacks Low According To Cyber Chatter
Security experts monitoring cyber-chatter for virtual and real-world threats against U.S. Election Day targets say so far, so good. They don’t believe there will be a cyberattack or al-Qaeda terror attack come Election Day. That’s not to say the U.S. government isn’t ready for the worst. The White...
Domain Creep? Maybe Not.
I just read a very interesting article by Sydney Freedberg titled DoD CIO Says Spectrum May Become Warfighting Domain. That basically summarizes what you need to know, but here's a bit more from the article: Pentagon officials are drafting new policy that would officially recognize the...
5.6 Million Federal Employees' Fingerprints Stolen in OPM Hack
The OPM (Office of Personnel Management) data breach is getting even worse than we thought. We already know more than 21 million current and former federal employees had their personal and highly sensitive private information hijacked in a massive data breach that affected the Defense Department's OPM...
NSA Official: Support for Compromised Dual EC Algorithm Was 'Regrettable'
In a new article in an academic math journal, the NSA’s former director of research says that the agency’s decision not to withdraw its support of the Dual EC DRBG random number generator after security researchers found weaknesses in it and questioned its provenance was a “regrettable” choice...
Cyber 9/11, cyber doomsday...between fear and need for action
It’s no mystery that every nation is worried about the security of its infrastructure; the United States is among the most concerned governments, due to the high number of cyber-attacks against its networks. US government representatives such as former US Secretary of Defense Leon Panetta and...
Pentagon boosts contractor cybersecurity program
The US Defense Department invited all of its eligible contractors on Friday to join a previously restricted information-sharing pact aimed at guarding sensitive Pentagon program data stored on private computer networks. The Pentagon predicts that a...
Top Government Security Officials Call For Secure OS Development
WASHINGTON–One of the keys to addressing the widespread security threats facing both private and government networks is to develop more secure operating systems from the ground up and not rely on trying to secure existing ones, top CIA and Pentagon information assurance officials said. The federa...
Pentagon launches "Cyber Fast Track" program to fund hacker innovation
Peiter Zatko, a hacker known as Mudge who is now at the Defense Advanced Research Projects Agency, said he joined the Pentagon's research arm to try and build bridges between the government's cybersecurity needs and hackers...
Titan Rain
Hacks against the Defense Department and other U.S. agencies stretching back to 2003 were codenamed Titan Rain by investigators. The attacks, which breached hundreds of networks, including Departments of State, Energy and Homeland Security, were coordinated from Chinese computers, investigators...