The Ethical Hacker’s Mind For National Security

Most of the hackers I know from the circles I have traveled in started when they were still in grade school or college. Their journey began with simple experiments from their personal computers, poring over pirated ebooks and exclusive tutorials passed between trusted friends.


The great thing about being a hacker among an online family of hackers is the teachers - those brainiacs and information wizards who know multiple programming languages and could write exploits in their sleep.


These are the ones who could break into virtually anything connected to the internet, and design impenetrable defenses that dance around the industry’s most powerful tools. Most importantly, in keeping with one of the oldest principles of the hacker subculture, they liberated information for the education of others, so we could learn to be better at what we love to do.


Though some secrets had to be guarded closely, they disclosed them to those who they knew would be responsible with them, whether the teacher and their circle of friends had criminal ambitions or otherwise.


They put information in our heads that couldn’t be found on GitHub, Google, or even the dark web. This, in turn, evolved the way we solved problems because being a hacker never has been about having the ability to break into something.


Since the 1950s when phone phreaking was first stumbled upon, as phone hackers started learning how to traverse through Ma Bell’s telecommunications systems, to the present day, the art of hacking has always been defined by what a person knows, and how they came into the knowledge they possess.


Imagine what it took for these individuals to become masters. While it seems most hackers use scripts that other hackers wrote, they were the ones who could read source code as easily as reading an open book pulled from a shelf.


Ethical Hacker Gives Defense Department A Helping Hand

I have made a strong emphasis on knowledge and skills because there sometimes exists a profound disconnect between the skill sets of many in the cybersecurity industry and the extraordinary paths taken by advanced threat actors.


This has been a highly discussed topic among hackers for decades, where it is agreed that traditional qualifications have proven rather insufficient due to the lack of current resources being used in curriculums and textbooks. It could be said that our teachers are different than industry teachers.


For years, hackers have tried to offer a helping hand to various government agencies and military branches concerning vulnerabilities they try to address. While unauthorized vulnerability and port scanning aren't defined as illegal in the United States Criminal Code, they could bring on civil lawsuits and complaints to the Internet Service Provider. For this reason, the industry considers unauthorized scanning an unethical act.

It goes without saying why a rift has always existed between hackers and government agencies. But because of the current climate within the cybersecurity arena, this is finally starting to change. Having hackers help protect aspects of the national security cyberinfrastructure could prove to be a turning point in the fight against cybercriminals and Advanced Persistent Threat (APT) groups.


One such hacker named Matthew Telfer (MLT) is a security researcher and notable blackhat-turned-whitehat with advanced skillsets. Some time ago he became one of the very first individuals authorized by the United States Department of Defense (DoD) to assist in vulnerability disclosure, without being in the employ of the Department of Defense or working for them as a contractor.


This came at a time before the DoD launched their participation with the Bug Bounty Program on HackerOne and had yet to offer a Vulnerability Disclosure Policy (VDP), which made this a rare encounter at the time.


Most hackers will tell you that every time they try to connect with government agencies and military departments to report security issues, they are often met with resistance. This is largely due to a lack of trust.


Just because a hacker is trying to “report a security concern” doesn’t necessarily explain their intent or motive for doing so. This may also arise because said agency or department already has personnel responsible for maintaining security.


However, the hesitancy on the part of the hacker when it comes to collaborating with agencies is usually centered on the fear of self-incrimination, in addition to not wanting to be perceived as an opportunity to be used as a confidential informant.


In the end, it neither addresses the issues surrounding vulnerability disclosure nor makes it more accessible to hackers who are striving to bolster national security.


MLT had discovered a plethora of security issues affecting defense websites and tried to broach the concerns with the right security contacts, making a special emphasis on the absence of any vulnerability disclosure policy, which would have made collaboration easier. At the time of the discoveries, the US Department of Defense had not yet begun to participate in the Bug Bounty Program.


At the time, the DoD remained silent, while the security risks remained uncorrected. Ultimately, he reached out to a media contact to voice the concerns to the DoD on his behalf, which ostensibly set a fire under them and opened a dialogue. MLT said:


“I was welcome to test their assets and report my findings, as a 'trial-run' of sorts in regards to them handling triage for their upcoming program. This gave me the chance to become one of the very first (albeit brief - it was a 48-hour trial run) vuln hunters to be able to test on their program.”

Now that he had the DoD’s attention, he was given the authorization to perform his tests within a 48-hour period. Selecting what he believed would be a difficult target, he went to work on an asset belonging to the Defense Contract Management Agency (DCMA).


This defense agency is responsible for making sure that arms are delivered to the military, through a series of bidding contracts that correspond with arms dealerships across the globe.


Within a couple of minutes, he uncovered a subdomain using off-the-shelf enumeration programs, and, after manually entering some custom HTTP GET parameters, he triggered a critical server error that could have been escalated into revealing sensitive information stored on the server database.


In all, his tests encompassed dozens of military and defense servers, which revealed massively jaw-dropping security flaws. This was during an unprecedented time when the defense department didn’t recognize the dire necessity of entering into a collaboration agreement with members of the hacker community.


If this had been a story about a threat actor or APT group working with a foreign state, the conclusion of the matter would have been quite the opposite. This is why it is absolutely vital for the Bug Bounty Program to exist, and for agencies to make full use of the advanced skill sets offered by the hacking communities.


Together, we are building a more secure future, with every disclosed and fixed security flaw. This in turn becomes one less threat vector to be exploited by criminals and threat actors.


An article by

Jesse McGraw


Edited by

Ana Alexandre

