FCW : November and December 2016
HOW DOD EMBRACED BUG BOUNTIES — AND HOW YOUR AGENCY CAN, TOO

Hack the Pentagon proved to Defense Department officials that outside hackers can be assets, not adversaries

BY SARAH LAI STIRLAND

It was a Tuesday in April, and Mark Litchfield was poking around the Defense Department’s Defense Video Imagery Distribution System, looking for security holes. It didn’t take him long to find one.

He soon uncovered a vulnerability known as a blind persistent cross-site script. It could enable any maliciously minded hacker to log in as a site administrator and broadcast whatever content he or she wanted from the DVIDS website, which is the primary way the U.S. military keeps the public informed about its activities around the world. The hacker could also have accessed the email messages of the registered users of DVIDS.

“As you can imagine, [Islamic State militants], if they had launched that kind of attack, they would have had a field day if they could upload whatever they wanted onto a website that’s run by the military,” Litchfield said.

Such propaganda risks are hardly hypothetical; last year, Islamic State sympathizers hacked into U.S. Central Command’s Twitter feed and YouTube accounts.

Luckily it was Litchfield, a security researcher and entrepreneur, who discovered the vulnerability — and he did so at DOD’s invitation.

Had he discovered the problem under regular circumstances, it would not have been clear what he could do about it. Like most other websites, DVIDS does not provide explicit instructions on how to responsibly report problems. Instead, in the “Privacy and Security” section, DOD threatens prosecution for any unauthorized attempts to upload or change the information provided by DVIDS.

But Litchfield was able to report the problem — and 35 others — without fear of prosecution because he was participat-