According to the anonymous hacker, cYbrg0D, last night’s lightshow at the Department of Foreign Affairs building in Washington, DC, was a hack of the building control system using a vulnerability he had reported to the Department’s vulnerability disclosure program. DFA refused to pay him for the reported vulnerability under the Department’s Bug Bounty program because the vulnerability did not affect an information system.
The lightshow last night at the building involved switching all of the lights on each of the fourteen floors on and off in a pattern that changed all night long. Government officials were only able to stop the lightshow early this morning by turning off the power to the building. Emergency systems are providing power to critical offices while system engineers are working to remove the malware that controls the lightshow.
John Jay, a spokesperson for the DFA, confirmed to reporters this morning that the Bug Bounty program did refuse to pay cYbrg0D for the reported vulnerability. “We are constrained by the congressional authorization for the program,” Jay explained. “The definition of information system used in the legislation authorizing the program clearly excluded operational control systems, such as the building management system that was apparently hacked last night.”
The hacker explained his point of view about the conflict with the Department of Foreign Affairs in a web page that was posted to the DFA web site. That page was taken down early this morning, just hours after it appeared on the site.
Junior Butts, a lawyer representing cYbrg0D, is in conversation with the Federal Bureau of Inquiry (FBI) about their interest in questioning the hacker. “My client is willing to cooperate with the Department in clearing the malware that is controlling the lighting system in exchange for acknowledgement that his vulnerability report should have been eligible for the bug bounty program,” Butts explained.
The Cybersecurity Agency is working with the DFA to resolve the control system security issue. “Technicians quickly found and removed the malware last night, but it reappears each time the system is restarted,” Ida Long, CSA spokesperson, explained. “It is apparent that cYbrg0D found more vulnerabilities than the one that he reported to the VDP.”
Johnathan Quest, spokesperson for the FBI, confirmed that the agency is looking to talk to cYbrg0D about the incident. “We have not yet sought an arrest warrant for the individual,” Quest explained. “At this point, we just want to talk to the hacker.”