Attacks/Breaches
5/6/2014
08:30 AM
Verizon Breach Report Puzzle Solved

A two-man team solves the Verizon Data Breach Investigations Report (DBIR) puzzle contest, which began with a cipher hidden on the cover page of the famed report.

Some people can't wait to get their hands on the annual Verizon Data Breach Investigations Report -- but not for the reasons you'd think. For security professionals like Alex Pinto and David Schuetz, it's all about finding the stealthy clue embedded in the cover of the breach report.

Pinto and Schuetz are this year's winners of the coveted Verizon DBIR Cover Challenge, which kicks off with the publication of the respected and oft-cited data breach report. It's a combination puzzle and virtual scavenger hunt that cipher and puzzle enthusiasts from the security industry clamor for each year when the report gets published. It begins with a single clue found somewhere on the report's cover. The contest has been running for six of the DBIR's seven years.

The first clue this year was hidden in text on the back cover written in JavaScript Object Notation (JSON), a data-interchange format, near text about the cover graphic. That clue sent the contestants on a wild ride through various challenges -- and diversions -- to find the subsequent clues needed to solve the puzzle. Much of the contest entailed finding clues on the fictitious and tongue-in-cheek Canada State University website created by the Verizon puzzle masters, where the contestants enrolled for classes, uploaded videos of themselves singing the Canada State U fight song, and ultimately pulled hidden clues from video clips and a simulated academic file.

Verizon's earlier contests were mainly cryptography challenges with blocks of cipher that contestants had to decrypt. But the contest has evolved over the years from a crypto focus to more of a mind-bending puzzler. "It's less about someone being an expert in cryptography as it is for someone who is really good at troubleshooting and solving problems... and being really good at puzzles," says Marc Spitler, co-author of the Verizon DBIR and the mastermind behind the cover challenge contest.

"We don't want it to be just for cryptographers [anymore]. We wanted to make it slightly different and open to information security generalists," says Spitler, a senior analyst for risk and intelligence for Verizon Enterprise Solutions.

More than five different teams and individual contestants participated in this year's contest, which begins and ends with the report's cover. "The puzzle typically has been linear, where you solve one thing and bread crumbs lead to another clue," Spitler says. But this year's contest included clues posted in Amazon reviews, Pastebin, a phone call to Verizon, YouTube videos, and the fake college website, which (aside from containing clues) was "chock full of ridiculous things, many of which had nothing to do with" the puzzle.

Schuetz and Pinto found that one of the tricks to solving the puzzle is to avoid getting sidetracked by the irrelevant material. Pinto says he initially missed one key clue because he listened to a simulated lecture video clip instead of viewing it. "I missed [the clues] the first time because I was not watching."

The clue, "victim.state=CA," actually flashed on the video player screen, so Pinto didn't see it the first time. Luckily, Schuetz, who did view the video, caught it. "It was a flashing neon sign... I knew this was what to go look for," he says.

Schuetz, a senior consultant with the Intrepidus Group, also got temporarily diverted by a file on the Canada State University site. "I got sidetracked... there was a sequence of 13 numbers at the bottom of the web pages, and I didn't know what to make of that. I spent a lot of time working on that. Eventually... someone tweeted something he'd seen and shared it with me -- a way to get to the webpage from an earlier clue I had completely skipped."

He and Pinto, who were acquaintances, started out as solo contestants but decided to team up after they each had gotten through the first two clues. It was getting tougher to go it alone. "We both got very frustrated," says Pinto, who is chief data scientist at MLSec Project.

The team approach helped the two maximize their resources. Schuetz was about to board a flight for Chicago for a security conference and was going to be off the grid one day during the contest, so Pinto took the reins and hacked away at the puzzle. "I decided to give what I [had found] to him, so he could work on it while I [was] on the plane," Schuetz recalls.

The two ultimately solved the puzzle in less than 20 hours, working mostly after hours. Both had some experience with the contest. Schuetz, who has some crypto expertise, won the Verizon cover contest two years ago and came in second place last year. Pinto started last year's contest but didn't finish it.

"I've done a lot of different puzzles, mostly at security conferences," Schuetz says. "It's a nice distraction. It helps to refresh your head, and changes your perspective... and exercises [other] parts of your brain."

[The new Verizon 2014 Data Breach Investigations Report identifies nine types of attack patterns that accounted for 93% of security incidents in the past decade. Read Stolen Passwords Used In Most Data Breaches here.]

Among the clues they discovered was a private encryption key planted in a GitHub repository by "a careless developer," as Spitler describes it, and they used the key to decrypt the Canada State U student file.

Pinto says he then agonized over just what this list of 138 students with their IDs, class grades, GPAs, and social insurance numbers meant. "I knew it probably had to do with sorting so it becomes a word." He tried sorting by grade, first name, middle initial, and other categories, but he got nowhere.

All the contestants at the time were struggling with that step, so Verizon threw out a hint that ultimately helped Pinto and Schuetz get to the next clue, which was "asset category = media."

"That opened it wide for us," Pinto says.

A couple of further steps added more pieces of the final answer: the clue "action.physical.location = victim work area," the video clue establishing the state of California as part of the answer, and then the phrase "actor=external," which was written on a whiteboard in a screenshot in another lecture video.

The next clue was "small business only," and it was discovered by overlaying the DBIR cover with a fictional dinner menu for a Canada State University business school fundraiser. "We got an email from Verizon saying be sure you use one from GitHub that should be the same size. So [I said], ah, this should be a grill," Schuetz says.

(Source: Verizon)

They gleaned the final answer from Verizon's VERIS Community Database of publicly disclosed breach incidents. With the search variables they had found earlier in the puzzle, they narrowed the answer to two public breach incidents in California that occurred at small businesses, Vudu and Crescent Health. "They had an external actor steal media assets from the victim's work area," Spitler says.
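The final narrowing step described above, written as a filter over VERIS-style incident records, is an added example and not code from the article or from Verizon. The field layout (victim.state, victim.employee_count, actor.external, action.physical.location, asset.assets[].variety), the "M - " media prefix and the small-organization buckets are my assumptions about the VERIS schema, and every record below is constructed rather than copied from the real VCDB.

```python
# Filter VERIS-style incident records by the DBIR cover-challenge clues.
# Assumption: field layout (victim.state, victim.employee_count, actor.external,
# action.physical.location, asset.assets[].variety) follows the VERIS schema as
# I understand it; the records below are constructed, not real VCDB entries.

CLUE_STATE = "CA"                     # victim.state = CA
CLUE_LOCATION = "Victim work area"    # action.physical.location = victim work area
MEDIA_PREFIX = "M - "                 # assumption: VERIS media asset varieties start "M - "
SMALL_ORG = {"1 to 10", "11 to 100", "101 to 1000", "Small"}  # assumption: small-org buckets


def matches_clues(rec):
    """True when a record satisfies every clue recovered in the puzzle."""
    victim = rec.get("victim", {})
    if victim.get("state") != CLUE_STATE:
        return False
    if victim.get("employee_count") not in SMALL_ORG:      # small business only
        return False
    if "external" not in rec.get("actor", {}):              # actor = external
        return False
    physical = rec.get("action", {}).get("physical", {})
    if CLUE_LOCATION not in physical.get("location", []):   # physical theft at work area
        return False
    assets = rec.get("asset", {}).get("assets", [])         # asset category = media
    return any(a.get("variety", "").startswith(MEDIA_PREFIX) for a in assets)


def find_matches(records):
    """Victim ids of all records matching the full clue set, in input order."""
    return [r["victim"]["victim_id"] for r in records if matches_clues(r)]


def _rec(vid, state, size, action, asset_variety):
    """Build a constructed VERIS-like record with an external actor."""
    return {"victim": {"victim_id": vid, "state": state, "employee_count": size},
            "actor": {"external": {"variety": ["Unknown"]}},
            "action": action,
            "asset": {"assets": [{"variety": asset_variety}]}}


THEFT = {"physical": {"variety": ["Theft"], "location": ["Victim work area"]}}
HACK = {"hacking": {"variety": ["SQLi"], "vector": ["Web application"]}}

# Constructed sample set: the two victim names the article reports, with
# invented details, plus decoys that each fail exactly one clue.
SAMPLE_RECORDS = [
    _rec("Vudu", "CA", "101 to 1000", THEFT, "M - Disk drive"),
    _rec("Crescent Health", "CA", "11 to 100", THEFT, "M - Documents"),
    _rec("decoy-wrong-state", "NY", "11 to 100", THEFT, "M - Tapes"),
    _rec("decoy-large-org", "CA", "1001 to 10000", THEFT, "M - Tapes"),
    _rec("decoy-server-hack", "CA", "11 to 100", HACK, "S - Web application"),
]
```

Calling `find_matches(SAMPLE_RECORDS)` returns only the two constructed records that satisfy all five clues, mirroring how the team narrowed the real database to two incidents.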

Schuetz came away with a 3D printer for the win, and Pinto, with an iPad mini. The team of Mike Czumak, Andrij Kuzyszyn, and Will Pustorino finished in second place. Michael Oglesby, managing director and principal security consultant for True Digital Security, finished third. Czumak and Kuzyszyn are both security professionals from the healthcare industry.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Kelly Jackson Higgins,
User Rank: Strategist
5/6/2014 | 12:07:31 PM
Re: Creativity in security
I totally agree, Tim. What was also cool about this contest was how much fun the Verizon puzzle creators had putting it together, adding humor and some silly elements to keep the contestants entertained, too, while they did their work.
DarkReadingTim,
User Rank: Strategist
5/6/2014 | 11:52:59 AM
Creativity in security
The creativity of the security industry never ceases to amaze me. Whether it's contests like Verizon's or capture the flag competitions, security folk are some of the greatest problem-posers and problem-solvers in IT.