5/6/2014
08:30 AM

Verizon Breach Report Puzzle Solved

A two-man team solves the Verizon Data Breach Investigations Report (DBIR) puzzle contest, which began with a cipher hidden on the cover page of the famed report.

Some people can't wait to get their hands on the annual Verizon Data Breach Investigations Report -- but not for the reasons you'd think. For security professionals like Alex Pinto and David Schuetz, it's all about finding the stealthy clue embedded in the cover of the breach report.

Pinto and Schuetz are this year's winners of the coveted Verizon DBIR Cover Challenge, which kicks off with the publication of the respected and oft-cited data breach report. It's a combination puzzle and virtual scavenger hunt that cipher and puzzle enthusiasts from the security industry clamor for each year when the report is published. It begins with a single clue found somewhere on the report's cover. The contest has been running for six of the DBIR's seven years.

The first clue this year was culled from text on the back cover written in JavaScript Object Notation, aka JSON, a data-interchange format, near text about the cover graphic, which ultimately led the contestants on a wild ride through various challenges -- and diversions -- to find subsequent clues to solve the puzzle. Much of the contest entailed finding clues on the fictitious and tongue-in-cheek Canada State University website created by the Verizon puzzle masters, where the contestants enrolled for classes, uploaded videos of themselves singing the Canada State U fight song, and ultimately pulled hidden clues from video clips and a simulated academic file.

Verizon's earlier contests were mainly cryptography challenges with blocks of cipher that contestants had to decrypt. But the contest has evolved over the years from a crypto focus to more of a mind-bending puzzler. "It's less about someone being an expert in cryptography as it is for someone who is really good at troubleshooting and solving problems... and being really good at puzzles," says Marc Spitler, co-author of the Verizon DBIR and the mastermind behind the cover challenge contest.

"We don't want it to be just for cryptographers [anymore]. We wanted to make it slightly different and open to information security generalists," says Spitler, a senior analyst for risk and intelligence for Verizon Enterprise Solutions.

More than five different teams and individual contestants participated in this year's contest, which begins and ends with the report's cover. "The puzzle typically has been linear, where you solve one thing and bread crumbs lead to another clue," Spitler says. But this year's contest included clues posted in Amazon reviews, Pastebin, a phone call to Verizon, YouTube videos, and the fake college website, which (aside from containing clues) was "chock full of ridiculous things, many of which had nothing to do with" the puzzle.

Schuetz and Pinto found that one of the tricks to solving the puzzle is to avoid getting sidetracked by the irrelevant material. Pinto says he initially missed one key clue because he listened to a simulated lecture video clip instead of viewing it. "I missed [the clues] the first time because I was not watching."

The clue, "victim.state=CA," actually flashed on the video player screen, so Pinto didn't see it the first time. Luckily, Schuetz, who did view the video, caught it. "It was a flashing neon sign... I knew this was what to go look for," he says.

Schuetz, a senior consultant with the Intrepidus Group, also got temporarily diverted by a file on the Canada State University site. "I got sidetracked... there was a sequence of 13 numbers at the bottom of the web pages, and I didn't know what to make of that. I spent a lot of time working on that. Eventually... someone tweeted something he'd seen and shared it with me -- a way to get to the webpage from an earlier clue I had completely skipped."

He and Pinto, who were acquaintances, started out as solo contestants but decided to team up after they each had gotten through the first two clues. It was getting tougher to go it alone. "We both got very frustrated," says Pinto, who is chief data scientist at MLSec Project.

The team approach helped the two maximize their resources. Schuetz was about to board a flight for Chicago for a security conference and was going to be off the grid one day during the contest, so Pinto took the reins and hacked away at the puzzle. "I decided to give what I [had found] to him, so he could work on it while I [was] on the plane," Schuetz recalls.

The two ultimately solved the puzzle in less than 20 hours, working mostly after hours. Both had some experience with the contest. Schuetz, who has some crypto expertise, won the Verizon cover contest two years ago and came in second place last year. Pinto started last year's contest but didn't finish it.

"I've done a lot of different puzzles, mostly at security conferences," Schuetz says. "It's a nice distraction. It helps to refresh your head, and changes your perspective... and exercises [other] parts of your brain."

[The new Verizon 2014 Data Breach Investigations Report identifies nine types of attack patterns that accounted for 93% of security incidents in the past decade. Read Stolen Passwords Used In Most Data Breaches here.]

Among the clues they discovered was a private encryption key planted in a GitHub repository by "a careless developer," as Spitler describes it, and they used the key to decrypt the Canada State U student file.

Pinto says he then agonized over just what this list of 138 students with their IDs, class grades, GPAs, and social insurance numbers meant. "I knew it probably had to do with sorting so it becomes a word." He tried sorting by grade, first name, middle initial, and other categories, but he got nowhere.

All the contestants at the time were struggling with that step, so Verizon threw out a hint that ultimately helped Pinto and Schuetz get to the next clue, which was "asset category = media."

"That opened it wide for us," Pinto says.

After a couple of other steps that further revealed the final answer, with the clues "action.physical.location = victim work area" as well as the video clue about the state of California being part of the answer, they found another piece of the puzzle. The phrase "actor=external" was written on a whiteboard in a screenshot in another lecture video.

The next clue was "small business only," and it was discovered by overlaying the DBIR cover with a fictional dinner menu for a Canada State University business school fundraiser. "We got an email from Verizon saying be sure you use one from GitHub that should be the same size. So [I said], ah, this should be a grill," Schuetz says.

(Source: Verizon)

They gleaned the final answer from Verizon's VERIS Community Database of publicly disclosed breach incidents. With the search variables they had found earlier in the puzzle, they narrowed the answer to two public breach incidents in California that occurred at small businesses, Vudu and Crescent Health. "They had an external actor steal media assets from the victim's work area," Spitler says.

Schuetz came away with a 3D printer for the win, and Pinto, with an iPad mini. The team of Mike Czumak, Andrij Kuzyszyn, and Will Pustorino finished in second place. Michael Oglesby, managing director and principal security consultant for True Digital Security, finished third. Czumak and Kuzyszyn are both security professionals from the healthcare industry.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Kelly Jackson Higgins,
User Rank: Strategist
5/6/2014 | 12:07:31 PM
Re: Creativity in security
I totally agree, Tim. What was also cool about this contest was how much fun the Verizon puzzle creators had putting it together, adding humor and some silly elements to keep the contestants entertained, too, while they did their work.
DarkReadingTim,
User Rank: Strategist
5/6/2014 | 11:52:59 AM
Creativity in security
The creativity of the security industry never ceases to amaze me. Whether it's contests like Verizon's or capture the flag competitions, security folk are some of the greatest problem-posers and problem-solvers in IT.