Threat Intelligence

5/12/2016
02:55 PM

Verizon DBIR Puzzler Solved With Meghan Trainor And Cyber Pathogens

All about that puzzler's paradise that is the 2016 Annual Verizon Data Breach Investigations Report cover contest.

Meghan Trainor’s voice on the other end of the line was the first sign of real progress.

Matt Johansen, the winner of this year’s annual Verizon Data Breach Investigations Report (DBIR) Cover Challenge, nervously dialed the 800 number, hoping he wasn’t waking up an innocent bystander. He had pieced together the phone number from a puzzle he printed and cut into pieces and assembled on his kitchen counter.

“I called at 11 pm, hoping I got it right. Then I heard the voicemail [greeting] with Meghan Trainor singing that ‘All About That Bass’ song,” he says. “I had spent how many hours [on the puzzle] and now I was listening to that song.”

The song confirmed the key code he had needed to solve this one of four different puzzles required for the contest: “allaboutthebase,” a reference to the base rate in statistics parlance.

“I was getting a good laugh at how far I was going, my wife and I standing in the kitchen and messing with pieces of paper cut out, and rotating [the pieces] in different positions to try to figure out the puzzle,” says Johansen, who also drew from a couple of hints provided on the puzzler website. 

Source: Verizon

That was just about the time that Verizon’s cover contest -- a combination puzzle, cipher, and virtual scavenger hunt -- got a lot harder to solve. Johansen, who is director of security for Honest Dollar, says he got his first two clues off the DBIR cover, which wasn’t too difficult to decode. “A lot of the early ones were less technical, to get the ball rolling,” he notes. He also gobbled up veiled hints that the Verizon team occasionally tweeted to contestants.

Each year, there are stories of fits and starts with the puzzler, when contestants pursue for hours or days a clue that is actually a dead end. Or like Johansen, they inadvertently waste time by pursuing too many flags: he at first tried to solve all nine puzzles in the game when in fact you only needed to solve four. (A delicate hint via Twitter from the Verizon team got him back on track.) Verizon had also placed a red herring on the cover -- a set of phony Roman numerals under the pyramid image that, when decoded, basically told the contestant to "go play golf."

Source: Verizon

“It was a red herring for them...we figured it would be the first place people would go,” says Gabe Bassett, senior information security data scientist, Verizon Enterprise Solutions, a member of the team of 10 puzzle-masters made up of Verizon employees and the two previous puzzle winners, Alex Pinto and David Schuetz.

But a Morse code puzzle on the cover page led Johansen to embedded text on the back page of the report. By putting together extra characters from text on the back page, contestants were led to a “pathogen page” and then ultimately to the puzzler website, a fictional site called “Global Cyber CDC,” where people “report” so-called “cyber-pathogens” to the satiric Center for Disease Control. The tongue-in-cheek site explains:

WELCOME TO THE GLOBAL CYBER CENTERS 
FOR DISEASE CONTROL. TO REPORT AN EMERGING CYBER
PATHOGEN, PLEASE ENTER IT'S CORE AI HERE

THE GLOBAL CYBER CDC WORKS 25/6 TO PROTECT
THE WORLD FROM HEALTH, SAFETY AND SECURITY 
THREATS, BOTH INTERPLANETARY AND ON THE EARTH.

There’s also a list of nine “retired cyber pathologists,” which represent the nine core puzzles, including personas such as Colonel Henry J. Haberdasher, Dr. Rob Bootis, Sir Baskart William, and Dr. Pedro Tipton.

‘Cyber Pathology’ For The Win

Verizon’s Bassett says the idea for “cyberpathology” came from a friend’s LinkedIn profile. “One of our friends had ‘cyber pathologist’ on his LinkedIn ... So we wondered what would happen if cyber pathologists” were real and what would their story be? he says.

“So we incorporated other data science people we knew and gave them all roles as cyber pathologists,” he says. The goal was to provide various non-linear paths to solve each step of the puzzle, and to keep it accessible to non-cipher experts as well: one of the first steps is a crossword puzzle, a relatively simple one to solve, he says. There was also a complex dataset puzzle that no one was able to crack.

“We had all different types of puzzles so no single skillset had an advantage,” he says.

“You needed at least four pathologists'” steps completed in order to get to the final solution, he says, and the goal was to make it solvable in about three days. 

Verizon also had to ensure the contest wasn’t easily hackable.

Bassett says the puzzler team built the infrastructure with that in mind. “The ‘CDC’ was a static webpage ... and is written in Python and Pelican and saved to Amazon S3 so no dynamic stuff [can occur] and so hackers couldn’t attack and dump the database or anything,” he says. “The .ai site where we got feedback [from contestants] was a bit different in that it had to be dynamic ... Ultimately, if you knew the location of certain files, you could download them, but we monitored” the traffic, he says. That site ran on Heroku’s cloud-based platform.

“If you can beat a puzzle a different way and not be caught, you deserve props for your ingenuity.”

Johansen, who worked on the puzzle after-hours, finished it in about 6 ½ days and won a telescope for his first-place prize. Among other flags, he also cracked a haiku challenge. “I’d never done poem code before,” he says. “I spent an embarrassing amount of time” cracking it, he says. “That was my favorite one.”

The puzzler isn’t for the faint of heart, nor the impatient. In one breath, the finalists were lauding it for the twists and turns and challenges—punctuated by the thrill of getting to the next flag. In the next, they were lamenting the fact that it’s not your father’s crossword puzzle: “It was a giant pain in the ass,” quips Bryan Schuetz, who took home the second-place prize, and blogged about how he cracked the puzzler.

Matthew Keyser, who came in third, also blogged about his experience.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
