Dark Reading is part of the Informa Tech Division of Informa PLC

5/12/2015
05:00 PM
Verizon 2015 Data Breach Cover Puzzler Solved: Defending Champs Win

The 2015 DBIR Cover Challenge is as highly anticipated by some as the DBIR report itself.

Every year, cipher and puzzler enthusiasts clamor to get a first look at the cover of the much-anticipated Verizon Data Breach Investigations Report (DBIR):  that's right, the cover.

That's because for the past seven years, Verizon has included the first clue in its DBIR Cover Challenge contest, a combination puzzle and virtual scavenger hunt camouflaged somewhere on the cover of the renowned report that offers fresh data on just what's going on hack- and breach-wise out in the world. While last year's contest's first clue featured text written in the JavaScript Object Notation (JSON) data-interchange format, this year's contest was more of a throwback to earlier days in the contest that focused on the cover design itself hosting the first clue.

"Instead of having a block of text hidden in the cover, we were able to bring in actual artwork and design back to the cover," says Marc Spitler, one of the masterminds of the contest and a co-author of the DBIR.

The front cover basically extends to the back cover, with wrap-around lines. The lines on the front cover offer a graphical representation of attack trends in specific vertical industries based on data from the report, and the lines wrap to the back cover, where there are small up-and-down arrows representing binary numbers. The down arrows represent 0, and the up arrows, 1, Spitler says.

"We anticipated this would be the most arduous part for people solving the puzzle … They have 12 of these numbers, and they couldn't convert it to text. They needed to XOR" them, he says. XOR is a process that compares two input bits and then generates an output bit:  if the bits are the same, the answer is 0. If the bits are different, the answer is 1.

The winners for the second consecutive year were the two-man team of David Schuetz and Alex Pinto, who solved the puzzler in one day, seven hours, and 17 minutes. Coming in second place was Michael Oglesby, who cracked the puzzle in two days, one hour, and 26 minutes.

The cover's string of 1s and 0s, once converted to text, was 1by5IJ1. With a little sleuthing, the contestants determined that this was actually the path portion of a bit.ly URL-shortener link: bit.ly/1by5IJ1 led them to another webpage, dburr-sql.com, and the next clue in the puzzler.
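The decoding step described above (down arrow = 0, up arrow = 1, group the bits into bytes, XOR them with a key, read the result as ASCII) is small enough to show in full. The script below is an added illustration, not code from the article or from Verizon: the article does not print the real arrow sequence or the XOR key, so the arrow string and the single-byte key here are constructed by masking the known answer "1by5IJ1" with an assumed key of 0x2a. The last function goes one step beyond the puzzle and does what a solver (or an analyst looking at a single-byte-XOR-obfuscated blob) would actually do when the key is unknown: try every byte and keep the keys that yield printable text.

```python
# Decode an up/down-arrow bit stream as in the DBIR cover puzzle:
# down arrow -> 0, up arrow -> 1, then XOR the bytes with a key and read ASCII.
# SAMPLE_ARROWS and SAMPLE_KEY are CONSTRUCTED for illustration; the article
# does not reproduce the real cover data or key.

UP, DOWN = "↑", "↓"


def arrows_to_bits(arrows: str) -> str:
    """Map each arrow glyph to a bit character; whitespace between groups is ignored."""
    table = {UP: "1", DOWN: "0"}
    bits = []
    for ch in arrows:
        if ch.isspace():
            continue
        if ch not in table:
            raise ValueError(f"unexpected glyph {ch!r}")
        bits.append(table[ch])
    return "".join(bits)


def bits_to_bytes(bits: str) -> bytes:
    """Pack a '0'/'1' string into bytes, most significant bit first."""
    if len(bits) % 8:
        raise ValueError("bit string length is not a multiple of 8")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR each byte with a repeating key: equal bits give 0, differing bits give 1."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_cover(arrows: str, key: bytes) -> str:
    """Full pipeline: arrows -> bits -> bytes -> XOR -> ASCII text."""
    return xor_with_key(bits_to_bytes(arrows_to_bits(arrows)), key).decode("ascii")


def encode_cover(text: str, key: bytes) -> str:
    """Inverse direction, used to build (and verify) the constructed sample."""
    masked = xor_with_key(text.encode("ascii"), key)
    groups = [format(b, "08b") for b in masked]
    return " ".join(g.replace("1", UP).replace("0", DOWN) for g in groups)


def guess_single_byte_keys(data: bytes) -> list[tuple[int, str]]:
    """Brute-force every one-byte key; keep those whose output is all printable ASCII."""
    candidates = []
    for k in range(256):
        out = xor_with_key(data, bytes([k]))
        if all(32 <= b < 127 for b in out):
            candidates.append((k, out.decode("ascii")))
    return candidates


SAMPLE_KEY = b"\x2a"  # constructed key, not the contest's
SAMPLE_ARROWS = (  # constructed: "1by5IJ1" XOR 0x2a, rendered as arrows
    "↓↓↓↑↑↓↑↑ ↓↑↓↓↑↓↓↓ ↓↑↓↑↓↓↑↑ ↓↓↓↑↑↑↑↑ ↓↑↑↓↓↓↑↑ ↓↑↑↓↓↓↓↓ ↓↓↓↑↑↓↑↑"
)

if __name__ == "__main__":
    print(decode_cover(SAMPLE_ARROWS, SAMPLE_KEY))  # 1by5IJ1
    masked = bits_to_bytes(arrows_to_bits(SAMPLE_ARROWS))
    for k, text in guess_single_byte_keys(masked):
        print(f"key 0x{k:02x}: {text}")
```

With only seven bytes of ciphertext, many single-byte keys produce printable output, which is why the contestants still needed the bit.ly context to recognise the right candidate; with a longer message the printable-only filter narrows the field much faster.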

Spitler, senior risk analyst for Verizon, says the reason for the throwback cover challenge was basically a practical one -- they were crunched for time due to the size and scope of this year's DBIR report itself. "This year, we did not have nearly as many steps as last year" in the contest, he says. "We didn't have a lot of time to devote to something [the contest] with extreme intricacy."

The initial puzzle that required decoding the back-cover binary code was indeed tough, even for the winning team of Pinto and Schuetz. Pinto says that was the most difficult first step in the contest that he has seen in the past three years he's competed.

[New annual Verizon Data Breach Investigations Report shows most attacks affect a secondary victim, the average cost of a data breach is just 58 cents per stolen record -- and attackers are not going after mobile en masse. Read Verizon DBIR: Mobile Devices Not A Factor In Real-World Attacks.]

The dburr-sql.com site, meanwhile, was a mockup of the Heartbleed.com website, with a fictitious vulnerability of its own, dburr-sql (with dburr as a nod to DBIR), complete with its own Heartbleed-esque logo. On that page was a vulnerability name of SVE-2015-9999, with SVE as a takeoff on the Common Vulnerability Enumeration (CVE) naming convention for bugs.

To get to step 3, the contestants had to perform a Google search of the "SVE" number, which led them to a webpage mimicking CVE pages. That's where it got even more retro: the Verizon puzzle masters planted a link to Gopher, an old-school Web search tool. "It was circa 1993 web presence," Spitler says.

The Gopher site contained pictures as well as weather information. "One of the photos had yet another URL embedded in it," and viewing the metadata of the JPEG revealed another webpage, he says.
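Pulling a URL out of a JPEG's metadata, as the contestants did here, does not need an image library: the header of a JPEG is a sequence of marker segments (APPn blocks for JFIF/Exif/XMP data and COM blocks for free-text comments), each carrying its own length, and a URL planted in any of them is visible to a plain byte scan. The following is an added example, not code from the article; the JPEG it scans is a minimal constructed file with a comment segment, and the URL in it is a placeholder. The same walk over segments is what a defender uses to check uploaded images for metadata that leaks links, paths or internal hostnames.

```python
import re
import struct

# Constructed example: walk the marker segments of a JPEG header and report
# any URL found in COM (0xFE) or APPn (0xE0-0xEF) payloads. Not from the article.

URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def jpeg_segments(data: bytes):
    """Yield (marker, payload) for each header segment up to the start of scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker byte at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):           # EOI, or SOS: compressed data follows
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # stand-alone markers, no length
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # length includes itself
        payload = data[pos + 4:pos + 2 + length]
        yield marker, payload
        pos += 2 + length


def metadata_urls(data: bytes) -> list[str]:
    """Return every URL string found in comment or application metadata segments."""
    found = []
    for marker, payload in jpeg_segments(data):
        if marker == 0xFE or 0xE0 <= marker <= 0xEF:
            found.extend(m.decode("ascii") for m in URL_RE.findall(payload))
    return found


def segment(marker: int, payload: bytes) -> bytes:
    """Build one marker segment (used only to assemble the constructed sample)."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed minimal JPEG: SOI, a JFIF APP0 block, a COM block hiding a
# placeholder URL, a bare SOS header, and EOI. Not a real contest image.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + segment(0xFE, b"next clue: http://example.invalid/next-step")
    + segment(0xDA, b"\x01\x01\x00")
    + b"\xff\xd9"
)

if __name__ == "__main__":
    print(metadata_urls(SAMPLE_JPEG))  # ['http://example.invalid/next-step']
```

Stopping at the SOS marker keeps the scan cheap: everything before it is structured header data, and anything hidden in the entropy-coded image body would need a steganography tool rather than a segment walk.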

That URL then led to a page with nine images, six of which were images from prior DBIR covers, and three were designs that didn't make the cut in years past. The winners took the image names of the six cover images in chronological order, which resulted in a 10-digit number. "When you put it all in order, you would see you have a 10-digit phone number," Spitler says.

Calling the phone number led to a Google Voice mail message that instructed the contestants to email Verizon a haiku about their favorite incident classification pattern.

Pinto says the final puzzle was intriguing. "We figured out that we had to call a telephone number, but it was already past midnight Eastern, so we decided to wait until it was morning. I was on the West Coast, and when I woke up 7am-ish there, David had already called and I learned from Twitter first that we had won," Pinto says.

Schuetz says the last step was "tricky."

"We quickly identified the important part of the page, and recognized what we were looking at, but then didn't think of the right way to put it all together.  We considered book ciphers -- which they’ve used a couple of times in the past -- steganography, using the image numbers in some kind of mathematical process (multiplying them together to get an IP address, for example)," he says. "We even noted that 'the ordering of the images seems artificial' but didn't latch onto that as the key trick until about 90 minutes later, when I figured it out. We also got distracted by the non-relevant parts of the puzzle for a while, trying to figure out what they were pictures of."

The team spent about three-and-a-half hours on that step. And that was the point where they were given a hint that they were "almost there," so it got a little heated at the end, Schuetz says.

Interestingly, Pinto and Schuetz hadn't really intended to compete again this year, but teamed up early on just to "leisurely follow along" with the contest, Pinto says. "I guess the heat of the competition got the best of us," Pinto says.

The winners' haikus weren't exactly Poet Laureate material, but they got the job done for the win:

Colors ebb and flow
Red and green like Christmas Tree
Think It Was China

Their prizes are still being finalized, but they will be some sort of "tech toys," Spitler says.

The contest creation process happens after-hours for the Verizon team. "We want to make it fun and challenging, but we don't want to make it [impossible] to make it to the first clue. It's really hard to find that balance … We make it like a video game so you can see some progress" you are making during the process, he says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
