Some people can't wait to get their hands on the annual Verizon Data Breach Investigations Report -- but not for the reasons you'd think. For security professionals like Alex Pinto and David Schuetz, it's all about finding the stealthy clue embedded in the cover of the breach report.
Pinto and Schuetz are this year's winners of the coveted Verizon DBIR Cover Challenge, which kicks off with the publication of the respected and oft-cited data breach report. It's a combination puzzle and virtual scavenger hunt that cipher and puzzle enthusiasts from the security industry flock to each year when the report gets published. It begins with a single clue found somewhere on the report's cover. The contest has been running for six of the DBIR's seven years.
Verizon's earlier contests were mainly cryptography challenges with blocks of cipher that contestants had to decrypt. But the contest has evolved over the years from a crypto focus to more of a mind-bending puzzler. "It's less about someone being an expert in cryptography as it is for someone who is really good at troubleshooting and solving problems... and being really good at puzzles," says Marc Spitler, co-author of the Verizon DBIR and the mastermind behind the cover challenge contest.
"We don't want it to be just for cryptographers [anymore]. We wanted to make it slightly different and open to information security generalists," says Spitler, a senior analyst for risk and intelligence for Verizon Enterprise Solutions.
More than five different teams and individual contestants participated in this year's contest, which begins and ends with the report's cover. "The puzzle typically has been linear, where you solve one thing and bread crumbs lead to another clue," Spitler says. But this year's contest included clues posted in Amazon reviews, Pastebin, a phone call to Verizon, YouTube videos, and a fake college website, which (aside from containing clues) was "chock full of ridiculous things, many of which had nothing to do with" the puzzle.
Schuetz and Pinto found that one of the tricks to solving the puzzle is to avoid getting sidetracked by the irrelevant material. Pinto says he initially missed one key clue because he listened to a simulated lecture video clip instead of viewing it. "I missed [the clues] the first time because I was not watching."
The clue, "victim.state=CA," actually flashed on the video player screen, so Pinto didn't see it the first time. Luckily, Schuetz, who did view the video, caught it. "It was a flashing neon sign... I knew this was what to go look for," he says.
Schuetz, a senior consultant with the Intrepidus Group, also got temporarily diverted by a file on the Canada State University site. "I got sidetracked... there was a sequence of 13 numbers at the bottom of the web pages, and I didn't know what to make of that. I spent a lot of time working on that. Eventually... someone tweeted something he'd seen and shared it with me -- a way to get to the webpage from an earlier clue I had completely skipped."
He and Pinto, who were acquaintances, started out as solo contestants but decided to team up after they each had gotten through the first two clues. It was getting tougher to go it alone. "We both got very frustrated," says Pinto, who is chief data scientist at MLSec Project.
The team approach helped the two maximize their resources. Schuetz was about to board a flight for Chicago for a security conference and was going to be off the grid one day during the contest, so Pinto took the reins and hacked away at the puzzle. "I decided to give what I [had found] to him, so he could work on it while I [was] on the plane," Schuetz recalls.
The two ultimately solved the puzzle in less than 20 hours, working mostly after hours. Both had some experience with the contest. Schuetz, who has some crypto expertise, won the Verizon cover contest two years ago and came in second place last year. Pinto started last year's contest but didn't finish it.
"I've done a lot of different puzzles, mostly at security conferences," Schuetz says. "It's a nice distraction. It helps to refresh your head, and changes your perspective... and exercises [other] parts of your brain."
Among the clues they discovered was a private encryption key planted in a GitHub repository by "a careless developer," as Spitler describes it, and they used the key to decrypt the Canada State U student file.
Pinto says he then agonized over just what this list of 138 students with their IDs, class grades, GPAs, and social insurance numbers meant. "I knew it probably had to do with sorting so it becomes a word." He tried sorting by grade, first name, middle initial, and other categories, but he got nowhere.
All the contestants at the time were struggling with that step, so Verizon threw out a hint that ultimately helped Pinto and Schuetz get to the next clue, which was "asset category = media."
"That opened it wide for us," Pinto says.
After a couple of other steps that further revealed the final answer, with the clues "action.physical.location = victim work area" as well as the video clue about the state of California being part of the answer, they found another piece of the puzzle. The phrase "actor=external" was written on a whiteboard in a screenshot in another lecture video.
The next clue was "small business only," and it was discovered by overlaying the DBIR cover with a fictional dinner menu for a Canada State University business school fundraiser. "We got an email from Verizon saying be sure you use one from Github that should be the same size. So [I said], ah, this should be a grill," Schuetz says.
They gleaned the final answer from Verizon's VERIS Community Database of publicly disclosed breach incidents. With the search variables they had found earlier in the puzzle, they narrowed the answer to two public breach incidents in California that occurred at small businesses, Vudu and Crescent Health. "They had an external actor steal media assets from the victim's work area," Spitler says.
Schuetz came away with a 3D printer for the win, and Pinto, with an iPad mini. The team of Mike Czumak, Andrij Kuzyszyn, and Will Pustorino finished in second place. Michael Oglesby, managing director and principal security consultant for True Digital Security, finished third. Czumak and Kuzyszyn are both security professionals from the healthcare industry.