
Verizon Breach Report Puzzle Solved

A two-man team solves the Verizon Data Breach Investigations Report (DBIR) puzzle contest, which began with a cipher hidden on the cover page of the famed report.

Some people can't wait to get their hands on the annual Verizon Data Breach Investigations Report -- but not for the reasons you'd think. For security professionals like Alex Pinto and David Schuetz, it's all about finding the stealthy clue embedded in the cover of the breach report.

Pinto and Schuetz are this year's winners of the coveted Verizon DBIR Cover Challenge, which kicks off with the publication of the respected and oft-cited data breach report. It's a combination puzzle and virtual scavenger hunt that cipher and puzzle enthusiasts from the security industry clamor to join each year when the report is published. It begins with a single clue found somewhere on the report's cover. The contest has been running for six of the DBIR's seven years.

The first clue this year came from text on the back cover, written in JavaScript Object Notation (JSON), a data-interchange format, and placed near text about the cover graphic. It led the contestants on a wild ride through various challenges -- and diversions -- to find the subsequent clues needed to solve the puzzle. Much of the contest entailed finding clues on the fictitious and tongue-in-cheek Canada State University website created by the Verizon puzzle masters, where the contestants enrolled for classes, uploaded videos of themselves singing the Canada State U fight song, and ultimately pulled hidden clues from video clips and a simulated academic file.

Verizon's earlier contests were mainly cryptography challenges with blocks of cipher that contestants had to decrypt. But the contest has evolved over the years from a crypto focus to more of a mind-bending puzzler. "It's less about someone being an expert in cryptography as it is for someone who is really good at troubleshooting and solving problems... and being really good at puzzles," says Marc Spitler, co-author of the Verizon DBIR and the mastermind behind the cover challenge contest.

"We don't want it to be just for cryptographers [anymore]. We wanted to make it slightly different and open to information security generalists," says Spitler, a senior analyst for risk and intelligence for Verizon Enterprise Solutions.

More than five different teams and individual contestants participated in this year's contest, which begins and ends with the report's cover. "The puzzle typically has been linear, where you solve one thing and bread crumbs lead to another clue," Spitler says. But this year's contest included clues posted in Amazon reviews, Pastebin, a phone call to Verizon, YouTube videos, and the fake college website, which (aside from containing clues) was "chock full of ridiculous things, many of which had nothing to do with" the puzzle.

Schuetz and Pinto found that one of the tricks to solving the puzzle is to avoid getting sidetracked by the irrelevant material. Pinto says he initially missed one key clue because he listened to a simulated lecture video clip instead of viewing it. "I missed [the clues] the first time because I was not watching."

The clue, "victim.state=CA," actually flashed on the video player screen, so Pinto didn't see it the first time. Luckily, Schuetz, who did view the video, caught it. "It was a flashing neon sign... I knew this was what to go look for," he says.

Schuetz, a senior consultant with the Intrepidus Group, also got temporarily diverted by a file on the Canada State University site. "I got sidetracked... there was a sequence of 13 numbers at the bottom of the web pages, and I didn't know what to make of that. I spent a lot of time working on that. Eventually... someone tweeted something he'd seen and shared it with me -- a way to get to the webpage from an earlier clue I had completely skipped."

He and Pinto, who were acquaintances, started out as solo contestants but decided to team up after they each had gotten through the first two clues. It was getting tougher to go it alone. "We both got very frustrated," says Pinto, who is chief data scientist at MLSec Project.

The team approach helped the two maximize their resources. Schuetz was about to board a flight for Chicago for a security conference and was going to be off the grid one day during the contest, so Pinto took the reins and hacked away at the puzzle. "I decided to give what I [had found] to him, so he could work on it while I [was] on the plane," Schuetz recalls.

The two ultimately solved the puzzle in less than 20 hours, working mostly after hours. Both had some experience with the contest. Schuetz, who has some crypto expertise, won the Verizon cover contest two years ago and came in second place last year. Pinto started last year's contest but didn't finish it.

"I've done a lot of different puzzles, mostly at security conferences," Schuetz says. "It's a nice distraction. It helps to refresh your head, and changes your perspective... and exercises [other] parts of your brain."


Among the clues they discovered was a private encryption key planted in a GitHub repository by "a careless developer," as Spitler describes it, and they used the key to decrypt the Canada State U student file.

Pinto says he then agonized over just what this list of 138 students with their IDs, class grades, GPAs, and social insurance numbers meant. "I knew it probably had to do with sorting so it becomes a word." He tried sorting by grade, first name, middle initial, and other categories, but he got nowhere.

All the contestants at the time were struggling with that step, so Verizon threw out a hint that ultimately helped Pinto and Schuetz get to the next clue, which was "asset category = media."

"That opened it wide for us," Pinto says.

After a couple of other steps that further revealed the final answer, with the clues "action.physical.location = victim work area" as well as the video clue about the state of California being part of the answer, they found another piece of the puzzle. The phrase "actor=external" was written on a whiteboard in a screenshot in another lecture video.

The next clue was "small business only," and it was discovered by overlaying the DBIR cover with a fictional dinner menu for a Canada State University business school fundraiser. "We got an email from Verizon saying be sure you use one from Github that should be the same size. So [I said], ah, this should be a grill," Schuetz says.

(Source: Verizon)

They gleaned the final answer from Verizon's VERIS Community Database of publicly disclosed breach incidents. With the search variables they had found earlier in the puzzle, they narrowed the answer to two public breach incidents in California that occurred at small businesses, Vudu and Crescent Health. "They had an external actor steal media assets from the victim's work area," Spitler says.

Schuetz came away with a 3D printer for the win, and Pinto, with an iPad mini. The team of Mike Czumak, Andrij Kuzyszyn, and Will Pustorino finished in second place. Michael Oglesby, managing director and principal security consultant for True Digital Security, finished third. Czumak and Kuzyszyn are both security professionals from the healthcare industry.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Kelly Jackson Higgins,
User Rank: Strategist
5/6/2014 | 12:07:31 PM
Re: Creativity in security
I totally agree, Tim. What was also cool about this contest was how much fun the Verizon puzzle creators had putting it together, adding humor and some silly elements to keep the contestants entertained, too, while they did their work.
User Rank: Strategist
5/6/2014 | 11:52:59 AM
Creativity in security
The creativity of the security industry never ceases to amaze me. Whether it's contests like Verizon's or capture the flag competitions, security folk are some of the greatest problem-posers and problem-solvers in IT.