Every year, cipher and puzzler enthusiasts clamor to get a first look at the cover of the much-anticipated Verizon Data Breach Investigations Report (DBIR): that's right, the cover.
"Instead of having a block of text hidden in the cover, we were able to bring in actual artwork and design back to the cover," says Marc Spitler, one of the masterminds of the contest and a co-author of the DBIR.
The front cover basically extends to the back cover, with wrap-around lines. The lines on the front cover offer a graphical representation of attack trends in specific vertical industries based on data from the report, and the lines wrap to the back cover, where there are small up-and-down arrows representing binary numbers. The down arrows represent 0, and the up arrows, 1, Spitler says.
"We anticipated this would be the most arduous part for people solving the puzzle … They have 12 of these numbers, and they couldn't convert it to text. They needed to XOR" them, he says. XOR is a process that compares two input bits and then generates an output bit: if the bits are the same, the answer is 0. If the bits are different, the answer is 1.
The winners for the second consecutive year were the two-man team of David Schuetz and Alex Pinto, who solved the puzzler in one day, seven hours, and 17 minutes. Coming in second place was Michael Oglesby, who cracked the puzzle in two days, one hour, and 26 minutes.
The cover's string of 1s and 0s, once converted to text was: 1by5IJ1. With a little sleuthing, the contestants determined that was actually a portion of a bit.ly URL-shortener link: bit.ly/1by5IJ1 led them to another webpage, dburr-sql.com, and the next clue in the puzzler.
Spitler, senior risk analyst for Verizon, says the reason for the throwback cover challenge was basically a practical one -- they were crunched for time due to the size and scope of this year's DBIR report itself. "This year, we did not have nearly as many steps as last year" in the contest, he says. "We didn't have a lot of time to devote to something [the contest] with extreme intricacy."
The initial puzzle that required decoding the back-cover binary code was indeed tough, even for the winning team of Pinto and Schuetz. Pinto says that was the most difficult first step in the contest that he has seen in the past three years he's competed.
[New annual Verizon Data Breach Investigations Report shows most attacks affect a secondary victim, the average cost of a data breach is just 58 cents per stolen record -- and attackers are not going after mobile en masse. Read Verizon DBIR: Mobile Devices Not A Factor In Real-World Attacks.]
The dburr-sql.com, meanwhile, was a mockup of the Heartbleed.com website, with a fictitious vulnerability of its own, dburr-sql (with dburr as a nod to DBIR), with its own Heartbleed-esque logo as well. On that page was a vulnerability name of SVE-2015-9999, with SVE as a takeoff on the Common Vulnerability Enumeration (CVE) naming convention for bugs.
To get to step 3, the contestants had to perform a Google search of the "SVE" number, which led them to a webpage mimicking CVE pages. That's where it got even more retro: the Verizon puzzle masters planted a link to Gopher, an old-school Web search tool. "It was circa 1993 web presence," Spitler says.
The Gopher site contained pictures as well as weather information. "One of photos had yet another URL embedded in it" and viewing the metadata of the JPEG revealed another webpage, he says.
That URL then led to a page with nine images, six of which were images from prior DBIR covers, and three were designs that didn't make the cut in years past. The winners took the image names of the six cover images in chronological order, which resulted in a 10-digit number. "When you put it all in order, you would see you have a 10-digit phone number," Spitler says.
Calling the phone number led to a Google Voice mail message that instructed the contestants to email Verizon a haiku about their favorite incident classification pattern.
Pinto says the final puzzle was intriguing. "We figured out that we had to call a telephone number, but it was already past midnight Eastern, so we decided to wait until it was morning. I was on the West Coast, and when I woke up 7am-ish there, David had already called and I learned from Twitter first that we had won," Pinto says.
Schuetz says the last step was "tricky."
"We quickly identified the important part of the page, and recognized what we were looking at, but then didn't think of the right way to put it all together. We considered book ciphers -- which they’ve used a couple of times in the past -- steganography, using the image numbers in some kind of mathematical process (multiplying them together to get an IP address, for example)," he says. "We even noted that 'the ordering of the images seems artificial' but didn't latch onto that as the key trick until about 90 minutes later, when I figured it out. We also got distracted by the non-relevant parts of the puzzle for a while, trying to figure out what they were pictures of."
The team spent about three-and-a-half hours on that step. And that was the point where they were given a hint that they were "almost there," so it got a little heated at the end, Schuetz says.
Interestingly, Pinto and Schuetz hadn't really intended to compete again this year, but teamed up early on just to "leisurely follow along" with the contest, Pinto says. "I guess the heat of the competition got the best of us," Pinto says.
The winners' haikus weren't exactly Poet Laureate material, but they got the job done for the win:
Colors ebb and flow
Red and green like Christmas Tree
Think It Was China
Their prizes are still being finalized, but they will be some sort of "tech toys," Spitler says.
The contest creation process happens after-hours for the Verizon team. "We want to make it fun and challenging, but we don't want to make it [impossible] to make it to the first clue. It's really hard to find that balance … We make it like a video game so you can see some progress" you are making during the process, he says.