5/12/2016
02:55 PM

Verizon DBIR Puzzler Solved With Meghan Trainor And ‘Cyber Pathogens’

All about that puzzler's paradise that is the 2016 Annual Verizon Data Breach Investigations Report cover contest.

Meghan Trainor’s voice on the other end of the line was the first sign of real progress.

Matt Johansen, the winner of this year’s annual Verizon Data Breach Investigations Report (DBIR) Cover Challenge, nervously dialed the 800 number, hoping he wasn’t waking up an innocent bystander. He had pieced together the phone number from a puzzle he printed and cut into pieces and assembled on his kitchen counter.

“I called at 11 pm, hoping I got it right. Then I heard the voicemail [greeting] with Meghan Trainor singing that ‘All About That Bass’ song,” he says. “I had spent how many hours [on the puzzle] and now I was listening to that song.”

The song confirmed the key code he had needed to solve this puzzle, one of the four different puzzles required for the contest: “allaboutthebase,” a reference to the base rate in statistics parlance.

“I was getting a good laugh at how far I was going, my wife and I standing in the kitchen and messing with pieces of paper cut out, and rotating [the pieces] in different positions to try to figure out the puzzle,” says Johansen, who also drew from a couple of hints provided on the puzzler website. 

Source: Verizon

That was just about the time that Verizon’s cover contest -- a combination puzzle, cipher, and virtual scavenger hunt -- got a lot harder to solve. Johansen, who is director of security for Honest Dollar, says he got his first two clues off the DBIR cover, which wasn’t too difficult to decode. “A lot of the early ones were less technical, to get the ball rolling,” he notes. He also gobbled up veiled hints that the Verizon team occasionally tweeted to contestants.

Each year, there are stories of fits and starts with the puzzler, when contestants pursue for hours or days a clue that is actually a dead end. Or, like Johansen, they inadvertently waste time by pursuing too many flags: he at first tried to solve all nine puzzles in the game when in fact you only needed to solve four. (A delicate hint via Twitter from the Verizon team got him back on track.) Verizon had also placed a red herring on the cover -- a set of phony Roman numerals under the pyramid image that, when decoded, basically told the contestant to "go play golf."

Source: Verizon

“It was a red herring for them...we figured it would be the first place people would go,” says Gabe Bassett, senior information security data scientist, Verizon Enterprise Solutions, a member of the team of 10 puzzle-masters made up of Verizon employees and the two previous puzzle winners, Alex Pinto and David Schuetz.

But a Morse code puzzle on the cover page led Johansen to embedded text on the back page of the report. By putting together extra characters from text on the back page, contestants were led to a “pathogen page” and then ultimately to the puzzler website, a fictional site called “Global Cyber CDC,” where people “report” so-called “cyber-pathogens” to the satiric Center for Disease Control. The tongue-in-cheek site explains:

WELCOME TO THE GLOBAL CYBER CENTERS 
FOR DISEASE CONTROL. TO REPORT AN EMERGING CYBER
PATHOGEN, PLEASE ENTER IT'S CORE AI HERE

THE GLOBAL CYBER CDC WORKS 25/6 TO PROTECT
THE WORLD FROM HEALTH, SAFETY AND SECURITY 
THREATS, BOTH INTERPLANETARY AND ON THE EARTH.

There’s also a list of nine “retired cyber pathologists,” which represent the nine core puzzles, including personas such as Colonel Henry J. Haberdasher, Dr. Rob Bootis, Sir Baskart William, and Dr. Pedro Tipton.

‘Cyber Pathology’ For The Win

Verizon’s Bassett says the idea for “cyberpathology” came from a friend’s LinkedIn profile. “One of our friends had ‘cyber pathologist’ on his LinkedIn ... So we wondered what would happen if cyber pathologists” were real and what would their story be? he says.

“So we incorporated other data science people we knew and gave them all roles as cyber pathologists,” he says. The goal was to provide various non-linear paths to solve each step of the puzzle, and to keep it accessible to non-cipher experts as well: one of the first steps is a crossword puzzle, a relatively simple one to solve, he says. There was also a complex dataset puzzle that no one was able to crack.

“We had all different types of puzzles so no single skillset had an advantage,” he says.

“You needed at least four pathologists'” steps completed in order to get to the final solution, he says, and the goal was to make it solvable in about three days. 

Verizon also had to ensure the contest wasn’t easily hackable.

Bassett says the puzzler team built the infrastructure with that in mind. “The ‘CDC’ was a static webpage ... and is written in Python and Pelican and saved to Amazon S3 so no dynamic stuff [can occur] and so hackers couldn’t attack and dump the database or anything,” he says. “The .ai site where we got feedback [from contestants] was a bit different in that it had to be dynamic ... Ultimately, if you knew the location of certain files, you could download them, but we monitored” the traffic, he says. That site ran on Heroku’s cloud-based platform.

“If you can beat a puzzle a different way and not be caught, you deserve props for your ingenuity.”

Johansen, who worked on the puzzle after-hours, finished it in about 6 ½ days and won a telescope for his first-place prize. Among other flags, he also cracked a haiku challenge. “I’d never done poem code before,” he says. “I spent an embarrassing amount of time” cracking it, he says. “That was my favorite one.”

The puzzler isn’t for the faint of heart, nor the impatient. In one breath, the finalists were lauding it for the twists and turns and challenges—punctuated by the thrill of getting to the next flag. In the next, they were lamenting the fact that it’s not your father’s crossword puzzle: “It was a giant pain in the ass,” quips Bryan Schuetz, who took home the second-place prize, and blogged about how he cracked the puzzler.

Matthew Keyser, who came in third, also blogged about his experience.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
 
