Verizon 2015 Data Breach Cover Puzzler Solved: Defending Champs Win

  /     /     /  
Publicated : 22/11/2024   Category : security


Verizon 2015 Data Breach Cover Puzzler Solved: Defending Champs Win


The 2015 DBIR Cover Challenge is as highly anticipated by some as the DBIR report itself.



Every year, cipher and puzzler enthusiasts clamor to get a first look at the cover of the much-anticipated Verizon Data Breach Investigations Report (DBIR):  thats right, the cover.
Thats because for the past seven years, Verizon has included the first clue in its DBIR Cover Challenge contest, a combination puzzle and virtual scavenger hunt camouflaged somewhere on the cover of the renowned report that offers fresh data on just whats going on hack- and breach-wise out in the world. While last years contests first clue featured text written in the JavaScript Object Notation (JSON) data-interchange format, this years contest was more of a throwback to earlier days in the contest that focused on the cover design itself hosting the first clue.
Instead of having a block of text hidden in the cover, we were able to bring in actual artwork and design back to the cover, says Marc Spitler, one of the masterminds of the contest and a co-author of the DBIR.
The front cover basically extends to the back cover, with wrap-around lines. The lines on the front cover offer a graphical representation of attack trends in specific vertical industries based on data from the report, and the lines wrap to the back cover, where there are small up-and-down arrows representing binary numbers. The down arrows represent 0, and the up arrows, 1, Spitler says.
We anticipated this would be the most arduous part for people solving the puzzle … They have 12 of these numbers, and they couldnt convert it to text. They needed to XOR them, he says. XOR is a process that compares two input bits and then generates an output bit:  if the bits are the same, the answer is 0. If the bits are different, the answer is 1.
The winners for the second consecutive year were the two-man team of David Schuetz and Alex Pinto, who solved the puzzler in one day, seven hours, and 17 minutes. Coming in second place was Michael Oglesby, who cracked the puzzle in two days, one hour, and 26 minutes.
The covers string of 1s and 0s, once converted to text was: 1by5IJ1. With a little sleuthing, the contestants determined that was actually a portion of a bit.ly URL-shortener link:  bit.ly/1by5IJ1 led them to another webpage, dburr-sql.com, and the next clue in the puzzler.
Spitler, senior risk analyst for Verizon, says the reason for the throwback cover challenge was basically a practical one -- they were crunched for time due to the size and scope of this years DBIR report itself. This year, we did not have nearly as many steps as last year in the contest, he says. We didnt have a lot of time to devote to something [the contest] with extreme intricacy.
The initial puzzle that required decoding the back-cover binary code was indeed tough, even for the winning team of Pinto and Schuetz. Pinto says that was the most difficult first step in the contest that he has seen in the past three years hes competed.
[New annual Verizon Data Breach Investigations Report shows most attacks affect a secondary victim, the average cost of a data breach is just 58 cents per stolen record -- and attackers are not going after mobile en masse. Read
Verizon DBIR: Mobile Devices Not A Factor In Real-World Attacks
.]
The dburr-sql.com, meanwhile, was a mockup of the Heartbleed.com website, with a fictitious vulnerability of its own, dburr-sql (with dburr as a nod to DBIR), with its own Heartbleed-esque logo as well. On that page was a vulnerability name of SVE-2015-9999, with SVE as a takeoff on the Common Vulnerability Enumeration (CVE) naming convention for bugs.
To get to step 3, the contestants had to perform a Google search of the SVE number, which led them to a webpage mimicking CVE pages. Thats where it got even more retro: the Verizon puzzle masters planted a link to Gopher, an old-school Web search tool. It was circa 1993 web presence, Spitler says.
The Gopher site contained pictures as well as weather information. One of photos had yet another URL embedded in it and viewing the metadata of the JPEG revealed another webpage, he says.
That URL then led to a page with nine images, six of which were images from prior DBIR covers, and three were designs that didnt make the cut in years past. The winners took the image names of the six cover images in chronological order, which resulted in a 10-digit number. When you put it all in order, you would see you have a 10-digit phone number, Spitler says.
Calling the phone number led to a Google Voice mail message that instructed the contestants to email Verizon a haiku about their favorite incident classification pattern.
Pinto says the final puzzle was intriguing. We figured out that we had to call a telephone number, but it was already past midnight Eastern, so we decided to wait until it was morning. I was on the West Coast, and when I woke up 7am-ish there, David had already called and I learned from Twitter first that we had won, Pinto says.
Schuetz says the last step was tricky.
We quickly identified the important part of the page, and recognized what we were looking at, but then didnt think of the right way to put it all together.  We considered book ciphers -- which they’ve used a couple of times in the past -- steganography, using the image numbers in some kind of mathematical process (multiplying them together to get an IP address, for example), he says. We even noted that the ordering of the images seems artificial but didnt latch onto that as the key trick until about 90 minutes later, when I figured it out. We also got distracted by the non-relevant parts of the puzzle for a while, trying to figure out what they were pictures of.
The team spent about three-and-a-half hours on that step. And that was the point where they were given a hint that they were almost there, so it got a little heated at the end, Schuetz says.
Interestingly, Pinto and Schuetz hadnt really intended to compete again this year, but teamed up early on just to leisurely follow along with the contest, Pinto says. I guess the heat of the competition got the best of us, Pinto says.
The winners haikus werent exactly Poet Laureate material, but they got the job done for the win:
 
Colors ebb and flow
Red and green like Christmas Tree
Think It Was China
 
Their prizes are still being finalized, but they will be some sort of tech toys, Spitler says.
The contest creation process happens after-hours for the Verizon team. We want to make it fun and challenging, but we dont want to make it [impossible] to make it to the first clue. Its really hard to find that balance … We make it like a video game so you can see some progress you are making during the process, he says.

Last News

▸ 7 arrested, 3 more charged in StubHub cyber fraud ring. ◂
Discovered: 23/12/2024
Category: security

▸ Nigerian scammers now turning into mediocre malware pushers. ◂
Discovered: 23/12/2024
Category: security

▸ Beware EMV may not fully protect against skilled thieves. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Verizon 2015 Data Breach Cover Puzzler Solved: Defending Champs Win