Verizon Breach Report Puzzle Solved

Published: 22/11/2024   Category: security


A two-man team solves the Verizon Data Breach Investigations Report (DBIR) puzzle contest, which began with a cipher hidden on the cover page of the famed report.



Some people can't wait to get their hands on the annual Verizon Data Breach Investigations Report -- but not for the reasons you'd think. For security professionals like Alex Pinto and David Schuetz, it's all about finding the stealthy clue embedded in the cover of the breach report.
Pinto and Schuetz are this year's winners of the coveted Verizon DBIR Cover Challenge, which kicks off with the publication of the respected and oft-cited data breach report. It's a combination puzzle and virtual scavenger hunt that cipher and puzzle enthusiasts from the security industry clamor for each year when the report gets published. It begins with a single clue found somewhere on the report's cover. The contest has been running for six of the DBIR's seven years.
The first clue this year was culled from text on the back cover written in JavaScript Object Notation, aka JSON, a data-interchange format, near text about the cover graphic, which ultimately led the contestants on a wild ride through various challenges -- and diversions -- to find subsequent clues to solve the puzzle. Much of the contest entailed finding clues on the fictitious and tongue-in-cheek Canada State University website created by the Verizon puzzle masters, where the contestants enrolled for classes, uploaded videos of themselves singing the Canada State U fight song, and ultimately pulled hidden clues from video clips and a simulated academic file.
Verizon's earlier contests were mainly cryptography challenges with blocks of cipher that contestants had to decrypt. But the contest has evolved over the years from a crypto focus to more of a mind-bending puzzler. "It's less about someone being an expert in cryptography as it is for someone who is really good at troubleshooting and solving problems... and being really good at puzzles," says Marc Spitler, co-author of the Verizon DBIR and the mastermind behind the cover challenge contest.
"We don't want it to be just for cryptographers [anymore]. We wanted to make it slightly different and open to information security generalists," says Spitler, a senior analyst for risk and intelligence for Verizon Enterprise Solutions.
More than five different teams and individual contestants participated in this year's contest, which begins and ends with the report's cover. The puzzle typically has been linear, where you solve one thing and bread crumbs lead to another clue, Spitler says. But this year's contest included clues posted in Amazon reviews, Pastebin, a phone call to Verizon, YouTube videos, and the fake college website, which (aside from containing clues) was chock full of ridiculous things, many of which had nothing to do with the puzzle.
Schuetz and Pinto found that one of the tricks to solving the puzzle is to avoid getting sidetracked by the irrelevant material. Pinto says he initially missed one key clue because he listened to a simulated lecture video clip instead of viewing it. "I missed [the clues] the first time because I was not watching."
The clue, "victim.state=CA," actually flashed on the video player screen, so Pinto didn't see it the first time. Luckily, Schuetz, who did view the video, caught it. "It was a flashing neon sign... I knew this was what to go look for," he says.
Schuetz, a senior consultant with the Intrepidus Group, also got temporarily diverted by files on the Canada State University site. "I got sidetracked... there was a sequence of 13 numbers at the bottom of the web pages, and I didn't know what to make of that. I spent a lot of time working on that. Eventually... someone tweeted something he'd seen and shared it with me -- a way to get to the webpage from an earlier clue I had completely skipped."
He and Pinto, who were acquaintances, started out as solo contestants but decided to team up after they each had gotten through the first two clues. It was getting tougher to go it alone. "We both got very frustrated," says Pinto, who is chief data scientist at MLSec Project.
The team approach helped the two maximize their resources. Schuetz was about to board a flight for Chicago for a security conference and was going to be off the grid one day during the contest, so Pinto took the reins and hacked away at the puzzle. "I decided to give what I [had found] to him, so he could work on it while I [was] on the plane," Schuetz recalls.
The two ultimately solved the puzzle in less than 20 hours, working mostly after hours. Both had some experience with the contest. Schuetz, who has some crypto expertise, won the Verizon cover contest two years ago and came in second place last year. Pinto started last year's contest but didn't finish it.
"I've done a lot of different puzzles, mostly at security conferences," Schuetz says. "It's a nice distraction. It helps to refresh your head, and changes your perspective... and exercises [other] parts of your brain."
[The new Verizon 2014 Data Breach Investigations Report identifies nine types of attack patterns that accounted for 93% of security incidents in the past decade. Read Stolen Passwords Used In Most Data Breaches.]
Among the clues they discovered was a private encryption key planted in a GitHub repository by a "careless developer," as Spitler describes it, and they used the key to decrypt the Canada State U student file.
Pinto says he then agonized over just what this list of 138 students with their IDs, class grades, GPAs, and social insurance numbers meant. "I knew it probably had to do with sorting so it becomes a word." He tried sorting by grade, first name, middle initial, and other categories, but he got nowhere.
All the contestants at the time were struggling with that step, so Verizon threw out a hint that ultimately helped Pinto and Schuetz get to the next clue, which was "asset category = media."
"That opened it wide for us," Pinto says.
After a couple of other steps that further revealed the final answer, with the clues "action.physical.location = victim work area" as well as the video clue about the state of California being part of the answer, they found another piece of the puzzle. The phrase "actor=external" was written on a whiteboard in a screenshot in another lecture video.
The next clue was "small business only," and it was discovered by overlaying the DBIR cover with a fictional dinner menu for a Canada State University business school fundraiser. "We got an email from Verizon saying be sure you use one from GitHub that should be the same size. So [I said], ah, this should be a grill," Schuetz says.
They gleaned the final answer from Verizon's VERIS Community Database of publicly disclosed breach incidents. With the search variables they had found earlier in the puzzle, they narrowed the answer to two public breach incidents in California that occurred at small businesses, Vudu and Crescent Health. "They had an external actor steal media assets from the victim's work area," Spitler says.
Schuetz came away with a 3D printer for the win, and Pinto, with an iPad mini. The team of Mike Czumak, Andrij Kuzyszyn, and Will Pustorino finished in second place. Michael Oglesby, managing director and principal security consultant for True Digital Security, finished third. Czumak and Kuzyszyn are both security professionals from the healthcare industry.
