DBIR Cover Challenge

We are proud to announce that two members of the DCSec Team solved this year's cover challenge of Verizon's Data Breach Investigation Report. Jan and Christopher achieved second and third place respectively. The first prize went to Michael Oglesby from truedigitalsecurity.com.
In the following, Jan sketches how he solved the challenge.
Since Michael, as the winner, has already described how he solved the Verizon Data Breach Investigation Report (DBIR) Cover Challenge, and Christopher has described the problems he ran into, I will describe some of my (false) attempts to solve it:
The fundamental pieces were found quickly, not least because of the open discussion on Twitter (search for the tag #DBIR). They are:
• the word "openssl",
• the "(F+)" or "p(F+)" in the blue fingerprint, and
• the ciphertext on the back cover.
The missing links to solve the challenge were the right cipher (found by brute force over all 70 possible ciphers) and the right passphrase.
To find the passphrase, I first tried a somewhat half-hearted brute-force dictionary attack, but that was not the right approach. I knew that this was a weak attempt, but maybe ...
Then the first clue was published on ZDNet, and I read the DBIR carefully; I read it twice.

Then I tried several combinations from the "needles and haystacks" section, without success.
"Everything you need is in the print"
Hm, maybe the graphic on the cover could help, so I tried a grille cipher. I tried it twice, once physically

and then by trying to find the words "agent", "action", "attribute", and "asset" in the text. Hey, there are only two pages with all four words. So I rotated and stretched the graphic to fit the text; it didn't work.

The second clue was published on ZDNet:
"The 'F+' is one of those things that seem like something important at first but turns out to be nothing."
Yes, I had said that a long time ago: it's nothing. But the graphic on the front cover, that's the right way, I knew it. Maybe I had been thinking in the wrong direction: not from the inside to the outside, but the other way round. OK, looking for an agent, who is described as follows:
AGENT: external, organized criminal group, eastern europe
together with "Everything you need is in the print", that must be Maksik or this Alexander from the chapter about Albert Gonzalez. The
ACTION: hacking, sql injection, use of stolen credentials, web application
ACTION: malware, packet sniffer, backdoor, installed/injected by remote attacker
leads to "access", "harm", "attack", "disguise", or "retrieve", while the
ATTRIBUTE: integrity, confidentiality
leads to "limited" or "sensitive". And lastly
ASSET: database server, payment card data, intellectual property
The solution had to be one or two sentences (two because of the two actions). Some openssl loops and greps later, I recognized that this approach was also wrong.
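To make the "right cipher" step and the "openssl loops and greps" concrete, here is an added example of my own; it is not code from the original post, from Verizon, or from the challenge. It is a POSIX shell script that, given a base64 ciphertext produced by openssl enc, tries every cipher the local openssl supports against a short list of candidate passphrases and keeps only the decryptions that come out as printable text. It assumes the openssl CLI is installed; the plaintext, the ciphertext and the candidate list are constructed for the demo, and the passphrase 1in64billion is the one from the post. The -md md5 flag is the caveat worth knowing: OpenSSL 1.1 and later derive the key with SHA-256 by default, and the 2010 challenge predates that change.

```shell
#!/bin/sh
# Added example (not from the original post, Verizon, or the challenge):
# brute-force the cipher used by `openssl enc` for a base64 ciphertext,
# trying a few candidate passphrases, and keep only printable decryptions.
# Assumptions: the `openssl` CLI is installed; the ciphertext was produced by
# `openssl enc -<cipher> -a -salt -pass pass:...`. Older OpenSSL derived the
# key with MD5, OpenSSL 1.1+ defaults to SHA-256, so -md md5 is passed
# explicitly; change it if the ciphertext comes from a newer release.

# Candidate passphrases (constructed for this example; the last one is the
# passphrase from the post).
CANDIDATES="falsepositive fingerprint 1in64billion"

# List every cipher name the local `openssl enc` accepts, one per line.
# The subcommand name changed across releases, so try the modern form first.
list_enc_ciphers() {
    { openssl list -cipher-commands 2>/dev/null \
      || openssl list-cipher-commands 2>/dev/null \
      || openssl enc -ciphers 2>/dev/null; } \
      | tr -s ' \t' '\n\n' | sed 's/^-//' | grep -E '^[a-z0-9-]+$' | sort -u
}

# encrypt_with CIPHER PASSPHRASE PLAINTEXT -> single-line base64 ciphertext.
# Only used to build demo input; the challenge shipped its own ciphertext.
encrypt_with() {
    printf '%s' "$3" | openssl enc -"$1" -a -A -salt -md md5 -pass "pass:$2" 2>/dev/null
}

# decrypt_with CIPHER PASSPHRASE B64 -> plaintext, or a non-zero exit status.
decrypt_with() {
    printf '%s' "$3" | openssl enc -d -"$1" -a -A -md md5 -pass "pass:$2" 2>/dev/null
}

# is_printable STRING -> 0 if non-empty and every byte is printable ASCII or
# whitespace. Stream ciphers never fail on a wrong key and block ciphers can
# pass the padding check by chance, so openssl's exit status alone is not
# enough; this is the "grep" in the loop.
is_printable() {
    [ -n "$1" ] && ! printf '%s' "$1" | LC_ALL=C grep -q '[^[:print:][:space:]]'
}

# find_cipher B64 PASSPHRASE -> prints each cipher name that yields printable text.
find_cipher() {
    for c in $(list_enc_ciphers); do
        plain=$(decrypt_with "$c" "$2" "$1") || continue
        if is_printable "$plain"; then
            printf '%s\n' "$c"
        fi
    done
}

# crack B64 -> prints "CIPHER PASSPHRASE PLAINTEXT" for every candidate
# passphrase/cipher pair that decrypts to printable text.
crack() {
    for p in $CANDIDATES; do
        for c in $(find_cipher "$1" "$p"); do
            printf '%s %s %s\n' "$c" "$p" "$(decrypt_with "$c" "$p" "$1")"
        done
    done
}

# Stand-alone demo: encrypt a constructed plaintext, then recover cipher,
# passphrase and plaintext from the ciphertext alone.
CT=$(encrypt_with aes-256-cbc 1in64billion "Everything you need is in the print")
crack "$CT"
```

Expect more than one hit for a block cipher: aliases such as aes256 decrypt identically to aes-256-cbc. Ciphers the local build cannot use with enc (AEAD modes, or legacy algorithms on OpenSSL 3 without the legacy provider) simply fail and are skipped, which is also why the number of ciphers you see will differ from the 70 the challenge-era openssl offered.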
Very amusing was the tweet from @schuetzdj:
"Huh. Look what happens when you base-64 encode '(F+)'. #dbir"
Then the first winner was announced. I put this down to a little carelessness on our side, because we hadn't confused our competitors with enough Twitter feeds. Together with the amount of alcohol we had consumed at Micha's house party and at the Oscar's, the news led to a total loss of interest in the challenge.

Some days later, the recapitulating tweets from Wade Baker prompted me to try another approach.
Then the next tweet from @wadebaker summarized all the known facts and forced the final step.
The last obstacle was the correct Google query. First I tried
"false positive" (probability || chance) fingerprint
and found an interesting paper. A small variation of the search,
fingerprint (probability || chance) "false positive"
led to the right result, and with an adequate amount of luck I found the right passphrase:
1in64billion
to finalize the DBIR cover challenge.
Congratulations! You've solved the 2010 DBIR Cover Challenge. If you happen to be among the first three people to see this message and email us the correct answer to the question below, you will receive a prize.
Who calculated the probability of a false positive in using fingerprint analysis for identification?
Email your answer to dbir@lists.verizonbusiness.com
I sent the mail a little under pressure, since some colleagues were waiting to go to lunch, so the whole lunchtime I was curious about the response.
Congrats, Jan. You're the second one to get it.
So, here's the deal. We've got a $100 gift card that we'll mail to whatever address you like. If you feel like writing about your solution, we just ask that you hold off on the details until 3rd place winners come in (we'll announce that on our blog and via Twitter). After that, say whatever you want. We plan to write about the contest as well - do you mind if we mention you by name?
Nice job. I was beginning to wonder if anyone else would get it.
--
Wade Baker
YES, I made it.
I plan to give a reasonable part of the prize to Pakistan and spend another part on a favored beverage ;-)

