Slashdot Mirror


Hackers Claim $10K Prize For StrongWebmail Breakin

alphadogg writes "Telesign, a provider of voice-based authentication software, challenged hackers to break into its StrongWebmail.com Web site late last week. The prize: $10,000. On Thursday, a group of security researchers claimed to have won the contest, which challenged hackers to break into the Web mail account of StrongWebmail CEO Darren Berkovitz and report back details from his June 26 calendar entry. The hackers, led by Secure Science Chief Scientist Lance James and security researchers Aviv Raff and Mike Bailey, provided details from Berkovitz's calendar to IDG News Service. In an interview, Berkovitz confirmed those details were from his account. However, Berkovitz could not confirm that the hackers had actually won the prize. He said he would need to check to confirm that the hackers had abided by the contest rules, adding, 'if someone did it, we'll kind of put our heads down.'"

193 comments

  1. Hu? by ae1294 · · Score: 5, Insightful

    Wait, I'm confused??? They expected the hackers to follow rules?

    1. Re:Hu? by Allicorn · · Score: 4, Interesting

      I'm thinking - if the hackers actually bribed/tricked the CEO's PA into just telling them what was in the calendar record then the guy is going to try to weasel out of paying.

      --
      OMG!!! Ponies!!!
    2. Re:Hu? by Tubal-Cain · · Score: 3, Insightful

      I could understand if they don't want to pay up to someone that hacked something other than their software. Exploiting a Windows bug may count if they are not cross-platform, but bribing the janitor probably doesn't. Yes, a real cracker may hack one of this product's customers that way, but Telesign couldn't be at fault for that.

    3. Re:Hu? by Ethanol-fueled · · Score: 1

      What parent may or may not imply is that it was an inside job with lots of external obfuscation.

    4. Re:Hu? by MrMista_B · · Score: 5, Insightful

      Social engineering is a perfectly valid and entirely effective method of hacking.

    5. Re:Hu? by iamhassi · · Score: 1

      "Exploiting a Windows bug may count if they are not cross-platform, but bribing the janitor probably doesn't."

      The hell it doesn't! If hackers can pay the janitor or other employee a few bucks to access the CEO's email then I wanna know that before I hand StrongWebmail $$$ to handle my email. That's like saying social engineering doesn't count. Of course it counts, the end results were the same, right?

      --
      my karma will be here long after I'm gone
    6. Re:Hu? by XanC · · Score: 4, Insightful

      But it doesn't test their software.

    7. Re:Hu? by maxwells_deamon · · Score: 1

      I suspect and hope that the statement was just a way to delay until the person in charge of the contest (some committee perhaps) officially confirms the win so that the check can be written.

      That said, if you set something like this up with no rules you are being quite dumb.

      For instance, you cannot violate the law: don't ambush employees in the parking lot with weapons. Don't physically break into the building, don't download the employee database...

    8. Re:Hu? by jesseck · · Score: 5, Informative

      While I agree that social engineering is a very legit way to hack a system, the terms of the challenge (link here) state that "You may not work with an employee, partner, or owner of StrongWebmail.com or any of its affiliates or partners to accomplish the email hack." Since this was StrongWebmail's contest, they make the rules. Even if the rules prevent a common method of hacking from taking place. On the other hand, people are quite often the weak link... by preventing the contestants from using this "easy" entry point (say, a janitor or secretary), they can test the technical system itself.

    9. Re:Hu? by ae1294 · · Score: 3, Insightful

      Honestly what I find extremely funny is that they already know they have a security problem and that these hackers have some sort of access.

      Are they really going to try and piss them off and not pay up?

    10. Re:Hu? by C18H27NO3+ · · Score: 4, Insightful

      Agreed.
      In the real world I'm not going to care HOW my secret correspondence was hacked when they assured me it would never happen.
      "They got in through a vulnerability in our OS, but our software held up".
      "Someone in our company helped themselves/someone else to your mails, but our software held up".
      "Someone installed a trojan that compromised the authentication system, but our software held up".

      I understand perfectly what they are trying to achieve with this contest but they come off as sounding as if any other means of obtaining 'secure' information is beyond their liability when they state that it is the most secure webmail system out there.
      There are many different levels to security that need to be continually addressed yet they seem to think that as long as their little solo phone app doesn't get compromised then it's not really their fault.
      At least that's the way the rules and TFA sound.

    11. Re:Hu? by ta+bu+shi+da+yu · · Score: 4, Interesting

      Uh? According to NetworkWorld, "the IDG attack did not work initially, but succeeded when security software called NoScript was disabled on the Firefox browser, running on a Windows XP machine." wtf?

      --
      XML is like violence. If it doesn't solve the problem, use more.
    12. Re:Hu? by C18H27NO3+ · · Score: 1

      "You may not work with an employee, partner, or owner of StrongWebmail.com or any of its affiliates or partners..." I interpret that as colluding or conspiring with them is forbidden when in fact social engineering would technically be 'working against them'.

    13. Re:Hu? by nine-times · · Score: 3, Insightful

      Why shouldn't bribing a janitor count? If I'm paying someone to call me every time I want to log into my email, then I'm probably pretty paranoid about security and don't want other people gaining access to my email. If security is so bad that random employees (including the janitor) can read my email, and those employees are so untrustworthy that they can be easily bribed, then that's just as real of a security problem as if their software were flawed.

      Security is often only as strong as its weakest point. If the point of this prize was to prove that your email is secure on their servers, then gaining unauthorized access to other people's email on their servers should be enough to claim the prize.

    14. Re:Hu? by Allicorn · · Score: 3, Insightful

      That wasn't the whole challenge. The challenge was to access an account on their allegedly super-secure webmail service. If the software is fairly solid but the staff are easily duped/bribed... how secure is the service?

      Even if social engineering alone resulted in getting access to the prize data, then the challenge has still been met: StrongWebmail.com - the service - is not secure.

      --
      OMG!!! Ponies!!!
    15. Re:Hu? by capnkr · · Score: 3, Informative

      FTFA (page 2, first paragraph):

      James said that these contests might be fun, but they don't provide a realistic measure of real security because they are encumbered with rules. The StrongWebmail contest prohibits working with a company insider, for example.

      --
      "...there are some things that can beat smartness and foresight. Awkwardness and stupidity can." ~ Mark Twain
    16. Re:Hu? by Anonymous Coward · · Score: 0

      Wait, that sounds like it was a client-side attack on the CEO's machine. That also fails to test their email service.

    17. Re:Hu? by XanC · · Score: 0

      Well, suppose they bribed or tricked the CEO's secretary. She has the CEO's email password, not because she works for StrongWebmail.com, but because she's his secretary.

      That kind of attack has nothing to do with the service, since she wouldn't have everybody else's password too. And it would work against pretty much any (gullible or corrupt) secretary, regardless of the system or security.

    18. Re:Hu? by Tubal-Cain · · Score: 4, Interesting

      The hell it doesn't! If hackers can pay the janitor or other employee a few bucks to access the CEO's email then I wanna know that before I hand StrongWebmail $$$ to handle my email.

      That depends on what they are providing. If they are providing a hosting service of some sort, then bribing a janitor counts. If they are providing a system to be handled by the local network admins (that's the impression I get), then it shouldn't. The janitors there are not the janitors that will be around the customers' servers.

    19. Re:Hu? by Tubal-Cain · · Score: 1

      I got the impression this is meant to be a locally-administered system rather than a remote one. I would have a hard time blaming Microsoft for a social engineering-based security breach of a MS Exchange setup, though I would not hesitate to lampoon them for such a breach at Hotmail.

    20. Re:Hu? by innocent_white_lamb · · Score: 2, Informative

      Your impression is wrong. I just looked at their website. They're offering a webmail service like Yahoo or Gmail -- the difference is that they phone you with an access code at a pre-determined phone number every time you want to access your email account.

      --
      If you're a zombie and you know it, bite your friend!
    21. Re:Hu? by Jah-Wren+Ryel · · Score: 1

      Wait, that sounds like it was a client-side attack on the CEO's machine. That also fails to test their email service.

      Sounds like cross-site scripting to me. And if it can be done to the CEO to give others access to his account, then it can also be done to any other user and their account too. If the company doesn't take precautions against that form of exploit then they are vulnerable and ultimately the bad guys don't give a shit about how they get access, they just care about getting access.

      --
      When information is power, privacy is freedom.
    22. Re:Hu? by GumphMaster · · Score: 1

      Am I alone in thinking that: "work with an employee..." != "dupe an employee"?

      If these guys managed to get in by conning an unknowing employee then they can hardly be claimed to have been working together. They are no more working together than the way a con-man "works with" their victim. It's largely moot anyway, which employee is going to say, "Hey boss, I let them have the information."? Severely career limiting methinks.

      --
      Patent litigation: A doctrine of Mutually Assured Destruction... in which everyone seems willing to push the button
    23. Re:Hu? by houghi · · Score: 1

      You could even tell your employees that if somebody does get into the mailbox that way, the only way for them to claim their prize is to tell who was the leak. That then would result in directly and immediately firing the person.

      That way everybody is aware of the challenge and people will be doubly careful about giving out any details.
      Make them also aware that people from IT also should not be asking for your password.

      You have increased security for no cost. :-D

      --
      Don't fight for your country, if your country does not fight for you.
    24. Re:Hu? by Anonymous Coward · · Score: 0

      they phone you with an access code

      Yikes, somebody PLEASE tell them about SecurID.

    25. Re:Hu? by Yvanhoe · · Score: 1

      It tests their security, which was the point.

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
    26. Re:Hu? by Yvanhoe · · Score: 1

      They talk about "working with an employee", does it encompass fooling one of them?

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
    27. Re:Hu? by TheLink · · Score: 1

      Yeah, I'd want to know that too.

      And if it was because of the janitor attack, then the hackers shouldn't win the prize, but in that case I still won't say good things about StrongWebmail to anyone :).

      --
    28. Re:Hu? by TheLink · · Score: 1

      If it doesn't meet their rules the hackers shouldn't win the prize.

      But we might still give low ratings to StrongWebmail the service.

      Hmmm, their site seems to require javascript to log in. I'll give it a low rating just for that alone.

      Oh, even worse: enabling js for their domain alone doesn't work! Seems like they need googleapis.com.

      I'm not going to enable js for other domains - what if googleapis gets exploited one day? Even if strongwebmail is ok, googleapis might not be (look at google's security track record).

      At this rate I think the more I look at their system the lower my opinion will be ;).

      --
    29. Re:Hu? by Nikker · · Score: 3, Insightful

      In reality they have just shot themselves in the foot by admitting they have had sensitive information retrieved by an unauthorized person. The whole idea of contests like this is for marketing and the CEO looking for a gold star type reputation. If the contest had gone without a hitch then they would pass their service off as 'air tight' since they are "securewebmail.com" ;) Regardless now of whether they pay out it is obvious that they are insecure so spending time arguing semantics is just going to kill them by the Streisand effect. It's stupid for them to argue over 10K while their rep will cost the company its livelihood regardless if they pay it or not. Some posts here seem to refer that any social engineering would likely be limited in nature as off-the-cuff phone calls to employees where the attacker seems to be a trusted member will not likely be effective in the long run. The truth is that supply and demand will mitigate this factor, especially since people get more interested in what's inside a room the more locks you put on it ;) New vectors will be sought and acted on and they will be hacked again. It would have been better for them to offer the 10K as a consultant's fee and have all this under an NDA than going balls out with this kind of thing cause obviously it wasn't secure to begin with.

      --
      A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
    30. Re:Hu? by Nikker · · Score: 1

      Question: Is this StrongWebmail.com a software or a service?

      Question: Since the CEO got his information retrieved without his permission would you trust their claims with your own data?

      --
      A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
    31. Re:Hu? by mrmeval · · Score: 1

      Kidnapping his secretary and removing appendages till they talked is not worthy of paying for. Sneaking in and looking at his calendar while he's taking a dump is not worth paying for. Blackmale...No. Social engineering..No. They actually had to be intelligent and hack.

      --
      I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
    32. Re:Hu? by KDR_11k · · Score: 1

      Blackmale...No.

      That's racism!

      --
      Justice is the sheep getting arrested while an impartial judge declares the vote void.
    33. Re:Hu? by Anonymous Coward · · Score: 0

      FTA: "succeeded when security software called NoScript was disabled on the Firefox browser"

      It was clearly an XSS attack, confirmed by the zdnet article. Probably the only social engineering in the attack involved enticing the CEO to click a malicious link.

    34. Re:Hu? by Lobster+Quadrille · · Score: 1

      ZDnet Article: http://blogs.zdnet.com/security/?p=3514

      One of the hackers posted an uninformative response on his blog: http://skeptikal.org/2009/06/strongwebmail-incident.html

      --
      "The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base." --US Patent #5425497
    35. Re:Hu? by Anonymous Coward · · Score: 5, Insightful

      They never logged into the account themselves.

      It's an XSS exploit: StrongWebmail expended all their resources attempting to prevent people obtaining credentials and logging in. However, send an email with an appropriate piece of script to the target user, or provide a link targeting one of the iframes on the site, and all you have to do is sit back and wait for that to get loaded in the browser.

      The person doing the exploit never has to log in, all they need is to get some script on the page and wait for the target user to use their account as normal, which triggers the exploit right inside the browser. That's why noscript blocked the attempt on IDG - it wasn't the hackers running Firefox+noscript, it was the journalist asking them to replicate the attack.

      No secretaries, janitors or midnight exchanges of cash-filled envelopes required - they spent so much time decorating the front door that they forgot to check inside the constant stream of animal-shaped wooden statues delivered to the service entrance.

    36. Re:Hu? by Anonymous Coward · · Score: 0

      These guys are all professional penetration testers - Aviv Raff was involved in finding the carpetbomb exploits against browsers a while back, and Mike Bailey was the person who published a bunch of holes in McAfee's web site last month.

      I rather suspect that it was an intelligent hack, and the other articles (google: strongwebmail) seem to confirm that.

    37. Re:Hu? by GaryOlson · · Score: 1

      But the SMS message on my phone says it was sent by my email provider. SMS would never lie!

      --
      Every man's island needs an ocean; choose your ocean carefully.
    38. Re:Hu? by MikeBabcock · · Score: 1

      I would still claim it matters. In a properly designed system, the janitor shouldn't be able to get access credentials even if he or she wanted them. In a truly secure environment, every access of any type of information should be properly audited so that any permitted but strange access is noted as well.

      --
      - Michael T. Babcock (Yes, I blog)
    39. Re:Hu? by nine-times · · Score: 1

      Well, yeah. I would expect part of the rules to be that the hackers have to disclose their methods. And if you caused that sort of security breach, whether connected to a contest or not, I would imagine that would be a firing offense.

    40. Re:Hu? by Odinlake · · Score: 2, Funny

      ...social engineering is a very legit way to hack a system

      interesting - are there more legit ways to hack a system? I'd like to hack into this bank but preferably without breaking the law...

    41. Re:Hu? by uglyduckling · · Score: 1

      Yes, that would seem to be the case.

      The thing that I've never understood is why more sites that are supposedly 'secure' don't have any mechanism for them to authenticate themselves to me. It would seem to me fairly trivial for users of a website to choose a second password that the website would show to them when they tried to log-on, after some sort of pre-authentication and therefore make it really easy to avoid any phishing attacks.

    42. Re:Hu? by blhack · · Score: 1

      This was exploited using a bug in strongwebmail's software.

      They weren't sanitizing or validating inputs on CGIs, which allowed the contest winner to run some javascript on the target's machine.

      The other thing they weren't doing was protecting themselves against CSRF attacks.

      This was ABSOLUTELY a problem with strongwebmail's software. Yes, user interaction was required, but the interaction was to exploit flaws in the software.

      --
      NewslilySocial News. No lolcats allowed.
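The two defects the comments above attribute to the webmail front end (sender-supplied script echoed into the page, and settings changes accepted without CSRF protection) are shown here as an added example, not StrongWebmail's code; the message, handler names, session id and server secret are constructed for the demonstration, and each defective function is paired with its hardened form.

```python
"""Stored XSS in a webmail listing and a missing CSRF check, each beside its fix.
Everything here is hypothetical demonstration code; no identifiers come from the
product discussed in the thread."""
import hashlib
import hmac
import html
from urllib.parse import urlparse

# Constructed sample: an inbound message whose subject and link carry script.
INBOUND = {
    "from": "sender@example.test",
    "subject": "Re: June 26 <script>alert('xss')</script>",
    "link": "javascript:alert('xss')",
}


def render_row_vulnerable(msg):
    """Defective: raw interpolation lets the sender's HTML run in the reader's browser."""
    return (f'<tr><td>{msg["from"]}</td><td>{msg["subject"]}</td>'
            f'<td><a href="{msg["link"]}">open</a></td></tr>')


def safe_href(url):
    """Allow only absolute http(s) targets; javascript:, data: and the like become inert."""
    parsed = urlparse(url.strip())
    return url if parsed.scheme in ("http", "https") and parsed.netloc else "#"


def render_row_hardened(msg):
    """Escape every untrusted field for its HTML context and whitelist the link scheme."""
    def esc(s):
        return html.escape(s, quote=True)
    return (f'<tr><td>{esc(msg["from"])}</td><td>{esc(msg["subject"])}</td>'
            f'<td><a href="{esc(safe_href(msg["link"]))}">open</a></td></tr>')


def contains_active_content(rendered):
    """Crude review check: did a script tag or javascript: URL survive rendering?"""
    low = rendered.lower()
    return "<script" in low or "javascript:" in low


# CSRF: a forged cross-site form post rides on the victim's cookies, so the server
# must demand a value the attacker's page cannot know. Secret is constructed here;
# in a real deployment it comes from configuration.
SERVER_SECRET = b"constructed-demo-secret"


def csrf_token(session_id, secret=SERVER_SECRET):
    """Bind a token to the session; nothing is stored, it is recomputed on validation."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def handle_settings_post_vulnerable(request, session_id):
    """Defective: any POST arriving with the victim's session is honoured."""
    return ("applied", request["form"]["forward_to"])


def handle_settings_post_hardened(request, session_id, secret=SERVER_SECRET):
    """Require the per-session token in the body, compared in constant time."""
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token(session_id, secret)):
        return ("rejected", None)
    return ("applied", request["form"]["forward_to"])


# Constructed requests: one forged from a third-party page, one from the real UI.
FORGED_POST = {"form": {"forward_to": "attacker@example.test"}}
LEGIT_POST = {"form": {"forward_to": "me@example.test",
                       "csrf_token": csrf_token("sess-123")}}

if __name__ == "__main__":
    print(render_row_vulnerable(INBOUND))
    print(render_row_hardened(INBOUND))
    print(handle_settings_post_vulnerable(FORGED_POST, "sess-123"))
    print(handle_settings_post_hardened(FORGED_POST, "sess-123"))
    print(handle_settings_post_hardened(LEGIT_POST, "sess-123"))
```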
    43. Re:Hu? by bad4u2 · · Score: 1

      "Legit" != "legal"...

    44. Re:Hu? by Anonymous Coward · · Score: 0

      Except it sounds like the employee they duped was the CEO.

    45. Re:Hu? by Odinlake · · Score: 1

      Yes and no, but I'll not continue that. I merely found the concept "legitimate hacking" funny, is legitimate hacking a legitimate business in general?

    46. Re:Hu? by Anonymous Coward · · Score: 0

      No the challenge was to "break in", not to simply access the account. If there was a challenge to "break in" to a high security house, but someone knocked on the door and was invited in by the butler, it couldn't be considered as a legitimate entry. Nobody can guarantee against humans being bribed, and they stated as much in their terms.

    47. Re:Hu? by dave87656 · · Score: 1

      Basically, then, if they offered to split the prize money with an insider they didn't break into the system. The service StrongWebMail itself isn't 100% secure. But, on the other hand, I guess I would feel pretty safe as a consumer knowing that, until someone finds an insider and is willing to pay, my email is pretty secure from outside hackers.

    48. Re:Hu? by rant64 · · Score: 1

      Stop right there. StrongWebmail requires the boss' password to answer e-mail on his behalf or to view his calendar? What a piece of crap.

    49. Re:Hu? by rant64 · · Score: 1

      spent so much time decorating the front door that they forgot to check inside the constant stream of animal-shaped wooden statues delivered to the service entrance.

      I give up. What does any of this have to do with ponies?

    50. Re:Hu? by Anonymous Coward · · Score: 0

      You don't have to work 'with' someone to steal information. You can gather information without the person providing it being aware of the intent or security breach.

    51. Re:Hu? by Anonymous Coward · · Score: 0

      Look at the names and institutes involved in the hack. Really they can still use this as marketing by saying it took the best and the brightest to perform the hack, and they are now working with them, or their best to close the exploitable features of their service.

      Do not underestimate the power of failure as a marketing tool.

  2. Rules? by Anonymous Coward · · Score: 0, Redundant

    Rules? LOL.. Ok just as long as all hackers abide by the rules I'm sure all our information is safe :)

  3. Telegraphing by inviolet · · Score: 4, Insightful

    The size of the prize -- $10,000 -- indicates that the company thought it reasonably possible that they'd get hacked, and/or desired to avoid motivating any serious hacking attempt. Neither explanation gives me much confidence in their product.

    And wow did it ever backfire. Normally they do these kinds of promotions in the hopes that nobody will bother, so that the company can later say "We offered a wheelbarrow of cash, and still nobody hacked us!". As if that was equivalent to a real security audit.

    --
    FATMOUSE + YOU = FATMOUSE
    1. Re:Telegraphing by Alethes · · Score: 5, Insightful

      Maybe I'm naive, but I figure StrongWebmail.com might be the best webmail site to use for security right now because they're in a heightened state of alert. Kinda like flying right after 9/11.

    2. Re:Telegraphing by gavron · · Score: 3, Insightful

      There was nothing done after 9/11 to raise the level of security for the flying public. That includes the period right after 9/11 up to and including today. Everything that was done was in the spirit of "security theater" (credit: Bruce Schneier).

      Strongmail isn't the "best" (whatever criteria you use for "best") webmail site for "security" (whatever your definition of "security"). It's proven that it's easily cracked, and that is in and of itself a stay-away sign.

      I highly recommend Bruce's blog at http://www.schneier.com/blog/.

      E

    3. Re:Telegraphing by Moridineas · · Score: 1, Insightful

      There was nothing done after 9/11 to raise the level of security for the flying public. That includes the period right after 9/11 up to and including today. Everything that was done was in the spirit of "security theater" (credit: Bruce Schneier).

      That is such incredible BS. Disregarding the heightened awareness of airport personnel and stricter rules for metal detection, body pat downs, and newer equipment, what about air marshals? You can't possibly be claiming that undercover air marshals are "security theater."

      Yeah, some of it is no doubt security theater, that's not in dispute...who says security theater isn't effective?

    4. Re:Telegraphing by gavron · · Score: 3, Insightful

      "Heightened awareness" of untrained personnel yields more chaos and more chaff, not more data. Sorry.

      Body pat downs are security theater. The 9/11 terrorists didn't have boxcutters on them nor would that have been found in a pat down.

      Newer equipment has only been installed in test markets to do the "puff" test. It detects gunpowder or explosive residue. Neither the "liquid explosive" (myth) nor the boxcutters can be detected by it.

      Under-cover air-marshals board first, and keep their jackets on. IF THEY WERE ADEQUATELY TRAINED, NOT CORRUPT (see many news stories to the contrary) then they might make a difference but not for any real scenarios.

      You forgot to mention "reinforced cockpit doors" and "not congregating at the toilet." These also, like the former, do not prevent a terrorist with a boxcutter from putting it to the throat of a flight attendant (and four of them doing so to all four flight attendants) and threatening to kill them all.

      Before you argue whether such an attack would be successful -- consider this -- if they can do it (which they can) then security since 9/11 has not increased which is exactly what I said.

      "Who says security theater isn't effective?"

      It's effective as mediocre entertainment if someone you don't like has to go through it.

      It's not effective as security.

      Best regards

      E

    5. Re:Telegraphing by Foodie · · Score: 1

      $10,000 is not a bad price to pay for that much publicity. Too bad they got hacked in such a short amount of time.

    6. Re:Telegraphing by Anonymous Coward · · Score: 4, Informative

      You think awareness will help to any degree? Awareness of what, and how is that equal to greater security? I worked at a major airline before and about 5 months after 9/11. I worked at an airline and at an airport that was used by the 9/11 terrorists. Things may have seemed to have changed but if you knew anything about the operations at an airport, it was smoke and mirrors. Maybe things have changed since then so I can not comment.

      On another note, I now live and work in DC. I see cars being checked before pulling into parking garages of important buildings. A security guard walks around the car with a mirror on a stick and checks the underneath of the cars before allowing entry. You call that increased security? Paint your bomb with undercoating or put it in the trunk, in your engine bay, or hell, even in the back seat. As long as it does not have flashing lights and does not say "EXPLOSIVE" on it, they would never know.

      You want to know what heightened awareness there is? Remember this incident? http://en.wikipedia.org/wiki/2007_Boston_Mooninite_Scare
      It had lights and wires, it must be a bomb. You feel safe with that level of awareness? I don't.

    7. Re:Telegraphing by bitt3n · · Score: 4, Funny

      The size of the prize -- $10,000 -- indicates that the company thought it reasonably possible that they'd get hacked, and/or desired to avoid motivating any serious hacking attempt. Neither explanation gives me much confidence in their product.

      And wow did it ever backfire. Normally they do these kinds of promotions in the hopes that nobody will bother, so that the company can later say "We offered a wheelbarrow of cash, and still nobody hacked us!". As if that was equivalent to a real security audit.

      Perhaps they'll fix their software by simply offering a lower prize.

      "Hack our software, and win a free small soda with purchase of any McDonald's value meal!"

    8. Re:Telegraphing by bitt3n · · Score: 1

      Maybe I'm naive, but I figure StrongWebmail.com might be the best webmail site to use for security right now because they're in a heightened state of alert. Kinda like flying right after 9/11.

      I'm building a webmail service packed with so many sql injection opportunities that it gets hacked by accident, just so you can put your mind at ease.

    9. Re:Telegraphing by michaelhood · · Score: 2, Insightful

      You started to touch on the one thing that has changed that matters, IMO. And that's largely a policy change.

      We used to operate under the assumption that would-be hijackers wanted political attention and/or money. Now we operate under the assumption they are willing to die if it means inflicting more casualties. This means we will never again open the [now reinforced] cockpit doors in any circumstances when there is a hostile scenario in the cabin.

      So all of this talk about box-cutters and other mythical impromptu melee weapons is a false dilemma. This is no longer a viable threat. Virtually all threats to be considered at this point are ones capable of causing harm to a large number of passengers in the passenger cabin (firearms), or causing the plane to crash (explosives). There are of course fringe cases, but all things must be a balance of convenience/accessibility and security.

    10. Re:Telegraphing by gavron · · Score: 2, Insightful

      That's a red herring. Today's pilots don't know whether the terrorist of tomorrow wants to use the plane as a weapon (as did the one occurrence in 2001) or whether they have other goals they wish to accomplish. These same N terrorists (pick a number -- the lack of security won't prevent ten boxcutters from being brought on board any more than they'd not prevent 4 being brought on board) can threaten a LARGE number of innocent women, children, and men.

      Pilots will likely respond and land the plane. Sure, it won't be used as a weapon (but that was the 8-year-old plan... not tomorrow's plan). They can still get hundreds of hostages.

      Going back to my original point. THERE IS NO MORE SECURITY TODAY. The Pilots' attitude is not a result of heightened security nor better screeners, nor the creation of DHS nor anything else.

      Again, the web site does not provide stronger security. The airlines do not provide stronger security. There is equal lack of realism in saying "I'd rather fly now than before 2001" as "I'd rather trust strongwebmail now rather than before they were hacked." Neither has improved their security.

      E

    11. Re:Telegraphing by capnkr · · Score: 0

      Wrong. There IS more security today. Lots of it - just go to an airport and look.

      Security definition. Check 3(b).

      That said - the efficaciousness of said can be brought into doubt, but the fact that there is more of it (or at least, an attempt at such) cannot.

      No matter how much you believe to the contrary. Sorry, but you might want to put more thought into how you are phrasing/making your argument. This is a tough crowd. ;)

      --
      "...there are some things that can beat smartness and foresight. Awkwardness and stupidity can." ~ Mark Twain
    12. Re:Telegraphing by lwsimon · · Score: 1

      I was on a flight last night, actually, and looked over to see a fire extinguisher behind the last row of seats.

      I can't take nail clippers on the plane (because I might hijack it!), but it's okay to leave a fire extinguisher sitting there. Ever see someone sprayed with a fire extinguisher?

      If America was a truly free country still, 9/11 would have ended with a bunch of terrorists with gunshot wounds.

      --
      Learn about Photography Basics.
    13. Re:Telegraphing by capnkr · · Score: 1

      +1 Funny. :)

      --
      "...there are some things that can beat smartness and foresight. Awkwardness and stupidity can." ~ Mark Twain
    14. Re:Telegraphing by lwsimon · · Score: 1

      That policy change happened before the day was out, even - as evidenced by a field in Pennsylvania. An airliner in the US will never be hijacked again.

      --
      Learn about Photography Basics.
    15. Re:Telegraphing by Mad+Merlin · · Score: 1

      Yeah, some of it is no doubt security theater, that's not in dispute...who says security theater isn't effective?

      Security theater is worse than no security at all.

    16. Re:Telegraphing by gavron · · Score: 1
      Thanks for the definition. It confirms there's no more security. There's just the appearance of same.

      See my post (grandparent's parent) on "Security theater."

      It has nothing to do with beliefs. Security is a fact, or in this case a fact of nonexistence.

      "This is a tough crowd"

      Work harder to convince them then.

      The facts speak for themselves.

      It's now Friday night. Have a good one. Try not to be confused by the appearance of something vs the real thing.

      E

    17. Re:Telegraphing by gavron · · Score: 3, Insightful
      "An airliner in the US will never be hijacked again."

      Sadly, sir, you are incorrect.

      E

    18. Re:Telegraphing by lwsimon · · Score: 1

      Do you honestly think a planeful of people are going to let someone take over the controls, regardless of what weapon he might have?

      That's not happening - it simply won't. They'd have to kill everyone on the plane.

      --
      Learn about Photography Basics.
    19. Re:Telegraphing by gavron · · Score: 1
      No, they'd kill one flight attendant, then grab another one by the neck and ask "Who wants to come up and be next?"

      All the little wannabe heroes would remain seated.

      Thanks for the question. Off to enjoy my weekend. There are no terrorists nor fake would-be security in my weekend.

      Best regards,

      E

    20. Re:Telegraphing by lwsimon · · Score: 1

      Just out of curiosity, have you ever been in a situation that involved the use of deadly force?

      --
      Learn about Photography Basics.
    21. Re:Telegraphing by capnkr · · Score: 1

      I'm not confused or tricked in the least - quite the contrary, in fact.

      Parse the 'security' definition a little further and/or with more care; in particular, pay attention to the use of the word "assure", as opposed to "ensure", which, based on how you are arguing this point, seems to be your expectation of what is implicit in the term and/or idea of 'security'.

      Security (3) reads: "Something that gives or assures safety,"

      The first half of Assure defined states:

      1. To inform positively, as to remove doubt. 2. To cause to feel sure. 3. To give confidence to; reassure.

      I do understand the point you are trying to make, and why. In fact, we are likely largely in agreement. I am simply pointing out that the statements you are making are overbroad and general, and that you could make them more effective in order to get the point across.

      Have a good Friday evening yourself. :)

      --
      "...there are some things that can beat smartness and foresight. Awkwardness and stupidity can." ~ Mark Twain
    22. Re:Telegraphing by Anonymous Coward · · Score: 0

      Bahaha, this ain't no amusement park ride kid

    23. Re:Telegraphing by Jah-Wren+Ryel · · Score: 0, Flamebait

      Wrong. There IS more security today. Lots of it - just go to an airport and look.

      Security definition. Check 3(b).

      Wooo-hoo! Dictionary flame! You are kicking ass in this fight!
      Semantic dickweed for the win!

      --
      When information is power, privacy is freedom.
    24. Re:Telegraphing by MobileTatsu-NJG · · Score: 1

      That is such incredible BS. Disregarding the heightened awareness of airport personnel and stricter rules for metal detection, body pat downs, and newer equipment, what about air marshals?

      Not to mention that it would have been crazy to attempt a hijacking after that. As soon as you made a move *bam* a sea of people would have sat on you.

      Heightened state of alert. It's not just for passengers, it's for corruptible PA's, too.

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    25. Re:Telegraphing by Anonymous Coward · · Score: 0

      Kinda like flying right after 9/11.

      lol, wow that 9/11 comment sure started a fire of replies

    26. Re:Telegraphing by jonbryce · · Score: 1

      Yes, if they were so busy looking for dark skinned people with bottles of Evian mineral water that they missed some Russians with Polonium. This did happen.

    27. Re:Telegraphing by ShakaUVM · · Score: 1

      >>No, they'd kill one flight attendant, then grab another one by the neck and ask "Who wants to come up and be next."

      Have you SEEN a box cutter? They're x-acto knives, dude. If some terrorist has hijacked my plane by shouting at the pilot through the security door that he can't get through now, and the pilot is - what? - intimidated into steering into a skyscraper (think about why this doesn't make sense) AND is waving a box cutter with a 3/4th inch blade sticking out of it, then fuck yeah I'm taking the guy on, and there'll be another hundred people behind me in case I go down with a minor laceration to the arm or something.

      The other guy is right - there's been a culture change on our airplanes after 9/11. Prior to it, the idea was to stay cool and let the terrorists land and try to get their money. After it, you have a hundred angry passengers trying to take you down.

      I'm sorry you like the phrase "security theatre" so much, but think about the case of the Shoe Bomber. YES, we have the stupid fucking policy of "take off your shoes through security" which is probably the single biggest factor in the slow lines we have now, but, from Wikipedia, "The 6 foot 4 inch (193 cm) Reid was eventually subdued by other passengers on the airliner, using plastic handcuffs, seatbelt extensions, and headphone cords."

      But don't let facts get in the way of your nice, pat, theory that you read somewhere.

    28. Re:Telegraphing by gavron · · Score: 1
      You're still thinking in the past. Steering into skyscrapers is an 8-year-old attack vector.

      The point of security is to prevent a future attack vector, and the boxcutter at the throat does well. A simple phrase like "We're not going to crash we just want to go to X" will prevent anyone from rushing the attackers, potentially risking the lives of the flight attendants. Your fat ass will stay in its seat as will those of the hundreds of people you think would follow you in your playstation-fantasy of a situation. One day when you're in a real life/death situation you'll find it's not quite as easy as your slashdot-keyboard-aloofness suggests.

      In any event it's not relevant what boasters like you claim they'll do. That's not "security" and it's not "enhanced security" and it didn't make flying after 9/11 any safer, and that's what the OP was talking about.

      Here's a Cliff's notes version of this little portion of the discussion about why you should NOT TRUST STRONGWEBMAIL to be safe and secure:
      What I said: There's no additional security.
      What others have said: But there's newer screening technology.
      What I said: The puffer machines only detect fine residue of gunpowder and explosives.
      What others have said: But people will rise up on the plane.
      What I said: That's not security. That's people rising up on the plane. Easily stopped through coercion or acid in the face.
      What others have said: Ha, you just like to say security theater (note the spelling of theater)
      What I said: It IS security theater, it's not security.

      So if you've read all this and grokked the big words, you'll know that it comes down to this:
      Strongwebmail was hacked.
      It is not secure.
      The OP said he'd trust Strongwebmail BECAUSE they were hacked because NOW (that they'd been hacked) they'll be really secure... just like airports after 9/11.
      I said airports were no more secure after 9/11, and still aren't.
      And here we are.

      E

    29. Re:Telegraphing by maxume · · Score: 1

      Hardened cockpit doors and the elimination of 3/4 of Al Qaeda don't count?

      --
      Nerd rage is the funniest rage.
    30. Re:Telegraphing by gavron · · Score: 1
      Hardened cockpit doors deal with the attack vectors of 8 years ago, nothing going forward.
      3/4 of a loose-knit association of any terrorist who wants to claim it never happened. Al Qaeda isn't a country-club that has a set number of members and if you go and kill some of them in Afghanistan -- or pretend they're really in Iraq and go kill random people who hate you there -- you don't impact them.

      Even if Al Qaeda WAS an organization *LOL*, that is one name of many of terrorist groups. Removing 3/4 of one group is like scratching half of one itching point. That doesn't increase security -- it just removes the bad terrorists (the ones who got caught or found out) and through Darwinism allows the better terrorists to advance.

      E

    31. Re:Telegraphing by maxume · · Score: 1

      Read at least the closing 2 paragraphs of each of these essays:

      http://www.schneier.com/essay-096.html
      http://www.schneier.com/essay-038.html

      You apparently think Bruce is a moron too.

      --
      Nerd rage is the funniest rage.
    32. Re:Telegraphing by gavron · · Score: 1
      I never ever used the word moron. Kindly don't put your words in my mouth.

      Second, while I agree with 90% of what Bruce says, I disagree with the idea that 300 people who have seen Passenger 57 are in some way a part of a successful response to a terrorist attack.

      On "the cockpit door" (which I brought up as a positive thing in this thread yesterday) there is a difference between "cockpit door to prevent incursion into the cockpit" (for which it is effective) and "cockpit door to prevent all attack vectors including hijacking through coercion" (for which it is ineffective).

      E
      Thanks for saying "read at least the ..." I recommend you read this whole thread. It will help you understand what the posters actually said.

    33. Re:Telegraphing by maxume · · Score: 1

      Yes, but are the cockpit doors nothing, or are they something?

      I sure don't think that everything done in the name of airport and flight safety has been effective, but saying that things are identical to 8 years ago (this seems like the most reasonable way to read nothing to me) is pretty silly.

      I read (one place) where you talk about cockpit doors; pretty much every pilot is going to let the stewardesses (and some passengers) die before they intentionally crash their planes, so yeah, the doors do actually make the people on the plane safer, the box cutter terrorists have to make a bloody mess killing them one by one instead of simply incinerating them.

      --
      Nerd rage is the funniest rage.
    34. Re:Telegraphing by Antique+Geekmeister · · Score: 1

      The last 9/11 attack failed because the old "leave the hijacker alone and everyone will probably be safe" no longer applied, and the passengers found out it no longer applied. Don't expect that kind of attack to work again anywhere. Even before the word of the crashes got out, there was at least one former member of the Israeli Defense Forces on one of the earlier 9/11 flights, Danny Lewin. I assume he tried something, unsuccessfully, because the FAA reports that he was stabbed by Satam al Suqami, the terrorist who had apparently been seated right behind Danny.

    35. Re:Telegraphing by gavron · · Score: 1
      Wow, now that's as far off-topic as we can get. The parent says nothing about security and nothing about StrongWebmail.

      Bring on the Nazi-Germany analogy, throw it on the wall to see if it sticks, and stick a fork in it.

      It's done.

      E

    36. Re:Telegraphing by maxume · · Score: 1

      Enjoy your cashews.

      --
      Nerd rage is the funniest rage.
    37. Re:Telegraphing by Moridineas · · Score: 1

      Security theater is worse than no security at all.

      Explain why.

    38. Re:Telegraphing by Moridineas · · Score: 1

      I can't take nail clippers on the plane (because I might hijack it!), but its okay to leave a fire extinguisher sitting there. Ever see someone sprayed with a fire extinguisher?

      Really? Do you REALLY ever fly? I've flown about a dozen times in the past year, have a normal sized stick of deodorant, travel shampoo, normal toothpaste, and nail scissors in my cosmetics bag and I've never once been stopped.

      I guess you think that planes should not have fire extinguishers??

    39. Re:Telegraphing by Anonymous Coward · · Score: 0

      I've actually been someone at a bar or a public place and once on a college frat row sidewalk when someone was attacked and I ran to help, and defended strangers from being beaten. I even stopped a screaming maniac with a sword once: that was scary as hell. I was off-duty, but had some idea how to get inside his grip and give him a very unpleasant surprise or two. Heroes still exist. Sometimes we can surprise even ourselves, because we didn't realize we were heroes until we saw the need.

    40. Re:Telegraphing by Moridineas · · Score: 1

      "Heightened awareness" of untrained personnel yields more chaos and more chaff, not more data. Sorry.
      Body pat downs are security theater. The 9/11 terrorists didn't have boxcutters on them nor would that have been found in a pat down.

      You know that's interesting--blanket statements without the slightest bit of supporting evidence. Retraining staff was a large part of post-9/11 reforms. Patdowns--which I've only ever had to go through once when I forgot my shoes had some metal in them (this was before pro forma taking off of shoes)--are certainly effective as a layer of security. Should cops (etc.) get rid of patdowns on criminals since it's just security theater?

      Newer equipment has only been installed in test markets to do the "puff" test. It detects gunpowder or explosive residue. Neither the "liquid explosive" (myth) nor the boxcutters can be detected by it.

      I'm not sure where you're getting these facts--at my local airport shortly after 9/11 they added a new security step for all checked luggage -- a new machine that kind of jutted out into the departures area and that was a new addition. I don't know what it is. Additionally, they added what I assume is the "puff" test for when you are going through security (took swab samples of various parts of your luggage?). Lastly, in the past year they have added one of those obnoxious full body scanners. That seems like a good amount of new equipment to me...

      Under-cover air-marshals board first, and keep their jackets on. IF THEY WERE ADEQUATELY TRAINED, NOT CORRUPT (see many news stories to the contrary) then they might make a difference but not for any real scenarios.

      That, yet again, is utterly ludicrous. They're called undercover for a reason, and the slightest research would show that they haven't had to wear their uniforms in several years. Secondly, who cares if they are undercover or not--undercover or overt, it's still an official presence on flights.

      You forgot to mention "reinforced cockpit doors" and "not congregating at the toilet." These also, like the former, do not prevent a terrorist with a boxcutter from putting it to the throat of a flight attendant (and four of them doing so to all four flight attendants) and threatening to kill them all.

      I did neglect to mention them, you're correct. Yeah, reinforced doors may not save passengers or crew, but you can bet they save the pilots from being murdered and the plane flown as a weapon. You may remember that's what happened in 9/11 and is the ABSOLUTE WORST outcome of a terrorist hijacking.

      Before you argue whether such an attack would be successful -- consider this -- if they can do it (which they can) then security since 9/11 has not increased which is exactly what I said.

      Like I said, worst case scenario for a hijacking with reinforced cockpit doors is the passengers and crew are killed, and maybe a bomb or something is set off destroying the plane. It's absolutely effective for stopping a terrorist hijacking that planned to kill the pilots and use the plane itself as a weapon. That is the main goal of most of these security steps.

      It's effective as mediocre entertainment if someone you don't like has to go through it.

      It's not effective as security.

      I find that very debatable.

      Cheers.

    41. Re:Telegraphing by Moridineas · · Score: 1

      That's a red herring.

      No, it's really not. But you ARE missing the point here. Stopping weaponized planes is exactly what most of the security additions are about.

      These same N terrorists (pick a number -- the lack of security won't prevent ten boxcutters from being brought on board any more than they'd not prevent 4 being brought on board) can threaten a LARGE number of innocent women, children, and men.
      Pilots will likely respond and land the plane. Sure, it won't be used as a weapon (but that was the 8-year-old plan... not tomorrow's plan). They can still get hundreds of hostages.

      Yeah sure, terrorists being able to avoid watchlists, smuggle on boxcutters, and attempt to overcome any air marshal on board the plane to take the passengers hostage is a certain possibility. However, since nothing remotely close has happened since 9/11, you're talking in pure hypotheticals. The scenario of "planeful of hostages" versus "weaponized plane impacting urban area" I think is a tradeoff just about anybody would choose to make.

      Again, the web site does not provide stronger security. The airlines do not provide stronger security. There is equal lack of realism in saying "I'd rather fly now than before 2001" as "I'd rather trust strongwebmail now rather than before they were hacked." Neither has improved their security.

      I really think the onus is on you here--you keep repeating the same things, so where's the proof? Let's see a comprehensive study of airline security before and after 9/11.

    42. Re:Telegraphing by russotto · · Score: 1

      You forgot to mention "reinforced cockpit doors" and "not congregating at the toilet." These also, like the former, do not prevent a terrorist with a boxcutter from putting it to the throat of a flight attendant (and four of them doing so to all four flight attendants) and threatening to kill them all.

      The toilet stuff (not congregating, and not using the forward toilet if you're in steerage) isn't security OR security theatre. It's a way for the airlines to use government force to keep first class service levels better than those in economy.

    43. Re:Telegraphing by gavron · · Score: 1

      Most US flights are "regional" carriers and don't include any class of service other than coach. There is no distinction between the forward lavatory and the rear. The restriction on "congregating" near the forward lavatory is pure security theater.

    44. Re:Telegraphing by gavron · · Score: 1
      "I really think the onus is on you here--you keep repeating the same things, so where's the proof? Let's see a comprehensive study of airline security before and after 9/11."

      Before 9/11: 0 hijackings using planes as weapons
      After 9/11: 0 hijackings using planes as weapons

      Best of luck to you argumentative types -- I've got some racing to go watch.

      Cheers,

      E

    45. Re:Telegraphing by russotto · · Score: 1

      The point of security is to prevent a future attack vector, and the boxcutter at the throat does well. A simple phrase like "We're not going to crash we just want to go to X" will prevent anyone from rushing the attackers, potentially risking the lives of the flight attendants. Your fat ass will stay in its seat as will those of the hundreds of people you think would follow you in your playstation-fantasy of a situation. One day when you're in a real life/death situation you'll find it's not quite as easy as your slashdot-keyboard-aloofness suggests.

      How many times have you been in one? And failed to act? It's de rigueur to assume that everyone is easily cowed and will never actually try to play the hero, but actual real life cases demonstrate otherwise -- unless people are actually taught not to fight back, a significant number of them will. Not everyone and certainly not the majority, but more than enough for there to be several on your average airliner. Probably more, if you count those who will act only after someone else does.

      Further, I'm not sure what good your boxcutter attack does the terrorists. The terrorist grabs a flight attendant to use as a hostage against the passengers. Now what? He still doesn't have control of the plane. He's got one hostage, or one per terrorist if there's multiple terrorists. The flight crew aren't going to open the door and be seen as the biggest chumps since Neville Chamberlain. And if a terrorist starts working on opening that door by force, a rather large number of passengers are not going to believe his assurances either. So best case scenario for the terrorists is that they land somewhere of the flight crew's choosing and a standoff continues until the SWAT team comes in.

    46. Re:Telegraphing by Moridineas · · Score: 1

      Best of luck to you argumentative types -- I've got some racing to go watch.

      Touché ;-)

      Cheers

    47. Re:Telegraphing by ion.simon.c · · Score: 1

      On top of that, he will have a tounge...

      Tongue. The word that you are looking for is tongue.

    48. Re:Telegraphing by ion.simon.c · · Score: 1

      Assurances are not security.

      To wit:
      I hand you a router. I assure you that you can put your unpatched Windows boxes behind this router, and it will protect them. I tell you that you can hook the other side of this router to the Internet and it will continue to protect those boxes from all threats.
      My assurances are nothing more than empty promises, as this router exposes each box that you attach to it directly to the Internet.

      Happy Saturday!

    49. Re:Telegraphing by ion.simon.c · · Score: 1

      No, they'd kill one flight attendant, then grab another one by the neck and ask "Who wants to come up and be next?"

      All the little wannabe heroes would remain seated.

      Doubtful. Even *I* can see that a planeload of people can overpower five? ten? attackers. If we can play up the passengers' fears of riding around in the guts of an extra-large missile, we can get them up and striking back. :D

    50. Re:Telegraphing by ion.simon.c · · Score: 1

      Security theater:
      A) Consumes resources better used elsewhere, like, say, real security.
      B) Can further reduce funding for real security by convincing less knowledgeable people that allocating resources to the smoke and mirror show actually *is* keeping them safer. They *feel* safe, so they don't see the need to spend more for something that actually *keeps* them safe.

      Please don't go off on a tangent about the TSA or stuff like that. I'm addressing your challenge and nothing more.

    51. Re:Telegraphing by Moridineas · · Score: 1

      The exact quote I questioned was "security theater is worse than no security at all", so I don't really think your point "A" is relevant (or really "B" for that matter).

      Your point "B" assumes that security theater doesn't also convince the people who are the targets of security that they are less able to get stuff through security. If they *feel* they are less able to get illicit stuff onboard a plane, then that's a perfect example of security theater working.

      Beyond that, I do question how much of TSA is security vs security theater, but as you say, that's another tangent :-)

    52. Re:Telegraphing by Anonymous Coward · · Score: 0

      Rarely say never. That was not a case where you should.

      An airliner will be hijacked again in the US. If it happens "soon", then it will be an unsuccessful hijacking. If the perpetrators wait long enough (about a human generation, so ten/twenty to thirty/fifty years) then the majority of the victims will not be so affected by the current climate nor by the September 11th hijackings, and will not resist, leading to a successful hijacking.

      People have said that certain things may never happen again in the past, and usually, if not always, they were proven wrong.

    53. Re:Telegraphing by ShakaUVM · · Score: 1

      >>Your fat ass will stay in its seat as will those of the hundreds of people you think would follow you in your playstation-fantasy of a situation. One day when you're in a real life/death situation you'll find it's not quite as easy as your slashdot-keyboard-aloofness suggests.

      I was jumped a couple times when I was a teenager, and my fight or flight reflex is definitely set to fight. The fact that I'm 6'6" and have been doing martial arts for 10 years is just gravy on the cake. I wouldn't want to fight a guy with a gun, and I've done enough work with knives to be pretty cautious of them, but an X-acto knife? Come on, dude. And even knife wounds are better than being pancaked into a skyscraper.

      Besides, actual examples (you know, in "real life") show that you're wrong. People are no longer willing to sit back and watch terrorists hijack a plane. There's been a lot of cases of passengers wrestling people to the ground, you just don't hear about them as much because the press only talks about security failures, not security successes, which biases our opinion on the matter.

      As for the guy saying he'd trust strongbad's email because it had been hacked recently... I'll give you a hint. It was modded "funny".

    54. Re:Telegraphing by Anonymous Coward · · Score: 0

      The same goes for requirements to have a Hazmat endorsement on a CDL. Are terrorists going to placard their suicide bomb carrying trucks? Will they also stop at railroad crossings and do everything else as they might professionally do, if they're carrying out a plan? Security is a foolish concept created by assholes that like to capitalize on morons. And there's nothing wrong with making a buck on morons. :)

  4. Interesting approach by l2718 · · Score: 3, Insightful

    Offering bounties is a great approach to finding bugs in your code. The crackers are taking quite a legal risk, however -- what if the owner of the computer decided that they "exceeded the hacking authorization"?

    1. Re:Interesting approach by The+MAZZTer · · Score: 4, Insightful

      As long as they followed the rules, in theory they could probably defend themselves quite well in court considering the whole thing with the prize money and the offer. It's a bit hard to claim that someone illegally hacked into your system when a) you invited anyone to hack it and b) you laid out rules WHICH THEY FOLLOWED.

    2. Re:Interesting approach by Eil · · Score: 1

      IANAL, but... In a U.S. court, you can be successfully sued or convicted for doing something that's against the law, even if there is an abundance of evidence that the "victim" gave you permission to do so. There is no reason to believe that the same couldn't happen to this team of researchers.

      In the late 80's and early 90's, various police departments and government agencies were trying to make examples out of evil computer hackers (who would probably be called "digital terrorists" or some such nonsense these days). They managed to put many behind bars even though the companies they "hacked" refused to press charges because in most cases no damage was done, the company plugged the security hole, and the hackers often told the companies how they got in after the fact. A sufficiently evil prosecutor could easily charge the researchers in this case with unauthorized access of an information system and win, because a judge and jury are bound to follow the letter of the law and the law doesn't allow for exceptions when permission is granted.

  5. Put the Vi.agr.a team on it!!! by Anonymous Coward · · Score: 0

    They'll break it. Guaranteed. Or your money back.

  6. This is obvious by empesey · · Score: 5, Insightful

    If the idea is to determine whether it can be cracked, why are there rules? Whether they followed some self-imposed rules or not, it still indicates that there is a weak link in the armor.

    1. Re:This is obvious by Anonymous Coward · · Score: 1, Funny

      , it still indicates that there is a weak link in the armor.

      That's not the preferred nomenclature. Asian-american, please.

    2. Re:This is obvious by Anonymous Coward · · Score: 1, Informative

      This joke wasn't immediately apparent to me. If it isn't to anybody else, then my advice to them is to try to imagine synonyms for "weak link" as it applies to armour.

    3. Re:This is obvious by Anonymous Coward · · Score: 0

      You found the chink in my armor!

    4. Re:This is obvious by houghi · · Score: 2, Interesting

      Because they might not be interested in seeing if it as a whole can be hacked, but if certain parts can be hacked. They might be aware that it can be DDoSed. They know that social engineering will work, so they do not need or do not want to test those parts of the security.

      It is like a bar game. You have a glass with beer and on top is a coaster. You must drink the beer without touching the coaster, and when done drinking the coaster must be on top of the glass again.
      The solution would be to take two barstools, place them close together, get the glass from top to bottom so that the coaster rests on the two stools and the glass is still in your hand. Drink the beer, and pick up the coaster with the glass.

      Now you could say "why rules? Just drink the beer." But the challenge is not drinking the beer. The challenge is to solve the problem on HOW to do it. The beer is the prize.

      --
      Don't fight for your country, if your country does not fight for you.
    5. Re:This is obvious by Yaur · · Score: 1

      Social engineering shouldn't work. In this case only the CEO should have the password and probably isn't giving it out. If social engineering works (and the CEO isn't involved) it suggests that they are storing or moving passwords insecurely which is a significant problem.

    6. Re:This is obvious by TheLink · · Score: 1

      There are always rules in a contest.

      Rule #0 - A "win" is defined by the rules.

      If there are no rules, there is no winning. If there is no winning, what sort of contest is it? And who gets the prize?

      Yes there may be a weak link in the armor, but if you don't follow the rules you SHOULDN'T get the $10K.

    7. Re:This is obvious by Anonymous Coward · · Score: 0

      You're a fucking idiot.

  7. The Catch by LSDelirious · · Score: 5, Informative

    from StrongWebmail's Site

    There's just one catch: to access a StrongWebmail.com email account, the account's owner must receive a verification call on his pre-registered phone number. So even though you have our CEO's username and password, you still have some work to do because you don't have access to his telephone. If you do manage to be the first person to break into his email account, there's $10,000 in it for you - just register below to get started. Good luck!

    So they have to hack the phone company's system too, or find a way to clone his cellphone, so they can intercept the call and approve access? They might be cool with having their own systems hacked, but it sounds like they are now involving a phone company, which might not be too thrilled to be a part of their little game - the only way around that I can see is to hack the StrongWebmail system to change the "pre-registered" phone number....

    And who the hell wants an email account you have to approve via phone call every time you log in?!? What if your phone is lost/broken/dead/has no reception/etc.? Then you have no way in.

    --
    Slavery is the legal fiction that a person is property; A Corporation is the legal fiction that property is a person.
    1. Re:The Catch by Tubal-Cain · · Score: 2, Funny

      Telesign, a provider of voice-based authentication software...

      Sounds like something for protecting a phone system.

    2. Re:The Catch by Gi0 · · Score: 3, Insightful

      If I could hack the phone company's system, or find a way to clone their CEO's cellphone, besides hacking their system, would I be willing to let them know for just 10 grand? Nope. That knowledge has got to be more precious.

      --
      There's no patch for stupidity
    3. Re:The Catch by Jaime2 · · Score: 2, Insightful

      Or hack the authentication system so that it thinks you already went through all that stuff when all you did was forge an authentication proof. Their system is very resistant to some types of attacks, like password guessing. But, it is no stronger than a normal username and password against most attacks on the system itself. StrongWebmail.com's biggest mistake was thinking that they knew of all of their weaknesses.

    4. Re:The Catch by mysidia · · Score: 1

      Or find a bug in the webmail system that lets them get through without access to the phone number, or lets them prevent or redirect the call.

      At one extreme... figure out how their system works, how it makes its outgoing calls, and one night, install some passive "taps" outside their building to capture the outgoing call when they attempt to login....

    5. Re:The Catch by michaelhood · · Score: 3, Funny

      My voice is my passport; verify me.

    6. Re:The Catch by digitalchinky · · Score: 5, Interesting

      Damn, I wish I lived in the US. This is easy money.

      For 10 grand in prize money - wow, they didn't think about this very well. The kit you need is all available on eBay for less than a grand. I already have the modems, EDT data capture cards, a couple of Sun Ultras (old, but they do the job dependably), a spectrum analyser, antennas, level converters, up/down converter, transceivers and a bunch of cables to connect it all together.

      It would take half a day at most. Camp outside his office or home, figure out which cell tower he is on (line of sight) and poke an antenna in the path of the microwave link the tower uses to talk to the exchange. (This traffic is all unencrypted, bog standard T1/E1 stuff) - do whatever you need to do to trigger the text alert, suck down the CCITT-7 channel, then pick through the SMS payload until you find the code. Log in and take the cash.

      Legal? I'd say absolutely, you haven't actually monitored a 'cell phone' at all, nor have you tuned your receive gear to any part of the spectrum used by a cell phone. All you've done is read the out of band signalling system on an entirely separate trunk over a link, that is not breaking the 'do not monitor phone calls' rule. (No such rules exist where I live, mostly because radio is still thought of as magic by the Government)

    7. Re:The Catch by JonJ · · Score: 3, Funny

      That's "easy money" where you live? Where the fuck is that? And I wonder what's considered "hard" for you people.

      --
      -- Linux user #369862
    8. Re:The Catch by digitalchinky · · Score: 3, Interesting

      I'm Australian, a former secret 3 letter agency drone (Defence Signals Directorate, and others), probably disgruntled, and a few years back I moved to Asia. I'd love to say I now dabble in a little light industrial espionage, but really, there isn't much of a call for former spies. People don't believe you anyway. These days I'm just some guy with a keen interest in radio communications. And this problem is naught more than a bit of a jigsaw puzzle of equipment and a hex editor. Pretty much anyone working with any kind of satellite communication system will be familiar with the technology.

      What is hard? For me, anything that is largely not radio communications, like women, and carburettors :-)

    9. Re:The Catch by koiransuklaa · · Score: 1

      It would take a half a day at most. Camp outside his office or home, figure out which cell tower he is on (line of site) and poke an antenna in the path of the microwave link the tower uses to talk to the exchange. (This traffic is all unencrypted, bog standard T1/E1 stuff) - do whatever you need to do to trigger the text alert, suck down the CCITT-7 channel, then pick through the SMS payload until you find the code. Log in and take the cash.

      I'm not saying GSM isn't swiss cheese from today's security POV, but you make it sound like you would definitely succeed in that: in practice it would require a lot of effort and luck. First of all you're implying all BTS-BSC traffic goes over microwave, which just isn't true: most of it is cable (probably partly because of the insecurity of the protocol). I've also heard some manufacturers break the standard and encrypt the BTS-BSC traffic in networks that are all their equipment (no links, just hearsay, sorry).

      Second, while locating the cell might not be hard, locating the BSC is more work and getting to the line of sight could be a real pain... these are implementation details of the attack but IMO important since you said "this is easy money": I disagree, it probably would not be easy even if you were lucky and the link really was microwave, definitely not half a day. Plus it absolutely would be criminal at least here in Finland, I'm guessing your laws don't actually require you to 'monitor a call' either for it to be criminal...

      It's entirely possible that breaking the phone-BTS encryption could be an easier solution -- at least if they were still using A5/2 (an encryption shown to be just slightly better than ROT-13 when there is any known plaintext), but I guess that's not the case in the US. Social engineering or just lifting the phone from the CEO's pocket are almost certainly easier...

    10. Re:The Catch by karbyn-aceous · · Score: 0

      Open the pod bay doors, HAL.

    11. Re:The Catch by cOle2 · · Score: 1

      I'm no hacker but if you already have access to their systems then wouldn't it be easier to just change the phone number to one you control than to intercept a phone call or some such. Just a thought.

    12. Re:The Catch by digitalchinky · · Score: 1

      Hopefully there would be no need to mess with the GSM/CDMA over the air part, but you are right, lots of papers on the encryption schemes and they could be brute forced if time is not much of a factor. You are right about the luck part in some ways, but perhaps not as much as you might think. Unless the guy has his office on the 35th floor and has a thousand in view, then probably we only need to seek out 3 or 4 towers at most and work with those.

      I concur, not all of these are microwaved, but in built up city areas, ~many~ of them actually are. (And if 10k was important enough, you'd hit the comms box and wire yourself in directly) Some are non-standard, but by their nature they will be either entirely packet switched, or multiplexed. It's just a binary data stream, so worst case whatever it is, it's going to raster at some width and give itself away. SS7 is in the majority of cases a 64kbps packet switched channel, the vocoders are normally taking up 16kbps and get padded out a little. Law of averages would hopefully be on my side here.

      I've never seen a BTS-BSC link that has been 'encrypted', though I don't doubt you on this point, it wouldn't surprise me at all. Having tuned up a lot of these things I've never actually seen one using encryption.

      I'm not sure if I'm understanding the methodology of this email system though; if it uses a simple SMS to send its secret key, then it is entirely trivial. We already know what we are looking for - the origin, destination, and payload. Though if we have to pick out a particular audio stream from the pile, we would require the services of a few extra sets of ears, but then we are moving into the realms of the illegal. If that were the case, and I didn't care about breaking the law, I'd modify my estimate to about a week. If it works on some kind of voice print authorization then it'd make things a little bit more complicated again, we'd have to get a sample from the man, but still not impossible.

      I did gloss over the details a little bit - lots of cell sites act as relays for others, and many that are wired up can actually have air gaps in places, so there are still vulnerabilities. There might well be a lot of data to sift through, but really, we know the phone number of the calling system, so it still wouldn't take very long to narrow things down to the right trunk. It's all in the SS7 links so we have a waiting game, but we wouldn't be passive, we'd be working pretty hard to activate the guys phone as often as we could.

      I guess the bigger picture is whether 10 thousand is enough to reveal the methodology - everyone has a price I guess. Others have pointed out the legalities better than I know them.

    13. Re:The Catch by toddestan · · Score: 2, Insightful

      The only detail that you're missing is that you would also need his username and password in addition to being able to tap his cell phone.

    14. Re:The Catch by Anonymous Coward · · Score: 0

      In the US, this level of skill generally hires out for more than 10 grand for an on-site engagement. The money is actually too low, which is why it is surprising anyone succeeded - nobody good enough should get involved for that little, especially since it's not even guaranteed, you might fail if they are good or someone else might beat you to it if they are bad.

    15. Re:The Catch by Anonymous Coward · · Score: 0

      This wasn't an on-site engagement. This was 3 hackers putting in a few hours of free time. The result is a few bugs patched, not a comprehensive security review, which would be virtually guaranteed to find many more such bugs.

      You can bet that if they found more (and they probably did), they aren't sharing the details... especially not if StrongwebMail is trying to back out of paying.

  8. Full Details by LSDelirious · · Score: 0

    here: Official Contest Rules, Terms, and Conditions

    --
    Slavery is the legal fiction that a person is property; A Corporation is the legal fiction that property is a person.
    1. Re:Full Details by LSDelirious · · Score: 5, Informative
      --
      Slavery is the legal fiction that a person is property; A Corporation is the legal fiction that property is a person.
  9. RULES? by Anonymous Coward · · Score: 0

    one question stands out in my mind.... what WERE the rules to the contest? and was it stated they could be changed at any time?

  10. Hate to be a pedant.... But, by davidsyes · · Score: 1, Offtopic

    "break-in'", or "break-in"?

    This is annoying, just as is "Logout", which is best thought of as an act, so it should be written as "Log out", nnnnnnnoTTTTT, "Logout". When I see "logout" I think "oh, a PLACE". When I see "Log out", I thank the smarter site editor and imagine an act, not a place... But, that's just me...

    --
    Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
    1. Re:Hate to be a pedant.... But, by Anonymous Coward · · Score: 0

      Huh?

    2. Re:Hate to be a pedant.... But, by Anonymous Coward · · Score: 0

      This comment is a good vision test. ;)

    3. Re:Hate to be a pedant.... But, by geekprime · · Score: 1

      @davidsyes

      No, that's just you.

      Sorry.

    4. Re:Hate to be a pedant.... But, by Anonymous Coward · · Score: 0

      Haha, his marks. This reminds me of back in the day with some MIRC client as popular and flooding rooms with a name as a mixture of singles and doubles like "''"''''"""""""' . With the popular clients the ops would type your name into to kick you or ban you, but they couldn't type your name in because it was indecipherable, and they couldn't select your name in the namelist on the side (just because it wouldn't let you) and they couldn't select your name in the chat itself (because it was moving as you flooded). Always a good trick.

    5. Re:Hate to be a pedant.... But, by artor3 · · Score: 1

      Yeah, and blackbirds are just black birds, so it should be written that way!

      Or, you could learn English as it's actually used, instead of pretending it's a programming language.

    6. Re:Hate to be a pedant.... But, by sdBlue · · Score: 1

      Just to pedant you back... :) Out of curiosity, what place do you think of when you see "logout"? It's so common these days, and after all, isn't "common usage" what defines the English language?

  11. Just Kidnap the Bastard by LSDelirious · · Score: 2, Interesting

    Just make sure Darren Berkovitz has his phone on him. There's nothing in the rules against it...

    --
    Slavery is the legal fiction that a person is property; A Corporation is the legal fiction that property is a person.
  12. Blackjacking's been around for awhile by sgt_doom · · Score: 2, Informative

    Hacking (or blackjacking, to use the vernacular) cells has been in existence for quite awhile, with probably Thai coders taking the lead, with Chinese, Americans, Germans and Brits coming up from the rear.....

    1. Re:Blackjacking's been around for awhile by grcumb · · Score: 4, Funny

      Hacking (or blackjacking, to use the vernacular) cells has been in existence for quite awhile, with probably Thai coders taking the lead, with Chinese, Americans, Germans and Brits coming up from the rear.....

      That must be uncomfortable for the Thais...

      ... What? Oh! 'Coming up from the rear.' Forget I said anything.

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
  13. Webmail can be secured. It's simple. by symbolset · · Score: 1

    All you need are users who are willing to submit to invasive biometrics and can remember a few hundred pages of random one-time pad, an OS with no open ports, a data entry device that can't be subverted, a display device that projects no EMR, a single fiber from the reading device to the server protected by quantum encryption, gold shielding and armed guards for everybody involved including every developer who ever touched the code and every engineer who thought about the hardware, a whitelist both of senders and sending IP's all on a similarly secured network...

    No, never mind. I don't really know how to do this. Do not use the freaking Internet for stuff that must be secure.

    --
    Help stamp out iliturcy.
  14. Re:Webmail can be secured. It's simple. by Anonymous Coward · · Score: 0

    All you need are users who are willing to submit to invasive biometrics and can remember a few hundred pages of random one-time pad, an OS with no open ports, a data entry device that can't be subverted, a display device that projects no EMR, a single fiber from the reading device to the server protected by quantum encryption, gold shielding and armed guards for everybody involved including every developer who ever touched the code and every engineer who thought about the hardware, a whitelist both of senders and sending IP's all on a similarly secured network...

    Get ready for a call from the Feds, because you just leaked the specs for Obama's BlackBerry!

  15. Point of Order... by ae1294 · · Score: 2, Insightful

    Void where prohibited, taxed, or otherwise restricted by law. Subject to all federal, state, and local laws. This Contest is open to all legal residents of the United States and the District of Columbia, and U.S. Military personnel (and their families) with APO/FPO addresses, who are eighteen (18) years of age or older.

    Void where prohibited? - Hacking? Nah...
    Taxed? - Hacking? - Donno it might be now...
    Otherwise restricted by law? - Hacking? Nah....
    Subject to all federal, state, and local laws? - Hacking? Nah...
    Only open to US residents? - SURE, "all" the best hackers are US-born.
    18 Years of Age. - O yes, for "all" the best hackers are 18 and older because they have girlfriends, jobs and a shit-ton more to lose.

    Gezzzzz come on now... If you try and claim the 10 grand you're going to get 30 years in federal prison.....
    No wonder they didn't think anyone would try for the 10 grand.

    1. Re:Point of Order... by ae1294 · · Score: 1

      Taxed? - Hacking? - Donno it might be now...

      wait wait wait... are they saying VOID where the proceeds of the contest are TAXED? That would be everywhere in the US!

    2. Re:Point of Order... by benjamindees · · Score: 1

      The DMCA is probably the only law broad enough to include hacking that is expressly permitted. And, even then, calendar entries probably don't rise to the level of copyright protection. So I don't see what law would have been broken.

      --
      "I assumed blithely that there were no elves out there in the darkness"
    3. Re:Point of Order... by ae1294 · · Score: 1

      Are you a lawyer? I'm not but I am pretty sure there are anti-hacking laws... Where is a good lawyer when you need one.... for free.... at 1am on a Friday night.... while in jail....

      Someone needs to summon that NC-lawyer guy from his bed... Maybe prank call him and tell him the RIAA wants to settle to get him up on here to chime in.

      I read over their rules and it was extremely iffy looking to me... But I'm no Hacker, I mean lawyer so ehh...

      Anyway this story is 1am3, I will never use this company's product as I prefer an extremely old alpha copy of qmail and outlook express.

    4. Re:Point of Order... by ae1294 · · Score: 1

      Anyway this story is 1am3, I will never use this company's product as I prefer an extremely old alpha copy of qmail and outlook express.

      If you were wondering... I was taught to rename all of my executables on my server and replace them with very small shell scripts that mock all the hackers who gain root just before kill -9'ing their pids with a very meaty grep command...

      They think it's some sort of "chat with lisa" joke type server.. they are wrong... Dead Wrong...

    5. Re:Point of Order... by pavon · · Score: 3, Informative

      There are anti-hacker laws, but they generally read along the lines of

      Whoever having knowingly accessed a computer without authorization or exceeding authorized access...
      Whoever intentionally, without authorization to access any nonpublic computer ...
      Whoever knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access

      (From 18.USC 1030, the law Lori Drew was charged with)

      Darren Berkovitz gave explicit permission when he announced this contest, so they had authorization to attempt to gain access by any means allowed by the rules. The only restrictions given were that you had to register first, and you couldn't get help from a StrongWebmail employee.

      The rest of the rules looked innocuous to me. Most of it was standard boilerplate which is required by law for any contest - a cereal box prize will have the same language. The last paragraph of the third section was all just Disclaimers of Liabilities - we aren't responsible for network congestion if someone tries to DoS us to win the prize, we aren't responsible if you download some script-kiddy software to use in the competition and it screws up your computer, etc.

      If you did clearly break the rules then you could be charged under 18 USC 1030, as the access was unauthorized, knowing (you agreed to the rules), and fraudulent (you were attempting to cheat them out of prize money), and crossed state lines. But they weren't tricky rules to follow.

    6. Re:Point of Order... by amicusNYCL · · Score: 1

      Only open to US residents? - SURE, "all" the best hackers and US born.
      18 Years of Age. - O yes, for "all" the best hackers are 18 and older because they have girlfriends, jobs and a shit-ton more to loose.

      They have to limit their liability by only allowing American adults, a minor can't enter into a contract so there's no point in even allowing them to compete. They probably need to be American just in case the company decides to sue them. As for hacking being illegal, it's not exactly illegal when you have permission to do it. The definition of hacking includes lack of authorization to do what you're doing. If you have authorization, legally speaking you're not hacking.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    7. Re:Point of Order... by Anonymous Coward · · Score: 1, Informative

      For the love of anything anyone considers holy, don't mod this "Insightful."

      Funny perhaps, in a sort of tongue-in-cheek way...but seriously, all of those restrictions are generally required for any kind of contest with a large cash reward. It's just to remove any liability from the company for refusing would-be contest winners that are not permitted through laws, or for any actions of individuals illegally participating.

    8. Re:Point of Order... by Anonymous Coward · · Score: 0

      There are laws regarding the way contests conducted in the United States are allowed to work.

      Nothing to see here.

    9. Re:Point of Order... by ae1294 · · Score: 1

      They have to limit their liability by only allowing American adults, a minor can't enter into a contract so there's no point in even allowing them to compete. They probably need to be American just in case the company decides to sue them. As for hacking being illegal, it's not exactly illegal when you have permission to do it. The definition of hacking includes lack of authorization to do what you're doing. If you have authorization, legally speaking you're not hacking.

      But when you combine point A with point B you get the legal paradox of "the hacker smashed our system" and thus wins the 10 grand, but we are suing them for 150 grand in damages unless of course he wants to work off the debt by fixing our servers.. frickin genius...

    10. Re:Point of Order... by ae1294 · · Score: 1

      Funny perhaps, in a sort of tongue-in-cheek way...but seriously, all of those restrictions are generally required for any kind of contest with a large cash reward. It's just to remove any liability from the company for refusing would-be contest winners that are not permitted through laws, or for any actions of individuals illegally participating.

      Yeah yeah bash the drunk guy on Friday night who points out that a hacking contest has a long list of restrictions and requires you to follow the law in order to get paid.

      Yawn...

    11. Re:Point of Order... by ae1294 · · Score: 1

      If you did clearly break the rules that you could be charged under 18.USC 1030 as the access was unauthorized, knowing (you agreed to the rules), and fraudulent (you were attempting to cheat them out of prize money), and crossed state lines. But they weren't tricky rules to follow.

      Since hackers were required to register with them, let's hope no one did anything that StrongWebmail finds didn't follow their rules, or at least that they choose to be honest and not make false claims about those "hackers" just to avoid paying and/or have them ToS'ed in jail.

    12. Re:Point of Order... by Anonymous Coward · · Score: 0

      Don't belittle my drunken ramblings you COWARD!

    13. Re:Point of Order... by selven · · Score: 1

      Hacking is perfectly legal, just like lockpicking. What's illegal is trespassing.

    14. Re:Point of Order... by ae1294 · · Score: 1

      Hacking is perfectly legal, just like lockpicking. What's illegal is trespassing.

      And yet lock picking tools are perfectly illegal in many states.

  16. Hacking by Anonymous Coward · · Score: 0

    Hacking by definition is gaining "unauthorized access". If you are providing a reward, rules, and encourage people to participate (as in a contest), does it really count as unauthorized access?

  17. Oh, no. by symbolset · · Score: 1

    Obama's CrackBerry has even better security: it's being operated by somebody who's not stupid.

    /Was that a state secret? Should I not have said that?

    --
    Help stamp out iliturcy.
  18. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  19. Password are bad for security. by mcrbids · · Score: 1

    Passwords are a bad means of securing a computer. Sure, passwords are a far cry more secure than no authentication at all, but they do have some pretty severe limitations...

    1) Any breach of a password pretty much kills them. Dead. If your ex-GF/BF gets the password to your webmail account, god help you, because the password in their hands works just as well as in yours.

    2) Usually you don't have any (obvious) way of knowing that the breach occurred.

    3) Because of (1) and (2), they are highly vulnerable to social engineering attacks: just convince somebody to give the password and it's game over. And it doesn't have to be you: it could be the system administrator, somebody at the help desk, you name it.

    So they have to hack the phone company's system too, or find a way to clone his cellphone, so they can intercept the call and approve access?

    Yes. That's the point, and it's a good point, too. This is a good step towards improving security, and I've toyed with doing something similar with our web-based product. Basically, the idea goes like this:

    1) End user enters login name, clicks the "next" button.

    1a) (in the background, a text message is sent to user's cell phone, with a code tied to the account and to the specific login session)

    2) End user enters password, clicks the "next" button.

    2a) (password verified against login account)

    3) End user enters code that they've received on their phone, click next

    3a) (system compares login, password, session, and entered code. If they all match, user is allowed through.)

    In order to compromise this system without actually rooting the server, the hax0r has to: know the login & password, have the cell phone or hax0rz the phone company, AND know the session code sent to the end user's browser. While not actually impossible, it's a damned sight more difficult than just a username/password!

    Usually, the only way to accomplish these is to either BE the person, or steal their phone AND know their login/password. And if the phone is stolen, the rightful owner only needs to make a phone call to report it stolen, so the attack window is very small.

    This is a GOOD thing folks!

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
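
The three-step flow described in this comment, as an added example that is not from the original post and not StrongWebmail's or Telesign's code: a small Python login server that binds the phone code to one login session, expires it, accepts it exactly once, and throws the pending login away after a few wrong guesses. One deliberate deviation from the steps above: the code is generated and sent only after the password checks out, so a bare username cannot be used to make the service spray text messages. The user store, the PBKDF2 password hashing, the capturing SMS "gateway" and the manual clock are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 120      # a code is dead two minutes after it is sent
MAX_OTP_ATTEMPTS = 3       # then the pending login is discarded


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256. An assumption for the demo: the page does not
    say how StrongWebmail stores passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class OtpLoginServer:
    """Username -> password -> phone code, with the code bound to one login session."""

    def __init__(self, users, send_sms, now=time.time):
        self.users = users            # username -> {"salt", "pw_hash", "phone"}
        self.send_sms = send_sms      # callable(phone, text); stands in for a real gateway
        self.now = now                # injectable clock so expiry can be exercised
        self.pending = {}             # login session id -> state
        self.authenticated = {}       # auth token -> username

    def start_login(self, username: str) -> str:
        """Step 1: hand out a login session id. Looks the same for unknown users."""
        sid = secrets.token_urlsafe(32)
        self.pending[sid] = {"username": username, "password_ok": False,
                             "code_hash": None, "issued_at": None, "attempts": 0}
        return sid

    def submit_password(self, sid: str, password: str) -> bool:
        """Step 2: check the password; only then generate and send the code."""
        state = self.pending.get(sid)
        user = self.users.get(state["username"]) if state else None
        if user is None:
            return False
        if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
            return False
        code = f"{secrets.randbelow(10 ** 6):06d}"
        # Keep only an HMAC of the code keyed by the session id: a leaked session
        # table yields no live codes, and a code captured from one login attempt
        # does not verify against another session's state.
        state["code_hash"] = hmac.new(sid.encode(), code.encode(), "sha256").digest()
        state["issued_at"] = self.now()
        state["password_ok"] = True
        self.send_sms(user["phone"], f"Your login code is {code}")
        return True

    def submit_code(self, sid: str, code: str):
        """Step 3: login, session and code must all line up. Returns an auth token
        on success, None otherwise. The pending login is consumed on success,
        on expiry, and when the attempt budget runs out."""
        state = self.pending.get(sid)
        if state is None or not state["password_ok"]:
            return None
        if self.now() - state["issued_at"] > OTP_TTL_SECONDS:
            del self.pending[sid]
            return None
        state["attempts"] += 1
        presented = hmac.new(sid.encode(), code.encode(), "sha256").digest()
        if hmac.compare_digest(state["code_hash"], presented):
            del self.pending[sid]                   # single use
            token = secrets.token_urlsafe(32)
            self.authenticated[token] = state["username"]
            return token
        if state["attempts"] >= MAX_OTP_ATTEMPTS:
            del self.pending[sid]
        return None


def build_demo_server():
    """Constructed fixture: one user, a capturing SMS 'gateway', a manual clock."""
    salt = secrets.token_bytes(16)
    users = {"darren": {"salt": salt,
                        "pw_hash": hash_password("correct horse", salt),
                        "phone": "+15555550100"}}          # made-up number
    outbox = []                                             # (phone, text) pairs
    clock = [1_000_000.0]
    server = OtpLoginServer(users, lambda phone, text: outbox.append((phone, text)),
                            now=lambda: clock[0])
    return server, outbox, clock
```

The design point is step 3a: the server never checks "is this a valid code", only "is this the code for this session id" (the session id is the HMAC key), so a code lifted off the air or out of a log for one login attempt verifies against nothing else. None of this protects what happens after step 3: once the browser holds an authenticated token, anything that controls that browser rides along, which is the objection raised in the replies.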
    1. Re:Password are bad for security. by Anonymous Coward · · Score: 0

      In order compromise this system without actually rooting the server, the hax0r has to: know the login & password, have the cell phone or hax0rz the phone company, AND know the session code sent to the end user's browser. While not actually impossible, it's a damned sight more difficult than just a username/password!

      Usually, the only way to accomplish these is to either BE the person, or steal their phone AND know their login/password. And if the phone is stolen, the rightful owner only needs to make a phone call to report it stolen, so the attack window is very small.

      This is a GOOD thing folks!

      Security seems much easier than it actually is (hint: you missed a significant attack vector) so you are usually better off leaving it to pros... If you need this level of security you should buy/license/integrate with SecureID or something similar.

    2. Re:Password are bad for security. by _Sharp'r_ · · Score: 1

      1. Install script in end user's browser using drive-by download on site you get them to access, emailed javascript, etc... multitude of ways.
      2. Wait for end user to accomplish steps 1-3a for you, which he will the next time he checks his mail.
      3. Installed script passes whatever you want back to you since it now has secured access to your secure site. (???? step)
      4. Profit $10K!

      The phone call method of security is useless if you can just wait for the end user to legitimately accomplish it for you when they think they're doing it for themselves.

      --
      The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
  20. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  21. Log On/Off, In/Out Annoyance by msgmonkey · · Score: 1

    What greatly annoys me is when I see a site has that has for example a "Log On" button but the corresponding button is called "Log Out" when it should be "Log Off".

  22. Hacking into webmail by brys · · Score: 1

    Hacking into webmail normally is done by sending email which exploits vulnerability of the web browser.
    It's easy to detect the browser USER AGENT, prepare hack (there are many, the browser can run many various code like java, javascript, flash, even adobe pdf, microsoft word etc) and send email and job done.
    Actually the CEO of that company probably didn't know that hacking webmail is always easy for experienced crackers.

  23. They don't use ssl by Anonymous Coward · · Score: 0

    Yes they call you to verify who you are, but they're not using ssl to secure the logins. Does not give a lot of confidence.

    Screenshots here:

    http://www.strongwebmail.com/secure/email/howitworks

    1. Re:They don't use ssl by Foogle · · Score: 1

      You can't possibly tell that from the screen shots. The form itself is not on an SSL-protected page, but that's not uncommon. What's important is whether it *submits* to an SSL-protected URL, and I'd be kind of surprised if they didn't do that.
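
One way to settle the question of where a login form actually submits, as an added example (my code, not StrongWebmail's and not taken from the linked page): a small Python audit that parses a page, picks out every form carrying a password field, resolves its action against the page URL and reports whether that hop is HTTPS. The HTML and the URL below are constructed for the demo, not captured from strongwebmail.com. One caveat the check makes explicit: a form served over plain HTTP can have its action rewritten in transit, so an HTTPS action on an HTTP page is reported as a partial result rather than a pass.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormFinder(HTMLParser):
    """Collects every <form>, noting whether it holds a password field and
    where its action resolves to."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # No action attribute means "submit to the current page URL".
            self._current = {"action": urljoin(self.page_url, a.get("action") or ""),
                             "has_password": False}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_login_forms(page_url, html):
    """One finding per password form: the resolved action, whether that hop is
    TLS, whether the page carrying the form is TLS, and a verdict."""
    parser = LoginFormFinder(page_url)
    parser.feed(html)
    parser.close()
    page_tls = urlsplit(page_url).scheme == "https"
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        action_tls = urlsplit(form["action"]).scheme == "https"
        if action_tls and page_tls:
            verdict = "ok"
        elif action_tls:
            # Credentials travel encrypted, but the http page that chose the
            # destination could have been altered on the way to the browser.
            verdict = "action-only"
        else:
            verdict = "cleartext"
        findings.append({"action": form["action"], "submits_over_tls": action_tls,
                         "page_over_tls": page_tls, "verdict": verdict})
    return findings


# Constructed sample: an http login page with a form that posts to https, a
# search form with no credentials, and a password form with no action at all.
SAMPLE_PAGE_URL = "http://www.example.com/login"
SAMPLE_HTML = """<html><body>
<form action="https://www.example.com/secure/login" method="post">
  <input name="user"><input type="password" name="pass"><input type="submit">
</form>
<form action="/search"><input name="q"></form>
<form method="post">
  <input name="user"><input type="PASSWORD" name="pw">
</form>
</body></html>"""

if __name__ == "__main__":
    for f in audit_login_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f["verdict"], f["action"])
```

Run it against a saved copy of the page with the URL you fetched it from; a screenshot, as the comment says, cannot answer this, but the form markup can.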

  24. Put their heads down? by Antique+Geekmeister · · Score: 1

    Won't they have to pull their heads out, first?

    Remember, folks, in the real world, crackers won't abide by your user agreements. They will look under your secretary's keyboard for the password list, check your logs for mistyped passwords instead of login names, read your Subversion stored plain text passwords from your backup tapes, and read your Wiki for shared passwords.

  25. It does have to do with the service by way2trivial · · Score: 1

    "Procedures and Policies" are as much a part of the service as the programming of the web engine.

    If you can trust the web engine, but not the staff- does it really matter? it's still a fail.

    --
    every day http://en.wikipedia.org/wiki/Special:Random
  26. my two cents by nimbius · · Score: 1

    pay the guys. they invested the effort to crack your impenetrable fortress of code, and you were stupid enough to encourage them. dont turn this into something akin to the qmail bounty.

    of course the idea of foss software comes to mind...where everyone has access to your obviously lacking source and can suggest cool new security features that arent cracked at a near zero day rate.

    --
    Good people go to bed earlier.
  27. Re:Full Details - or 'Contest can not be won' by Lobster+Quadrille · · Score: 1

    Unless the explanation itself is emailed to them and contains a secondary attack... if they really did it with XSS as the ZDNet article states, that's a reasonable assumption.

    But we may be bordering on ridiculous.

    --
    "The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base." --US Patent #5425497
  28. Re:Hate to be a pedant.... But, ... really odd by davidsyes · · Score: 1

    that this site behaves like an emo-machine...

    Yesterday, my original post/comment was -1, flamebait. This AM, it was 2, Insightful, up to an hour ago (12 PM PST). Now, it's -1, Offtopic.

    So I state an opinion, which a sane, normal grammar/English teacher might enthusiastically jump on, yet this site, chock-full of would-be intelligent people, has a number of pain-pushing lurkers, some even with very low numbers, who deign to seek out and stomp down the rating given by someone trying to be benevolent.

    This is why I've stated over and over that Slashdot is a breeding ground for emotionally disturbed (but outwardly intelligent -- mostly, but not all) people who have so much frustration in their lives that they just explode and take it out on someone for the smallest little infraction they cannot tolerate. I'm NOT just talking about subscribers/readers. I am 80% sure there are a few on-duty moderators who sit back and watch and allow such scoring to occur.

    I propose, as I have in the past, that Slashdot create a heuristics-like scoring and capping system where punishers are denied moderating privileges or at least have them degraded. "Balancers" would be accorded extra privileges when they promote or rescue comments. The scoring system would show how many moderators/readers read the thread scored/attacked, show the plot, and suggest from the database a handful of decent moderators/readers to weigh in to counter the effect of wingnut/one-shot/reactionary attackers who in large numbers (or, from the looks of things, small numbers) come along and just bury someone, not so much to suppress their comment from read-level view, but also to psychologically assail someone as if to say, "you're not welcome here -- unless you keep your TERSE opinions to yourself..."

    All it needs to look like is a combination of a Tektronix oscillator and a mini-scoring table. Nothing too hard to invent, and I certainly will not recognize any patent claims, because such a thing is described here in words, is obvious and easy to visualize, and deserves no patent protection anyway. With the brainpower at VA/Slashdot, such a scoring system would go a long way toward removing digital bully power in a geek forum. (And, yeh, 99% of the time that I am a paid contributor/subscriber, I post with the No Subscriber Bonus box checked, so I automatically start low, relying only on readers to buoy me, not my ego to buoy my comments.)

    If anything, such code could be developed as Open Source and published as prior art before some commercial entity picks up my comments/idea and tries to patent it. If such a system already exists, it ought to be reviewed for patent revocation.

    --
    Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
  29. Re:Hate to be a pedant.... But, ... really odd by davidsyes · · Score: 1

    Forgot:

    Being at "-1 to keep an eye out for abuses" does NOT WORK. It's nice to show, but if it doesn't "out" abusers, then "first responders" will merely be punished for buoying an abused, worthwhile comment. The key to clipping/nipping/curbing abuses is to out the abusing account, and remove that account's ability to post, or at least its ability to moderate, and make it painfully slow to access pages or see firehose submissions... something which I suspect IS being experimented with here on /.

    --
    Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"