Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hackers Claim $10K Prize For StrongWebmail Breakin

Posted by Soulskill on from the worth-their-while dept.

alphadogg writes "Telesign, a provider of voice-based authentication software, challenged hackers to break into its StrongWebmail.com Web site late last week. The prize: $10,000. On Thursday, a group of security researchers claimed to have won the contest, which challenged hackers to break into the Web mail account of StrongWebmail CEO Darren Berkovitz and report back details from his June 26 calendar entry. The hackers, led by Secure Science Chief Scientist Lance James and security researchers Aviv Raff and Mike Bailey, provided details from Berkovitz's calendar to IDG News Service. In an interview, Berkovitz confirmed those details were from his account. However, Berkovitz could not confirm that the hackers had actually won the prize. He said he would need to check to confirm that the hackers had abided by the contest rules, adding, 'if someone did it, we'll kind of put our heads down.'"

9 of 193 comments (clear)

  1. Hu? by ae1294 · · Score: 5, Insightful

    Wait I'm confused??? They expected the hackers to follow rules?

    1. Re:Hu? by MrMista_B · · Score: 5, Insightful

      Social engineering is an perfectly valid and entirely effective method of hacking.

    2. Re:Hu? by XanC · · Score: 4, Insightful

      But it doesn't test their software.

    3. Re:Hu? by C18H27NO3+ · · Score: 4, Insightful

      agreed.
      In the real world I'm not going to care HOW my secret correspondence was hacked when they assured me it would never happen.
      "They got in through a vulnerability in our OS, but our software held up".
      "Someone in our company helped themselves/someone else to your mails, but our software held up".
      "Someone installed a trojan that compromised the authentication system, but our software held up".

      I understand perfectly what they are trying to achieve with this contest but they come off as sounding as if any other means of obtaining 'secure' information is beyond their liability when they state that it is the most secure webmail system out there.
      There are many different levels to security that need to be continually addressed yet they seem to think that as long as their little solo phone app doesn't get compromised then it's not really their fault.
      At least that's the way the rules and TFA sound.

    4. Re:Hu? by Anonymous Coward · · Score: 5, Insightful

      They never logged into the account themselves.

      It's an XSS exploit: StrongWebmail expended all their resources attempting to prevent people obtaining credentials and logging in. However, send an email with an appropriate piece of script to the target user, or provide a link targetting one of the iframes on the site, and all you have to do is sit back and wait for that to get loaded in the browser.

      The person doing the exploit never has to log in, all they need is to get some script on the page and wait for the target user to use their account as normal, which triggers the exploit right inside the browser. That's why noscript blocked the attempt on IDG - it wasn't the hackers running Firefox+noscript, it was the journalist asking them to replicate the attack.

      No secretaries, janitors or midnight exchanges of cash-filled envelopes required - they spent so much time decorating the front door that they forgot to check inside the constant stream of animal-shaped wooden statues delivered to the service entrance.

  2. Telegraphing by inviolet · · Score: 4, Insightful

    The size of the prize -- $10,000 -- indicates that the company thought it reasonably possible that they'd get hacked, and/or desired to avoid motivating any serious hacking attempt. Neither explanation gives me much confidence in their product.

    And wow did it ever backfire. Normally they do these kinds of promotions in the hopes that nobody will bother, so that the company can later say "We offered a wheelbarrow of cash, and still nobody hacked us!". As if that was equivalent to a real security audit.

    --
    FATMOUSE + YOU = FATMOUSE
    1. Re:Telegraphing by Alethes · · Score: 5, Insightful

      Maybe I'm naive, but I figure StrongWebmail.com might be the best webmail site to use for security right now because they're in a heightened state of alert. Kinda like flying after right after 9/11.

  3. Re:Interesting approach by The+MAZZTer · · Score: 4, Insightful

    As long as they followed the rules, in theory they could probably defend themselves quite well in court considering the whole thing with the prize money and the offer. It's a bit hard to claim that someone illegally hacked into your system when a) you invited anyone to hack it and b) you laid out rules WHICH THEY FOLLOWED.

  4. This is obvious by empesey · · Score: 5, Insightful

    If they idea is to determine whether it can be cracked, why are there rules? Whether they followed some self-imposed rules or not, it still indicates that there is a weak link in the armor.