Slashdot Mirror


Hackers Claim $10K Prize For StrongWebmail Breakin

alphadogg writes "Telesign, a provider of voice-based authentication software, challenged hackers to break into its StrongWebmail.com Web site late last week. The prize: $10,000. On Thursday, a group of security researchers claimed to have won the contest, which challenged hackers to break into the Web mail account of StrongWebmail CEO Darren Berkovitz and report back details from his June 26 calendar entry. The hackers, led by Secure Science Chief Scientist Lance James and security researchers Aviv Raff and Mike Bailey, provided details from Berkovitz's calendar to IDG News Service. In an interview, Berkovitz confirmed those details were from his account. However, Berkovitz could not confirm that the hackers had actually won the prize. He said he would need to check to confirm that the hackers had abided by the contest rules, adding, 'if someone did it, we'll kind of put our heads down.'"

7 of 193 comments

  1. Re:Hu? by Allicorn · Score: 4, Interesting

    I'm thinking - if the hackers actually bribed/tricked the CEO's PA into just telling them what was in the calendar record, then the guy is going to try to weasel out of paying.

    --
    OMG!!! Ponies!!!
  2. Just Kidnap the Bastard by LSDelirious · Score: 2, Interesting

    Just make sure Darren Berkovitz has his phone on him. There's nothing in the rules against it...

    --
    Slavery is the legal fiction that a person is property; A Corporation is the legal fiction that property is a person.
  3. Re:Hu? by ta+bu+shi+da+yu · Score: 4, Interesting

    Uh? According to NetworkWorld, "the IDG attack did not work initially, but succeeded when security software called NoScript was disabled on the Firefox browser, running on a Windows XP machine." wtf?

    --
    XML is like violence. If it doesn't solve the problem, use more.
  4. Re:Hu? by Tubal-Cain · Score: 4, Interesting

    The hell it doesn't! If hackers can pay the janitor or other employee a few bucks to access the CEO's email then I wanna know that before I hand StrongWebmail $$$ to handle my email.

    That depends on what they are providing. If they are providing a hosting service of some sort, then bribing a janitor counts. If they are providing a system to be handled by the local network admins (that's the impression I get), then it shouldn't. The janitors there are not the janitors that will be around the customers' servers.

  5. Re:The Catch by digitalchinky · Score: 5, Interesting

    Damn, I wish I lived in the US. This is easy money.

    For 10 grand in prize money - wow, they didn't think about this very well. The kit you need is all available on eBay for less than a grand. I already have the modems, EDT data capture cards, a couple of Sun Ultras (old, but they do the job dependably), a spectrum analyser, antennas, level converters, up/down converter, transceivers and a bunch of cables to connect it all together.

    It would take half a day at most. Camp outside his office or home, figure out which cell tower he is on (line of sight) and poke an antenna in the path of the microwave link the tower uses to talk to the exchange. (This traffic is all unencrypted, bog standard T1/E1 stuff) - do whatever you need to do to trigger the text alert, suck down the CCITT-7 channel, then pick through the SMS payload until you find the code. Log in and take the cash.

    Legal? I'd say absolutely, you haven't actually monitored a 'cell phone' at all, nor have you tuned your receive gear to any part of the spectrum used by a cell phone. All you've done is read the out of band signalling system on an entirely separate trunk over a link, that is not breaking the 'do not monitor phone calls' rule. (No such rules exist where I live, mostly because radio is still thought of as magic by the Government)

  6. Re:This is obvious by houghi · Score: 2, Interesting

    Because they might not be interested in seeing whether it as a whole can be hacked, but whether certain parts can be hacked. They might be aware that it can be DDoSed. They know that social engineering will work, so they do not need or do not want to test those parts of the security.

    It is like a bar game. You have a glass with beer and on top is a coaster. You must drink the beer without touching the coaster, and when done drinking, the coaster must be on top of the glass again.
    The solution would be to take two barstools, place them close together, get the glass from top to bottom so that the coaster rests on the two stools and the glass is still in your hand. Drink the beer, and pick up the coaster with the glass.

    Now you could say "why rules? Just drink the beer." But the challenge is not drinking the beer. The challenge is to solve the problem on HOW to do it. The beer is the prize.

    --
    Don't fight for your country, if your country does not fight for you.
  7. Re:The Catch by digitalchinky · Score: 3, Interesting

    I'm Australian, a former secret 3 letter agency drone (Defence Signals Directorate, and others), probably disgruntled, and a few years back I moved to Asia. I'd love to say I now dabble in a little light industrial espionage, but really, there isn't much of a call for former spies. People don't believe you anyway. These days I'm just some guy with a keen interest in radio communications. And this problem is naught more than a bit of a jigsaw puzzle of equipment and a hex editor. Pretty much anyone working with any kind of satellite communication system will be familiar with the technology.

    What is hard? For me, anything that is largely not radio communications, like women, and carburettors :-)