Slashdot Mirror


Hackers Claim $10K Prize For StrongWebmail Breakin

alphadogg writes "Telesign, a provider of voice-based authentication software, challenged hackers to break into its StrongWebmail.com Web site late last week. The prize: $10,000. On Thursday, a group of security researchers claimed to have won the contest, which challenged hackers to break into the Web mail account of StrongWebmail CEO Darren Berkovitz and report back details from his June 26 calendar entry. The hackers, led by Secure Science Chief Scientist Lance James and security researchers Aviv Raff and Mike Bailey, provided details from Berkovitz's calendar to IDG News Service. In an interview, Berkovitz confirmed those details were from his account. However, Berkovitz could not confirm that the hackers had actually won the prize. He said he would need to check to confirm that the hackers had abided by the contest rules, adding, 'if someone did it, we'll kind of put our heads down.'"

4 of 193 comments

  1. Re:Hu? by Allicorn · Score: 4, Interesting

    I'm thinking - if the hackers actually bribed/tricked the CEO's PA into just telling them what was in the calendar record, then the guy is going to try to weasel out of paying.

    --
    OMG!!! Ponies!!!
  2. Re:Hu? by ta+bu+shi+da+yu · Score: 4, Interesting

    Uh? According to NetworkWorld, "the IDG attack did not work initially, but succeeded when security software called NoScript was disabled on the Firefox browser, running on a Windows XP machine." wtf?

    --
    XML is like violence. If it doesn't solve the problem, use more.
  3. Re:Hu? by Tubal-Cain · Score: 4, Interesting

    The hell it doesn't! If hackers can pay the janitor or other employee a few bucks to access the CEO's email then I wanna know that before I hand StrongWebmail $$$ to handle my email.

    That depends on what they are providing. If they are providing a hosting service of some sort, then bribing a janitor counts. If they are providing a system to be handled by the local network admins (that's the impression I get), then it shouldn't. The janitors there are not the janitors that will be around the customers' servers.

  4. Re:The Catch by digitalchinky · Score: 5, Interesting

    Damn, I wish I lived in the US. This is easy money.

    For 10 grand in prize money - wow, they didn't think about this very well. The kit you need is all available on eBay for less than a grand. I already have the modems, EDT data capture cards, a couple of Sun Ultras (old, but they do the job dependably), a spectrum analyser, antennas, level converters, an up/down converter, transceivers and a bunch of cables to connect it all together.

    It would take half a day at most. Camp outside his office or home, figure out which cell tower he is on (line of sight) and poke an antenna in the path of the microwave link the tower uses to talk to the exchange. (This traffic is all unencrypted, bog-standard T1/E1 stuff) - do whatever you need to do to trigger the text alert, suck down the CCITT-7 channel, then pick through the SMS payload until you find the code. Log in and take the cash.

    Legal? I'd say absolutely; you haven't actually monitored a 'cell phone' at all, nor have you tuned your receive gear to any part of the spectrum used by a cell phone. All you've done is read the out-of-band signalling system on an entirely separate trunk over a link; that is not breaking the 'do not monitor phone calls' rule. (No such rules exist where I live, mostly because radio is still thought of as magic by the Government.)