Slashdot Mirror


Hackers Claim $10K Prize For StrongWebmail Breakin

alphadogg writes "Telesign, a provider of voice-based authentication software, challenged hackers to break into its StrongWebmail.com Web site late last week. The prize: $10,000. On Thursday, a group of security researchers claimed to have won the contest, which challenged hackers to break into the Web mail account of StrongWebmail CEO Darren Berkovitz and report back details from his June 26 calendar entry. The hackers, led by Secure Science Chief Scientist Lance James and security researchers Aviv Raff and Mike Bailey, provided details from Berkovitz's calendar to IDG News Service. In an interview, Berkovitz confirmed those details were from his account. However, Berkovitz could not confirm that the hackers had actually won the prize. He said he would need to check to confirm that the hackers had abided by the contest rules, adding, 'if someone did it, we'll kind of put our heads down.'"

19 of 193 comments

  1. Hu? by ae1294 · · Score: 5, Insightful

    Wait I'm confused??? They expected the hackers to follow rules?

    1. Re:Hu? by Allicorn · · Score: 4, Interesting

      I'm thinking - if the hackers actually bribed/tricked the CEO's PA into just telling them what was in the calendar record then the guy is going to try to weasel out of paying.

      --
      OMG!!! Ponies!!!
    2. Re:Hu? by MrMista_B · · Score: 5, Insightful

      Social engineering is a perfectly valid and entirely effective method of hacking.

    3. Re:Hu? by XanC · · Score: 4, Insightful

      But it doesn't test their software.

    4. Re:Hu? by jesseck · · Score: 5, Informative

      While I agree that social engineering is a very legit way to hack a system, the terms of the challenge (link here) state that "You may not work with an employee, partner, or owner of StrongWebmail.com or any of its affiliates or partners to accomplish the email hack." Since this was StrongWebmail's contest, they make the rules. Even if the rules prevent a common method of hacking from taking place. On the other hand, people are quite often the weak link... by preventing the contestants from using this "easy" entry point (say, a janitor or secretary), they can test the technical system itself.

    5. Re:Hu? by C18H27NO3+ · · Score: 4, Insightful

      agreed.
      In the real world I'm not going to care HOW my secret correspondence was hacked when they assured me it would never happen.
      "They got in through a vulnerability in our OS, but our software held up".
      "Someone in our company helped themselves/someone else to your mails, but our software held up".
      "Someone installed a trojan that compromised the authentication system, but our software held up".

      I understand perfectly what they are trying to achieve with this contest but they come off as sounding as if any other means of obtaining 'secure' information is beyond their liability when they state that it is the most secure webmail system out there.
      There are many different levels to security that need to be continually addressed yet they seem to think that as long as their little solo phone app doesn't get compromised then it's not really their fault.
      At least that's the way the rules and TFA sound.

    6. Re:Hu? by ta+bu+shi+da+yu · · Score: 4, Interesting

      Uh? According to NetworkWorld, "the IDG attack did not work initially, but succeeded when security software called NoScript was disabled on the Firefox browser, running on a Windows XP machine." wtf?

      --
      XML is like violence. If it doesn't solve the problem, use more.
    7. Re:Hu? by Tubal-Cain · · Score: 4, Interesting

      The hell it doesn't! If hackers can pay the janitor or other employee a few bucks to access the CEO's email then I wanna know that before I hand StrongWebmail $$$ to handle my email.

      That depends on what they are providing. If they are providing a hosting service of some sort, then bribing a janitor counts. If they are providing a system to be handled by the local network admins (that's the impression I get), then it shouldn't. The janitors there are not the janitors that will be around the customers servers.

    8. Re:Hu? by Anonymous Coward · · Score: 5, Insightful

      They never logged into the account themselves.

      It's an XSS exploit: StrongWebmail expended all their resources attempting to prevent people obtaining credentials and logging in. However, send an email with an appropriate piece of script to the target user, or provide a link targetting one of the iframes on the site, and all you have to do is sit back and wait for that to get loaded in the browser.

      The person doing the exploit never has to log in, all they need is to get some script on the page and wait for the target user to use their account as normal, which triggers the exploit right inside the browser. That's why noscript blocked the attempt on IDG - it wasn't the hackers running Firefox+noscript, it was the journalist asking them to replicate the attack.

      No secretaries, janitors or midnight exchanges of cash-filled envelopes required - they spent so much time decorating the front door that they forgot to check inside the constant stream of animal-shaped wooden statues delivered to the service entrance.
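
The comment above describes stored XSS in a webmail client; as an added example (not code from the thread, StrongWebmail or Telesign), here is the defensive counterpart: an allowlist sanitizer applied to an untrusted mail body before it is rendered in the victim's logged-in session. SAMPLE_MAIL is a constructed message with placeholder hosts; the tokenizer-based approach is for illustration, and real webmail should use a maintained DOM-based sanitizer such as DOMPurify.

```javascript
// Added example (not code from the thread, StrongWebmail or Telesign): an allowlist
// sanitizer for untrusted HTML mail bodies, the defence against the stored-XSS pattern
// the comment describes. Tokenizer, not a parser: use a DOM-based sanitizer in production.
const ALLOWED_TAGS = new Set(["p", "br", "b", "i", "em", "strong", "a", "ul", "ol", "li"]);
const ALLOWED_ATTRS = { a: new Set(["href"]) };          // no on*, style or src anywhere
const DROP_WITH_CONTENT = new Set(["script", "style", "iframe", "object"]);
function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}
// Only plain http(s) links survive; javascript:, data:, vbscript: and their
// whitespace/control-character obfuscations are rejected.
function safeHref(value) {
  const probe = value.trim().replace(/[\u0000-\u0020]/g, "").toLowerCase();
  return /^https?:\/\//.test(probe) ? value.trim() : null;
}
function sanitizeHtml(input) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let out = "", last = 0, skipUntil = null, m;
  while ((m = tagRe.exec(input)) !== null) {
    const [whole, rawName, rawAttrs] = m;
    const name = rawName.toLowerCase();
    const closing = whole[1] === "/";
    if (!skipUntil) out += escapeText(input.slice(last, m.index)); // text runs are re-escaped
    last = m.index + whole.length;
    if (skipUntil) {                       // inside <script>...</script> etc.: drop everything
      if (closing && name === skipUntil) skipUntil = null;
      continue;
    }
    if (DROP_WITH_CONTENT.has(name)) { if (!closing) skipUntil = name; continue; }
    if (!ALLOWED_TAGS.has(name)) continue; // unknown tag (img, div, ...): strip tag, keep text
    if (closing) { out += `</${name}>`; continue; }
    let attrs = "", a;
    while ((a = attrRe.exec(rawAttrs)) !== null) {
      const an = a[1].toLowerCase(), av = a[2] ?? a[3] ?? a[4] ?? "";
      if (!(ALLOWED_ATTRS[name] && ALLOWED_ATTRS[name].has(an))) continue;
      const safe = an === "href" ? safeHref(av) : av;
      if (safe !== null) attrs += ` ${an}="${escapeText(safe)}"`;
    }
    out += `<${name}${attrs}>`;
  }
  if (!skipUntil) out += escapeText(input.slice(last)); // an unclosed <script> swallows the tail
  return out;
}
// Constructed sample mail body (placeholder hosts, canary payloads only).
const SAMPLE_MAIL = '<p onmouseover="alert(1)">Hi <b>Darren</b>,</p>' +
  '<script>alert(1)</script><iframe src="https://attacker.example/f"></iframe>' +
  '<a href="javascript:alert(document.cookie)">agenda</a> <a href="https://example.org/">ok</a>' +
  '<img src=x onerror="alert(2)"> 1 < 2';
```

Rendering the sanitized string instead of the raw body means the script, the planted iframe and the event-handler attributes never reach the victim's browser, whatever their NoScript setting.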

  2. Telegraphing by inviolet · · Score: 4, Insightful

    The size of the prize -- $10,000 -- indicates that the company thought it reasonably possible that they'd get hacked, and/or desired to avoid motivating any serious hacking attempt. Neither explanation gives me much confidence in their product.

    And wow did it ever backfire. Normally they do these kinds of promotions in the hopes that nobody will bother, so that the company can later say "We offered a wheelbarrow of cash, and still nobody hacked us!". As if that was equivalent to a real security audit.

    --
    FATMOUSE + YOU = FATMOUSE
    1. Re:Telegraphing by Alethes · · Score: 5, Insightful

      Maybe I'm naive, but I figure StrongWebmail.com might be the best webmail site to use for security right now because they're in a heightened state of alert. Kinda like flying right after 9/11.

    2. Re:Telegraphing by Anonymous Coward · · Score: 4, Informative

      You think awareness will help to any degree? Awareness of what, and how is that equal to greater security? I worked at a major airline before and about 5 months after 9/11. I worked at an airline and at an airport that was used by the 9/11 terrorists. Things may have seemed to have changed, but if you knew anything about the operations at an airport, it was smoke and mirrors. Maybe things have changed since then, so I cannot comment.

      On another note, I now live and work in DC. I see cars being checked before pulling into parking garages of important buildings. A security guard walks around the car with a mirror on a stick and checks the underneath of the cars before allowing entry. You call that increased security? Paint your bomb with undercoating or put it in the trunk, in your engine bay, or hell, even in the back seat. As long as it does not have flashing lights and does not say "EXPLOSIVE" on it, they would never know.

      You want to know what heightened awareness there is? Remember this incident? http://en.wikipedia.org/wiki/2007_Boston_Mooninite_Scare
      It had lights and wires, it must be a bomb. You feel safe with that level of awareness? I don't.

    3. Re:Telegraphing by bitt3n · · Score: 4, Funny

      The size of the prize -- $10,000 -- indicates that the company thought it reasonably possible that they'd get hacked, and/or desired to avoid motivating any serious hacking attempt. Neither explanation gives me much confidence in their product.

      And wow did it ever backfire. Normally they do these kinds of promotions in the hopes that nobody will bother, so that the company can later say "We offered a wheelbarrow of cash, and still nobody hacked us!". As if that was equivalent to a real security audit.

      Perhaps they'll fix their software by simply offering a lower prize.

      "Hack our software, and win a free small soda with purchase of any McDonald's value meal!"

  3. Re:Interesting approach by The+MAZZTer · · Score: 4, Insightful

    As long as they followed the rules, in theory they could probably defend themselves quite well in court considering the whole thing with the prize money and the offer. It's a bit hard to claim that someone illegally hacked into your system when a) you invited anyone to hack it and b) you laid out rules WHICH THEY FOLLOWED.

  4. This is obvious by empesey · · Score: 5, Insightful

    If the idea is to determine whether it can be cracked, why are there rules? Whether they followed some self-imposed rules or not, it still indicates that there is a weak link in the armor.

  5. The Catch by LSDelirious · · Score: 5, Informative

    from StrongWebmail's Site

    There's just one catch: to access a StrongWebmail.com email account, the account's owner must receive a verification call on his pre-registered phone number. So even though you have our CEO's username and password, you still have some work to do because you don't have access to his telephone. If you do manage to be the first person to break into his email account, there's $10,000 in it for you - just register below to get started. Good luck!

    So they have to hack the phone company's system too, or find a way to clone his cellphone, so they can intercept the call and approve access? They might be cool with having their own systems hacked, but it sounds like they are now involving a phone company, which might not be too thrilled to be a part of their little game - the only way around that I can see is to hack the StrongWebmail system to change the "pre-registered" phone number....

    and who the hell wants an email account you have to approve via phone call every time you log in?!? What if your phone is lost/broken/dead/no reception/etc.. then you have no way in

    --
    Slavery is the legal fiction that a person is property; A Corporation is the legal fiction that property is a person.
    1. Re:The Catch by digitalchinky · · Score: 5, Interesting

      Damn, I wish I lived in the US. This is easy money.

      For 10 grand in prize money - wow, they didn't think about this very well. The kit you need is all available on ebay for less than a grand. I already have the modems, EDT data capture cards, a couple of Sun Ultras (old, but they do the job dependably), a spectrum analyser, antennas, level converters, up/down converter, transceivers and a bunch of cables to connect it all together.

      It would take half a day at most. Camp outside his office or home, figure out which cell tower he is on (line of sight) and poke an antenna in the path of the microwave link the tower uses to talk to the exchange. (This traffic is all unencrypted, bog standard T1/E1 stuff) - do whatever you need to do to trigger the text alert, suck down the CCITT-7 channel, then pick through the SMS payload until you find the code. Log in and take the cash.

      Legal? I'd say absolutely, you haven't actually monitored a 'cell phone' at all, nor have you tuned your receive gear to any part of the spectrum used by a cell phone. All you've done is read the out of band signalling system on an entirely separate trunk over a link, that is not breaking the 'do not monitor phone calls' rule. (No such rules exist where I live, mostly because radio is still thought of as magic by the Government)

  6. Re:Full Details by LSDelirious · · Score: 5, Informative
    --
    Slavery is the legal fiction that a person is property; A Corporation is the legal fiction that property is a person.
  7. Re:Blackjacking's been around for awhile by grcumb · · Score: 4, Funny

    Hacking (or blackjacking, to use the vernacular) cells has been in existence for quite awhile, with probably Thai coders taking the lead, with Chinese, Americans, Germans and Brits coming up from the rear.....

    That must be uncomfortable for the Thais...

    ... What? Oh! 'Coming up from the rear.' Forget I said anything.

    --
    Crumb's Corollary: Never bring a knife to a bun fight.