Forgot your password?
typodupeerror
Security The Almighty Buck

Hackers Claim $10K Prize For StrongWebmail Breakin 193

Posted by Soulskill
from the worth-their-while dept.
alphadogg writes "Telesign, a provider of voice-based authentication software, challenged hackers to break into its StrongWebmail.com Web site late last week. The prize: $10,000. On Thursday, a group of security researchers claimed to have won the contest, which challenged hackers to break into the Web mail account of StrongWebmail CEO Darren Berkovitz and report back details from his June 26 calendar entry. The hackers, led by Secure Science Chief Scientist Lance James and security researchers Aviv Raff and Mike Bailey, provided details from Berkovitz's calendar to IDG News Service. In an interview, Berkovitz confirmed those details were from his account. However, Berkovitz could not confirm that the hackers had actually won the prize. He said he would need to check to confirm that the hackers had abided by the contest rules, adding, 'if someone did it, we'll kind of put our heads down.'"
This discussion has been archived. No new comments can be posted.

Hackers Claim $10K Prize For StrongWebmail Breakin

Comments Filter:
  • Hu? (Score:5, Insightful)

    by ae1294 (1547521) on Friday June 05, 2009 @09:57PM (#28229477) Journal

    Wait I'm confused??? They expected the hackers to follow rules?

    • Re:Hu? (Score:5, Interesting)

      by Allicorn (175921) on Friday June 05, 2009 @10:20PM (#28229599) Homepage

      I'm thinking - if the hackers actually bribed/tricked the CEO's PA into just telling them what what in the calendar record then the guy is going to try to weasel out of paying.

      • Re:Hu? (Score:5, Insightful)

        by MrMista_B (891430) on Friday June 05, 2009 @10:47PM (#28229729)

        Social engineering is an perfectly valid and entirely effective method of hacking.

        • Re:Hu? (Score:5, Insightful)

          by XanC (644172) on Friday June 05, 2009 @11:01PM (#28229775)

          But it doesn't test their software.

          • Re:Hu? (Score:5, Interesting)

            by ta bu shi da yu (687699) on Friday June 05, 2009 @11:22PM (#28229867) Homepage

            Uh? According to NetworkWorld, "the IDG attack did not work initially, but succeeded when security software called NoScript was disabled on the Firefox browser, running on a Windows XP machine." wtf?

            • Re:Hu? (Score:5, Insightful)

              by Anonymous Coward on Saturday June 06, 2009 @08:17AM (#28231879)

              They never logged into the account themselves.

              It's an XSS exploit: StrongWebmail expended all their resources attempting to prevent people obtaining credentials and logging in. However, send an email with an appropriate piece of script to the target user, or provide a link targetting one of the iframes on the site, and all you have to do is sit back and wait for that to get loaded in the browser.

              The person doing the exploit never has to log in, all they need is to get some script on the page and wait for the target user to use their account as normal, which triggers the exploit right inside the browser. That's why noscript blocked the attempt on IDG - it wasn't the hackers running Firefox+noscript, it was the journalist asking them to replicate the attack.

              No secretaries, janitors or midnight exchanges of cash-filled envelopes required - they spent so much time decorating the front door that they forgot to check inside the constant stream of animal-shaped wooden statues delivered to the service entrance.

          • Re:Hu? (Score:4, Insightful)

            by Allicorn (175921) on Saturday June 06, 2009 @12:09AM (#28230033) Homepage

            That wasn't the whole challenge. The challenge was to access an account on their allegedly super-secure webmail service. If the software is fairly solid but the staff are easily duped/bribed... how secure is the service?

            Even if social engineering alone resulted in getting access to the prize data, then the challenge has still been met: StrongWebmail.com - the service - is not secure.

            • by TheLink (130905)
              If it doesn't meet their rules the hackers shouldn't win the prize.

              But we might still give low ratings to StrongWebmail the service.

              Hmmm, their site seems to require javascript to log in. I'll give it a low rating just for that alone.

              Oh, even worse: enabling js for their domain alone doesn't work! Seems like they need googleapis.com.

              I'm not going to enable js for other domains - what if googleapis gets exploited one day? Even if strongwebmail is ok, googleapis might not be (look at google's security track r
          • by Yvanhoe (564877)
            It tests their security, which was the point.
        • Re:Hu? (Score:4, Insightful)

          by C18H27NO3 (1282172) on Friday June 05, 2009 @11:18PM (#28229847)
          agreed.
          In the real world I'm not going to care HOW my secret correspondence was hacked when they assured me it would never happen.
          "They got in through a vulnerability in our OS, but our software held up".
          "Someone in our company helped themselves/someone else to your mails, but our software held up".
          "Someone installed a trojan that compromised the authentication system, but our software held up".

          I understand perfectly what they are trying to achieve with this contest but they come off as sounding as if any other means of obtaining 'secure' information is beyond their liability when they state that it is the most secure webmail system out there.
          There are many different levels to security that need to be continually addressed yet they seem to think that as long as their little solo phone app doesn't get compromised then it's not really their fault.
          At least that's the way the rules and TFA sound.
      • Re:Hu? (Score:5, Informative)

        by jesseck (942036) on Friday June 05, 2009 @11:13PM (#28229831)
        While I agree that social engineering is a very legit way to hack a system, the terms of the challenge ( link here [strongwebmail.com] state that "You may not work with an employee, partner, or owner of StrongWebmail.com or any of its affiliates or partners to accomplish the email hack." Since this was StrongWebmail's contest, they make the rules. Even if the rules prevent a common method of hacking from taking place. On the other hand, people are quite often the weak link... by preventing the contestants from using this "easy" entry point (say, a janitor or secretary), they can test the technical system itself.
        • by Yvanhoe (564877)
          They talk about "working with an employee", does it encompass fooling one of them ?
        • Re:Hu? (Score:4, Insightful)

          by Nikker (749551) on Saturday June 06, 2009 @05:35AM (#28231307)
          In reality they have just shot themselves in the foot by admitting they have had sensitive information retrieved by an unauthorized person. The whole idea of contests like this is for marketing and the CEO looking for a gold star type reputation. If the contest had gone without a hitch then they would pass their service off as 'air tight' since they are "securewebmail.com" ;) Regardless now of whether they pay out it is obvious that they are insecure so spending time arguing semantics is just going to kill them by the Streisand effect. It's stupid for them to argue over 10K while their rep will cost the company its livelihood regardless if they pay it or not. Some posts here seem to refer that any social engineering would likely be limited in nature as off-the-cuff phone calls to employees where the attacker seems to be a trusted member will not likely be effective in the long run. The truth is that supply and demand will mitigate this factor, especially since people get more interested in whats inside a room the more locks you put on it ;) New vectors will be sought and acted on and they will be hacked again. It would have been better for them to offer the 10K as a consultants fee and have all this under a NDA then going balls out with this kind of thing cause obviously it wasn't secure to begin with.
        • Re: (Score:2, Funny)

          by Odinlake (1057938)

          ...social engineering is a very legit way to hack a system

          interesting - are there more legit ways to hack a system? I'd like to hack into this bank but preferably without breaking the law...

      • Re:Hu? (Score:4, Informative)

        by capnkr (1153623) on Saturday June 06, 2009 @12:16AM (#28230069)
        FTFA (page 2, first paragraph):

        James said that these contests might be fun, but they don't provide a realistic measure of real security because they are encumbered with rules. The StrongWebmail contest prohibits working with a company insider, for example.

    • Re:Hu? (Score:4, Insightful)

      by Tubal-Cain (1289912) on Friday June 05, 2009 @10:25PM (#28229623) Journal
      I could understand if they don't want to pay up to someone that hacked something other than their software. Exploiting a Window bug may count if they are not cross-platform may count, but bribing the janitor probably doesn't. Yes, a real cracker may hack one of this product's customers that way, but Telesign couldn't be at fault for that.
      • by iamhassi (659463)
        "Exploiting a Window bug may count if they are not cross-platform may count, but bribing the janitor probably doesn't."

        The hell it doesn't! If hackers can pay the janitor or other employee a few bucks to access the CEO's email then I wanna know that before I hand StrongWebmail $$$ to handle my email. That's like saying social engineering [wikipedia.org] doesn't count. Of course it counts, the end results were the same, right?
        • Re:Hu? (Score:5, Interesting)

          by Tubal-Cain (1289912) on Saturday June 06, 2009 @12:35AM (#28230157) Journal

          The hell it doesn't! If hackers can pay the janitor or other employee a few bucks to access the CEO's email then I wanna know that before I hand StrongWebmail $$$ to handle my email.

          That depends on what they are providing. If they are providing a hosting service of some sort, then bribing a janitor counts. If they are providing a system to be handled by the local network admins (that's the impression I get), then it shouldn't. The janitors there are not the janitors that will be around the customers servers.

          • I would still claim it matters. In a properly designed system, the janitor shouldn't be able to get access credentials even if he or she wanted them. In a truly secure environment, every access of any type of information should be properly audited so that any permitted but strange access is noted as well.

        • by TheLink (130905)
          Yeah, I'd want to know that too.

          And if it was because of the janitor attack, then the hackers shouldn't win the prize, but in that case I still won't say good things about StrongWebmail to anyone :).
      • Re:Hu? (Score:4, Insightful)

        by nine-times (778537) <nine.times@gmail.com> on Saturday June 06, 2009 @12:05AM (#28230007) Homepage

        Why shouldn't bribing a janitor count? If I'm paying someone to call me every time I want to log into my email, then I'm probably pretty paranoid about security and don't want other people gaining access to my email. If security is so bad that random employees (including the janitor) can read my email, and those employees are so untrustworthy that they can be easily bribed, then that's just as real of a security problem as if their software were flawed.

        Security is often only as strong as its weakest point. If the point of this prize was to prove that your email is secure on their servers, then gaining unauthorized access to other people's email on their servers should be enough to claim the prize.

        • I got the impression this is meant to be a locally-administered system rather than a remote one. I would have a hard time blaming Microsoft for a social engineering-based security breach of a MS Exchange setup, though I would not hesitate to lampoon them for such a breach at Hotmail.
          • Re: (Score:2, Informative)

            Your impression is wrong. I just looked at their website. They're offering a webmail service like Yahoo or Gmail -- the difference is that they phone you with an access code at a pre-determined phone number every time you want to access your email account.

        • by houghi (78078)

          You could even tell your employees that if somebody does get into the mailbox that way, the only way for them to claim their prize is to tell who was the leak. That then would result in directly and immediately firing the person.

          That way everybody is aware of the challenge and people will be double care full about giving out any details.
          Make them also aware that people from IT also should not be asking for your password.

          You have increased security for no cost. :-D

          • Well, yeah. I would expect part of the rules to be that the hackers have to disclose their methods. And if you caused that sort of security breach, whether connected to a contest or not, I would imagine that would be a firing offense.
      • by Nikker (749551)
        Question: Is this StrongWebmail.com a software or a service ?

        Question: Since the CEO got his information retrieved with out his permission would you trust their claims with your own data?
      • by blhack (921171)

        This was exploited using a bug in strongwebmail's software.

        They weren't sanitizing or validating inputs on CGIs, which allowed the contest winner to run some javascript on the target's machine.

        The other thing they weren't doing was protecting themselves against CSRF attacks.

        This was ABSOLUTELY a problem with strongwebmail's software. Yes, user interaction was required, but the interaction was to exploit flaws in the software.

    • I suspect and hope that the statement was just a way to delay until the person in charge of the contest (some committee perhaps) officially confirms the win so that the check can be written.

      that said, if you set something like this up with no rules you are being quite dumb.

      for instance you can not violate law, don't ambush employees in the parking lot with weapons. Don't physically break into the building, don't download the employee database...

      • Re: (Score:3, Insightful)

        by ae1294 (1547521)

        Honestly what I find extremely funny is that they already know they have a security problem and that these hackers have some sort of access.

        Are they really going to try and piss them off and not pay up?

    • by mrmeval (662166)

      Kidnapping his secretary and removing apendages till they talked is not worthy of paying for. Sneaking in and looking at his calendar while he's taking a dump is not worth paying for. Blackmale...No. Social engineering..No. They actually had to be intelligent and hack.

  • Telegraphing (Score:5, Insightful)

    by inviolet (797804) <slashdot@ideasma ... org minus distro> on Friday June 05, 2009 @10:00PM (#28229491) Journal

    The size of the prize -- $10,000 -- indicates that the company thought it reasonably possible that they'd get hacked, and/or desired to avoid motivating any serious hacking attempt. Neither explanation gives me much confidence in their product.

    And wow did it ever backfire. Normally they do these kinds of promotions in the hopes that nobody will bother, so that the company can later say "We offered a wheelbarrow of cash, and still nobody hacked us!". As if that was equivalent to a real security audit.

    • Re:Telegraphing (Score:5, Insightful)

      by Alethes (533985) on Friday June 05, 2009 @10:08PM (#28229525)

      Maybe I'm naive, but I figure StrongWebmail.com might be the best webmail site to use for security right now because they're in a heightened state of alert. Kinda like flying after right after 9/11.

      • Re: (Score:3, Insightful)

        by gavron (1300111)
        There was nothing done after 9/11 to raise the level of security for the flying public. That includes the period right after 9/11 up to and including today. Everything that was done was in the spirit of "security theater" (credit: Bruce Schneier).

        Strongmail isn't the "best" (whatever criteria you use for "best") webmail site for "security" (whatever your definition of "security"). It's proven that it's easily cracked, and that is in and of itself a stay-away sign.

        I highly recommend Bruce's blog at h [schneier.com]

        • Re: (Score:2, Insightful)

          by Moridineas (213502)

          There was nothing done after 9/11 to raise the level of security for the flying public. That includes the period right after 9/11 up to and including today. Everything that was done was in the spirit of "security theater" (credit: Bruce Schneier).

          That is such incredible BS. Disregarding the heightened awareness of airport personnel and stricter rules for metal detection, body pat downs, and newer equipment, what about air marshals? You can't possibly be claim that under cover air marshals are "security theater."

          Yeah, some of it is no doubt security theater, that's not in dispute...who says security theater isn't effective?

          • Re: (Score:3, Insightful)

            by gavron (1300111)
            "Heightened awareness" of untrained personnel yield more chaos and more chaffe, not more data. Sorry.

            Body pat downs are security theater. The 9/11 terrorists didn't have boxcutters on them nor would that have been found in a pat down.

            Newer equipment has only been installed in test markets to do the "puff" test. It detects gunpowder or explosive residue. Neither the "liquid explosive" (myth) nor the boxcutters can be detected by it.

            Under-cover air-marshals board first, and keep their jackets on. IF T

            • Re: (Score:3, Insightful)

              by michaelhood (667393)
              You started to touch one the one thing that has changed that matters, IMO. And that's largely a policy change.

              We used to operate under the assumption that would-be hijackers wanted political attention and/or money. Now we operate under the assumption they are willing to die if it means inflicting more casualties. This means we will never again open the [now reinforced] cockpit doors in any circumstances when there is a hostile scenario in the cabin.

              So all of this talk about box-cutters and other mythi
              • Re: (Score:2, Insightful)

                by gavron (1300111)
                That's a red herring. Today's pilots don't know whether the terrorist of tomorrow wants to use the plane as a weapon (as did the one occurrence in 2001) or whether they have other goals they wish to accomplish. These same N terrorists (pick a number -- the lack of security won't prevent ten boxcutters from being brought on board any more than they'd not prevent 4 being brought on board) can threaten a LARGE number of innocent women, children, and men.

                Pilots will likely respond and land the plane. Sure,

                • That's a red herring.

                  No, it's really not. But you ARE missing the point here. Stopping weaponized planes is exactly what most of the security additions are about.

                  These same N terrorists (pick a number -- the lack of security won't prevent ten boxcutters from being brought on board any more than they'd not prevent 4 being brought on board) can threaten a LARGE number of innocent women, children, and men.
                  Pilots will likely respond and land the plane. Sure, it won't be used as a weapon (but that was the 8-year-old plan... not tomorrow's plan). They can still get hundreds of hostages.

                  Yeah sure, terrorists being able to avoid watchlists, smuggle on boxcutters, and attempt to overcome any air marshall on board the plane to take the passengers hostage is a certain possibility. However, since nothing remotely close has happened since 9/11, you're talking in pure hypotheticals. The scenario of "planeful of hostages" versus "weaponized plane impacting ur

              • by lwsimon (724555)

                That policy change happened before the day was out, even - as evidenced by a field in Pennsylvania. An airliner in the US will never be hijacked again.

                • Re: (Score:3, Insightful)

                  by gavron (1300111)
                  "An airliner in the US will never be hijacked again."

                  Sadly, sir, you are incorrect.

                  E

                  • by lwsimon (724555)

                    Do you honestly think a planeful of people are going to let someone take over the controls, regardless of what weapon he might have?

                    That's not happening - it simply won't. They'd have to kill everyone on the plane.

                    • by lwsimon (724555)

                      Just out of curiosity, have you ever been in a situation that involved the use of deadly force?

                    • by ShakaUVM (157947)

                      >>No, they'd kill one flight attendant, then grab another one by the neck and ask "Who wants to come up and be next."

                      Have you SEEN a box cutter? They're x-acto knives, dude. If some terrorist has hijacked my plane by shouting at the pilot through the security door that he can't get through now, and the pilot is - what? - intimidated into steering into a skyscraper (think about why this doesn't make sense) AND is waving a box cutter with a 3/4th inch blade sticking out of it, then fuck yeah I'm taking

                    • The last 9/11 attack failed because the old "leave the hijacker alone and everyone will probably be safe" no longer applied, and the passengers found out it no longer applied. Don't expect that kind of attack to work again anywhere. Even before the word of the crashes got out, there was at least one former member of the Israeli Defense Forces on one of the earlier 9/11 flights, Danny Lewin. I assume he tried something, unsuccessfully, because the FAA reports that he was stabbed by Satam al Suqami , the ter
                    • by russotto (537200)

                      The point of security is to prevent a future attack vector, and the boxcutter at the throat does well. A simple phrase like "We're not going to crash we just want to go to X" will prevent anyone from rushing the attackers, potentially risking the lives of the flight attendants. Your fat ass will stay in its seat as will those of the hundreds of people you think would follow you in your playstation-fantasy of a situation. One day when you're in a real life/death situation you'll find it's not quite as easy a

                    • No, they'd kill one flight attendant, then grab another one by the neck and ask "Who wants to come up and be next."

                      All the little wanna be heroes would remain seated.

                      Doubtful. Even *I* can see that a planeload of people can overpower five? ten? attackers. If we can play up the passenger's fears of riding around in the guts of an extra-large missile, we can get them up and striking back. :D

            • "Heightened awareness" of untrained personnel yield more chaos and more chaffe, not more data. Sorry.
              Body pat downs are security theater. The 9/11 terrorists didn't have boxcutters on them nor would that have been found in a pat down.

              You know that's interesting--blanket statements without the slightest bit of supporting evidence. Retraining staff was a large part of post-9/11 reforms. Patdowns--which I've only ever had to go through once when I forgot my shoes had some metal in them (this was before proforma taking off of shoes)--are certainly effective as a layer of security. Should cops (etc) get rid of patdowns on criminals since it's jut security theater?

              Newer equipment has only been installed in test markets to do the "puff" test. It detects gunpowder or explosive residue. Neither the "liquid explosive" (myth) nor the boxcutters can be detected by it.

              I'm not sure where you're getting these facts--at my local airport shortly afte

            • by russotto (537200)

              You forgot to mention "reinforced cockpit doors" and "not congregating at the toilet." These also, like the former, do not prevent a terrorist with a boxcutter from putting it to the throat of a flight attendant (and four of them doing so to all four flight attendants) and threatening to kill them all.

              The toilet stuff (not congregating, and not using the forward toilet if you're in steerage) isn't security OR security theatre. It's a way for the airlines to use government force to keep first class service

          • Re:Telegraphing (Score:4, Informative)

            by Anonymous Coward on Friday June 05, 2009 @11:32PM (#28229901)

            You think awareness will help to any degree? Awareness of what and how is that equal greater security? I worked at a major airline before and about 5 months after 9/11. I worked at an airline and at an airport that was used by the 9/11 terrorists. Things may have seem to have changed but if you knew anything about the operations at an airport, it was smoke and mirrors. Maybe have things have changed since then so I can not comment.

            On another note, I now live and work in DC. I see cars being checked before pulling into parking garages of important buildings. A security guard walks around the car with a mirror on a stick and checks the underneath of the cars before allowing entry. You call that increased security? Paint your bomb with undercoating or put it in the truck, in your engine bay, or hell, even in the back seat. As long as it does not have flashing lights and does not say "EXPLOSIVE" on it, they would never know.

            You want to know what heightened awareness there is? Remeber this incident? http://en.wikipedia.org/wiki/2007_Boston_Mooninite_Scare [wikipedia.org]
            It had lights and wires, it must be a bomb. You feel save with that level of awareness? I don't.

          • by lwsimon (724555)

            I was on a flight last night, actually, and looked over to see a fire extinguisher behind the last row of seats.

            I can't take nail clippers on the plane (because I might hijack it!), but its okay to leave a fire extinguisher sitting there. Ever see someone sprayed with a fire extinguisher?

            If America was a truly free country still, 9/11 would have ended with a bunch of terrorists with gunshot wounds.

            • I can't take nail clippers on the plane (because I might hijack it!), but its okay to leave a fire extinguisher sitting there. Ever see someone sprayed with a fire extinguisher?

              Really? Do you REALLY ever fly? I've flown about a dozen times in the past year, have a normal sized stick of deodorant, travel shampoo, normal toothpaste, and nail scissors in my cosmetics bag and I've never once been stopped.

              I guess you think that planes should not have fire extinguishers??

          • Yeah, some of it is no doubt security theater, that's not in dispute...who says security theater isn't effective?

            Security theater is worse than no security at all.

            • Security theater is worse than no security at all.

              Explain why.

              • Security theater:
                A) Consumes resources better used elsewhere, like, say, real security.
                B) Can further reduce funding for real security by convincing less knowledgeable people that allocating resources to the smoke and mirror show actually *is* keeping them safer. They *feel* safe, so they don't see the need to spend more for something that actually *keeps* them safe.

                Please don't go off on a tangent about the TSA or stuff like that. I'm addressing your challenge and nothing more.

          • That is such incredible BS. Disregarding the heightened awareness of airport personnel and stricter rules for metal detection, body pat downs, and newer equipment, what about air marshals?

            Not to mention that it would have been crazy to attempt a hijacking after that. As soon as you made a move *bam* a sea of people would have sat on you.

            Heightened state of alert. It's not just for passengers, it's for corruptible PA's, too.

          • by jonbryce (703250)

            Yes, if they were so busy looking for dark skinned people with bottles of Evian mineral water that they missed some Russians with Polonium. This did happen.

      • by bitt3n (941736)

        Maybe I'm naive, but I figure StrongWebmail.com might be the best webmail site to use for security right now because they're in a heightened state of alert. Kinda like flying after right after 9/11.

        I'm building a webmail service packed with so many sql injection opportunities that it gets hacked by accident, just so you can put your mind at ease.

    • by bitt3n (941736) on Friday June 05, 2009 @11:53PM (#28229969)

      The size of the prize -- $10,000 -- indicates that the company thought it reasonably possible that they'd get hacked, and/or desired to avoid motivating any serious hacking attempt. Neither explanation gives me much confidence in their product.

      And wow did it ever backfire. Normally they do these kinds of promotions in the hopes that nobody will bother, so that the company can later say "We offered a wheelbarrow of cash, and still nobody hacked us!". As if that was equivalent to a real security audit.

      Perhaps they'll fix their software by simply offering a lower prize.

      "Hack our software, and win a free small soda with purchase of any McDonald's value meal!"

  • by l2718 (514756) on Friday June 05, 2009 @10:10PM (#28229541)
    Offering bounties is a great approach to finding bugs in your code. The crackers are taking quite a legal risk, however -- what if the owner of the computer decided that they "exceeded the hacking authorization"?
  • This is obvious (Score:5, Insightful)

    by empesey (207806) on Friday June 05, 2009 @10:17PM (#28229577) Homepage

    If they idea is to determine whether it can be cracked, why are there rules? Whether they followed some self-imposed rules or not, it still indicates that there is a weak link in the armor.

    • Re: (Score:3, Interesting)

      by houghi (78078)

      Because they might not be interested to see if it as a whole can be hacked, but if certain parts can be hacked. They might be aware that it can be DDOSsed. They know that social engineering will work, so they do not need or do not want to test those parts of the security.

      It is like a bargame. You have a glass with beer and on top is a coaster. You must drink the beer without touching the coaster and when done drinking the coaster must be on top of the glass again.
      The solution would be to take two barstools,

      • by Yaur (1069446)
        Social engineering shouldn't work. In this case only the CEO should have the password and probably isn't giving it out. If social engineering works (and the CEO isn't involved) it suggests that they are storing or moving passwords insecurely which is a significant problem.
    • by TheLink (130905)
      There are always rules in a contest.

      Rule #0 - A "win" is defined by the rules.

      If there are no rules, there is no winning. If there is no winning, what sort of contest is it? And who gets the prize?

      Yes there may be a weak link in the armor, but if you don't follow the rules you SHOULDN'T get the $10K.
  • The Catch (Score:5, Informative)

    by LSDelirious (1569065) on Friday June 05, 2009 @10:23PM (#28229613)

    from StrongWebmail's Site [strongwebmail.com]

    There's just one catch: to access a StrongWebmail.com email account, the account's owner must receive a verification call on his pre-registered phone number. So even though you have our CEO's username and password, you still have some work to do because you don't have access to his telephone. If you do manage to be the first person to break into his email account, there's $10,000 in it for you - just register below to get started. Good luck!

    So they have to hack the phone company's system too, or find a way to clone his cellphone, so they can intercept the call and approve access? They might be cool with having their own systems hacked, but it sounds like they are now involving a phone company, which might not be too thrilled to be a part of their little game - the only way around that I can see is to hack the StrongWebmail system to change the "pre-registered" phone number....

    and who the hell wants an email account you have to approve via phone call every time you login?!? What if your phone is lost/broken/dead/no reception/etc.. then you have no way in

    • Re: (Score:3, Funny)

      by Tubal-Cain (1289912)

      Telesign, a provider of voice-based authentication software...

      Sounds like something for protecting a phone system.

    • Re: (Score:3, Insightful)

      by Gi0 (773404)
      If i could hack the phone company's system, or find a way to clone their CEO cellphone,besides hacking their system,would i be willing to let them know for just 10 grant?Nop.That knowledge has got to be more precious.
    • Re: (Score:3, Insightful)

      by Jaime2 (824950)
      Or hack the authentication system so that it thinks you already went through all that stuff when all you did was forge an authentication proof. Their system is very resistant to some types of attacks, like password guessing. But, it is no stronger than a normal username and password against most attacks on the system itself. SrongWebmail.com's biggest mistake was thinking that they knew of all of their weaknesses.
    • Hacking (or blackjacking, to use the vernacular) cells has been in existence for quite awhile, with probably Thai coders taking the lead, with Chinese, Americans, Germans and Brits coming up from the rear.....
    • Passwords are a bad means of securing a computer. Sure, passwords are far cry more secure means no authentication at all, but they do have some pretty severe limitations...

      1) Any breach of a password pretty much kills them. Dead. If your ex-GF/BF gets the password to your webmail account, god help you, because the password in their hands works just as well as in yours.

      2) Usually you don't have any (obvious) way of knowing that the breach occurred.

      3) Because of (1) and (2), they are highly vulnerable to soci

      • by _Sharp'r_ (649297)

        1. Install script in end user's browser using drive-by download on site you get them to access, emailed javascript, etc... multitude of ways.
        2. Wait for end user to accomplish steps 1-3a for you, which he will the next time he checks his mail.
        3. Installed script passes whatever you want back to you since it now has secured access to your secure site. (???? step)
        4. Profit $10K!

        The phone call method of security is useless if you can just wait for the end user to legitimately accomplish it for you when they th

    • Re:The Catch (Score:5, Interesting)

      by digitalchinky (650880) <dtchky@gmail.com> on Saturday June 06, 2009 @03:32AM (#28230847)

      Damn, I wish I lived in the US. This is easy money.

      For 10 grand in prize money - wow, they didn't think about this very well. The kit you need is all available on ebay for less than a grand. I already have the modems, EDT data capture cards, a couple of Sun ultra's (old, but they do the job dependably), a spectrum analyser, antennas, level converters, up/down converter, transceivers and a bunch of cables to connect it all together.

      It would take a half a day at most. Camp outside his office or home, figure out which cell tower he is on (line of site) and poke an antenna in the path of the microwave link the tower uses to talk to the exchange. (This traffic is all unencrypted, bog standard T1/E1 stuff) - do whatever you need to do to trigger the text alert, suck down the CCITT-7 channel, then pick through the SMS payload until you find the code. Log in and take the cash.

      Legal? I'd say absolutely, you haven't actually monitored a 'cell phone' at all, nor have you tuned your receive gear to any part of the spectrum used by a cell phone. All you've done is read the out of band signalling system on an entirely separate trunk over a link, that is not breaking the 'do not monitor phone calls' rule. (No such rules exist where I live, mostly because radio is still thought of as magic by the Government)

      • Re: (Score:3, Funny)

        by JonJ (907502)
        That's "easy money" where you live? Where the fuck is that? And I wonder what's considered "hard" for you people.
        • Re:The Catch (Score:4, Interesting)

          by digitalchinky (650880) <dtchky@gmail.com> on Saturday June 06, 2009 @08:11AM (#28231853)

          I'm Australian, a former secret 3 letter agency drone (Defence Signals Directorate, and others), probably disgruntled, and a few years back I moved to Asia. I'd love to say I now dabble in a little light industrial espionage, but really, there isn't much of a call for former spies. People don't believe you anyway. These days I'm just some guy with a keen interest in radio communications. And this problem is naught more than a bit of a jigsaw puzzle of equipment and a hex editor. Pretty much anyone working with any kind of satellite communication system will be familiar with the technology.

          What is hard? For me, anything that is largely not radio communications, like women, and carburettors :-)

      • It would take a half a day at most. Camp outside his office or home, figure out which cell tower he is on (line of site) and poke an antenna in the path of the microwave link the tower uses to talk to the exchange. (This traffic is all unencrypted, bog standard T1/E1 stuff) - do whatever you need to do to trigger the text alert, suck down the CCITT-7 channel, then pick through the SMS payload until you find the code. Log in and take the cash.

        I'm not saying GSM isn't swiss cheese from todays security POV, bu

        • Hopefully there would be no need to mess with the GSM/CDMA over the air part, but you are right, lots of papers on the encryption schemes and they could be brute forced if time is not much of a factor. You are right about the luck part in some ways, but perhaps not as much as you might think. Unless the guy has his office on the 35th floor and has a thousand in view, then probably we only need to seek out 3 or 4 towers at most and work with those.

          I concur, not all of these are microwaved, but in built up ci

      • Re: (Score:3, Insightful)

        by toddestan (632714)

        The only detail that your missing is that you would also his username and password in addition to being able to tap his cell phone.

  • Just make sure Darren Berkovitz has his phone on him There's nothing in the rules against it...
  • Point of Order... (Score:2, Insightful)

    by ae1294 (1547521)

    Void where prohibited, taxed, or otherwise restricted by law. Subject to all federal, state, and local laws. This Contest is open to all legal residents of the United States and the District of Columbia, and U.S. Military personnel (and their families) with APO/FPO addresses, who are eighteen (18) years of age or older.

    Void where prohibited? - Hacking? Nah...
    Taxed? - Hacking? - Donno it might be now...
    Otherwise restricted by law? - Hacking? Nah....
    Subject to all federal, state, and local laws? - Hacking? Nah...
    Only open to US residents? - SURE, "all" the best hackers and US born.
    18 Years of Age. - O yes, for "all" the best hackers are 18 and older because they have girlfriends, jobs and a shit-ton more to loose.

    Gezzzzz come on now... If you try and claim the 10 grand you're going to get 30 years in federal prison.....
    No w

    • Only open to US residents? - SURE, "all" the best hackers and US born.
      18 Years of Age. - O yes, for "all" the best hackers are 18 and older because they have girlfriends, jobs and a shit-ton more to loose.

      They have to limit their liability by only allowing American adults, a minor can't enter into a contract so there's no point in even allowing them to compete. They probably need to be American just in case the company decides to sue them. As for hacking being illegal, it's not exactly illegal when you have permission to do it. The definition of hacking includes lack of authorization to do what you're doing. If you have authorization, legally speaking you're not hacking.

  • Won't they have to pull their heads out, first?

    Remember, folks, in the real world, crackers won't abide by your user agreements. They will look under your secretary's keyboard for the password list, check your logs for mistyped passwords instead of login names, read your Subversion stored plain text passwords from your backup tapes, and read your Wiki for shared passwords.

  • pay the guys. they invested the effort to crack your impenetrable fortress of code, and you were stupid enough to encourage them. dont turn this into something akin to the qmail bounty.

    of course the idea of foss software comes to mind...where everyone has access to your obviously lacking source and can suggest cool new security features that arent cracked at a near zero day rate.

Today's scientific question is: What in the world is electricity? And where does it go after it leaves the toaster? -- Dave Barry, "What is Electricity?"

Working...