
Hackers Claim $10K Prize For StrongWebmail Breakin

alphadogg writes "Telesign, a provider of voice-based authentication software, challenged hackers to break into its StrongWebmail.com Web site late last week. The prize: $10,000. On Thursday, a group of security researchers claimed to have won the contest, which challenged hackers to break into the Web mail account of StrongWebmail CEO Darren Berkovitz and report back details from his June 26 calendar entry. The hackers, led by Secure Science Chief Scientist Lance James and security researchers Aviv Raff and Mike Bailey, provided details from Berkovitz's calendar to IDG News Service. In an interview, Berkovitz confirmed those details were from his account. However, Berkovitz could not confirm that the hackers had actually won the prize. He said he would need to check to confirm that the hackers had abided by the contest rules, adding, 'if someone did it, we'll kind of put our heads down.'"

  • The Catch (Score:5, Informative)

    by LSDelirious ( 1569065 ) on Friday June 05, 2009 @10:23PM (#28229613)

    from StrongWebmail's Site [strongwebmail.com]

    There's just one catch: to access a StrongWebmail.com email account, the account's owner must receive a verification call on his pre-registered phone number. So even though you have our CEO's username and password, you still have some work to do because you don't have access to his telephone. If you do manage to be the first person to break into his email account, there's $10,000 in it for you - just register below to get started. Good luck!

    So they have to hack the phone company's system too, or find a way to clone his cellphone, so they can intercept the call and approve access? They might be cool with having their own systems hacked, but it sounds like they are now involving a phone company, which might not be too thrilled to be a part of their little game - the only way around that I can see is to hack the StrongWebmail system to change the "pre-registered" phone number....

    And who the hell wants an email account you have to approve via phone call every time you log in?!? What if your phone is lost/broken/dead/no reception/etc.? Then you have no way in.

  • Re:Full Details (Score:5, Informative)

    by LSDelirious ( 1569065 ) on Friday June 05, 2009 @10:36PM (#28229675)
  • by sgt_doom ( 655561 ) on Friday June 05, 2009 @11:07PM (#28229805)
    Hacking (or blackjacking, to use the vernacular) cells has been in existence for quite awhile, with probably Thai coders taking the lead, with Chinese, Americans, Germans and Brits coming up from the rear.....
  • Re:Hu? (Score:5, Informative)

    by jesseck ( 942036 ) on Friday June 05, 2009 @11:13PM (#28229831)
    While I agree that social engineering is a very legit way to hack a system, the terms of the challenge (link here [strongwebmail.com]) state that "You may not work with an employee, partner, or owner of StrongWebmail.com or any of its affiliates or partners to accomplish the email hack." Since this was StrongWebmail's contest, they make the rules. Even if the rules prevent a common method of hacking from taking place. On the other hand, people are quite often the weak link... by preventing the contestants from using this "easy" entry point (say, a janitor or secretary), they can test the technical system itself.
  • Re:Telegraphing (Score:4, Informative)

    by Anonymous Coward on Friday June 05, 2009 @11:32PM (#28229901)

    You think awareness will help to any degree? Awareness of what, and how does that equal greater security? I worked at a major airline before and about 5 months after 9/11. I worked at an airline and at an airport that was used by the 9/11 terrorists. Things may seem to have changed, but if you knew anything about the operations at an airport, it was smoke and mirrors. Maybe things have changed since then, so I cannot comment.

    On another note, I now live and work in DC. I see cars being checked before pulling into parking garages of important buildings. A security guard walks around the car with a mirror on a stick and checks the underneath of the cars before allowing entry. You call that increased security? Paint your bomb with undercoating or put it in the truck, in your engine bay, or hell, even in the back seat. As long as it does not have flashing lights and does not say "EXPLOSIVE" on it, they would never know.

    You want to know what heightened awareness there is? Remember this incident? http://en.wikipedia.org/wiki/2007_Boston_Mooninite_Scare [wikipedia.org]
    It had lights and wires, it must be a bomb. You feel safe with that level of awareness? I don't.

  • Re:This is obvious (Score:1, Informative)

    by Anonymous Coward on Saturday June 06, 2009 @12:01AM (#28229985)

    This joke wasn't immediately apparent to me. If it isn't to anybody else, then my advice to them is to try to imagine synonyms for "weak link" as it applies to armour.

  • Re:Hu? (Score:4, Informative)

    by capnkr ( 1153623 ) on Saturday June 06, 2009 @12:16AM (#28230069)
    FTFA (page 2, first paragraph):

    James said that these contests might be fun, but they don't provide a realistic measure of real security because they are encumbered with rules. The StrongWebmail contest prohibits working with a company insider, for example.

  • Re:Hu? (Score:2, Informative)

    by innocent_white_lamb ( 151825 ) on Saturday June 06, 2009 @01:16AM (#28230325)

    Your impression is wrong. I just looked at their website. They're offering a webmail service like Yahoo or Gmail -- the difference is that they phone you with an access code at a pre-determined phone number every time you want to access your email account.

  • Re:Point of Order... (Score:4, Informative)

    by pavon ( 30274 ) on Saturday June 06, 2009 @02:27AM (#28230603)

    There are anti-hacker laws, but they generally read along the lines of

    Whoever having knowingly accessed a computer without authorization or exceeding authorized access...
    Whoever intentionally, without authorization to access any nonpublic computer ...
    Whoever knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access

    (From 18.USC 1030 [cornell.edu], the law Lori Drew was charged with)

    Darren Berkovitz gave explicit permission when he announced this contest, so they had authorization to attempt to gain access by any means allowed by the rules. The only restrictions given were that you had to register first, and you couldn't get help from a StrongWebmail employee.

    The rest of the rules looked innocuous to me. Most of it was standard boilerplate which is required by law for any contest - a cereal box prize will have the same language. The last paragraph of the third section was all just Disclaimers of Liabilities - we aren't responsible for network congestion if someone tries to DoS us to win the prize, we aren't responsible if you download some script-kiddy software to use in the competition and it screws up your computer, etc.

    If you did clearly break the rules, then you could be charged under 18.USC 1030 as the access was unauthorized, knowing (you agreed to the rules), and fraudulent (you were attempting to cheat them out of prize money), and crossed state lines. But they weren't tricky rules to follow.

  • Re:Point of Order... (Score:1, Informative)

    by Anonymous Coward on Saturday June 06, 2009 @03:33AM (#28230849)

    For the love of anything anyone considers holy, don't mod this "Insightful."

    Funny perhaps, in a sort of tongue-in-cheek way...but seriously, all of those restrictions are generally required for any kind of contest with a large cash reward. It's just to remove any liability from the company for refusing would-be contest winners that are not permitted through laws, or for any actions of individuals illegally participating.
