Hackers Claim $10K Prize For StrongWebmail Breakin
alphadogg writes "Telesign, a provider of voice-based authentication software, challenged hackers to break into its StrongWebmail.com Web site late last week. The prize: $10,000. On Thursday, a group of security researchers claimed to have won the contest, which challenged hackers to break into the Web mail account of StrongWebmail CEO Darren Berkovitz and report back details from his June 26 calendar entry. The hackers, led by Secure Science Chief Scientist Lance James and security researchers Aviv Raff and Mike Bailey, provided details from Berkovitz's calendar to IDG News Service. In an interview, Berkovitz confirmed those details were from his account. However, Berkovitz could not confirm that the hackers had actually won the prize. He said he would need to check to confirm that the hackers had abided by the contest rules, adding, 'if someone did it, we'll kind of put our heads down.'"
Hu? (Score:5, Insightful)
Wait I'm confused??? They expected the hackers to follow rules?
Telegraphing (Score:5, Insightful)
The size of the prize -- $10,000 -- indicates that the company thought it reasonably possible that they'd get hacked, and/or desired to avoid motivating any serious hacking attempt. Neither explanation gives me much confidence in their product.
And wow did it ever backfire. Normally they do these kinds of promotions in the hopes that nobody will bother, so that the company can later say "We offered a wheelbarrow of cash, and still nobody hacked us!". As if that was equivalent to a real security audit.
Re:Telegraphing (Score:5, Insightful)
Maybe I'm naive, but I figure StrongWebmail.com might be the best webmail site to use for security right now because they're in a heightened state of alert. Kinda like flying right after 9/11.
Interesting approach (Score:4, Insightful)
Re:Interesting approach (Score:5, Insightful)
This is obvious (Score:5, Insightful)
If the idea is to determine whether it can be cracked, why are there rules? Whether they followed some self-imposed rules or not, it still indicates that there is a weak link in the armor.
Re:Hu? (Score:4, Insightful)
Re:Telegraphing (Score:3, Insightful)
Strongmail isn't the "best" (whatever criteria you use for "best") webmail site for "security" (whatever your definition of "security"). It's proven that it's easily cracked, and that is in and of itself a stay-away sign.
I highly recommend Bruce's blog at http://www.schneier.com/blog/ [schneier.com].
E
Re:The Catch (Score:3, Insightful)
Re:Telegraphing (Score:2, Insightful)
There was nothing done after 9/11 to raise the level of security for the flying public. That includes the period right after 9/11 up to and including today. Everything that was done was in the spirit of "security theater" (credit: Bruce Schneier).
That is such incredible BS. Disregarding the heightened awareness of airport personnel and stricter rules for metal detection, body pat downs, and newer equipment, what about air marshals? You can't possibly claim that undercover air marshals are "security theater."
Yeah, some of it is no doubt security theater, that's not in dispute...who says security theater isn't effective?
Re:Hu? (Score:5, Insightful)
Social engineering is a perfectly valid and entirely effective method of hacking.
Re:Telegraphing (Score:3, Insightful)
Body pat downs are security theater. The 9/11 terrorists didn't have boxcutters on them nor would that have been found in a pat down.
Newer equipment has only been installed in test markets to do the "puff" test. It detects gunpowder or explosive residue. Neither the "liquid explosive" (myth) nor the boxcutters can be detected by it.
Undercover air marshals board first, and keep their jackets on. IF THEY WERE ADEQUATELY TRAINED, NOT CORRUPT (see many news stories to the contrary) then they might make a difference, but not for any real scenarios.
You forgot to mention "reinforced cockpit doors" and "not congregating at the toilet." These also, like the former, do not prevent a terrorist with a boxcutter from putting it to the throat of a flight attendant (and four of them doing so to all four flight attendants) and threatening to kill them all.
Before you argue whether such an attack would be successful -- consider this -- if they can do it (which they can) then security since 9/11 has not increased which is exactly what I said.
"Who says security theater isn't effective?"
It's effective as mediocre entertainment if someone you don't like has to go through it.
It's not effective as security.
Best regards
E
Re:The Catch (Score:3, Insightful)
Re:Hu? (Score:5, Insightful)
But it doesn't test their software.
Re:Hu? (Score:3, Insightful)
Honestly what I find extremely funny is that they already know they have a security problem and that these hackers have some sort of access.
Are they really going to try and piss them off and not pay up?
Re:Hu? (Score:4, Insightful)
In the real world I'm not going to care HOW my secret correspondence was hacked when they assured me it would never happen.
"They got in through a vulnerability in our OS, but our software held up".
"Someone in our company helped themselves/someone else to your mails, but our software held up".
"Someone installed a trojan that compromised the authentication system, but our software held up".
I understand perfectly what they are trying to achieve with this contest but they come off as sounding as if any other means of obtaining 'secure' information is beyond their liability when they state that it is the most secure webmail system out there.
There are many different levels to security that need to be continually addressed yet they seem to think that as long as their little solo phone app doesn't get compromised then it's not really their fault.
At least that's the way the rules and TFA sound.
Re:Telegraphing (Score:3, Insightful)
We used to operate under the assumption that would-be hijackers wanted political attention and/or money. Now we operate under the assumption they are willing to die if it means inflicting more casualties. This means we will never again open the [now reinforced] cockpit doors in any circumstances when there is a hostile scenario in the cabin.
So all of this talk about box-cutters and other mythical impromptu melee weapons is a false dilemma. This is no longer a viable threat. Virtually all threats to be considered at this point are ones capable of causing harm to a large number of passengers in the passenger cabin (firearms), or causing the plane to crash (explosives). There are of course fringe cases, but all things must be a balance of convenience/accessibility and security.
Re:Hu? (Score:4, Insightful)
Why shouldn't bribing a janitor count? If I'm paying someone to call me every time I want to log into my email, then I'm probably pretty paranoid about security and don't want other people gaining access to my email. If security is so bad that random employees (including the janitor) can read my email, and those employees are so untrustworthy that they can be easily bribed, then that's just as real of a security problem as if their software were flawed.
Security is often only as strong as its weakest point. If the point of this prize was to prove that your email is secure on their servers, then gaining unauthorized access to other people's email on their servers should be enough to claim the prize.
Re:Hu? (Score:4, Insightful)
That wasn't the whole challenge. The challenge was to access an account on their allegedly super-secure webmail service. If the software is fairly solid but the staff are easily duped/bribed... how secure is the service?
Even if social engineering alone resulted in getting access to the prize data, then the challenge has still been met: StrongWebmail.com - the service - is not secure.
Re:Telegraphing (Score:2, Insightful)
Pilots will likely respond and land the plane. Sure, it won't be used as a weapon (but that was the 8-year-old plan... not tomorrow's plan). They can still get hundreds of hostages.
Going back to my original point. THERE IS NO MORE SECURITY TODAY. The Pilots' attitude is not a result of heightened security nor better screeners, nor the creation of DHS nor anything else.
Again, the web site does not provide stronger security. The airlines do not provide stronger security. There is equal lack of realism in saying "I'd rather fly now than before 2001" as "I'd rather trust strongwebmail now rather than before they were hacked." Neither has improved their security.
E
Point of Order... (Score:2, Insightful)
Void where prohibited, taxed, or otherwise restricted by law. Subject to all federal, state, and local laws. This Contest is open to all legal residents of the United States and the District of Columbia, and U.S. Military personnel (and their families) with APO/FPO addresses, who are eighteen (18) years of age or older.
Void where prohibited? - Hacking? Nah...
Taxed? - Hacking? - Donno it might be now...
Otherwise restricted by law? - Hacking? Nah....
Subject to all federal, state, and local laws? - Hacking? Nah...
Only open to US residents? - SURE, "all" the best hackers and US born.
18 Years of Age. - Oh yes, for "all" the best hackers are 18 and older because they have girlfriends, jobs and a shit-ton more to lose.
Gezzzzz come on now... If you try and claim the 10 grand you're going to get 30 years in federal prison.....
No wonder they didn't think anyone would try for the 10 grand.
Re:Telegraphing (Score:3, Insightful)
Sadly, sir, you are incorrect.
E
Re:Hu? (Score:4, Insightful)
Re:Hu? (Score:5, Insightful)
They never logged into the account themselves.
It's an XSS exploit: StrongWebmail expended all their resources attempting to prevent people obtaining credentials and logging in. However, send an email with an appropriate piece of script to the target user, or provide a link targeting one of the iframes on the site, and all you have to do is sit back and wait for that to get loaded in the browser.
The person doing the exploit never has to log in, all they need is to get some script on the page and wait for the target user to use their account as normal, which triggers the exploit right inside the browser. That's why noscript blocked the attempt on IDG - it wasn't the hackers running Firefox+noscript, it was the journalist asking them to replicate the attack.
No secretaries, janitors or midnight exchanges of cash-filled envelopes required - they spent so much time decorating the front door that they forgot to check inside the constant stream of animal-shaped wooden statues delivered to the service entrance.
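An added example, not StrongWebmail's or the researchers' code, showing the defender side of what this post describes: a webmail renderer that flags script tags, event handlers, javascript: URIs and iframes in inbound mail, and escapes the body into inert text rather than echoing it into the page. The sample messages and the evil.test host are constructed.

```javascript
// Added example (not StrongWebmail's code): handling HTML email bodies in a
// webmail renderer so that script delivered by mail never runs in the reader's
// session. Two pieces: an inbound scan that flags markup a mail client should
// never execute, and a renderer that HTML-escapes the body before display.

// Patterns a webmail renderer must never pass through to the browser unescaped.
const ACTIVE_CONTENT = [
  { name: "script-tag",     re: /<\s*script\b/i },
  { name: "event-handler",  re: /\son[a-z]+\s*=/i },
  { name: "javascript-uri", re: /(href|src)\s*=\s*["']?\s*javascript:/i },
  { name: "iframe-tag",     re: /<\s*iframe\b/i },
];

// Return the names of every active-content pattern present in an email body.
function scanEmailBody(html) {
  return ACTIVE_CONTENT.filter(p => p.re.test(html)).map(p => p.name);
}

// Escape the five HTML metacharacters so the body renders as plain text.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Render an inbound message for display: record findings, never emit raw HTML.
function renderMessage(msg) {
  const findings = scanEmailBody(msg.body);
  return {
    findings,
    html: `<div class="mail-body">${escapeHtml(msg.body)}</div>`,
  };
}

// Constructed sample messages (not real mail); the second and third carry the
// kind of markup the post describes arriving in the target's inbox.
const SAMPLES = [
  { from: "alice@example.test", body: "Lunch moved to 12:30 <b>tomorrow</b>" },
  { from: "mallory@example.test", body: '<p>hi</p><img src=x onerror="alert(1)">' },
  { from: "mallory@example.test",
    body: '<a href="javascript:void(0)">calendar</a><iframe src="//evil.test"></iframe>' },
];

if (typeof require !== "undefined" && require.main === module) {
  for (const m of SAMPLES) console.log(m.from, renderMessage(m));
}
```

Escaping everything also strips legitimate formatting (the `<b>` in the first sample); a production client would instead render through an allowlist sanitizer, but the invariant is the same: nothing from the message body reaches the DOM as executable content.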
Re:The Catch (Score:3, Insightful)
The only detail that you're missing is that you would also need his username and password in addition to being able to tap his cell phone.