<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>True Insight &#187; Uncategorized</title>
	<atom:link href="http://www.truedigitalsecurity.com/blog/category/uncategorized/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.truedigitalsecurity.com/blog</link>
	<description>Information Security in Today&#039;s Digital Culture</description>
	<lastBuildDate>Mon, 06 Feb 2012 19:22:26 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>True Consultant Uncovers Oracle Vulnerabilities Addressed in January 2012 CPU</title>
		<link>http://www.truedigitalsecurity.com/blog/2012/01/23/true-consultant-uncovers-oracle-vulnerabilities-addressed-in-january-2012-cpu/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2012/01/23/true-consultant-uncovers-oracle-vulnerabilities-addressed-in-january-2012-cpu/#comments</comments>
		<pubDate>Mon, 23 Jan 2012 16:20:44 +0000</pubDate>
		<dc:creator>Kayna Kelley</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=951</guid>
		<description><![CDATA[True&#8217;s very own Michael Oglesby was recognized within the credit statement of the Oracle January 2012 CPU for identifying specific vulnerabilities addressed in the report. In a future post, Michael will share insights into the vulnerabilities he uncovered. True consultants are active participants in the security research community, often contributing their expertise by reporting vulnerability &#8230; <a href="http://www.truedigitalsecurity.com/blog/2012/01/23/true-consultant-uncovers-oracle-vulnerabilities-addressed-in-january-2012-cpu/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>True&#8217;s very own Michael Oglesby was recognized within the credit statement of the <a href="http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html" target="_blank">Oracle January 2012 CPU</a> for identifying specific vulnerabilities addressed in the report.  In a future post, Michael will share insights into the vulnerabilities he uncovered.</p>
<p>True consultants are active participants in the security research community, often contributing their expertise by reporting vulnerability findings; providing insight within articles, news stories and white papers; and speaking at local security chapter associations and national security conferences, with the goal of helping security professionals improve their information security practices.</p>
<div class="wp-about-author-containter-none" style="background-color:#edf0f7;"><div class="wp-about-author-pic"><img alt='Kayna Kelley' src='http://www.truedigitalsecurity.com/blog/wp-content/uploads/2012/01/Kayna-Kelley_avatar_1.jpg' class='avatar avatar-100 photo' height='100' width='100' /></div><div class="wp-about-author-text"><h3><a href='http://www.truedigitalsecurity.com/blog/author/kkkelley/' title='Kayna Kelley'>Kayna Kelley</a></h3><p>Kayna Kelley is True's Marketing Manager and Technical Writer with responsibilities of managing True's marketing and sales support efforts.  Kayna received her undergraduate and MBA degrees from Oklahoma State University and has rich experience promoting B2B technology companies.</p></div></div>]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2012/01/23/true-consultant-uncovers-oracle-vulnerabilities-addressed-in-january-2012-cpu/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Solving the Verizon DBIR 2011 Cover Challenge … again</title>
		<link>http://www.truedigitalsecurity.com/blog/2011/04/28/solving-the-verizon-dbir-2011-cover-challenge-%e2%80%a6-again/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2011/04/28/solving-the-verizon-dbir-2011-cover-challenge-%e2%80%a6-again/#comments</comments>
		<pubDate>Thu, 28 Apr 2011 17:02:37 +0000</pubDate>
		<dc:creator>Michael Oglesby</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[contest]]></category>
		<category><![CDATA[DBIR]]></category>
		<category><![CDATA[Verizon]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=327</guid>
		<description><![CDATA[For a third year, Verizon Business has embedded a &#8220;Cover Challenge&#8221; in its annual Data Breach Investigation Report (DBIR). The challenge is an unspecified puzzle hidden within the document. I finished the puzzle in second place after having placed first last year. Congrats to Dan Caselden on his amazingly fast first place win this year. &#8230; <a href="http://www.truedigitalsecurity.com/blog/2011/04/28/solving-the-verizon-dbir-2011-cover-challenge-%e2%80%a6-again/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>For a third year, Verizon Business has embedded a &#8220;Cover Challenge&#8221; in its annual <a title="Data Breach Investigation Report (DBIR)" href="http://securityblog.verizonbusiness.com/2011/04/19/2011-data-breach-investigations-report-released/" target="_blank">Data Breach Investigation Report (DBIR)</a>. The challenge is an unspecified puzzle hidden within the document. I finished the puzzle in second place after having placed first last year. Congrats to <a href="http://twitter.com/dancaselden" target="_blank">Dan Caselden</a> on his amazingly fast first place win this year.</p>
<p>If you want to solve the puzzles yourself, spoiler-free, I suggest you read no further. Otherwise, here is how I solved this year’s challenge. If you are interested in last year&#8217;s solution, check out my <a href="http://www.truedigitalsecurity.com/blog/2010/08/26/solving-verizon-dbir-2010-cover-challenge/">post</a> from last year.</p>
<hr />
<p>While scanning this year’s DBIR in detail, several items immediately jump out:</p>
<ul>
<li>“aes-128-cbc” embedded in text on the cover (near the bottom left)</li>
<li>“3Wolf” on the cover (on the white sunglass)</li>
<li>“pplwc” at the bottom of the second to last page</li>
<li> A block of encrypted data on the last page (text is in black matching the background)</li>
</ul>
<pre>U2FsdGVkX180AaM+aGDY0cUgudzihpyjBoJJEIwu5CW4aLf7EeoMz3FuwU0WrSmK</pre>
<p>The encrypted block is of the same format as last year. See <a href="http://www.truedigitalsecurity.com/blog/2010/08/26/solving-verizon-dbir-2010-cover-challenge/">last year’s solution</a> for more info on its format.  At this point, we have an encrypted block and its encryption algorithm (no brute forcing this year). Now it’s time to find the decryption key.</p>
<p>If you’re familiar with your Internet memes, 3Wolf jumps out as a reference to the <a href="http://en.wikipedia.org/wiki/Three_Wolf_Moon" target="_blank">3 Wolf Moon T-shirt meme</a> from a few years ago. If you’re not familiar with this meme, it&#8217;s actually referenced by the DBIR authors on page 12. Following the link within the DBIR takes you to the Amazon page for the t-shirt. After some quick searching around, we find several customer images featuring some of the DBIR authors wearing 3wolf shirts as well as a larger picture of the man on the cover (Cover Guy). His picture’s caption reads &#8220;Look at #MEANDMY3WMT !!&#8221;</p>
<p>Again, Internet-savvy users will immediately recognize the Twitter hashtag in the picture’s caption. A quick search on Twitter shows one result, user <a title="Cover Guy" href="http://twitter.com/TresL0b0sDude">@TresL0b0sDude</a>, who has been regularly tweeting a link to <a href="http://bit.ly/dQ5a5H">http://bit.ly/dQ5a5H</a>. Following the link takes you to yet another picture of the Cover Guy.</p>
<p>So far, this year’s challenge has been much more involved than last year!</p>
<p>Close examination of this new picture reveals:</p>
<ul>
<li> &#8220;silent&#8221; on the eye picture</li>
<li>&#8220;pw&#8221; on the cat picture</li>
<li>A picture of the 2008 DBIR document</li>
</ul>
<p>Googling the elements discovered in the picture turns up a promising result: a steganography tool called <a href="http://www.silenteye.org" target="_blank">SilentEye</a>. After installing it and fiddling with the program’s parameters, a file hidden within the Cover Guy picture is extracted by using a password of “cat”. This file contains the phrase &#8220;H00000000wling @ zee moon!&#8221;</p>
<p>This phrase is actually the decryption key to the original block of text hidden on the back page of the DBIR.  However, unlike last year, it seems we are not done. Instead of decrypting to a message, we find a string of comma-delimited numbers. (Line breaks added for readability.)</p>
<pre>14, 1, 1, 2, 3, 12, 1, 1, 3, 5, 5, 2, 5, 3, 1, 12, 1, 1, 8, 2,
23, 1, 2, 5, 3, 10, 3, 5, 4, 5, 8, 2, 2, 3, 5, 15, 2, 6, 1, 1,
12, 3, 3, 15, 2, 14, 2, 4, 2, 1, 24, 4, 4, 21, 3, 8, 2, 1, 1, 1,
17, 2, 2, 1, 6, 26, 7, 2, 12, 1, 21, 4, 3, 12, 3, 12, 3, 5, 5, 5,
8, 2, 6, 5, 5, 16, 3, 3, 9, 1, 5, 3, 4, 2, 6, 6, 5, 4, 3, 1,
13, 1, 3, 13, 1, 10, 3, 2, 14, 1, 5, 2, 2, 5, 4, 8, 3, 4, 6, 3,
12, 1, 4, 5, 5, 26, 2, 6, 2, 15, 16, 5, 5, 2, 3, 24, 4, 4, 21, 5,
23, 1, 3, 6, 1, 14, 1, 6, 7, 5, 10, 2, 4, 13, 2, 10, 4, 1, 2, 10,
8, 3, 4, 6, 3, 15, 1, 3, 1, 1, 6, 6, 3, 15, 2, 9, 1, 3, 3, 4,
13, 3, 1, 5, 2</pre>
<p>This element of the challenge stumped me for a few days. The numbers range from 1 to 26, suggesting an alphabetic cipher. After several days of trying various substitution, rotation, Vigenère, and other ciphers, I took another look at the &#8220;pplwc&#8221; clue. A flash of insight leads me to deduce that the numbers are actually positional indexes with &#8220;pplwc&#8221; standing for Page, Paragraph, Line, Word, Character. Using this logic, I find that it does not work properly against the 2011 DBIR document; however, it does work against the 2008 DBIR document referenced in a previous clue. I will leave it as an exercise to the reader to decipher the final message.</p>
<p>Thanks again to all the DBIR authors for another fun challenge.</p>
<div class="wp-about-author-containter-none" style="background-color:#edf0f7;"><div class="wp-about-author-pic"><img alt='Michael Oglesby' src='http://www.truedigitalsecurity.com/blog/wp-content/uploads/2011/08/ogs-bwcrop-100x100.jpg' class='avatar avatar-100 photo' height='100' width='100' /></div><div class="wp-about-author-text"><h3><a href='http://www.truedigitalsecurity.com/blog/author/mroglesby/' title='Michael Oglesby'>Michael Oglesby</a></h3><p>The Director of Tactical Security Services at TRUE, Michael specializes in security testing initiatives with vast network and application security assessment experience.  He oversees a team of analysts in conducting SAST- and DAST-based services.  Certifications include CISSP, CSSLP, QSA and CNSS 4011-4015.  He is also the Verizon 2010 Data Breach Investigation Report Cover Challenge Winner and second place finisher in the 2011 competition.</p></div></div>]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2011/04/28/solving-the-verizon-dbir-2011-cover-challenge-%e2%80%a6-again/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Solving the Verizon DBIR 2010 Cover Challenge</title>
		<link>http://www.truedigitalsecurity.com/blog/2010/08/26/solving-verizon-dbir-2010-cover-challenge/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2010/08/26/solving-verizon-dbir-2010-cover-challenge/#comments</comments>
		<pubDate>Thu, 26 Aug 2010 16:45:38 +0000</pubDate>
		<dc:creator>Michael Oglesby</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[DBIR]]></category>
		<category><![CDATA[Verizon]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=281</guid>
		<description><![CDATA[For the second year in a row, Verizon Business has encoded a &#8220;Cover Challenge&#8221; in its annual Data Breach Investigation Report. This year I was the first place winner, submitting the correct solution after 1.5 weeks of puzzling. Verizon 2010 Data Breach Investigation Report Knowing about last year&#8217;s challenge, I took a quick look at &#8230; <a href="http://www.truedigitalsecurity.com/blog/2010/08/26/solving-verizon-dbir-2010-cover-challenge/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>For the second year in a row, Verizon Business has encoded a &#8220;Cover Challenge&#8221; in its annual <a href="http://www.verizonbusiness.com/Thinkforward/#/risk_management" target="_blank">Data Breach Investigation Report</a>. This year I was the first place winner, submitting the correct solution after 1.5 weeks of puzzling.</p>
<p><a href="http://www.verizonbusiness.com/go/2010databreachreport/" target="_blank">Verizon 2010 Data Breach Investigation Report</a></p>
<p>Knowing about last year&#8217;s challenge, I took a quick look at this year&#8217;s report and didn&#8217;t immediately notice anything puzzle related. A few days later Verizon confirmed on their <a href="http://securityblog.verizonbusiness.com/2010/08/09/who-wants-500/" target="_blank">security blog</a> that there was indeed a cover challenge. Game on.</p>
<p>The first thing that obviously stands out is the large fingerprint.  After visually scouring the fingerprint under a high zoom level, several possible words, letters, and numbers were discovered.</p>
<ul>
<li>The word &#8220;openssl&#8221; on the left edge near the middle.</li>
<li>&#8220;p(F+)&#8221; or just &#8220;(F+)&#8221; 3/4 of the way down the right side</li>
<li>&#8220;mc141&#8221;, &#8220;141&#8221;, &#8220;41&#8221;, or just &#8220;4&#8221; on the right side almost to the bottom</li>
</ul>
<p>Openssl is the most immediately interesting item; however, none of these items seem to lead anywhere by themselves. Continuing the search throughout the report reveals a hidden block of text within the back cover. This text is hidden using the classic text hiding trick of assigning the same color to both the font and the background. The text is easily recoverable by copying and pasting or by overriding the PDF color settings in the options.</p>
<pre style="padding-left: 30px;">U2FsdGVkX1/igcsdctD3brMu4vDXkswNZZoHL6QVcI6eBlfN4aqvBBowRhf9wfsk
hb5RIGVSpphM2bJe33tVKh7koZ85V5ebFI1mPlXEhnKHO+er8EIyDRYuVvju08qv
u/jITmGEM4Mpk4gvL7aVeFB5lxoMFo0ds/CEA6zK80QprvV5B+c6+MWciIzLFJWI
/4OcO96UGM2riMKj2iy4JgmRxjEUyX/TKQEIB1s7WLh6cW30JpvgAI8wILVdTWpt
+gnIfyEGxio4Q2T9LM1ncA5K2P4lg/DsTiDIEEg3Ws4uW5sbz22qfE91frW7NnBg
t46Iy0WhZgw0+wj4DCLzF4GBnIkplanSMdA+hiwhdR629KL7O8X1ZLg5eFHmjS6C
VCXXuQJVSaVG77/5113N/eNMboD2RhXyq1kWzZZaW/lpJ8vIDs5OK7d1TPG6aVLJ
hINx3qPZzNvtK4r4KfZ5fhjUXLcufOpE46gGnD0aHW+SCcGl2k7NPqbYfGtYSwuJ
HYne4VTxR772vsV5RFgirw==</pre>
<p>Recognizing this as base64 encoding, I decoded it, which leads to the string &#8220;Salted__&#8221; followed by random bytes. After some quick Google searching for this string, I identified the format as an encrypted block which openssl creates when utilizing a random salt. You can see this working by using the <a href="http://www.openssl.org/docs/apps/enc.html" target="_blank">openssl enc feature</a>.</p>
<pre style="padding-left: 30px;">openssl enc -in file_to_encrypt -des3 -e -base64 -salt -pass pass:"some password"</pre>
<p>At this point we have our cipher text, probably containing a congratulatory message and instructions on how to submit the answer. Since this appears to be created using a salted algorithm via openssl, the answer is probably not solved via cryptanalysis as it was last year. Instead we need to find two missing pieces of information: the crypto algorithm and the key. I began trying various words and phrasing from the report as the key and brute forcing the algorithm using a simple Ruby script to iterate over all the supported algorithms.</p>
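<pre style="padding-left: 30px;"># Cipher options to try; the full list is elided here, as in the original post.
alg = [ "-aes-128-cbc", "-aes-128-cfb8", "-rc5-ofb" ] # ... plus the other supported ciphers
password = ARGV[0] # candidate key, given on the command line
alg.each { |a|
 puts a
 # Argument-list form of system avoids shell quoting problems in the password.
 system("openssl", "enc", "-a", "-d", "-salt", "-in", "puzzle_file", a, "-pass", "pass:#{password}")
}</pre>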
<p>After several days of trying various methods including dictionary attacks, PDF object extraction, stego, random guessing, and base64 encoding/decoding (base64 &#8220;(F+)&#8221; =&gt; &#8220;KEYrKQo=&#8221;; notice it begins with KEY. Was that just a strange coincidence?), Verizon began posting clues which pointed to the F+ as being related to the key and that it probably meant &#8220;False Positive&#8221;. After trying several guesses around IDS false positive rates, I made the logic jump that there was a &#8220;p&#8221; in front of &#8220;(F+)&#8221; meaning the probability of a false positive and that it relates to fingerprint analysis.</p>
<p>Some quick Google searching leads to the <a href="http://en.wikipedia.org/wiki/Fingerprint" target="_blank">fingerprint Wikipedia page</a>, which states that Sir Francis Galton calculated the false positive rate to be 1 in 64 billion. Trying various spacing combinations leads to the correct key &#8220;1in64billion&#8221;.</p>
<pre style="padding-left: 30px;">Congratulations! You've solved the 2010 DBIR Cover Challenge. If you happen
to be the among the first three people to see this message and email us the
correct answer to the question below, you will receive a prize.
Who calculated the probability of a false positive in using fingerprint
analysis for identification?
Email your answer to dbir@lists.verizonbusiness.com</pre>
<p>For completeness&#8217; sake, the algorithm used was AES-256-CBC.</p>
<p>Thanks to Verizon Business for a fun challenge this year and thanks to the folks on twitter #DBIR for both leads and wild tangents.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2010/08/26/solving-verizon-dbir-2010-cover-challenge/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>President Obama&#8217;s Cyber Security Policy</title>
		<link>http://www.truedigitalsecurity.com/blog/2009/07/09/president-obamas-cyber-security-policy/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2009/07/09/president-obamas-cyber-security-policy/#comments</comments>
		<pubDate>Thu, 09 Jul 2009 21:15:36 +0000</pubDate>
		<dc:creator>Nathaniel James</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Homeland Security]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[politics]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=230</guid>
		<description><![CDATA[President Obama’s new cyber security policy and the creation of a White House office for cyber defense is a step in the right direction. I think the new cyber boss can be effective regardless of title or hierarchical position within the White House. According to the Cyberspace Policy Review referenced above, the Federal government cannot &#8230; <a href="http://www.truedigitalsecurity.com/blog/2009/07/09/president-obamas-cyber-security-policy/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>President Obama’s new <a href="http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf">cyber security policy</a> and the creation of a White House office for cyber defense is a step in the right direction. I think the new cyber boss can be effective regardless of title or hierarchical position within the White House.</p>
<p>According to the Cyberspace Policy Review referenced above, the Federal government cannot succeed in the many facets of securing cyberspace if it works in isolation. The public and private sectors’ interests are intertwined with a shared responsibility for ensuring a secure, reliable infrastructure upon which businesses and government services depend. Government and industry leaders both nationally and internationally need to delineate roles and responsibilities, integrate capabilities, and take ownership of the problem to develop holistic solutions. Only through such partnerships will the United States be able to enhance cyber security and reap the full benefits of the digital revolution.</p>
<p>Whatever the outcome, cyber security needs the same attention from law enforcement as other crimes.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2009/07/09/president-obamas-cyber-security-policy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Java App Store</title>
		<link>http://www.truedigitalsecurity.com/blog/2009/05/21/java-app-store/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2009/05/21/java-app-store/#comments</comments>
		<pubDate>Thu, 21 May 2009 13:25:20 +0000</pubDate>
		<dc:creator>Brett Edgar</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Java]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=208</guid>
		<description><![CDATA[Sun Microsystems&#8217;s CEO announced yesterday its intention (or is it now Oracle&#8217;s intention?) to launch an App Store for Java software a la Apple&#8217;s iTunes App Store for iPods and iPhones.  Slashdotters responded with typical jokes about how slow Java apps seem to be.  Jokes about molasses aside, is this a good idea?  Will it &#8230; <a href="http://www.truedigitalsecurity.com/blog/2009/05/21/java-app-store/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Sun Microsystems&#8217;s CEO <a title="Java App Store" href="http://blogs.sun.com/jonathan/entry/will_java_be_the_world">announced yesterday</a> its intention (or is it now Oracle&#8217;s intention?) to launch an App Store for Java software a la Apple&#8217;s iTunes App Store for iPods and iPhones.  <a title="Slashdot response to Java App Store announcement" href="http://tech.slashdot.org/article.pl?sid=09/05/20/2230239">Slashdotters</a> responded with typical jokes about how slow Java apps seem to be.  Jokes about molasses aside, is this a good idea?  Will it catch on?  Initial reactions are mixed.</p>
<p>If executed properly, I think a Java App Store may work.  The announcement indicates that Sun engineers will be reviewing all submissions prior to publishing the apps to the world in an effort to minimally evaluate them for &#8220;safety and content&#8221;, whatever that means.  If the evaluations are not too heavy-handed, this may work.  If the prices aren&#8217;t extravagant, Sun may reach a wide audience, indeed.</p>
<div class="wp-about-author-containter-none" style="background-color:#edf0f7;"><div class="wp-about-author-pic"><img alt='Brett Edgar' src='http://www.truedigitalsecurity.com/blog/wp-content/uploads/2012/01/Kayna-Kelley_avatar.jpg' class='avatar avatar-100 photo' height='100' width='100' /></div><div class="wp-about-author-text"><h3><a href='http://www.truedigitalsecurity.com/blog/author/bredgar/' title='Brett Edgar'>Brett Edgar</a></h3><p>Brett is a Founder and the Director of Managed Security Services at TRUE.  He has been working in the system and network forensics field since graduating from the University of Tulsa with a B.S. Computer Science in 2003.  He speaks hexadecimal fluently and is TRUE's resident human Ethernet transceiver.  He holds CISSP, CSSLP, and CNSS 4011-4015 certificates, loves MLB and NCAA Football, and when he gets tired of hexadecimal, he goes home to hang out with his wife and kid.</p></div></div>]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2009/05/21/java-app-store/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Welcome to our new &#8220;True Insight&#8221; blog!</title>
		<link>http://www.truedigitalsecurity.com/blog/2008/01/11/welcome-to-our-new-true-insight-blog/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2008/01/11/welcome-to-our-new-true-insight-blog/#comments</comments>
		<pubDate>Thu, 10 Jan 2008 21:51:15 +0000</pubDate>
		<dc:creator>Jerald Dawkins</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[welcome]]></category>

		<guid isPermaLink="false">http://blog.truedigitalsecurity.com/2008/01/11/welcome-to-our-new-true-insight-blog/</guid>
		<description><![CDATA[We look forward to chatting with our customers, friends and anyone who wants to discuss ongoing security trends. I continue to be amazed with our team here at True Digital Security and I am excited that you will get the opportunity to know them a little better and in turn we will also get to &#8230; <a href="http://www.truedigitalsecurity.com/blog/2008/01/11/welcome-to-our-new-true-insight-blog/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p><font face="Helvetica" size="3">We look forward to chatting with our customers, friends and anyone who wants to discuss ongoing security trends. I continue to be amazed with our team here at True Digital Security and I am excited that you will get the opportunity to know them a little better and in turn we will also get to know you.</font></p>
<p><font face="Helvetica" size="3">Each week there will be new posts about our digital culture, security trends, and comments on weekly technology news stories, and we will also look to you for contributions. We heartily invite your comments, tips and insights and look forward to hearing from you.</font></p>
<p><font face="Helvetica" size="3"><strong><em>True Insight</em></strong> is</font></p>
<ul>
<li><font face="Helvetica" size="3">Real-time insight from our industry leaders</font></li>
<li><font face="Helvetica" size="3">New ideas and fresh approaches to digital security</font></li>
<li><font face="Helvetica" size="3">Commentary on digital culture</font></li>
<li><font face="Helvetica" size="3">Up-to-date analysis on the ongoing evolution of network security</font></li>
</ul>
<p><font face="Helvetica" size="3">Subscribe now to participate in <strong><em>True Insight</em></strong>.</font></p>
<p><font face="Helvetica" size="3">Jerry Dawkins<br />
CEO, True Digital Security, Inc.</font></p>
<div class="wp-about-author-containter-none" style="background-color:#edf0f7;"><div class="wp-about-author-pic"><img alt='Jerald Dawkins' src='http://www.truedigitalsecurity.com/blog/wp-content/uploads/2011/08/jerry-100x100.png' class='avatar avatar-100 photo' height='100' width='100' /></div><div class="wp-about-author-text"><h3><a href='http://www.truedigitalsecurity.com/blog/author/jwdawkins/' title='Jerald Dawkins'>Jerald Dawkins</a></h3><p>Dr. Jerald Dawkins is the CEO and Founder of TRUE and has extensive experience in regulatory compliance, technical risk assessments, penetration testing, web application vulnerability analysis and secure coding.  Dr. Dawkins is the author of numerous publications and presents at national and international conferences.  He holds the following certifications: U.S. Government Secret Clearance, CISSP, QSA, NSA IAM, and CNSS 4011-4015.</p></div></div>]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2008/01/11/welcome-to-our-new-true-insight-blog/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

