For a third year, Verizon Business has embedded a "Cover Challenge" in its annual Data Breach Investigation Report (DBIR). The challenge is an unspecified puzzle hidden within the document. I finished the puzzle in second place after having placed first last year. Congrats to Dan Caselden on his amazingly fast first place win this year.
If you want to solve the puzzles yourself, spoilers free, I suggest you read no further. Otherwise, here is how I solved this year's challenge. If you are interested in last year's solution check out my post from last year.
While scanning this year's DBIR in detail, several items immediately jump out:
- "aes-128-cbc" embedded in text on the cover (near the bottom left)
- "3Wolf" on the cover (on the white sunglass)
- "pplwc" at the bottom of the second to last page
- A block of encrypted data on the last page (text is in black matching the background)
U2FsdGVkX180AaM+aGDY0cUgudzihpyjBoJJEIwu5CW4aLf7EeoMz3FuwU0WrSmK
D+pq8WBiECoFNB1K0qesbQBtCkbrOZyufwWKEcy3KwTQfdG6LSiswvfHq0R1slNT
dKuZ0DREk3N5NK5BDzbrFwI+4znBihkILoatsKQ6uR0BlxoHQnoyNT/tYMKv/r/Q
1IDr5qedtUFhGIBSjKgRNg+kUeTzyi/U+jKSzLPR2BiBj2N4YqjCqvzVgFfsqVgU
asOjYIcxyPcRug6TL+OqRoiA8D1IoSRZ1egd7OxoBBx6vYFnsjCvZ7FQB9llGX/7
bAslhxlyQlm05K7zi4MRE8pjp7+S8o86GQqbwNB/R7oqvXjMva4smb9fvIz5xWLR
a8NGak2fYo7PlOtWYcg/o2+pX2SazaABum3uggTxaPAqs1XdTFlswkuRslshkj6o
OsPwv/+/WO4+PEYDseZW4tlcigq37i1Dy6SLBCk8d2CO5Lo9UqKyZWRNTxb6795z
/10O02TTBvFCv4O7uo13HRQw2xYqxsODzjxoZXnmffWhV2+59Dus1iHQJaSr6QGF
0GqrHD6vT54XKP8ph8M7f5pxBC6b8qdV2Gz3agDJEcsAvrfnC7wgdVhK0rqueZGL
zQVU2KoFte2xS2CTs4bqAOygsATBQ9CjQPYb4p1ay6zW4iE9XbcA7r80foQ69MmZ
Mk8iL22lfOMlECHcmKjCln7rGH9X0n/4/VMgrf4pKnHJeqCc58Trlf5LvjEoWJVW
BLc9nrBUeJZAo50s1q2EtBA0EICyz63uOnzbN543CGI=
The encrypted block is of the same format as last year. See last year's solution for more info on its format. At this point, we have an encrypted block and its encryption algorithm (no brute forcing this year). Now it's time to find the decryption key.
If you're familiar with your Internet memes, 3Wolf jumps out as a reference to the 3 Wolf Moon T-shirt meme from a few years ago. If you're not familiar with this meme, it's actually referenced by the DBIR authors on page 12. Following the link within the DBIR takes you to the Amazon page for the t-shirt. After some quick searching around, we find several customer images featuring some of the DBIR authors wearing 3wolf shirts as well as a larger picture of the man on the cover (Cover Guy). His picture's caption reads "Look at #MEANDMY3WMT !!"
Again, Internet savvy users will immediately recognize the twitter hash tag in the picture's caption. A quick search on twitter shows one result, user @TresL0b0sDude who has been regularly tweeting a link to http://bit.ly/dQ5a5H. Following the link takes you to yet another picture of the Cover Guy.
So far, this year's challenge has been much more involved than last year!
Close examination of this new picture reveals:
- "silent" on the eye picture
- "pw" on the cat picture
- A picture of the 2008 DBIR document
Googling the elements discovered in the picture reveals a promising result of a stenography tool called SilentEye is found. Installing and fiddling with the program's parameters, a file is unhidden within the Cover Guy picture by using a password of "cat". This file contains the phrase "H00000000wling @ zee moon!"
This phrase is actually the decryption key to the original block of text hidden on the back page on the DBIR. However, unlike last year, it seems we are not done. Instead of decrypting to a message, we find a string of comma delimited numbers. (Line breaks added for readability)
14, 1, 1, 2, 3, 12, 1, 1, 3, 5, 5, 2, 5, 3, 1, 12, 1, 1, 8, 2,
23, 1, 2, 5, 3, 10, 3, 5, 4, 5, 8, 2, 2, 3, 5, 15, 2, 6, 1, 1,
12, 3, 3, 15, 2, 14, 2, 4, 2, 1, 24, 4, 4, 21, 3, 8, 2, 1, 1, 1,
17, 2, 2, 1, 6, 26, 7, 2, 12, 1, 21, 4, 3, 12, 3, 12, 3, 5, 5, 5,
8, 2, 6, 5, 5, 16, 3, 3, 9, 1, 5, 3, 4, 2, 6, 6, 5, 4, 3, 1,
13, 1, 3, 13, 1, 10, 3, 2, 14, 1, 5, 2, 2, 5, 4, 8, 3, 4, 6, 3,
12, 1, 4, 5, 5, 26, 2, 6, 2, 15, 16, 5, 5, 2, 3, 24, 4, 4, 21, 5,
23, 1, 3, 6, 1, 14, 1, 6, 7, 5, 10, 2, 4, 13, 2, 10, 4, 1, 2, 10,
8, 3, 4, 6, 3, 15, 1, 3, 1, 1, 6, 6, 3, 15, 2, 9, 1, 3, 3, 4,
13, 3, 1, 5, 2
This element of the challenge stumped me for a few days. The numbers range from 1 to 26 suggesting an alphabetic cipher. After several days of trying various substitution, rotation, vigenere, and other ciphers, I took another look at the "pplwc" clue. A flash of insight leads me to deduce that the numbers are actually positional indexes with "pplwc" standing for Page, Paragraph, Line, Word, Character. Using this logic, I find that it does not work properly against the 2011 DBIR document; however, it does work against the 2008 DBIR document referenced in a previous clue. I will leave it as an exercise to the reader to decipher the final message.
Thanks again to all the DBIR authors for another fun challenge.