For the second year in a row, Verizon Business has encoded a "Cover Challenge" in its annual Data Breach Investigation Report. This year I was the first place winner, submitting the correct solution after 1.5 weeks of puzzling.
Verizon 2010 Data Breach Investigation Report
Knowing about last year's challenge, I took a quick look at this year's report and didn't immediately notice anything puzzle related. A few days later Verizon confirmed on their security blog that there was indeed a cover challenge. Game on.
The first thing that obviously stands out is the large fingerprint. After visually scouring the fingerprint under a high zoom level, several possible words, letters, and numbers were discovered.
- The word"openssl" on the left edge near the middle.
- "p(F+)" or just "(F+)" 3/4 of the way down the right side
- "mc141", "141", "41", or just "4" on the right side almost to the bottom
Openssl is the most immediately interesting item, however none of these items seem to lead anywhere by themselves. Continuing the search throughout the report reveals a hidden block of text within the back cover. This text is hidden using the classic text hiding trick of assigning the same color to both the font and background color. The text is easily recoverable by copying and pasting or by overriding the PDF color settings in the options.
U2FsdGVkX1/igcsdctD3brMu4vDXkswNZZoHL6QVcI6eBlfN4aqvBBowRhf9wfsk
hb5RIGVSpphM2bJe33tVKh7koZ85V5ebFI1mPlXEhnKHO+er8EIyDRYuVvju08qv
u/jITmGEM4Mpk4gvL7aVeFB5lxoMFo0ds/CEA6zK80QprvV5B+c6+MWciIzLFJWI
/4OcO96UGM2riMKj2iy4JgmRxjEUyX/TKQEIB1s7WLh6cW30JpvgAI8wILVdTWpt
+gnIfyEGxio4Q2T9LM1ncA5K2P4lg/DsTiDIEEg3Ws4uW5sbz22qfE91frW7NnBg
t46Iy0WhZgw0+wj4DCLzF4GBnIkplanSMdA+hiwhdR629KL7O8X1ZLg5eFHmjS6C
VCXXuQJVSaVG77/5113N/eNMboD2RhXyq1kWzZZaW/lpJ8vIDs5OK7d1TPG6aVLJ
hINx3qPZzNvtK4r4KfZ5fhjUXLcufOpE46gGnD0aHW+SCcGl2k7NPqbYfGtYSwuJ
HYne4VTxR772vsV5RFgirw==
Recognizing this as base64 encoding, decoding it leads to the string "Salted__" followed by random bytes. After some quick Google searching for this string, I identified the format as an encrypted block which openssl creates when utilizing a random salt. You can see this working by using the openssl enc feature
openssl enc -in file_to_encrypt -des3 -e -base64 -salt -pass pass:"some password"
At this point we have our cipher text, probably containing a congratulatory message and instructions on how to submit the answer. Since this appears to be created using a salted algorithm via openssl, the answer is probably not solved via cryptanalysis as it was last year. Instead we need to find 2 missing pieces of information: the crypto algorithm and the key. I begin trying various words and phrasing from the report as the key and brute forcing the algorithm using a simple ruby script to iterate over all the supported algorithms.
alg = [ "-aes-128-cbc", "-aes-128-cfb8", .... "-rc5-ofb" ]
alg.each { |a|
puts "#{a}\n"
system("openssl enc -a -d -salt -in puzzle_file #{a} -pass pass:'#{ARGV[0]}' ")
}
After several days of trying various methods including dictionary attacks, PDF object extraction, stego, random guessing, base64 encoding/decoding (base64 "(F+)" => "KEYrKQo=", notice it begins with KEY. Was that just a strange coincidence?), Verizon begin posting clues which pointed to the F+ as being related to the key and that it probably meant "False Positive". After trying several guesses around IDS false positive rates, I made the logic jump that there was a "p" in front of "(F+)" meaning the probability of a false positive and that it relates to fingerprint analysis.
Some quick Google searching leads to the fingerprint Wikipedia page where it states Sir Francis Galton calculated the false positive rate to be 1 in 64 billion. Trying various spacing combinations leads to the correct key "1in64billion"
Congratulations! You've solved the 2010 DBIR Cover Challenge. If you happen
to be the among the first three people to see this message and email us the
correct answer to the question below, you will receive a prize.
Who calculated the probability of a false positive in using fingerprint
analysis for identification?
Email your answer to dbir@lists.verizonbusiness.com
For completeness sake, the algorithm used was AES-256-CBC.
Thanks to Verizon Business for a fun challenge this year and thanks to the folks on twitter #DBIR for both leads and wild tangents.