StrongWebmail apparently hacked after issuing $10K challenge

By Angela Gunn | Published June 4, 2009, 6:40 PM

Who among us doesn't love a good hack? After putting forth a $10,000 come-and-get-us challenge, it's possible that StrongWebmail CEO Darren Berkovitz is rethinking his stance on that. The company, which makes voice-based authentication software, dared hackers to break into Mr. Berkovitz's Web-mail account and report back details from an upcoming date on his calendar. A week later, a team of high-profile security researchers contacted a reporter with precisely that information.

The contest even gave hackers a head start, providing the target e-mail address (Support@StrongWebmailCorp.com) and that account's password. The idea was to point out StrongWebmail's unique value proposition -- voice verification through a pre-registered mobile number. One's account setup includes a phone number at which the system can reach you. When you attempt to log in to check mail, the system phones you with a three-digit number, which acts as a final verification before you hop into the inbox. The authentication is provided by Beverly Hills-based Telesign, which offers similar services to various Web sites.

An interesting version of ye olde something-you-own, something-you-know, right? The hacker challenge, therefore, was to circumvent that handset situation and get the three-digit number allowing them to check Mr. Berkovitz's schedule for June 26. (StrongWebmail also includes a calendar and to-do lists.) There were a few rules, such as not social-engineering someone on the inside, but otherwise the field of play was broad and clear.

Fidelity to those contest rules seems to be the last question keeping a team led by Secure Science's Lance James, Aviv Raff, and Mike Bailey from claiming the prize. On Thursday, they delivered unto a trade-press reporter proof that they'd breached the system; the data retrieved in the breach was confirmed as correct by Mr. Berkovitz.

Naturally the group is being cautious with details, but it appears that a man-in-the-middle attack did the job once the researchers established a registered account on the service. Interestingly, a demonstration for the IDG reporter was thwarted by the free NoScript Firefox extension. So perhaps the moral of our story is that smart new approaches to online authentication are great, but you've truly got to love a piece of free software that rides herd on that pesky human element.

Comments


Gawd the lameness... 3-digit code you say? Wow, so difficult to brute-force... If you know the # of retries allowed, you can retry that # of times, dial again, and try X more random codes (probably 3). It doesn't really matter which #'s you try (it can be the same 555, 666, 777) or every time a different 3 (in case they have some repeat-code-black-listing system). Statistically, if you tried 10,000 times, you're basically guaranteed to RANDOMLY hit the code (not brute force). You have a 3 in 1000 chance again, and again, and again... You may have to come up with 10,000 IPs in case they black-list (or secretly ignore) "computers" that they flag as hacking, that is, of course, assuming they even thought that much through hehehe which is kinda doubtless judging by the outcome.

Calling out with a voice msg? If you know the # being dialed, you can fwd that # temporarily with remote call forwarding, and set that up by calling all the local telcos and pretending to be a company's employee. Spoofing Caller ID will get you very far very fast.

Also, if the lines that make the outgoing verification calls have inbound connections, you can call those #'s and feed them a fake dialtone, then detect the DTMF dialed to figure out who they think they're calling... I used to do just that in the old BBS days for those SysOps who THOUGHT they could use Callback Verification to identify me hehehe

This ain't a man in the middle attack...

Score: 1
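The odds the comment above sketches can be checked rather than guessed. The following is an added worked example, not code from StrongWebmail, Telesign or the researchers: a constructed model of a numeric verification code under two policies (a code that stays fixed across guesses, and a fresh code on every call with a limited number of guesses per call), used the way a defender would to size code length and lockout thresholds.

```python
"""Worked check of verification-code guessing odds (constructed model).

Assumptions, not the service's real behaviour: codes are uniformly random,
`digits` long, and the attacker either faces one fixed code (guessing
without replacement) or a fresh code per call with `guesses_per_call`
tries before the line drops and unlimited redials.
"""
from math import ceil, log


def code_space(digits: int) -> int:
    """Number of possible codes for a purely numeric code."""
    return 10 ** digits


def fixed_code_success(digits: int, guesses: int) -> float:
    """P(hit) when the code never changes: guesses / space, capped at 1."""
    space = code_space(digits)
    return min(guesses, space) / space


def redial_success(digits: int, guesses_per_call: int, calls: int) -> float:
    """P(at least one hit) over `calls` independent calls, each issuing a
    fresh code and allowing `guesses_per_call` tries before hanging up."""
    p = fixed_code_success(digits, guesses_per_call)
    return 1.0 - (1.0 - p) ** calls


def calls_for_success(digits: int, guesses_per_call: int, target: float) -> int:
    """Smallest number of calls that reaches `target` success probability."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must be strictly between 0 and 1")
    p = fixed_code_success(digits, guesses_per_call)
    if p >= 1.0:
        return 1
    return ceil(log(1.0 - target) / log(1.0 - p))


def lockout_for_odds(digits: int, one_in: int) -> int:
    """Largest lifetime guess budget that keeps a fixed code at or below
    1-in-`one_in` odds. Zero means no lockout setting can rescue the code
    length; only longer codes can. (A 6-digit code with a budget of 100
    failed attempts, the shape of NIST SP 800-63B guidance, gives 1 in 10,000.)"""
    return code_space(digits) // one_in


if __name__ == "__main__":
    # The comment's scenario: 3 digits, 3 guesses per call, redial freely.
    print("calls for a 50% hit:", calls_for_success(3, 3, 0.5))
    print("P(hit) after 10,000 single-guess calls:", round(redial_success(3, 1, 10_000), 5))
    print("guess budget for 1-in-10,000 odds, 3 vs 6 digits:",
          lockout_for_odds(3, 10_000), lockout_for_odds(6, 10_000))
```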


This reminds me of something... something something unsinkable something something... I think it was a boat. Let's see, failed to live up to its claim...! Oh right (Titanic).

Sarcasm aside, the moment you declare something unbreakable you soon after see it get broken. History shows us this over and over again. Good idea though, I do hope the service fixes said problem and does succeed.

Score: 0


I have been timing this with a stopwatch, knowing it would fail quickly. This event speaks volumes about the SMS/Text based delivery of passwords: It is still put into the application with the internet "in line" and vulnerable to Man in the Browser, MitM, etc.

"Naturally the group is being cautious with details, but it appears that a man-in-the-middle attack did the job once the researchers established a registered account on the service."

It has also been amazing to see how many security and product management professionals delivering online managed services don't understand how the internet works. One VP recently told me, "our SMS is reducing fraud by 40-70%." I think we can all see that the remaining 30% can brutalize both an institution and a company product, devastating a brand overnight.

Phone-based authentication is fantastic and effective, so long as it is out of band. Again, the biggest problem is most companies, customers, and even software product managers simply don't understand how attacks on the internet are implemented: Stick with the phone, but use out of band.

Score: 1


Haha... that's great. I always love it when someone thinks they're un-hackable. The very fact that they feel that way almost always means they are. I'd love to see the details of this hack.

Score: 0
