Hackers love a challenge. And more than that, they love cash.
That’s what Telesign found out this week. A provider of voice-based authentication software, the company challenged hackers to break into its StrongWebmail.com Web site late last week. The prize? US$10,000.
On Thursday, a group of security researchers claimed to have won the contest, which challenged hackers to break into the Web mail account of StrongWebmail CEO Darren Berkovitz and report back details from his June 26 calendar entry.
The hackers, led by Secure Science Chief Scientist Lance James and security researchers Aviv Raff and Mike Bailey, provided details from Berkovitz’s calendar to IDG News Service. In an interview, Berkovitz confirmed those details were from his account.
However, Berkovitz could not confirm that the hackers had actually won the prize. He said he would need to check to confirm that the hackers had abided by the contest rules, adding, “if someone did it, we’ll kind of put our heads down,” he said.
Contest rules prevent the researchers from disclosing how they performed their attack, but they were also able to compromise a test StrongWebmail account set up by IDG News Service. The IDG attack did not work initially, but succeeded when security software called NoScript was disabled on the Firefox browser, running on a Windows XP machine.
“We found multiple cross-site attacks that allow us to attack other users,” James said. “You have to have a registered account to launch the attack.”
StrongWebmail uses Telisign’s telephone authentication system to give webmail users another layer of security. Instead of logging in with a username and password, customers must also enter a secret code that gets telephoned to them whenever they want to log into the site.
Banks have been using these phone-based authentication servers to help fight cybercriminals who often steal usernames and passwords from victims.
But this kind of authentication — called two-factor authentication — can be thwarted by hackers using what’s known as a man-in-the middle attack. In this attack, the hacker’s software waits for the user to legitimately log into the Web site and then takes over. “They just wait for you to log in and they can do whatever they want,” James said.
James said that these contests might be fun, but they don’t provide a realistic measure of real security because they are encumbered with rules. The StrongWebmail contest prohibits working with a company insider, for example. “A bad guy won’t care about rules, he said.
Webmail security has gotten a lot of attention over the past year. In September a hacker gained access to Alaska Governor Sarah Palin’s e-mail account and published details of her correspondence on the Internet. A college student named David Kernell has been charged in that incident.
Whatever the contest’s outcome, Berkovitz says he hopes his contest gets users — and webmail providers like Google and Yahoo — thinking more about security. “We’re not claiming that this is the ultimate, ultimate solution,” he said. “But we’re trying to bring attention to the username and password portion.”