StrongWebmail apparently hacked after issuing $10K challenge
Who among us doesn't love a good hack? After putting forth a $10,000 come-and-get-us challenge, it's possible that StrongWebmail CEO Darren Berkovitz is rethinking his stance on that. The company, which makes voice-based authentication software, dared hackers to break into Mr. Berkovitz's Web-mail account and report back details from an upcoming date on his calendar. A week later, a team of high-profile security researchers contacted a reporter with precisely that information.
The contest even gave hackers a head start, providing the target e-mail address ([email protected]) and that account's password. The idea was to showcase StrongWebmail's unique value proposition -- voice verification through a pre-registered mobile number. One's account setup includes a phone number at which the system can reach you; when you attempt to log in to check mail, the system phones you with a three-digit number, which acts as a final verification before you hop into the inbox. The authentication is provided by Beverly Hills-based Telesign, which offers similar services to various Web sites.
An interesting version of ye olde something-you-own, something-you-know, right? The hacker challenge, therefore, was to circumvent that handset situation and get the three-digit number allowing them to check Mr. Berkovitz's schedule for June 26. (StrongWebmail also includes a calendar and to-do lists.) There were a few rules, such as not social-engineering someone on the inside, but otherwise the field of play was broad and clear.
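To make the "something you have" step concrete, here is an added simulation of an out-of-band login confirmation of the kind the article describes. It is example code written for this page, not StrongWebmail's or Telesign's implementation; the class and function names, the session store, the 90-second expiry and the three-attempt limit are all assumptions, and the phone call is replaced by a callback so the code runs offline.

```python
"""Simulation of an out-of-band login confirmation step (added example).

The server accepts the password, then places a short code on a separate
channel (here a callback standing in for the voice call) and completes the
login only when that code is typed back into the same browser session that
asked for it. Names, constants and the session store are assumptions for
illustration, not StrongWebmail's or Telesign's implementation.
"""
import hmac
import secrets
import time

CODE_DIGITS = 3          # the article describes a three-digit code
CODE_TTL_SECONDS = 90    # assumed: a code is only good for a short window
MAX_ATTEMPTS = 3         # assumed: a 3-digit code has only 1000 values, so
                         # guessing must be cut off after a few tries


class OutOfBandVerifier:
    def __init__(self, deliver):
        # deliver(phone, code) stands in for the phone call to the user
        self._deliver = deliver
        self._pending = {}   # session_id -> state of the half-finished login

    def start_login(self, username, phone, now=None):
        """Password already checked; open a session and send the code."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        session_id = secrets.token_urlsafe(16)
        self._pending[session_id] = {
            "user": username,
            "code": code,
            "expires": now + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self._deliver(phone, code)      # the out-of-band channel
        return session_id

    def verify(self, session_id, supplied, now=None):
        """Return the username on success, None otherwise."""
        now = time.time() if now is None else now
        state = self._pending.get(session_id)
        if state is None:
            return None                  # unknown or already consumed session
        if now > state["expires"]:
            del self._pending[session_id]
            return None                  # expired: user must start over
        state["attempts"] += 1
        # constant-time comparison so timing does not leak matching digits
        if hmac.compare_digest(state["code"], str(supplied)):
            del self._pending[session_id]   # one-time: the code cannot be replayed
            return state["user"]
        if state["attempts"] >= MAX_ATTEMPTS:
            del self._pending[session_id]   # force a fresh password and a new call
        return None


if __name__ == "__main__":
    delivered = {}

    def fake_call(phone, code):
        delivered[phone] = code          # constructed stand-in for the voice call

    v = OutOfBandVerifier(fake_call)
    sid = v.start_login("ceo", "+15550100")
    print("verified as:", v.verify(sid, delivered["+15550100"]))
```

The code is bound to the session that requested it, expires quickly, is consumed on first use and locks the session after a few wrong guesses. What it cannot do is protect anything that happens inside the browser session once the code has been accepted, which is why an attack on the session itself, of the sort the article says a script-blocking extension happened to stop during the demonstration, sits outside what this second factor covers.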
Fidelity to those contest rules seems to be the last question keeping a team led by Secure Science's Lance James, Aviv Raff, and Mike Bailey from claiming the prize. On Thursday, they delivered unto a trade-press reporter proof that they'd breached the system; the data retrieved in the breach was confirmed as correct by Mr. Berkovitz.
Naturally the group is being cautious with details, but it appears that a man-in-the-middle attack did the job once the researchers established a registered account on the service. Interestingly, a demonstration for the IDG reporter was thwarted by the free NoScript Firefox extension. So perhaps the moral of our story is that smart new approaches to online authentication are great, but you've truly got to love a piece of free software that rides herd on that pesky human element.