It must have seemed like a good idea at the time. Telesign, a vendor of voice-based authentication software, challenged hackers to break into its StrongWebmail website late last week for a $10,000 prize.
Yesterday, a group of security researchers claimed to have won the contest, which challenged hackers to break into the web mail account of StrongWebmail CEO Darren Berkovitz and reveal details of his 26 June calendar entry.
Berkovitz has confirmed that the hackers, led by Secure Science chief scientist Lance James and security researchers Aviv Raff and Mike Bailey, have provided accurate details but would not confirm that they had actually won the prize. He said he would need to check to confirm that the hackers had abided by the contest rules, adding, "if someone did it, we'll kind of put our heads down," he said.
Contest rules prevent the researchers from disclosing how they performed their attack, but they were also able to compromise a test StrongWebmail account set up by the IDG news service. The IDG attack did not work initially, but succeeded when security software called NoScript was disabled on the Firefox browser, running on a Windows XP machine.
"We found multiple cross-site attacks that allow us to attack other users," James said. "You have to have a registered account to launch the attack."
StrongWebmail uses Telisign's telephone authentication system to give web mail users another layer of security. Instead of logging in with a username and password, customers must also enter a secret code that gets phoned to them whenever they want to log into the site.
Banks have been using these phone-based authentication servers to help fight cybercriminals who often steal usernames and passwords from victims.
But this kind of authentication - called two-factor authentication - can be thwarted by hackers using what's known as a man-in-the middle attack. In this attack, the hacker's software waits for the user to legitimately log into the website and then takes over. "They just wait for you to log in and they can do whatever they want," James said.
James said that these contests might be fun, but they don't provide a realistic measure of real security because they are encumbered with rules. The StrongWebmail contest prohibits working with a company insider, for example. "A bad guy won't care about rules, he said.
Webmail security has garnered a lot of attention over the past year. In September a hacker gained access to Alaska Governor Sarah Palin's mail account and published details of her correspondence on the Internet. A college student named David Kernell has been charged in that incident.
Whatever the contest's outcome, Berkovitz says he hopes his contest gets users - and webmail providers like Google and Yahoo - thinking more about security. "We're not claiming that this is the ultimate, ultimate solution," he said. "But we're trying to bring attention to the username and password portion."