Are You Smarter Than a Hacker? [CONTEST]


They’ve broken into the largest retailers, key government agencies, and major social media companies, stealing tens of millions of credit card numbers, email addresses, and sensitive data. They’re experts at cracking codes, penetrating firewalls, and placing stealthy malware on our most guarded servers. Can the hackers be stopped?

Maybe, but it helps if you can think like a hacker. So to get you up to speed, we’ve worked out a hack puzzle for you. We’re offering the amazing Samsung Galaxy Tab 4  7.0 if you can solve it.  But first a little background.

The Background

At the Metadata Era, we’ve been writing about some of the tricks of the hacker trade, especially focusing on “password hashes”. Remember them? No system stores the actual passwords—that’s way too dangerous. Instead they convert or “hash” our plain old words, using a one-way function, to create strange, long alphanumeric strings.

For a quick refresher on what makes for good hashing, read here.

So hashing protects passwords, right? Not always. Hackers like challenges, and they’re very good at working backwards, taking the hash value and finding a password that generates it, effectively breaking the 1-wayness.

SHA-1 (Secure Hash Algorithm) is a well-known hashing function that’s now considered insecure by researchers. But hackers have had a part to play in making it breakable. SHA-1 is susceptible to brute-force attacks: hackers try common passwords, calculate their SHA-1 hashes, and record the results in lookup tables.

For example, here’s the SHA-1 hash of my secret password: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8. It’s a 40-character string, which hackers will recognize as the hexadecimal representation of the underlying 160 bits.

And it can be cracked with readily available online tools. Try using this reverse SHA lookup app, which searches an existing table of hashes.

Lesson learned: don’t pick obvious passwords!

One Bad Hashing Function

We’ll get to the contest in a second. First, experts will tell you never to write your own hash function—it’s too difficult and should be left to crypto pros.

But it’s easy enough to come up with bad hash functions.

Here’s one based on what every school-age child knows about creating top-secret coded messages: replace each letter with a number, so that A changes to 1, B to 2, etc. So “hack” becomes 8 1 3 11.

With this substitution method as a starting point, we now present the hash function: simply sum the coded numbers of the password. That’s it! So “hack” gets hashed to 23 (= 8 + 1 + 3 + 11).

It’s not a very good hash function for many reasons. It certainly fails 1-wayness: with a little thought one can find several passwords that share the same hash value, so any hash value can be worked back to a password that produces it. For example, “fake”—a good description of this hash function!—also works out to 23.

Better Hash Functions and the Contest

I tried to improve on the above bad function by adding some randomness, or what’s known as salt. You can think of salt as a secret sauce for instantly making passwords more complex, and therefore harder to work backwards from the hash value. (Strictly speaking, a salt is stored in the clear next to the hash; a value that has to stay secret, as the numbers below do, is really a key, sometimes called a pepper.)

My improved hash function uses two secret numbers as the salt. The first number multiplies the sum we calculated above (the addition of all the code values of the password). The second secret number multiplies the code value of the first letter. The new, improved hash is the sum of these two products.

Let’s assume 2 and 5 are my salt numbers. Then for the password “hack”, this function calculates 86 (= 2*23 + 5*8).

Eureka, a great hash function!

As long as I keep the salt numbers secret, hackers will never work out the underlying password, right?

And now for the contest …

I released a description of the above function (with different salt values that I kept secret) to the hacker community, and gave them access to an online version of this hasher.

I recently learned that a 12-year old hacker had quickly broken my improved function.

She hashed two passwords, “articles” and “recitals”, to get hash values of 268 and 387. She boasted that she knew the salt numbers after just a few calculations!

  1. Explain what she did to find the two salt values. By the way, no software programming was involved. She used simple algebra and an online calculator.

I then asked her to prove she cracked my code. I told her I hashed a four letter common English word to produce a hash value of 69. She replied quickly that my password had to start with the letter c. And then she revealed my secret word!

  2. How did she know my password began with a ‘c’?
  3. Tell us a four letter word that would produce the same hash value (69).
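As an added example (not code from the original post or from Varonis), here is the article’s toy hash and its salted variant in Python, together with the two-equation algebra for recovering the secret numbers from a pair of hashes and the feasibility check that narrows down the first letter; the function names and the short word list are my own, constructed for this illustration.

```python
# Added example, not code from the original post: the article's letter-sum
# hash, its "salted" variant, and the algebra that recovers the two secret
# numbers from two chosen hashes. All names and the word list are my own.
from string import ascii_lowercase
from typing import List, Optional, Tuple

def letter_code(ch: str) -> int:
    """Schoolyard substitution: a=1, b=2, ..., z=26."""
    return ascii_lowercase.index(ch.lower()) + 1

def weak_hash(word: str) -> int:
    """The first bad hash: add up the letter codes ("hack" -> 23)."""
    return sum(letter_code(c) for c in word)

def salted_hash(word: str, a: int, b: int) -> int:
    """The 'improved' hash: a * letter sum + b * code of the first letter."""
    return a * weak_hash(word) + b * letter_code(word[0])

def recover_salt(w1: str, h1: int, w2: str, h2: int) -> Optional[Tuple[int, int]]:
    """Solve a*S1 + b*F1 = h1 and a*S2 + b*F2 = h2 (Cramer's rule).
    Anagrams (S1 == S2) are the ideal pair: subtracting the equations
    cancels a and yields b directly, which is all the algebra needed."""
    s1, f1 = weak_hash(w1), letter_code(w1[0])
    s2, f2 = weak_hash(w2), letter_code(w2[0])
    det = s1 * f2 - s2 * f1
    a_num, b_num = h1 * f2 - h2 * f1, s1 * h2 - s2 * h1
    if det == 0 or a_num % det or b_num % det:
        return None  # dependent equations or non-integer secrets
    return a_num // det, b_num // det

def possible_first_letters(target: int, a: int, b: int, length: int) -> List[str]:
    """First letters f for which target = a*(f + rest) + b*f is feasible:
    the other letters must sum to an integer between length-1 (all 'a')
    and 26*(length-1) (all 'z'); every other first letter is ruled out."""
    found = []
    for ch in ascii_lowercase:
        f = letter_code(ch)
        rest = target - b * f  # what a * (letter sum) must equal
        if rest >= 0 and a > 0 and rest % a == 0 and \
                length - 1 <= rest // a - f <= 26 * (length - 1):
            found.append(ch)
    return found

def find_preimages(target: int, a: int, b: int, words: List[str]) -> List[str]:
    """Dictionary search: every listed word that hashes to the target."""
    return [w for w in words if salted_hash(w, a, b) == target]

# Constructed four-letter word list for the search (not a real dictionary).
SAMPLE_WORDS = ["cage", "cake", "cafe", "card", "cave", "code", "face", "fake", "gate", "hack"]
```

Feeding in the two hashes from the post recovers the secret pair, and running the feasibility check on the target 69 shows why only one first letter is realistic for an English word: the only other candidate needs the remaining three letters to all be ‘a’.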

Email your answers to hacker contest and enter Contest in the subject.

Answer all three questions correctly to be eligible for the Galaxy Tab 4 tablet computer (7” screen). Contest ends December 7, 2014—entries must be received by midnight (EST). Varonis employees and their immediate families and households are not eligible to enter.


Varonis Systems reserves the right to change the term and/or terminate the contest at any time and for any reason with prior notification.  All questions/issues as to eligibility of answers for winning the prize under this contest shall be determined by Varonis Systems in its sole and absolute discretion.

Andy Green

Andy blogs about data privacy and security regulations. He also loves writing about malware threats and what it means for IT security.
