Thursday, July 19, 2012

WikiLeaks at PHDays 2012

We continue our review of competitions at the information security forum Positive Hack Days 2012. Today we will tell you about one of the most popular online competitions – WikiLeaks, which challenged the contestants’ skills of surfing the Internet for concealed information.

There were 150 people registered for the competition, 60 of whom succeeded in at least one task. A user nicknamed mchumichev took the lead on the first day and held it till the end, so the real fight broke out for the second and third places. Many contestants ended up with the same score, but only the fastest could win.

Rules


We posted questions about Disa Retail, a potato exporting company, on the competition web page.


To answer these questions, the teams were to surf the Internet and various networks, both Russian and international (Xing, Badoo, Pastebin).

Questions


During the competition, the counter of wrong answers was set to zero several times, so the competitors had a chance to correct their wrong answers. Below is the full list of questions in English:

1. Director’s full name
2. Head office address
3. Chief financial officer’s hobby (CFO)
4. Number of employees
5. Chief human resources officer’s salary (CHRO)
6. The breed of Chief marketing officer’s dog (CMO)
7. Chief business officer’s hometown (CBO)
8. Chief technology officer’s favorite film (CTO)
9. Chief information officer’s favorite football team (CIO)
10. Net Income for 2011
11. The main competitor of the company
12. Chief information security officer’s date of birth (CISO)
13. Chief learning officer’s auto (CLO)
14. Chief risk officer’s phone number (CRO)
15. Chief web officer’s favorite band (CWO)
16. Offshore account number

Some questions proved to be more challenging than they might have seemed at first glance. Besides, the participants often confused the name of the virtual company with the similar name of an actually existing company (Disa Retail Atlantico), thus increasing the number of wrong answers.

Keys


The most reasonable approach was to start the search with the company's official site, disaretail.com. The site's content had been deleted before the competition, but it could still be found in search engine caches. Looking through the cached pages, the competitors could find the answers to the first two questions. In addition, among the folders in the directory, there was one called /docs/, which contained a financial statement of the company with answers to two more questions: the net income for 2011 and the offshore account number.

A lot of useful information about employees of Disa Retail could be found at linkedin.com, for example, their Twitter accounts (one and two), which prompted answers to a number of questions.

The information about the company and the number of its employees could be found on Facebook. As for the question about the salary, the answer was given in chat logs at Pastebin. Besides, some answers could be found in the profiles of some employees on dating sites (for example, here and here).

Winners


To win the competition, the participants had to expand the standard set of search tools: the leaders used a number of search engines and social networks at once. Here are the three winners:

I. mchumivhev
II. djecka
III. Maxfrost

Merced 2001, who took the 4th place, posted a detailed review of the competition (in Russian).

Our congratulations to the winners!

By the way, some participants tried to guess the answers but it wasn’t easy at all :)

Next year we’ll try our best to make the WikiLeaks competition even more challenging and amusing.
