SC Company Xpress Group Issues Challenge at DEFCON
Tuesday, July 25, 2017
Posted by: Thomas Scott
DEFCON DATA BREACH $10K CHALLENGE
Xpress Group, Inc., founded in 1981, was one of the original developers of PC-based income tax preparation, e-file and other technology we all rely on today. In 1985, Xpress' founder realized that the only true data protection was to protect data to a level where, even if stolen, it could 'NEVER' be deconstructed and then reconstructed. Basically, even if there was a breach, ALL the data in your systems is protected. A very lofty goal.
Xpress offered a substantial bounty for over 14 years. Xpress processed millions of tax returns, hundreds of millions of emails, reports and updates, and over $6 billion in eCommerce. Xpress even published the IRS e-file test returns each year, along with Xpress' data files for each return. There was never a breach nor any data stolen.
Xpress' technology has recently gone through a rigorous update by Secure Web Apps to utilize the latest in technology. This is where you come in. We (Xpress Group, Inc. and Secure Web Apps) are asking you to use your advanced skills to breach the data protection so we can uncover what else still needs to be done. Our nation is hemorrhaging data and IP. This cannot continue for long, and we hope to stop it. Towards this end we are offering $10K to breach our data protection technology in accordance with the terms of this ROE.
Rules of Engagement
- $10K Challenge covers only the period from 7/27/17 - 7/30/17, the days of DEFCON.
- You can access the challenge at SecureWebApps.com/deacon. You will be taken to an IRS 1040 form where you can enter as little as the key (the first Social Security number) and one character of data, and then download the encoded data to see the results. Because entered data is retrievable by anyone who enters the correct key, please do not enter real data into the form. This should be a cryptologist's dream setup for breaking our data protection technology. Trust us when we say that constructing the data challenge took almost as much work as the technology itself.
- If you enter a key value that is already in use, you will be directed to enter another. Numbers and letters are valid in all fields.
- If you feel you must use AES-256 encryption, there is an option to wrap our data protection with AES-256 encryption. The key to decode AES-256 is the same for all and is on the website.
- Phishing, whaling, social engineering and methods other than direct attack of the encoded data are out of bounds. While we acknowledge and appreciate your skills in these areas, they do not help with testing the data protection technology.
- We are not interested in a copy of input data and the output encoding as proof you can break the encoding since you got to pick the input data. Nor is this a test of your ability to break the form.
- To win, you must provide us with an explanation of how you were able to beat the data encoding. If you do, you will be asked to repeat your decoding process on five separate files we submit to you via email, for verification of your breach methodology.
- In the event that more than one verified data breach occurs during the time period of the challenge, the $10K bounty will be split among the winners.
- Report breaches to defcon@SecureWebApps.com. Please provide a way to contact you that is valid in case we have difficulty in recreating your data breach.
- Attack-back and law enforcement notification features are disabled during this challenge for the server hosting the data breach protection.
- If no one can breach the data protection during DEFCON, we will continue the data challenge as a global challenge, albeit at a lesser bounty amount.
Thank you in advance for your participation! Let the fun begin...