The 12 Days of Christmas – all the answers to the #naksecquiz

We’ve just finished running our 12 Days of Christmas #naksecquiz.

For the first 12 working days of December, we revisited the big stories of 2014, one per day.

Each day, we included a quick quiz question related to the day’s material, and invited you to submit your answers.

And each day we gave away Naked Security T-shirts to 5 lucky winners.

We thought this would be a fun way of looking back over the ups and downs of the year.

A huge “Thanks!” to everyone who took part – we received close to 3000 answers to the 12 questions.

Close to 80% of the answers submitted were correct.

Here’s how you did:

Lots of you answered more than one question correctly, but only seven people got a perfect 12 out of 12:

We’ll let you know who’s won the Ueberprize, open to those who got every question correct, once we’ve told the winner…

…If they want to be identified, of course!

What were the topics?

We couldn’t include everybody’s favourite story, but here’s what we chose.

Click on the text Day N to view the story for each day.

Click on the text Day N+1 to view the question and answer for the previous day.

Day 1 – This much-maligned feline was completely innocent

Story: The game “Talking Angela” provoked a stream of comments from people who claimed it was a cover for paedophilia, even though all the evidence (and common sense) said that it was not.

Moral: Make sure brain is in gear before engaging mouth.

Day 2 – Microsoft waved goodbye to this fondly remembered ex-P

Story: XP passed over into unsupported mode in April 2014. But many diehard users said they would neither update to a more secure version of Windows, nor switch to a different operating system.

Moral: Do it for the rest of us, because XP’s insecurity doesn’t just hurt you.

Day 3 – This buffer overflow broke sysadmins’ hearts

Story: The “Heartbleed” bug affected any software using OpenSSL. Servers could be tricked into leaking random fragments of private data. No knowing what a hacker might get, so everyone scrambled to patch it.

Moral: Many eyes make all bugs shallow? Piffle. This bug was there for years.

Day 4 – This isn’t the iCloud hack you’re thinking of

Story: Numerous Aussies woke up one morning to find their iPhones locked and a $100 ransom demand displayed. Crooks had done a remote lock and wanted money to sell you back the unlock password.

Moral: Pick a proper password.

Day 5 – This software left the keys but threw away the lock

Story: The developers of the free and popular encryption software TrueCrypt suddenly announced, “It’s insecure. Don’t use it.” Seems they just decided they’d had enough. Goodbye users.

Moral: Buy Sophos’s SafeGuard product instead.

Day 6 – Clocking up a decade of mobile malware

Story: Mobile malware has been around for ten years already. It all started with Cabir, a Symbian virus for Nokia phones from 2004.

Moral: There’s nothing new under the sun.

Day 7 – Was it Gameover for CryptoLocker?

Story: Law enforcement took out a bunch of servers behind the infamous malware families Gameover and CryptoLocker. Sadly, new crooks appeared to fill the void.

Moral: Keep your guard up.

Day 8 – The amount of spam you can send is…

Story: SophosLabs in Hungary measured a single zombie-infected PC on a regular network connection sending 5,500,000 spams in a single week. 75% of the spam advertised dodgy pharmaceutical sales; the rest sent out malware.

Moral: Kill-a-zombie today.

Day 9 – This musical gift gave you too much

Story: Apple and U2 signed a deal to give you the new U2 album for free. But they didn’t ask you. Whether you wanted it or not, it just turned up in your iTunes.

Moral: Ask for permission. Even if you are Bono.

Day 10 – This bug was one shell of a shock

Story: The “Shellshock” bug was found in Bash, a command processor common on OS X and Linux. You could trick Bash into running commands a server wouldn’t notice, even if it was programmed to be really cautious.

Moral: Still think Linux and OS X have some sort of magic security shield?

Day 11 – Now you see it, now you…ah…still see it

Story: You could bypass Snapchat’s claimed “auto-deletion” of photos by fetching them onto a site called SnapSaved.com. Guess what? SnapSaved.com got hacked.

Moral: You uploaded a selfie to the internet. What did you think was going to happen?

Day 12 – A tale of two passwords

Story: We went out of our way to convince you that there’s never a good reason to choose a weak password. You may as well choose a good one every time, especially if you use software to help you with the randomness.

Moral: There’s never a good reason to choose a weak password.

The Day 12 answer

Because there isn’t a Day 13 article, there isn’t anywhere to click for the answer to the final question from Day 12.

So here it is.

We asked you to make sense of the six characters MXIPCZ by using what we called a “Caesar Salad” cipher.

Shift 3 letters along 3 places; 2 letters along by 2; and 1 letter by 1.

For example, shifting MXIPCZ with the “shift key” 122333 would give NZKSFC, although that doesn’t make sense.

If you treat the possible keys as the permutations of the string 122333, denoting the amount to shift each letter, you’ll find there are only 720 (6×5×4×3×2×1) possible keys.

In fact, you only need the unique permutations (or combinations), of which there are just 60.

You could write a quick program to print them all out and then look for the obvious one. (We used Python and its itertools module.)

Or you could just write out three rows of characters, shifting each letter one, two or three characters in each row, like this:

  Scrambled = MXIPCZ

  Shifted 1 = NYJQDA
  Shifted 2 = OZKREB
  Shifted 3 = PALSFC

Now choose one character from each vertical column, and see if you can make anything like a word.

If you can, cross-check that it matches the “shift key” pattern of 3 letters by 3, 2 letters by 2 and 1 by 1.

We think the answer’s obvious: NAKSEC.
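
The "quick program" route described above, together with the cross-check from the three-row method, as an added example (this is not the script we originally used; the function names are our own choices for illustration):

```python
from itertools import permutations

CIPHERTEXT = "MXIPCZ"      # the scrambled text from the quiz
SHIFT_DIGITS = "122333"    # one letter by 1, two by 2, three by 3


def shift(text, key):
    """Shift each A-Z letter forward by the matching key digit, wrapping Z to A."""
    return "".join(
        chr((ord(ch) - ord("A") + int(k)) % 26 + ord("A"))
        for ch, k in zip(text, key)
    )


def all_orderings(digits=SHIFT_DIGITS):
    """Every ordering itertools produces, repeats included (6! = 720)."""
    return ["".join(p) for p in permutations(digits)]


def unique_keys(digits=SHIFT_DIGITS):
    """Distinct keys only: the repeated 2s and 3s make many orderings identical."""
    return sorted(set(all_orderings(digits)))


def candidates(ciphertext=CIPHERTEXT):
    """Map each distinct key to the text it produces from the ciphertext."""
    return {key: shift(ciphertext, key) for key in unique_keys()}


def key_for(ciphertext, guess):
    """Recover the per-letter shifts that a guessed word implies."""
    return "".join(
        str((ord(g) - ord(c)) % 26) for c, g in zip(ciphertext, guess)
    )


def matches_pattern(ciphertext, guess):
    """Cross-check a guess: does it use exactly the 3/2/1 shift pattern?"""
    return sorted(key_for(ciphertext, guess)) == sorted(SHIFT_DIGITS)


if __name__ == "__main__":
    # Print all 60 candidates, then look for the obvious one.
    for key, text in candidates().items():
        print(key, text)
```

Run as a script, it prints each distinct key beside its candidate text; `matches_pattern` is the check to apply to any word you pick out of the three shifted rows by hand.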