Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Defeating CAPTCHAs via Averaging

from [Alexander Klimov] Network Security [Permanent Link]
Subject: Re: Defeating CAPTCHAs via Averaging
Date: Tue, 30 Jan 2007 17:12:04 +0200 (IST) 
On Sat, 27 Jan 2007 noreply9871234@ich-habe-fertig.com wrote:

The detailed article (including sample images) is online here:
http://www.cip.physik.uni-muenchen.de/~wwieser/misc/captcha/


To extract a series of captchas with the same information (number)
in them, it is sufficient to repeatedly call their captcha
generator.


I am not sure I understand how you propose to build an automatic
system to attack it: If you can tell that two images contain the same
number then it is very likely that you can recognize the numbers
themselves (there are only 10 different digits). OTOH, if you have a
human in the loop, they can just use gimp to create the averaged
figure images from a single image per figure, and then use these
templates to calculate correlation in different places of a given
challenge.


Do not produce images with noise-like distortions. For example,
moving and rotaing individual letters by a large enough
distance/angle will spoil averaging by reducing the contrast in
averaged images.


If the number of distinct tuples (position, angle) is not a very large
number, the correlation attack will work anyway (and I doubt that it
is possible to make the number large, because the attacker can try to
start with a scaled down image and templates).

-- 
Regards,
ASK
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Atsphp 5.0.1 [Top Sites] [index.php] - Remote File Include, trzindan
Next by Date:  [ MDKSA-2007:030 ] - Updated bind packages fix DoS vulnerabilities, security
Previous by Thread:  Defeating CAPTCHAs via Averaging, noreply9871234
Next by Thread:  Re: Defeating CAPTCHAs via Averaging, Fred Leeflang
Indexes:  [Date] [Thread] [Top] [All Lists]