Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security SecProg
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Account Lockouts

from [Jefferies, Darren] Network Security [Permanent Link]
Subject: RE: Account Lockouts
Date: Tue, 7 Dec 2004 10:26:41 +0800 
Hi All, I think the idea of using SIRDS to visually 'encode' the numerals is 
really good.  I had considered writing software to do exactly this several 
years ago. Sort of like a pseudo-holographic signature.  The problem with this 
method though is that most people can't see sirds.  I wrote a SIRDS generator 
several years ago and found that very few people I know are actually able to 
see them.  

I've given some thought to the whole captcha scenario and it seems to me that a 
good possibility would be using the same colormap for the foreground and 
background and using a fractal algorithm to generate two images with the second 
one being used as a 'template' for the text.  One possibility would be to use 
two different fractal algorithms to generate the pictures.  It would also be 
possible to use the same algorithm for both and 'rotate' the colour map.  If 
the numbers were made reasonably large, using small random 'waves' to shift the 
image of the numbers vertically and/or horizontally would also help make OCR 
techniques extremely difficult to apply.  The result of this would be a picture 
with the same colours throughout but the numbers would contrast to the human 
eye because of a different pattern in the colours.  Such a system would be very 
difficult to distinguish the numbers electronically and due to nearly infinite 
possibilities for the 'seed' values it would be difficult for a computer to 
figure out the algorithm.  Of course, for this to work, the seed values would 
have to change for every image sent.

Darren Jefferies

-----Original Message-----
From: The Amazing Dragon (Elliott Mitchell) [mailto:ehem@cs.pdx.edu]
Sent: Monday, 6 December 2004 2:22 PM
To: Mark Burnett
Cc: secprog@securityfocus.com
Subject: Re: Account Lockouts



From: Mark Burnett <mb@xato.net>
There has been some talk of CAPTCHA's in this thread and I wanted to comment 
on them further. Although CAPTCHA's are very effective at blocking automated 
abuse, in their current form they are not an effective long term strategy. 
The problem is that with our current image enhancement, OCR, and AI 
technology, they can be cracked with quite good accuracy. Their limited use 
and proprietary implementations still makes them useful for now but once 
someone releases a script kiddie tool to automate CAPTCHA cracking, they will 
become mostly ineffective. 



I'm surprised that no one has implemented one yet. Though OCR programs
are at least halfway there. In the absence of those, the method of using
a porn site and passing the image to someone to decode for you is very
effective.



Furthermore, I have seen many CAPTCHA implementations that are simply flawed. 
For example, instructing the user to select one of three choices means that a 
script can randomly guess and still be 33% accurate. Furthermore, I have seen 
e-mail systems that come with a collection of photos for CAPTCHA use but 
everyone with that program has the same exact photos. It would be trivial to 
build a tool to bypass that product's CAPTCHA feature. I have also seen image 
manipulations, such as excessive use of color or adding noise, which might 
seem confusing to humans but are quite meaningless to a computer program and 
do little to prevent automated interpretation. 



Using SIRDS as a transformation might be pretty effective against current
recognizers. Methods similar to the anti-copying protections on cheques
would be worthy of trying (displaying larger dots with larger spacings
and smaller dots with smaller spacings for a consistant color). Might be
interesting to use patterns similar to color-blindness tests, but then
you need to be able to count on someone to be color-sensitive (though you
can then use this as secondary protection, color-blind get a different
answer).

This still only works as long as someone doesn't produce an OCR that
recognizes them. Only a matter of time.


Someone earlier mentioned adding a secret question to the CAPTCHA, but you 
must be careful with that type of implementation. Before you ask a secret 
question, you first must know who the user is. This leads to continuity 
problems and might allow for attackers to brute-force usernames, which can 
also be a problem. 



And worse, it is simply another password. Adds difficulty, but it is just
another password. Worse, this is likely to be much easier to guess than
the original password.


-- 
(\___(\___(\______          --=> 8-) EHM <=--          ______/)___/)___/)
 \   (    |         EHeM@cs.pdx.edu      PGP 8881EF59         |    )   /
  \_  \   |  _____  -O #include <stddisclaimer.h> O-   _____  |   /  _/
    \___\_|_/82 04 A1 3C C7 B1 37 2A*E3 6E 84 DA 97 4C 40 E6\_|_/___/
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Account Lockouts, Cunningham, Andy
Next by Date:  Re: Account Lockouts, Alexander Klimov
Previous by Thread:  RE: Account Lockouts, Cunningham, Andy
Next by Thread:  Web Application Security Consortium 'Guest Articles' Call for Papers, robert
Indexes:  [Date] [Thread] [Top] [All Lists]