Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Defeating CAPTCHAs via Averaging

from [Lou Katz] Network Security [Permanent Link]
Subject: Re: Defeating CAPTCHAs via Averaging
Date: Wed, 31 Jan 2007 14:20:30 -0800 
On Wed, Jan 31, 2007 at 12:55:41AM +0100, Fred Leeflang wrote:

Alexander Klimov wrote:

I am not sure I understand how you propose to build an automatic
system to attack it: If you can tell that two images contain the same
number then it is very likely that you can recognize the numbers
themselves (there are only 10 different digits).

Well if one of the stated conditions (being that the predominant
distortion in the captcha is of a noise-like nature) then you won't
need to find out if the numbers are identical or not. You will simply
find the number, something you wouldn't be able to do when the
distortion isn't noise-like. So when getting the same captcha several
times and averaging out the noise-like distortion will not result in
a number which OCR software can recognize then there can be a
(programmatic) conclusion that either 1) the distortion wasn't
noise-like, or 2) the numbers aren't identical in the repeteated gets.

So an automatic attack system would scan sites for captchas, try
doing the averaging trick, probably find a lot of negatives, but find
some positives.


I wonder if noise averaging can be trivially defeated (or at least made
more computationally expensive) by randomly changing the size of the
captcha images, with or without changing the size of the 'captcha'
characters/numbers.




OTOH, if you have a
human in the loop, they can just use gimp to create the averaged
figure images from a single image per figure, and then use these
templates to calculate correlation in different places of a given
challenge.

 

I don't think your understanding of averaging out noise is quite
the same as mine (or the author's?). There's no 'template' with
which you can filter out noise-like distortion. You need multiple
different images. 'noise-like' means random, so as many values
to the left of the average as to the right of the average of the noise.
Averaging will make the result go near the average as the word implies,
and make the noise 'disappear'.

OTOH, I'm not sure if averaging is the best technique to use. It certainly
is a technique that's could be done by somebody with average mathematical
skills. Particularly on the sample captchas, the contrast is high enough 
that
a discrete Fourier transform may be able to recognize it using just one 
captcha (no
I'm not volunteering)

Either way, when simple algoritms like averaging can decypher a captcha,
then it's not really a captcha, is it? :)

Regards,
Fred Leeflang


-- 
-=[L]=-
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Technika - Attack Scripting Environment, pdp (architect)
Previous by Thread:  Re: Defeating CAPTCHAs via Averaging, Fred Leeflang
Next by Thread:  Phorum HTML Injection Vulnerability, DoZ
Indexes:  [Date] [Thread] [Top] [All Lists]