Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [WEB SECURITY] Re: Defeating CAPTCHA

from [Gokhan Azaphan] Network Security [Permanent Link]
Subject: RE: [WEB SECURITY] Re: Defeating CAPTCHA
Date: Mon, 29 Aug 2005 17:31:33 +0300 
Please read the links at the bottom of the following link, they're
pretty enlighting indeed.

http://en.wikipedia.org/wiki/Captcha  

-----Original Message-----
From: Marian Ion [mailto:marian.ion@e-licitatie.ro] 
Sent: Monday, August 29, 2005 3:39 PM
To: victor@outblaze.com; robert@webappsec.org
Cc: websecurity@webappsec.org; webappsec@securityfocus.com
Subject: RE: [WEB SECURITY] Re: Defeating CAPTCHA


        Maybe it will not be such a good ideea ... especially if some
mobile communication providers would have some network issues on a
critical moment ... And such a method will be based also on a
pre-defined algorithm, possibly easy to learn, to implement.

        On a longer term, maybe a faster implementation of IP6 will
bring some new logging / blocking possibilities (based, for example, on
"sender validation"), supported also by a strict legislation.
        Also, applications implementations (including CAPTCHA) based on
artificial intelligence will provide improved security on many IT
aspects. Neural nets are becoming smarter, and due to improved
optimisations brought by genetic algorithms, ants or bees algorithms,
are learning a lot faster than us, especially when discussing on
repetitive tasks.

        On short term ... better, non-repetitive CAPTCHAs, based on
random lengths and characters types, with several effects applied on the
generated image, are probably the best way.
        Also, the implementation of "expiration" events, based on time
passed without a reply message or manual (or automatic) validation, or
something similar would do good. And also some application filters, in
listing the records, to ignore/eliminate some garbage data.


Marian Ion






-----Original Message-----
From: victor [mailto:victor@outblaze.com] 
Sent: Monday, August 29, 2005 1:54 PM
To: robert@webappsec.org
Cc: websecurity@webappsec.org; webappsec@securityfocus.com
Subject: [WEB SECURITY] Re: Defeating CAPTCHA

I was struck by the CAPTCHA issue a while back too, it happens to me 
that CAPTCHA reminded me of all these anti-piracy technique that have 
been developed over the past 2 decades.   Put this special data into 
that sector of the disc so pc-tools can't copy it or install this 
special cd checker to make sure the cd is not pirated.  We all know the 
result, finding a crack to all these protection is only a question of
when.

I would say CAPTCHA is too a case of trying to fight intelligent with 
more intelligent. which is an endless loop with no true winner.   And so

I wonder maybe a true solution to this abuser protection issue lies 
somewhere else.

I myself look at the setup this way, all these tool hacker uses depends 
on one thing to function, the question being presented as part of the 
signup/login procedure, because we must make the question presentable 
online and friendly enough for humand to process, it is bound to be 
possible to come up with some porgram to come up/brute force the answer.

So in another word, the existence of the question itself has made it 
possible for hacker to come up with software to defeat the protection.  
In a way, the solution has itself become the problem, so I am thinking 
maybe instead of trying to improve it.  We should look into eliminating
it.

I can see some good example out there that is going into that 
direction.  Many online banking service are taking advantage of SMS, 
sending user a passkey where they have to use to login to the service.

Or this implementation  pay pal has implemented, that debit user's 
credit card and ask user to use that sum as some form of passkey as one 
of the gentlemen here has pointed out.

These solution are very expensive compare to CAPTCHA but the direction 
seems to be more reliable and hack-profe.  If a better solution to 
CAPTCHA should be found, this maybe one direction you fellow might want 
to consider.

Tor.



robert@webappsec.org wrote:


This was linked off of slashdot

(http://it.slashdot.org/article.pl?sid=05/08/24/1629213&tid=172&tid=95) 

and explains some of the ways people are breaking CAPTCHA

(http://en.wikipedia.org/wiki/Captcha) based systems.


http://sam.zoy.org/pwntcha/

- Robert
robert_at_webappsec.org
http://www.cgisecurity.com


 




-- 
<!---------------------------------------------
                           Victor
                           Development Engineer
                           Outblaze Ltd
---------------------------------------------->


---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/ 
  
 
Bu mesaj ve ekleri mesajda gonderildigi belirtilen kisi/kisilere ozeldir ve 
gizlidir.Bu mesaj tarafiniza yanlislikla ulasmis olsa da mesaj iceriginin 
gizliligi ve bu gizlilik yukumlulugune uyulmasi zorunlulugu tarafiniz icin de 
soz konusudur. Boyle bir durumda, lutfen gonderen kisiyi bilgilendiriniz ve 
mesaji sisteminizden siliniz. Mesaj ve eklerinde yer alan bilgilerin dogrulugu 
ve guncelligi konusunda gonderenin ya da sirketimizin herhangi bir sorumlulugu 
bulunmamaktadir.Sirketimiz mesajin ve bilgilerinin size degisiklige ugrayarak 
veya gec ulasmasindan, butunlugunun ve gizliliginin bozulmasindan, virus 
icermesinden ve bilgisayar sisteminize verebilecegi herhangi bir zarardan 
sorumlu tutulamaz. 
This message and attachments are confidential and intended solely for the 
individual(s) stated in this message.If you received this message although you 
are not the addressee you are responsible to keep confidential the message. In 
that case please warn the sender and delete the message. The sender has no 
responsibility  for the accuracy or correctness of the information in the 
message and its attachments.Our company shall have no liability for any changes 
or late receiving,loss of integrity and confidentiality,viruses and any damages 
caused in anyway to your computer system
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • RE: [WEB SECURITY] Re: Defeating CAPTCHA, Gokhan Azaphan <=
Previous by Date:  RE: [WEB SECURITY] Re: Defeating CAPTCHA, Marian Ion
Next by Date:  sql injection for MS Access, Mailing List
Previous by Thread:  Combatting automated download of dynamic websites?, Matthijs R. Koot
Next by Thread:  sql injection for MS Access, Mailing List
Indexes:  [Date] [Thread] [Top] [All Lists]