[WEB SECURITY] Fake Captcha Protection

Rohit Lists rklists at gmail.com
Wed May 7 00:52:51 EDT 2008


I know this may be a little late, but I thought I'd point out the
Simple Captcha project for Java developers -
http://simplecaptcha.sourceforge.net/. You can configure various
CAPTCHA options from the web.xml Servlet initialization parameters and
they provide a halfway decent configuration to use at
http://simplecaptcha.sourceforge.net/config.html.

If you were so inclined, you could change the parameters (and
therefore the style of the image) on a regular basis to force a cat
and mouse game for image analysis tools. This may not stop a
sophisticated tool, and certainly won't stop an attacker from hiring
somebody to key in the values. What it does do is raise the bar and
provide a deterrent against simple script kiddies. This is especially
true in cases where we don't have many other alternatives, like when
attackers leverage user registration error messages (i.e. "This user
already exists") to perform user enumeration.

Cheers,

Rohit K. Sethi
Manager, Security Compass
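The registration-message leak mentioned above is worth seeing side by side with its fix. The following is an added example, not code from the post or from the SimpleCaptcha project: the account store, e-mail addresses and the `outbox` stand-in for a mail sender are all constructed here. It shows a handler whose response text is an existence oracle, a variant that returns one identical response and moves the distinguishing information out of band, and a small regression check that flags the leak.

```python
"""Registration handler that leaks account existence vs. one that does not.

Added example (not from the original post or from SimpleCaptcha). All
data below is constructed for illustration.
"""
from typing import Callable, List, Optional, Set, Tuple

# Constructed sample data: accounts already present in the registration store.
EXISTING_ACCOUNTS: Set[str] = {"alice@example.com", "bob@example.com"}


def register_leaky(email: str, accounts: Set[str],
                   outbox: Optional[List[Tuple[str, str]]] = None) -> Tuple[int, str]:
    """The anti-pattern named in the thread: a distinct message for a taken
    address turns the registration form into a yes/no oracle for account
    existence. Returns (status, body)."""
    if email in accounts:
        return 409, "This user already exists"
    accounts.add(email)
    return 201, "Account created; check your email for the activation link"


def register_uniform(email: str, accounts: Set[str],
                     outbox: Optional[List[Tuple[str, str]]] = None) -> Tuple[int, str]:
    """Hardened variant: the HTTP response is identical in both branches and
    the branch-specific information goes out of band to the mailbox, which
    only its legitimate owner can read. `outbox` stands in for the mail
    sender and collects (recipient, message) pairs."""
    if outbox is None:
        outbox = []
    if email in accounts:
        outbox.append((email, "Someone tried to register this address; "
                              "if that was you, sign in or reset your password."))
    else:
        accounts.add(email)
        outbox.append((email, "Welcome; follow the activation link to finish."))
    return 202, "If the address is valid, an activation email has been sent"


def leaks_existence(handler: Callable[..., Tuple[int, str]],
                    known: str, unknown: str, accounts: Set[str]) -> bool:
    """Regression check a defender can keep in a test suite: the handler leaks
    if a known and an unknown address receive different (status, body) pairs.
    Each call gets its own copy of the store so the check has no side effects."""
    resp_known = handler(known, set(accounts))
    resp_unknown = handler(unknown, set(accounts))
    return resp_known != resp_unknown


if __name__ == "__main__":
    for name, handler in (("leaky", register_leaky), ("uniform", register_uniform)):
        leaking = leaks_existence(handler, "alice@example.com",
                                  "carol@example.com", EXISTING_ACCOUNTS)
        print(f"{name:8s} handler leaks account existence: {leaking}")
```

The uniform body removes the message oracle the post describes, but not every side channel: the two branches do different work, so response timing and mail-delivery latency should be equalized as well, and the CAPTCHA the post recommends then gates how fast any remaining difference can be probed.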

On Wed, Apr 30, 2008 at 12:14 PM, Jeremiah Grossman
<jeremiah at whitehatsec.com> wrote:
>
>  On Apr 29, 2008, at 7:50 PM, Bil Corry wrote:
>
>
> > Bryan Sullivan wrote on 4/29/2008 7:21 PM:
> >
> > > I like Jeremiah's CAPTCHA effectiveness criteria – is this what you were
> trying to find?
> > >
> http://jeremiahgrossman.blogspot.com/2006/09/captcha-effectiveness-test.html
> > >
> >
> > Should Jeremiah's CAPTCHA ever be invented, it will simply drive more
> business to India:
> >
> > -----
> > Cyber criminals are employing sweatshops in India for as little as $4 a
> day to defeat anti-spam security checks, according to a recent analysis by
> net security firm Trend Micro. It reckons miscreants prefer to hire cheap
> labour rather than using automated techniques to defeat CAPTCHAs - that are
> only effective 30-35 per cent of the time - or malware-based approaches.
> >
> > <http://www.theregister.co.uk/2008/04/10/web_mail_throttled/>
> > -----
> >
> > Google has a couple of interesting patents that can infer a user's
> "ethnicity, reading level, age, sex and income":
> >
> > <http://yro.slashdot.org/article.pl?sid=08/03/22/1314253>
> >
> > I wonder if the technology can be extended to infer if the user is a bot
> or from a sweatshop in India?
> >
>
>
>  That's funny, I never thought of it that way. The test was not meant as a
> pass/fail for CAPTCHA systems, but as the name implies a way to measure
> their effectiveness at detecting humans from bots. No CAPTCHA system I've
> seen hits every mark perfectly, but that's OK. Should a really good CAPTCHA
> system force attackers to leverage humans to defeat it (as opposed to
> technology) then it's done its job, only that the problem has now moved to
> something else.
>
>  For high value targets, we might consider something out of band like SMS,
> email, or some other creative ideas to drive up the $4 cost you mention.
>
>  Regards,
>
>  Jeremiah-
>

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]