Captcha

Captcha - Transcript

WEB CAPTCHA
HUMAN OR SCRIPT An AI approach to cryptography

Overview
Vulnerabilities Threats Controls 2 Precursors 4 Proposals 6 General Approaches 3 Deployment Options If time issues and links

Vulnerabilities
HTTP does not distinguish between human machine users HTTP SSL do not guarantee client software or user is benign Malicious bots can be anonymous and distributed Benign bots spider for searches etc

Threats to Web
Content Theft stealing paid data Copyright Infringement scraping content from one site to display on another out of context Unwanted spidering search engines may ignore robots txt or nofollow tags Poll Stuffing MIT vs CMU on 1 Web Spam unsolicited commenting abusing free email scraping addresses

Web Spam
Web comments discussions guest books Wikis many public forms are open to spam messages More eyeballs per message than e mail E mail spam is illegal but most Web spam is legal Bots collect email addresses on Web

Motives
Google more links higher ranking Profit ads for real product service Phishing bait and switch for identity theft financial theft Astroturfing promote agenda by simulating grassroots word of mouth Vandalism competition damage thrill revenge activism etc

Cracked Controls
IP tracking banning repurposed DDoS scripts IP masking hijacking User Authentication if not easily cracked use service like bugmenot com Moderation human review script makes own moderator account in DB Good start but may need more

CAPTCHA
Acronym for Completely Automated Public Turing test to tell Computers Humans Apart Dr Manuel Blum Reverse Turing test computers finding humans not humans finding computers A category not a specific solution

Precursors
Unpublished manuscript by Moni Naor first mentions automated Turing test in 1997 but not proposed or formalized Altavista patent in 1998 first practical example of using slightly distorted images of text to deter bots but only defeats stock OCR not custom OCR

Definition

In 2000 formalized by Luis von Ahn Manuel Blum Nicholas J Hopper of Carne A CAPTCHA is a cryptographic protocol whose underlying hardness assumption is based on an AI problem 1 www captcha net

Win Win
If cracked AI is advanced because a very difficult unsolved AI problem has been solved If not cracked steganographic cryptography is advanced 1

CAPTCHA net Proposals
Gimpy text distortion used by Yahoo routinely cracked improved Bongo visual puzzle like Mensa tests if 4 options guess works 25 Pix photographic recognition need large image DB or Google API Sounds voice synthesis distortion

Gimpy
Images of distorted text Frequently cracked and improved In current version 5 pairs of overlapped words User identifies 3 words Random placement font distortion background pattern Overlapping words need no noise

Bongo
Visual puzzle Computer can generate display but not solve If too many choices humans get it wrong If not enough choices computers can be effective with random guess

Pix
Photo Recognition Need large image DB Images need keywords Four images with same keyword shown Random subset of keywords as choices Poor implementations easy to crack color of top left pixel unique etc

General Approaches
Text ASCII Unicode Image Speech Animation 3 D Combinations of all above

ASCII Unicode 4Pt h4
Change text to look alike SPAM is P4M Fools simplest text matching Accented or non English chars Sp m Chars to words uce ftc gov uce at ftc dot gov URL HTML entities COPY becomes cent 48 Rho yen or 430P 59 Better than nothing but easy to crack It is not technically CAPTCHA

Image CAPTCHA
Presents one time password as an image humans can read but not scripts If image is too simple OCR can crack too complex human cannot read To beat OCR vary position warp noise background colors overlap randomness font angles language methods used Show filtered photos as well as words Can deny accessibility to vision impaired

Considering Accessibility
Government and everyone who does business with government must meet federal accessibility standards for disabilities Serious legal penalties Professional ethics requires everyone else to do the same with lesser consequences Often ignored by amateurs but at risk of being considered rude Very few CAPTCHAs are accessible Solution W3C use both image speech manual approval but chain only strong as weakest link

Speech CAPTCHA
Usually spells out one time password in synthesized or recorded voices Voice recognition cracks simple case Applied audio filters risk human misunderstanding Used with image CAPTCHA for increased accessibility If both use same OTP easier to crack

Animated CAPTCHA
Can use Flash MPEG animated GIF Often combined with speech Weaknesses of Image CAPTCHA apply Usually easier to crack due to extra data for pattern matching to analyze Much higher processor and traffic load Not practical in most cases

3D
Renders OTP in 3D space to image Reputedly the most difficult to crack Server needs good graphics card to be practical rare Can be combined with other methods Not yet common tEABAG 3D Might see more in future

Circumventing CAPTCHA
Social engineering can foil most CAPTCHAs How Scrape captcha from origin pose to human for free access to other content adult news search blogs User unaware of helping spammers

Which CAPTCHA
Even simplest CAPTCHA can beat vast majority of scripts Even best CAPTCHA can be cracked by dedicated sophisticated coders Weigh strength vs cost compute cycles bandwidth dollars Be careful not to violate accessibility laws or open new holes

Deploying CAPTCHA
Install existing software pro or free Use remote CAPTCHA service Develop own CAPTCHA or customize open source scripts

Existing Software
Hundreds or thousands of options Narrow choices by price server requirements standards compliance third party testing results Big targets cracking a popular control opens hundreds of sites to spammers Like antivirus ineffective unless frequently updated

CAPTCHA Svc Providers
Work even with servers not configured to generate images or sound Server sends encrypted OTP to service which sends image to client Code is easy to embed botblock Service updates itself automatically Saves bandwidth and processor time captchaS net experimental but free Trust issues when outsourcing security

Custom CAPTCHA
Starting from Open Source or public domain code not too difficult to customize Customizing can make your implementation resistant to all but direct assaults CAPTCHA volunteers may help you test and improve your algorithm Can be stronger than using a service or preconfigured software

CAPTCHA Beyond the Web
Prevent dictionary attacks in any password system Pinkas Sander Protect e mail systems from worms spam other malware if sender not in address book or message is suspect challenge sender with CAPTCHA Deter unwanted macro scripting of a standalone application

My Project
Survey CAPTCHA alternatives Select and install one Test on MAMP Mac PHP Deploy on LAMP Linux Evaluate and submit to my company for use with Wiki based CMS

Project Status
Several false starts First few selections either did not install did not meet requirements or failed accessibility tests Best bet now is on the service at http www captchas net Asked for two week extension to finish installation and paper