Entries Tagged "captchas"

Page 1 of 2

Breaking Semantic Image CAPTCHAs

Interesting research: Suphannee Sivakorn, Iasonas Polakis and Angelos D. Keromytis, “I Am Robot: (Deep) Learning to Break Semantic Image CAPTCHAs“:

Abstract: Since their inception, captchas have been widely used for preventing fraudsters from performing illicit actions. Nevertheless, economic incentives have resulted in an armsrace, where fraudsters develop automated solvers and, in turn, captcha services tweak their design to break the solvers. Recent work, however, presented a generic attack that can be applied to any text-based captcha scheme. Fittingly, Google recently unveiled the latest version of reCaptcha. The goal of their new system is twofold; to minimize the effort for legitimate users, while requiring tasks that are more challenging to computers than text recognition. ReCaptcha is driven by an “advanced risk analysis system” that evaluates requests and selects the difficulty of the captcha that will be returned. Users may be required to click in a checkbox, or solve a challenge by identifying images with similar content.

In this paper, we conduct a comprehensive study of reCaptcha, and explore how the risk analysis process is influenced by each aspect of the request. Through extensive experimentation, we identify flaws that allow adversaries to effortlessly influence the risk analysis, bypass restrictions, and deploy large-scale attacks. Subsequently, we design a novel low-cost attack that leverages deep learning technologies for the semantic annotation of images. Our system is extremely effective, automatically solving 70.78% of the image reCaptcha challenges, while requiring only 19 seconds per challenge. We also apply our attack to the Facebook image captcha and achieve an accuracy of 83.5%. Based on our experimental findings, we propose a series of safeguards and modifications for impacting the scalability and accuracy of our attacks. Overall, while our study focuses on reCaptcha, our findings have wide implications; as the semantic information conveyed via images is increasingly within the realm of automated reasoning, the future of captchas relies on the exploration of novel directions.

News articles.

Posted on April 8, 2016 at 6:39 AMView Comments

How Did the Feds Identity Dread Pirate Roberts?

Last month, I wrote that the FBI identified Ross W. Ulbricht as the Silk Road’s Dread Pirate Roberts through a leaky CAPTCHA. Seems that story doesn’t hold water:

The FBI claims that it found the Silk Road server by examining plain text Internet traffic to and from the Silk Road CAPTCHA, and that it visited the address using a regular browser and received the CAPTCHA page. But [Nicholas] Weaver says the traffic logs from the Silk Road server (PDF) that also were released by the government this week tell a different story.

“The server logs which the FBI provides as evidence show that, no, what happened is the FBI didn’t see a leakage coming from that IP,” he said. “What happened is they contacted that IP directly and got a PHPMyAdmin configuration page.” See this PDF file for a look at that PHPMyAdmin page. Here is the PHPMyAdmin server configuration.

But this is hardly a satisfying answer to how the FBI investigators located the Silk Road servers. After all, if the FBI investigators contacted the PHPMyAdmin page directly, how did they know to do that in the first place?

“That’s still the $64,000 question,” Weaver said. “So both the CAPTCHA couldn’t leak in that configuration, and the IP the government visited wasn’t providing the CAPTCHA, but instead a PHPMyAdmin interface. Thus, the leaky CAPTCHA story is full of holes.”

My guess is that the NSA provided the FBI with this information. We know that the NSA provides surveillance data to the FBI and the DEA, under the condition that they lie about where it came from in court.

NSA whistleblower William Binney explained how it’s done:

…when you can’t use the data, you have to go out and do a parallel construction, [which] means you use what you would normally consider to be investigative techniques, [and] go find the data. You have a little hint, though. NSA is telling you where the data is…

Posted on October 20, 2014 at 6:19 AMView Comments

New Developments in Captchas

In the never-ending arms race between systems to prove that you’re a human and computers that can fake it, here’s a captcha that tests whether you have human feelings.

Instead of your run-of-the-mill alphanumeric gibberish, or random selection of words, the Civil Rights Captcha presents you with a short blurb about a Civil Rights violation and asks you how you feel about it. Ostensibly robots (and trolls) won’t make it through because they’ll remark that a human rights activist’s murder makes them feel “aroused” instead of “upset.” And bots will still have to make it past standard Captcha hurdles before they can even pick one of the choices.

The easy way to attack this system is to create a library with all the correct answers.

How soon before Deckard has to come to our house to administer a test?

Posted on October 8, 2012 at 8:12 AMView Comments

New Attacks on CAPTCHAs

Nice research:

Abstract: We report a novel attack on two CAPTCHAs that have been widely deployed on the Internet, one being Google’s home design and the other acquired by Google (i.e. reCAPTCHA). With a minor change, our attack program also works well on the latest ReCAPTCHA version, which uses a new defence mechanism that was unknown to us when we designed our attack. This suggests that our attack works in a fundamental level. Our attack appears to be applicable to a whole family of text CAPTCHAs that build on top of the popular segmentation-resistant mechanism of “crowding character together” for security. Next, we propose a novel framework that guides the application of our well-tested security engineering methodology for evaluating CAPTCHA robustness, and we propose a new general principle for CAPTCHA design.

Posted on October 12, 2011 at 6:57 AMView Comments

Analyzing CAPTCHAs

New research: “Attacks and Design of Image Recognition CAPTCHAs.”

Abstract. We systematically study the design of image recognition CAPTCHAs (IRCs) in this paper. We first review and examine all IRCs schemes known to us and evaluate each scheme against the practical requirements in CAPTCHA applications, particularly in large-scale real-life applications such as Gmail and Hotmail. Then we present a security analysis of the representative schemes we have identified. For the schemes that remain unbroken, we present our novel attacks. For the schemes for which known attacks are available, we propose a theoretical explanation why those schemes have failed. Next, we provide a simple but novel framework for guiding the design of robust IRCs. Then we propose an innovative IRC called Cortcha that is scalable to meet the requirements of large-scale applications. Cortcha relies on recognizing an object by exploiting its surrounding context, a task that humans can perform well but computers cannot. An infinite number of types of objects can be used to generate challenges, which can effectively disable the learning process in machine learning attacks. Cortcha does not require the images in its image database to be labeled. Image collection and CAPTCHA generation can be fully automated. Our usability studies indicate that, compared with Google’s text CAPTCHA, Cortcha yields a slightly higher human accuracy rate but on average takes more time to solve a challenge.

The paper attacks IMAGINATION (designed at Penn State around 2005) and ARTiFACIAL (designed at MSR Redmond around 2004).

Posted on October 5, 2010 at 7:22 AMView Comments

Violating Terms of Service Possibly a Crime

From Wired News:

The four Wiseguy defendants, who also operated other ticket-reselling businesses, allegedly used sophisticated programming and inside information to bypass technological measures — including CAPTCHA — at Ticketmaster and other sites that were intended to prevent such bulk automated purchases. This violated the sites’ terms of service, and according to prosecutors constituted unauthorized computer access under the anti-hacking Computer Fraud and Abuse Act, or CFAA.

But the government’s interpretation of the law goes too far, according to the policy groups, and threatens to turn what is essentially a contractual dispute into a criminal case. As in the Lori Drew prosecution last year, the case marks a dangerous precedent that could make a felon of anyone who violates a site’s terms-of-service agreement, according to the amicus brief filed last week by the Electronic Frontier Foundation, the Center for Democracy and Technology and other advocates.

“Under the government’s theory, anyone who disregards — or doesn’t read — the terms of service on any website could face computer crime charges,” said EFF civil liberties director Jennifer Granick in a press release. “Price-comparison services, social network aggregators, and users who skim a few years off their ages could all be criminals if the government prevails.”

Posted on July 19, 2010 at 1:11 PMView Comments

Sidebar photo of Bruce Schneier by Joe MacInnis.