Building a better spam-blocking CAPTCHA
New approaches may give the CAPTCHA antispam technology a second chance
Computerworld - How do you let people create user accounts or post comments on your Web site without letting spam bots in? Simple -- make your users prove they're human. Many Web sites use CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) technology to try to tell the bots from the people.
CAPTCHA's idea is simple enough. It presents users with an image showing an obfuscated string of letters that they must type in to get an e-mail or social networking account, for instance, or to enter a comment on an online forum. The theory is that only humans can decipher the letters hidden in the image and type in the correct code, and for a time it was an effective tool to keep the bots out.
But while no one has yet come up with a computer that can fool people into thinking it's another person, computers are great at fooling other computers. These days, malware makers and spammers regularly trick the CAPTCHA systems at big-name Web sites such as Yahoo Mail, Gmail and Craigslist, and use these sites to automate their attacks.
So what can we do? Can CAPTCHA be saved?
The rise and fall of CAPTCHA
CAPTCHA was created in 2000 by researchers at Carnegie Mellon University, and by 2007, the technology was being used almost everywhere on the Web. For example, if you try to leave a comment on this story, you'll need to jump through a CAPTCHA hoop before you can leave a message.
Then, adding insult to injury, the crackers started releasing their work in the form of do-it-yourself CAPTCHA cracking software that anyone could use. For example, a program called CL Auto Posting Tool attempts to post bogus ads to Craigslist while automatically overcoming Craigslist's antispam protections.
These programs work by using OCR (optical character recognition) software to try to make sense of CAPTCHA's disguised text. If they fail, they try again. They take advantage of the fact that some CAPTCHA systems don't automatically give users a new CAPTCHA image to puzzle out. Instead, they'll let you, or a cracker program, keep working at the hidden text until it's solved.
Get one of these programs, aim it at the site you want to have bogus accounts on, and you can start spreading spam, anonymously flaming people you don't like, and sending thousands of people links to your malware-infested site.
It's not that the OCR-based cracker programs are that good. They're not. As CAPTCHA expert Sumeet Prasad from security firm Websense explained in a blog posting, while only 10% to 15% of the attempts on Hotmail are successful, a CAPTCHA cracker program needs only six seconds per attack. If a site allows an unlimited number of chances to crack a single image, that means it will take, on average, less than a minute to break in.
Because they are clearly insecure, CAPTCHA systems that allow unlimited or multiple attempts are becoming uncommon. Still, today's automated bots are capable of breaking even those systems that make users respond to a new CAPTCHA image after the first or second unsuccessful attempt. (On average, of course, the bots' efforts are less likely to work at one-try CAPTCHA systems.) That said, simple CAPTCHA systems, such as the ones that use random, non-malformed letters against a simple background, are still in common use and are easily breakable.
Another way to crack a badly designed CAPTCHA program is to reuse the session identification URL of a solved CAPTCHA image. In this case, either the cracker, or more likely a cracking program, first gets the right answer to a CAPTCHA. It then reconnects to the Web site with a URL containing the solved session identification information with a new username. Presto! You have an automated site cracker with a 100% success rate until the session ID eventually expires.
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts