2008-09-14_OWASP_Israel_2008.ppt


Presentation Transcript

CAPTCHA - The Image We All Love To Hate : 

CAPTCHA - The Image We All Love To Hate
Shay Zalalichin and Avi Douglen, Comsec Consulting, http://www.ComsecGlobal.com/
OWASP Israel, September 14, 2008

Introduction : 

Introduction
CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart

CAPTCHA Techniques : 

CAPTCHA Techniques
Background: colors, patterns
Distortion: warping, perturbation
Lines
Text: non-alpha characters, fonts, sizes, crowding, deformation, rotation

Common Uses : 

Common Uses
Account registration
Blog comments
"Contact Us" forms
Data enumeration (scraping)
Online polls
Search engine bots
Worms
Authentication mechanism
CSRF protection
The last two are misuses: a solved CAPTCHA shows at most that a human was involved somewhere, not who they are or that they intended the request.

Implementation Attacks – Example : 

Implementation Attacks – Example
captcha_image.php?x=-8&y=20&l=12 (x + 12, y – 17)
The image generator takes its rendering parameters (offset x, y and length l) from the query string and derives the text position from them, so the client decides how hard the image is.
<input type="hidden" name="cap" value="c4ca4238a0b923820dcc509a6f75849b">
The hidden field carries the hash of the solution: c4ca4238a0b923820dcc509a6f75849b is md5("1"), so the answer can be recovered offline without ever looking at the image.
- Mike Spindel and Scott Torborg, DEFCON 16, CAPTCHAs: Are They Hopeless

Implementation Attacks – More Example : 

Implementation Attacks – More Examples
Solution as part of the image id: the image URL or id encodes the answer
Static solution per image id: the same id always has the same answer, so one lookup table solves it for good
Multiple solution attempts on a single image: the challenge is not consumed on a wrong answer, so it can be brute-forced
Small number of repeated images / limited solution space: enumerate the images or the answers once
Dataflow bypass: the protected action can be reached without passing through the CAPTCHA check at all
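The hidden-field flaw from the previous slide and the "multiple attempts on a single image" item above, as an added worked example in Python. This is illustration written for this page, not code from the talk or from any product: the vulnerable form hands md5(solution) to the client and trusts it back, the attacker brute-forces it or simply forges it, and a server-side challenge store that consumes each challenge on first use fixes both problems. The digit-only solution space, the function names and the ChallengeStore class are assumptions of the example.

```python
"""Added illustration of the implementation flaws listed above (not code from
the talk): a CAPTCHA form that ships md5(solution) in a hidden field, the
offline attack on it, and a server-side challenge store that fixes it.
Everything here is constructed for the example."""
import hashlib
import hmac
import itertools
import secrets

DIGITS = "0123456789"   # assumed solution alphabet for the example


# --- Vulnerable pattern ----------------------------------------------------
def vulnerable_hidden_field(solution):
    """What the page embeds next to the image, e.g.
    <input type="hidden" name="cap" value="...">: md5 of the solution."""
    return hashlib.md5(solution.encode()).hexdigest()


def vulnerable_check(hidden_value, answer):
    """Server side: trusts the hidden value that came back from the client."""
    return hashlib.md5(answer.encode()).hexdigest() == hidden_value


def crack_hidden_field(hidden_value, alphabet=DIGITS, max_len=4):
    """Attacker, offline: the solution space is small (here up to four digits),
    so brute-force the hash without looking at the image or contacting the
    server.  Returns the recovered solution or None."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guess = "".join(combo)
            if hashlib.md5(guess.encode()).hexdigest() == hidden_value:
                return guess
    return None


def forge_submission(answer):
    """Attacker, even lazier: the server checks the answer against a
    client-supplied hash, so submit a hash/answer pair of your own choosing."""
    return hashlib.md5(answer.encode()).hexdigest(), answer


# --- Hardened pattern ------------------------------------------------------
class ChallengeStore:
    """Server-side state: opaque challenge id -> solution.  The id carries no
    information about the answer, is unguessable, and is consumed on the first
    verification attempt, so neither the hidden field nor repeated guesses
    against one image help the attacker."""

    def __init__(self):
        self._pending = {}

    def issue(self, solution):
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = solution
        return challenge_id

    def verify(self, challenge_id, answer):
        # pop(): exactly one attempt per challenge, right or wrong
        solution = self._pending.pop(challenge_id, None)
        if solution is None:
            return False
        return hmac.compare_digest(solution.encode(), answer.encode())


if __name__ == "__main__":
    hidden = vulnerable_hidden_field("1")
    print(hidden)                        # c4ca4238a0b923820dcc509a6f75849b
    print(crack_hidden_field(hidden))    # 1
    h, a = forge_submission("anything")
    print(vulnerable_check(h, a))        # True
    store = ChallengeStore()
    cid = store.issue("7L1")
    print(store.verify(cid, "7L2"), store.verify(cid, "7L1"))  # False False
```

The store does not address "small number of repeated images" or a tiny solution space: those are properties of the image generator, and a generator that draws from a few hundred images is enumerated once no matter how the check is wired.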

Attacks – Automatic Recognition : 

Attacks – Automatic Recognition
Optical Character Recognition (OCR): preprocessing, segmentation, classification
Success rates reported at the time (2008):
20% for Gmail
30-35% for Hotmail
60-90% for most others…
Speech-to-text against audio CAPTCHAs
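The three OCR stages named on this slide, as an added toy example in Python written for this page (not from the talk, and far simpler than the recognisers behind the success rates quoted above). The 5x5 font, the noise pixels and the bitmaps are constructed here. The example also shows why the "crowding" technique from the techniques slide is effective against the segmentation step.

```python
"""Added toy OCR pipeline (not code from the talk): preprocess -> segment ->
classify, run against a constructed text-CAPTCHA bitmap.  The 5x5 font, the
noise pixels and the images are all constructed for this example."""

# Constructed 5x5 bitmap font ('#' = ink, '.' = background).
FONT = {
    "1": ["..#..", ".##..", "..#..", "..#..", "#####"],
    "7": ["#####", "....#", "...#.", "..#..", ".#..."],
    "L": ["#....", "#....", "#....", "#....", "#####"],
    "T": ["#####", "..#..", "..#..", "..#..", "..#.."],
}
HEIGHT = 5


def render(text, gap, noise=()):
    """Render `text` with `gap` blank columns between glyphs and a one-column
    margin on each side, then paint the constructed `noise` pixels (row, col).
    gap=0 models the 'crowding' technique from the techniques slide."""
    rows = []
    for r in range(HEIGHT):
        row = "." + ("." * gap).join(FONT[ch][r] for ch in text) + "."
        rows.append(list(row))
    for r, c in noise:
        rows[r][c] = "#"
    return ["".join(row) for row in rows]


def preprocess(img):
    """Preprocessing: drop isolated ink pixels (no ink among the 8 neighbours).
    A crude despeckle; real pipelines also threshold, deskew and remove lines."""
    h, w = len(img), len(img[0])

    def ink(r, c):
        return 0 <= r < h and 0 <= c < w and img[r][c] == "#"

    out = []
    for r in range(h):
        row = ""
        for c in range(w):
            keep = ink(r, c) and any(
                ink(r + dr, c + dc)
                for dr in (-1, 0, 1) for dc in (-1, 0, 1) if (dr, dc) != (0, 0))
            row += "#" if keep else "."
        out.append(row)
    return out


def segment(img):
    """Segmentation by column projection: every maximal run of columns that
    contains ink is assumed to be exactly one character."""
    w = len(img[0])
    inked = [any(row[c] == "#" for row in img) for c in range(w)]
    segments, start = [], None
    for c in range(w + 1):
        if c < w and inked[c]:
            if start is None:
                start = c
        elif start is not None:
            segments.append([row[start:c] for row in img])
            start = None
    return segments


def classify(seg):
    """Classification: nearest template by Hamming distance.  A segment whose
    width is off by more than one column (merged or split glyphs) is rejected
    as '?' instead of guessed."""
    width = len(seg[0])
    best, best_dist = "?", None
    for ch, glyph in FONT.items():
        gw = len(glyph[0])
        if abs(width - gw) > 1:
            continue
        dist = abs(width - gw) * HEIGHT + sum(
            1 for r in range(HEIGHT) for c in range(min(width, gw))
            if seg[r][c] != glyph[r][c])
        if best_dist is None or dist < best_dist:
            best, best_dist = ch, dist
    return best


def solve(img):
    """Whole pipeline.  Returns (number of segments found, recognised text)."""
    segments = segment(preprocess(img))
    return len(segments), "".join(classify(s) for s in segments)


if __name__ == "__main__":
    specks = {(4, 0), (2, 7), (1, 15), (0, 22)}   # constructed isolated noise
    print("\n".join(render("7L1", gap=3, noise=specks)))
    print(solve(render("7L1", gap=3, noise=specks)))   # (3, '7L1')
    print(solve(render("7L1", gap=0)))                 # (1, '?')
```

Run stand-alone it prints the noisy bitmap, then (3, '7L1') for the spaced rendering and (1, '?') for the crowded one: the specks are removed in preprocessing, but once the glyphs touch, column projection yields a single blob that the classifier refuses to label. That is the general lesson behind the quoted success rates: segmentation, not single-character classification, is where most of the remaining difficulty lives.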

Slide 8: 

(image from Mike Spindel and Scott Torborg, DEFCON 16, CAPTCHAs: Are They Hopeless)

Slide 9: 

(image from Mike Spindel and Scott Torborg, DEFCON 16, CAPTCHAs: Are They Hopeless)

Other Approaches : 

Other Approaches

Attacks using the Human Factor : 

Attacks using the Human Factor
CAPTCHA proxies: relay the challenge to humans elsewhere (pornography sites, games, etc.) and feed their answer back
CAPTCHA farms: cheap workers (Indian / Romanian / Far East / …) at $2 to $4 per 1000 CAPTCHAs

Slide 15: 

(image from Jeremiah Grossman, Black Hat 2008, Get Rich or Die Trying)

Conclusion : 

Conclusion
CAPTCHA doesn't work
What it does do, it does badly
And it's broken, besides…
Bad solution for the wrong problem
In the meantime: don't use CAPTCHA for sensitive resources
