It's an interesting ambiance I regularly get around security people, Don't get me wrong but: that many people think that if something is broken it isn't secure.

Like some scripters think -and email me- when they bypassed some scripts I wrote. And say, hey it's broken! and I reply: I knew that, if you asked me first I could given you the holes it would saved you tons of free time. :)

Well clearly it doesn't say anything about it's security. Cause as we all probably know, everything that can be manufactured can be de-manufactured. So in the end that isn't the issue. Moreover I think the whole issue is to make alternatives and to broaden the trade-off, and not constantly try to rely on the old methods, which are broken too.

Still, one of the most strange forms of security in the real world are paper mail envelops in which we send all bank data, bank login credentials, account info, coupons, money, and all private stuff wrapped inside a thin paper.

Should we stop use it? of coarse not we trust other people don't we? ;-) *grin*

Anyway it's interesting to think about.

You also have to consider if using a CAPTCHA on your site if someone has no life at all they will attempt to break it to grab a few emails, or break into an account. The average site doesn't need such protection because not many sane people will waste their time with a small catch when they can go after big players like auction sites, banks etc and get a lot more. Reason I use a basic captcha on my site, and some email obfuscation, nothing more nothing less because if someone does take the time one day to spider for emails or brute force the login, well good for them. The average hacker will not waste their time. If someone really wanted to they can click get a pen and paper and manually write down all emails they can access, or manually try to break into an account. All captcha efforts useless but you did your best and kept most scripts/bots out.

@jungsonn - I completely agree with that sentiment, unfortunately this isn't a board about how nicely stuff works or usefulness, or how to make insecure apps. So our criticism of the technology from a security perspective is actually on-topic given that this is the web application security forum. Also, you yourself said you weren't aware of these issues, so clearly, it's worth talking through.

@CrYpTiC_MauleR - you're exactly right. As you probably already noticed I have no CAPTCHAs anywhere on this site or on ha.ckers.org. I have worked on them a lot in the past (built and broke them) and found only mild usefulness in them in certain specific circumstances. Most of the time they just confuse the issue and don't actually help the site in the way people seem to think they do. Granted, most people don't have the basic foundation to protect themselves like I do, so I can see why people get stuck in that mindset.

- RSnake
Gotta love it. http://ha.ckers.org

Oh sure it is, and really was. It's a great discussion and tons of fun to wrap my mind around. Learned a good piece here. I was just ranting some stuff I had in my mind, trying to put things into context again and to see the actual risk. Which included the use of Javascript to attack it -which obviously works- but is tough to deploy it on a large *automated* scale. So that got me thinking.

And indeed it a good use for small apps like registration forms etcetera. Any work in this field is good work and should continue.

As long as no one can launch an *automated* attack on CAPTCHA's with Javascript I really think they work, and aren't broken.



Edited 1 time(s). Last edit at 04/23/2007 04:47PM by jungsonn.

jungsonn Wrote:
-------------------------------------------------------
> As long as no one can launch an *automated* attack
> on CAPTCHA's with Javascript I really think they
> work, and aren't broken.


What logic are you using to determine that no one can launch an automated attack? Most automated spider systems I've worked on (Literally 85% out of dozens) are not simply winsock - they're using the MSTHML library (shdocvw) and doing things the same as Internet Explorer - javascript, vbscript, and css are inherently used as well as the ability to manipulate the document object model with your language of choice.



Edited 2 time(s). Last edit at 04/29/2007 08:04PM by NickWilliams.

Wow cool.

I know about SpiderMonkey, PHPJS, and other Javascript engines but I never saw a bot that could use it for automated SPAM.

But, If this can be done, I wonder why I never saw such bot? I had tons of websites over the last 10 years. And no bot could execute Javascript. Can you show me some please?

It really is rather trivial. The MSHTML/shdocvw.dll library allows direct implementation of Internet Explorer's rendering engine et all. To break the Hayes Captcha it's a matter of dropping in the shdocvw.dll active-x control (high level/simple implementation) and navigating the page, and then simply navigating to the javascript Trev has provided. You could also port the javascript over to your language of choice and interact with the dom from there. You can also spend a bit more time and access things at a lower level and control the most mundane parameters without the page ever really rendering, or doing so invisibly.

To read an email address that has been printed to the element via javascript it would be as simple as enumerating all the anchors on the page once it's loaded.

Dim Anchors as IHTMLElementCollection
Dim Anchor as HTMLAnchorElement
'
Set Anchors = Document.getElementsByTagName("A")
'
For Each Anchor In Anchors
'
If Instr(1,Anchor.href,"mailto:") > 0 Then MsgBox Anchor.href
'
Next Anchor

As for why you haven't seen it before... I don't know. I'm sure you haven't seen a lot of things - perhaps your websites aren't targets for email harvesting, etc. Search Engines of course don't support javascript because it's rather pointless, but that doesn't mean its impossible by any means. In fact, it's simpler to do things this way (and more robust).



Edited 3 time(s). Last edit at 05/01/2007 01:02AM by NickWilliams.

That sounds very plausible, obviously I think you are referring to spam zombies here? I've seen a chain of them around a few times, that was something completely different I was referring to.

I more or less meant bot software which spammers use themselfs on their deksktop ala Botmaster. Sure, anything can be smashed everyone knows that, but only a reasonable spammer only does it if he can earn something from it. Oh, and yes there are those guys who do it for fun, so it's not a one sided issue/comment and not intended that way.

I was moving to the point in saying that it has to be custom build, and if I change methods every 2 days, is it broken then? I guess not.

I'm referring to software specifically written to spam a service, blog, mine data, etc, whether it be in a spider-like system or targeted towards a specific service/domain such as Blogger.

If you want to update things every two days.. Why update the captcha? Why have a captcha at all? Why not just rename the form fields every two days?

My point was, javascript is not a barricade against bots - at least not any more than doing things *different* than the group being targeted.

Sites can shield against software like Botmaster by simply renaming the form fields or removing the footprint that allows the site to be found in the first place (ie "Powered by Wordpress").

You might as well just write something like "Type 123 in this box:" and make it an image - plain text, no squiggliness or the likes. Roaming bots won't know what to do, just as they won't know what to do when they come across some obscure captcha like Hayes'. Once the site IS a target.. It's compromised in a matter of an hour...

I'm still not quite sure you understand that this captcha can be *completely automated* from code (even if it required javascript) the same as the automation done by Botmaster, it's just a matter of implementing it. Noone's going to implement it for a shitty score, just as they wouldn't implement "if domain = roger's, then fill box with 123". The moment the Hayes' captcha is widely used (or is used for guarding a large score), it will be absolutely useless; as it stands now, it's no more effective than the "fill box with 123" method.



Edited 2 time(s). Last edit at 05/01/2007 06:09AM by NickWilliams.

I agree. In fact, that's exactly what I am doing on my site - renaming form fields for each request. That allows me to run phpBB (which is a *huge* target) without captcha and even without mandatory registration. I have lots of bots hitting the site but they never manage to post anything. Of course it takes only half an hour for somebody to figure out the algorithm and to write code for the spam bot. But as long as this code is only useful for my site and my site doesn't become another MySpace nobody will do it - it isn't worth the effort.

NickWilliams, removing "Powered by Wordpress" is unfortunately not enough. I have seen spammers coming from search requests like "XHTML: You can use these tags: <a href" - the "powered by" strings are obviously not reliable enough and spammers switch to characteristic strings of the particular scripts.

trev Wrote:
-------------------------------------------------------
> NickWilliams, removing "Powered by Wordpress" is
> unfortunately not enough. I have seen spammers
> coming from search requests like "XHTML: You can
> use these tags: <a href" - the "powered by"
> strings are obviously not reliable enough and
> spammers switch to characteristic strings of the
> particular scripts.


The real WTF is why anyone would write a bot to literally follow the SERP links directly rather than just navigating to the URL and dropping the referrer. I wasn't really saying remove just one footprint, I was just giving an example of an obvious one.

No, the bots don't send referrer headers :)
I had a few human spammers however - that's where I got the search requests from. Bots seem to use similar search requests, at least when I changed robots.txt to exclude post forms and such bot activity dropped significantly. Even though I still have "Powered by phpBB" there. And I was sure that you didn't mean removing just the one string - just wanted to make this point clear.

@NickWilliams Sure I understand it can be automated, everything can. I'm fully aware of that, thats just what I said. nothing tough about that in any way, but is it worth it to do? is it cost effective? if not, I still think CAPTCHA's aren't broken.

Automation cen be seen in different contexts. It is really automated if someone only has to load sites into his bot through Google for instance and hit submit. Takes 5 minutes and thats cost effective. Now, building custom scripts which takes much longer isn't cost effective.

Now, if one can mix up the code in a way it's hard to RegEx on, i can say it is _harder to automate_ and thereby I can say: it can be safe from automated submissions, because spammers don't have awful lot of time like we do to break something that is used on 20 websites. it's tricky what I said, and it surely was asking for explanation.

It definitely is cost effective to break CAPTCHAs depending on the site. If you are just talking about a 200 person site with no pagerank, no, not worth it. If you are talking about protecting an enterprise with it I would re-think the CAPTCHA you use. Anything that can be reverse engineered will be. Anything that can't will go through human CAPTCHA breaking factories. As long as it is worth more than fractions of a penny to solve, it is worth it to solve. It may take time for them to find the target, but at that point that's the only thing protecting the site - time.

- RSnake
Gotta love it. http://ha.ckers.org

Right, but security in general is only meant to slow down hackers, attackers, spammers, etc. That's the whole deal with security, and in fact the only reason security exist to keep the good guys good, and to slow down possible bad guys.

So when someone can slow down attacks, or make it more difficult to break it efficiently or make it more difficult to monetize it, I think it works.

Still I have trouble to understand why human captcha solvers are being used. And for what reason. What they solve and let's say post after it can be removed in a few mouse clicks. If humans solve them, Captchas aren't broken either, because they are human, and thereby solve the captcha.

Hence, Another method I used in some applications is what I called "Post Spam Resolving" where a script is daily actively searching all database records on Spam signiatures, and list them to be evaluated by humans to be removed.

So I really cannot say that the bad guys win and captchas lose, it's a trade-off.

Ronald Wrote:
-------------------------------------------------------
> Right, but security in general is only meant to
> slow down hackers, attackers, spammers, etc.
> That's the whole deal with security, and in fact
> the only reason security exist to keep the good
> guys good, and to slow down possible bad guys.


Actually, I really disagree with that. The goal of security is to stop attackers. We realise that we can't predict everything, so we accept that we'll lose at one point, but that doesn't mean our goal changes - if a system only slows an attacker, then it is not a security measure - it should be nothing more than a band-aid until something better can be implemented.

The only time simply slowing an attacker down is acceptable is when such an attack (e.g. brute force) is unsolvable because the attack does not exploit technology, but rather exploits a user's inability to choose a good password, or similar. CAPTCHAs are used there, and are useful, especially considering that having humans solve that many CAPTCHAs is infeasible. Sure, CAPTCHAs are also used to prevent SPAM, but SPAM is not a security problem - it may be one which we try to address, but it is not a security problem, there is no attack, it is simply automated usage.

Well theoretical security concepts are designed to stop them, but practical security concepts show that that is impossible. Nothing can be secured in the real world. So given this fact we can conclude this:

a.security does not exist in the real world, only in theory.
b.security does exists in the real world and can only slow down attacks, not stop them.

I'll go for B. for the main reason why this is standing firm ground, I can compare it to a bulletproof vest. That is also designed to slow down bullets, but with a huge caliber one can shoot right through it. Same with bulletproof glass, metal etc. I just use it as an analogy to the concept of security.

I'm not sure it hold enough water for the Captcha example, but in general if anything else, it's the best we can do.



Edited 1 time(s). Last edit at 05/10/2007 05:57AM by Ronald.

Okay, but the next question you have to ask yourself is where is the tradeoff? In biometrics it's similar to a crossover rating, but here we have to think about the cost benefit analysis from an attacker's perspective. Did that CAPTCHA slow down the people you want enough to in any way solve your issue? If you have to use offline analytics to pull down things for human review, CAPTCHAs haven't done their job. They may have slowed the scale by which you have to review by human eyes, but they certainly haven't stopped it. So the most important question here is have you stopped the bad guys from doing what they want to do? Ultimately CAPTCHAs are ineffective at that unless it makes it economically infeasible. Also, since most of them can be solved by computers anyway, it hasn't even solved the most basic requirement that it even be a human. So in my opinion while they may not be 100% broken in all cases, they have limited security value but tons of obfuscation value. So yes, good for keeping out a few kiddies, completely worthless for stopping the people who I worry most about.

- RSnake
Gotta love it. http://ha.ckers.org

So we can agree upon one thing then: It's useless to use a captcha.

Well, while where at it: Why have security at all.
cause every protection can be broken isn't it? I know some lock pickers who can open up every door under 2 minutes. Do they say that locks are useless now? No I can't recall that they said something like that. To their viewpoint, every customer doorlock can be opened under 2 minutes: So it's broken.

Is this feasible?

No, and you know why: One of the most used security philosophy today is build upon one thing: Preventing attacks, by slowing them down. It's impossible to stop everything in the end.

So are CAPTCHAs useless, are they broken? No, not for me.
I think one can't say it's broken, or useless. it all depends on the context where it is used and implemented.



Edited 1 time(s). Last edit at 05/12/2007 02:32PM by Ronald.

I'm not sure that's a good analogy. Locks keep out 99.99% of people who shouldn't have access, while CAPTCHAs keep out no one except (theoretically) robots (and blind people). Further, for me to break into 1000 doors, even if I'm good, by your math would take me 2 minutes x 1000 doors, assuming there is no travel time between them. CAPTCHAs, on the other hand, take far less time than that because of scale. You could do 1000 in 2 seconds if it were a weak CAPTCHA or if you had enough porn proxies set up, regardless of geographic location.

What you are getting at is the economy of the issue which is a different problem and one worth discussing, although I'm still not sure how this conversation ended up in this thread. It probably deserves a new thread since this has nothing to do with Heyes in particular. If it's worth a lot (like the contents of a house to be analogous to a dork lock) to break a CAPTCHA, no, CAPTCHAs fall down much faster than 2 minutes per. If it's worth next to nothing (instead of the contents of a house, all they get is a text link on some page) yes, a CAPTCHA has done it's job since it is not worth it to break the CAPTCHA.

And be careful, I never said they were useless. I actually said they do keep out the kiddies, but unfortunately, the kiddies are barely worth thinking about in most of the applications I work on. So while CAPTCHAs provide some incremental value, they are anything but "secure". Should you use them? Depends completely on what you are trying to solve. In most cases the answer is no, in my experience. However, certain things like brute force actually do help, since the name of the game is increasing the level of inconvenience for the robotic activity (similar to time delays in login screens after failed attempts).

I simply don't think you should think of CAPTCHAs as a security device, I think you should only think of them as a tool to slow down robotic activity, and that's it. I do think there is a lot of good security in the world, but CAPTCHAs do not fall into that category. Sorry if this isn't what you wanted to hear, but I've seen every CAPTCHA deployed in a large scale environment broken in real life (not just the lab). I'm not talking about my theories here. It just really is a pretty weak tool. While locks are also very susceptible to being broken, the physical annoyance and likelihood of getting caught are the few things that allow it to prevail. Don't forget that the anonymity of the Internet is one of the main causes for it being such a great place for attackers. Attackers don't have that luxury in real life for the most part.

- RSnake
Gotta love it. http://ha.ckers.org

Well I don't know, some "lock kiddies" or just people who walk in the streets are also no experts on locks. Still, they are designed to keep the good people good. They are no protection agains the people who really want to break in.

Normal people may take 3 days to open the same lock, an expert lockpicker does in under 2 minutes. So can I compare it? yeah I think I actually can.

So no lock is safe, should we stop use it then?

Cause like you said: The CAPTCHA fails to protect, because the experts can crack it. To me, that is a pretty useless statement in analogy with the lock. Because what it implies is what I said earlier: If that is the case, why have security at all.

Yesterday I saw an interesting news story in my country about a real world heist, know how they did it? they drove to a bank, and of coarse, the bank is protected. So they waited behind the bank. 2 bank employees where filling the ATM with money in the room where the bank robbers where waiting behind the back door. The robbers spilled gasoline on the door, so that the bank employees smelled the gasoline and opened the secured door to look where the smell was coming from, quickly the bank robbers did go in and took all the money.

A weak link, despite tons of steel doors and thick walls, and other security stuff. Smart idea, It kept out good citizens, but the bad guys won. They always win.

But it doesn't mean we should throw away barriers and perimeters. Is it?



Edited 1 time(s). Last edit at 05/17/2007 07:58AM by Ronald.

I actually don't think I ever said, "The CAPTCHA fails to protect, because the experts can crack it." What I said is that it does keep out kiddies, but they are rarely worth thinking about in most critical applications. It does slow down robots, but it doesn't stop attackers. So you have to weigh the value of what you are trying to protect. Please don't read into this too much, read it for what it says. I do think CAPTCHAs provide value - just not what most people use them for.

- RSnake
Gotta love it. http://ha.ckers.org

Continuing my quest for a non-image based captcha, I've released a new version of the HeyesCaptcha. Using research gathered from the last time, I think I've made this one far more secure against automation.

Can anyone automate it?
http://www.thespanner.co.uk/2007/05/26/heyes-captcha/

Heh, I saw this on php-planet before readin git here. Anyway... It's still entirely JavaScript based and can be automated. All you have to do is read a few variables, parse them a bit and md5 them. Totally doable.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Hi WhiteAcid the javascript creation is simple at the moment but it does change everytime you visit the page. The class I wrote could be expanded upon to include more complex code creation, in order to successfully pass the test you would have to get the javascript and have some sort of engine to parse it, although now it would be possible to write a simple one that could convert the javascript into php and therefore create the correct hash, I think with enough random code generation it would be very difficult to bypass without executing the javascript.

I'm going to release the code under GPL so I guess I will find out if it has been a waste of time or not :)

You could always embed an existing JavaScript engine into your solver and use that. Anything your browser can do another program can do.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

It was a technical challenge I set myself to see if I could create some code that couldn't easily be parsed without pressing a key and executing the javascript. I know what you are saying but if the parser doesn't know what to execute and it is complex enough to prevent regular expressions then maybe it's possible to prevent automation in this way.

Could you provide me an example on how to bypass this technique?

My programming skills, specifically embedding a JavaScript engine into a program aren't what they need to be to create a standalone app, instead I've made this bookmarklet which would solve the captcha:

HeyesCaptcha.prototype.complete = function() {seqK  = '';for (i=0; i<this.sequence.length; i++){x = this.sequence;seqK += x.substr(44,1);seqK += x.substr(81,1)}document.getElementById('sequence').value = seqK;this.count = 4;this.seconds = '';this.updateKey()};heyescaptcha.complete()

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Heh cool attack! So simple to bypass :)

What about if a random seed was used on the sequence though? So the length varies and the seed is removed on the server before the check. I could also randomise the function calls and also the method of assigning the sequence.

If I applied those techniques, could another method be created to easily bypass? I'm guessing that is would be more difficult to bypass on the server side.

You can make it harder but as long as you're sticking to JS it can always be solved programatically.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer