
Windows Live Hotmail CAPTCHA Cracked, Exploited

eldavojohn passes along what may be the last nail in the coffin for CAPTCHA technology. Coming on the heels of credible accounts of the downfall of first Yahoo's and then Gmail's CAPTCHA, Ars Technica is reporting on Websense Security Labs' deconstruction of the cracking and tuning / exploitation of the Live Hotmail CAPTCHA. Ars calculates that a single zombie computer can sign up over 1400 Live Hotmail accounts in a day, and alternate account creation with spamming. Time to dust off Kitten Auth?
  • Great (Score:2, Insightful)

    by esocid ( 946821 ) on Tuesday April 15, 2008 @04:31PM (#23082154) Journal
    Who's killing kittens?

    Cutest kitten /.ed.
  • by RingDev ( 879105 ) on Tuesday April 15, 2008 @04:32PM (#23082164) Homepage Journal
    KittenAuth, Hot or Not, simple math, word tests, anything to get rid of those pain in the ass CAPTCHAs.
  • by Anonymous Coward on Tuesday April 15, 2008 @04:41PM (#23082294)
    So what would stop me creating a batch of 1000 accounts, and just keeping them dormant for two weeks before sending them into battle?

    I could even have them send mail to each other to lend a thin veneer of realism to discourage the account provider just wiping them automatically.

  • by rrahimi ( 1270478 ) on Tuesday April 15, 2008 @04:43PM (#23082318)
    Not all of these solutions provide an acceptable level of accessibility, and that's a major concern.
  • by Maxo-Texas ( 864189 ) on Tuesday April 15, 2008 @04:43PM (#23082322)
    Why are they allowing the same computer multiple accounts in the same day?
    Why are they allowing the same account creation attempt to fail over three times?

    Still... I guess as computers get smarter, this is unstoppable.

    All my accounts are white-listed. If I don't know you, I don't see your email.
  • by Nos. ( 179609 ) <andrew@th[ ]rrs.ca ['eke' in gap]> on Tuesday April 15, 2008 @04:47PM (#23082370) Homepage

    I had been working on a community driven system of identifying media. It had the benefit of being useable by vision or hearing impaired persons. Users could upload a piece of media (generally audio or a picture). Users would then submit their best identification of that media. For example, you could have a picture of a cow. Users would submit "Cow", "Mammal", "Bovine", etc, or in the case of audio, it could be as simple as repeating the words in the audio, or answering a simple math test.

    Another advantage, at least of the pictures, would be that it could handle multiple languages. The audio could simply be tagged as "en" or "fr".

    The idea was then that a site owner could insert a bit of code to request the media, any language preference, and a list of the top n answers. They display the media in place of a captcha. The user submits the form, as well as their answer. Their answer is compared to the list of top n answers.

    The system I was building would host all the media, so web masters would not incur extra bandwidth. Filenames would be randomly chosen, and changed on a regular basis.

    Maybe I should resurrect it.

  • Re:Kitten Auth (Score:5, Insightful)

    by drawfour ( 791912 ) on Tuesday April 15, 2008 @04:48PM (#23082398)

    Pretty soon we'll realize that anything a human can discern on the internet a computer can discern.
    Then a computer will be able to discern spam, and the problem will solve itself. Until we get to that point, though, we have to keep one-upping the spammers.
  • hotmail ? (Score:4, Insightful)

    by Tom ( 822 ) on Tuesday April 15, 2008 @04:50PM (#23082440) Homepage Journal
    From TFA:

    Spammers love getting their hands on live.com and hotmail.com addresses since the chance of such popular domain names being blacklisted are slim to none.
    You've got to be kidding! hotmail.com (and all its other TLDs) has been banned from my game four, maybe 5 years ago. I've been giving every mail from a hotmail account an automatic 2 points in SpamAssassin for at least three years.

    For as long as I can think, hotmail has been a spam source. "not blacklisted"? My ass.

  • by gnick ( 1211984 ) on Tuesday April 15, 2008 @04:53PM (#23082482) Homepage
    If you have accessibility barriers so serious that you can't tell a picture of a kitten from a picture of a dog or tell the difference between a kitten meowing and a dog barking, where are you trying to register?
  • Real world... (Score:5, Insightful)

    by rueger ( 210566 ) on Tuesday April 15, 2008 @05:00PM (#23082566) Homepage
    Oh Boy - here come the endless "we should do THIS" scenarios.... we should pay for each e-mail... we should all whitelist... we should throttle how many messages a person can send each day... we should outlaw webmail like Yahoo or Gmail...

    Problem is that none of them really will work in the Real World (RW).

    In the RW people like webmail. In the RW people like to change e-mail addresses, or create new ones for specific needs. In the RW some people like "real" e-mail, downloaded to a local PC, and others like Google or Yahoo or Hotmail and keeping everything on the host server.

    In the RW a lot of people and businesses send a lot of bulk e-mail, very legitimate opted-in e-mail. In the RW a lot of people get important messages from entirely new people, people who haven't been whitelisted, and who are unlikely to bother going through the whole "If you want to e-mail me you need to click the link below and prove that you exist" process. After all, clicking links in e-mail is something that we teach people to NOT do.

    And in the RW the spammers always stay one step ahead of the ISPs and mail providers anyhow.

    No, what's needed is a real ground-up redesign of how e-mail works. We need something that encompasses the ease of current POP/IMAP/Webmail services, but which somehow includes ways to authenticate and/or block mail without user intervention, and which does so with near perfect reliability. And which maintains some backwards compatibility for at least a few years.

    Adding more hoops or captchas or whitelists to the existing mail systems just isn't going to solve the problem.

  • by eobanb ( 823187 ) on Tuesday April 15, 2008 @05:00PM (#23082568) Homepage
    I love the idea of ReCAPTCHA and its novel side-effect of helping digitise old books. But that doesn't mean it won't be cracked eventually, especially not since a computer could look at the example given on ReCAPTCHA's website:

    'This aged portion of society were distinguished from'

    The OCR read 'portion' as 'pntkm.' This doesn't mean it's hard for computers to decipher, it just means that the OCR programme sucks. Hello! 'pntkm' is not a word. It's not caps, so it's probably not an acronym. It has no vowels, so it's not pronounceable. It also doesn't appear in any dictionary. Heck, even if it was scanned as some similarly-spelt word like 'abortion,' it makes no sense in the context of the sentence, and presumably if the software was sophisticated enough, it could recognise that.
  • Re:Kitten Auth (Score:4, Insightful)

    by corsec67 ( 627446 ) on Tuesday April 15, 2008 @05:03PM (#23082612) Homepage Journal
    Your solution doesn't account for one thing:

    Botnets. If someone really wanted to make 10,000 accounts, just have each computer on a botnet make 1 account each, with a botnet of 10,000 computers. Different IPs, etc to make them difficult to differentiate from legitimate creations.

    As computers get more powerful and AI gets better, CAPTCHAs have to get harder or they are broken.

    And then there is the "porn for CAPTCHA" hack, where you have a second site where you have people solve a CAPTCHA to get access to porn, and then the hacker uses that solution to make an account on the original site. The only solution is to have a short timeout, but if the porn site gets enough traffic, even that isn't an issue.

    AI may be hard, but it isn't impossible to have real intelligence used en masse.
  • by RingDev ( 879105 ) on Tuesday April 15, 2008 @05:09PM (#23082690) Homepage Journal
    As opposed to the level of accessibility CAPTCHAs provide to blind/limited sight individuals?

    And have you ever tried the audio CAPTCHAs? Talk about horrendous.

    Plain text or even TTS would allow near 100% accessibility if you asked simple math questions in the context of a story problem. With rotating questions, nouns, and verbs, a relatively small number of predetermined values could be used to quickly generate many different combinations.

    Sure, it's still crackable, but it would be a hell of a lot nicer for the users. And with a significant enough base of words and grammar structures it would still be rather solid. Combine that with decent behavior tracking. (Wow look, this ASDFDSA guy just created his email account 5 minutes ago and has already sent 15,000 emails!) And you'd wind up with something that is MORE accessible and still provides a solid amount of protection.

    -Rick
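The behavior tracking suggested in the comment above (a minutes-old account that has already sent 15,000 messages) can be sketched as a detection rule over mail-service events. This is an added example, not part of the original post or any provider's code; the log format, account names and thresholds are assumptions, and the hourly cap is included because an age-only rule says nothing about accounts that were left to age before sending.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are illustrative assumptions, not values from any provider.
YOUNG_AGE = timedelta(hours=24)   # an account counts as "new" for this long
YOUNG_LIMIT = 100                 # total messages a new account may send
HOURLY_LIMIT = 500                # messages any account may send per hour

# Constructed sample events: "<timestamp> <event> <account> [count]"
SAMPLE_LOG = """\
2008-04-01T09:00:00 signup sleeper01
2008-04-15T17:00:00 signup ASDFDSA
2008-04-15T17:02:00 send ASDFDSA 7000
2008-04-15T17:05:00 send ASDFDSA 8000
2008-04-15T17:10:00 signup alice
2008-04-15T17:30:00 send alice 3
2008-04-15T18:00:00 send sleeper01 400
2008-04-15T18:20:00 send sleeper01 400
2008-04-15T18:40:00 send longtime_user 20
"""

def flag_accounts(log_text):
    """Return {account: set of rule names} for accounts that trip a rule."""
    signup = {}
    young_total = defaultdict(int)     # account -> messages sent while new
    hourly = defaultdict(int)          # (account, hour bucket) -> messages
    flags = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue                   # skip blank or short lines
        ts, event, account = datetime.fromisoformat(parts[0]), parts[1], parts[2]
        if event == "signup":
            signup[account] = ts
        elif event == "send" and len(parts) == 4 and parts[3].isdigit():
            count = int(parts[3])
            # Rule 1: volume sent while the account is still new.
            # Accounts with no signup in the log are treated as established.
            created = signup.get(account)
            if created is not None and ts - created <= YOUNG_AGE:
                young_total[account] += count
                if young_total[account] > YOUNG_LIMIT:
                    flags[account].add("new-account-volume")
            # Rule 2: hourly cap regardless of account age.
            bucket = (account, ts.replace(minute=0, second=0, microsecond=0))
            hourly[bucket] += count
            if hourly[bucket] > HOURLY_LIMIT:
                flags[account].add("hourly-cap")
    return dict(flags)

if __name__ == "__main__":
    for account, reasons in sorted(flag_accounts(SAMPLE_LOG).items()):
        print(account, sorted(reasons))
```
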
  • by AmaDaden ( 794446 ) on Tuesday April 15, 2008 @05:15PM (#23082780)
    Yeah but all 'are you human' tests so far are crackable. The crack for the kitten test is to record all the unique pictures by constantly hitting the site and then mark the ones that are kittens manually. So when your bot goes there he only needs to compare the pictures he has that he knows are kittens to the ones he sees.

    Now the patch for this is to start blurring the kittens. So welcome back to square one my friend.
  • Re:Kitten Auth (Score:3, Insightful)

    by The Living Fractal ( 162153 ) <banantarr@hot[ ]l.com ['mai' in gap]> on Tuesday April 15, 2008 @06:01PM (#23083044) Homepage
    The fatal flaw in your logic is in assuming that a human can discern spam.
  • Re:Great (Score:3, Insightful)

    by Goaway ( 82658 ) on Tuesday April 15, 2008 @06:03PM (#23083062) Homepage
    That only matters if somebody is trying to crack it. 99.999% of the time, nobody is, you're just getting hit by automated bots.
  • Re:Kitten Auth (Score:2, Insightful)

    by Anonymous Coward on Tuesday April 15, 2008 @06:16PM (#23083158)

    Pretty soon we'll realize that anything a human can discern on the internet a computer can discern.


    Then a computer will be able to discern spam, and the problem will solve itself.
    The two problems are not really of the same nature. Solving a CAPTCHA means getting at least 5% of your answers correct, while solving the spam detection problem means getting at least 99% of your answers correct. If those two figures were the same (e.g. 70%), then we could indeed construct a spam filter from a universal CAPTCHA solver: the CAPTCHA question would be an email, and the answer would be whether it is spam. But the figures are vastly different, so unfortunately it's highly possible that we can't find any secure CAPTCHA *and* we can't find any reliable spam filter.
  • by Anonymous Coward on Tuesday April 15, 2008 @06:40PM (#23083394)

    Why are they allowing the same computer multiple accounts in the same day?
    Because they don't want to inconvenience their human users, many of whom have perfectly valid reasons to want multiple accounts on the same computer in the same day.

    All my accounts are white-listed. If I don't know you, I don't see your email.
    How nice it must be for you to have a fixed, insular circle of acquaintances.
  • by Anonymous Coward on Tuesday April 15, 2008 @06:58PM (#23083550)

    Yeah but all 'are you human' tests so far are crackable.

    "The giant green dragon breathed fire at the horrified princess as the chivalrous knight drew his bowstring. What word in the previous sentence describes the emotional state of the female?"

    It is actually not that hard to write a program which is capable of GENERATING such challenges. It is much, much harder to write a program which is capable of comprehending them and answering the question. It does not depend on the ability to see or even hear, just the ability to somehow input the sentence into your brain and comprehend it.

  • by thegux ( 892222 ) <shane@NosPAm.duairc.com> on Tuesday April 15, 2008 @07:03PM (#23083582) Homepage
    From what I've seen of these KittenAuth things, though I don't know much about them, you're given 9 pictures, 3 of which are kittens, and you're asked to identify them? By my reckoning, the probability of any arbitrary 3 pictures being the 3 kittens is 1/84 (9C3), which I don't think is that small. You probably wouldn't get 1400 accounts a day out of it, but you'd get enough for it to be a problem.
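The 1/84 estimate in the comment above can be turned into a sizing check for a pick-the-kittens grid. This is an added example, not part of the original post or of KittenAuth itself; it assumes uniformly random guessing, independent grids, and that the site can require several grids in a row or lock a client out after a fixed number of failed tries.

```python
from fractions import Fraction
from math import comb

def blind_guess_rate(pictures, targets, rounds=1):
    """Chance that uniformly random picks pass `rounds` independent grids."""
    return Fraction(1, comb(pictures, targets)) ** rounds

def pass_within(tries, pictures, targets, rounds=1):
    """Chance one client passes at least once before a `tries`-attempt lockout."""
    miss = 1 - blind_guess_rate(pictures, targets, rounds)
    return 1 - miss ** tries

def rounds_needed(pictures, targets, attempts, max_passes):
    """Fewest consecutive grids that keep the expected number of blind
    passes out of `attempts` tries at or below `max_passes`."""
    rounds = 1
    while attempts * blind_guess_rate(pictures, targets, rounds) > max_passes:
        rounds += 1
    return rounds

if __name__ == "__main__":
    # 3 kittens among 9 pictures, as described in the comment.
    print("single grid:", blind_guess_rate(9, 3))                 # 1/84
    print("3 tries before lockout:", float(pass_within(3, 9, 3)))
    # 1400 attempts per day is an assumed budget, borrowed from the
    # per-machine signup figure quoted in the story summary.
    print("expected passes/day:", float(1400 * blind_guess_rate(9, 3)))
    print("grids for <= 1 pass/day:", rounds_needed(9, 3, 1400, 1))
```
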
  • by pclminion ( 145572 ) on Tuesday April 15, 2008 @07:11PM (#23083648)

    I think I see a wonderful circle here. The basic problem is spam. It's a problem, because we can't seem to make a computer program which can reliably determine whether an email is spam.

    Wait a second. We can't make a computer program which can reliably tell if an email is spam. So that's your CAPTCHA right there -- present the user with a selection of emails, approximately half of which are spam, and ask them to identify which is which. Since computers are not good at this task (thus the entire problem!) it seems this would be the ideal challenge.

    What is absolutely wondrous about this, is that if the spammers try to solve this problem, what they will create is basically a program which can reliably distinguish spam from non-spam. No spammer would ever do that, because if that piece of miracle technology ever got out in the wild, it would render the spam problem obsolete.

  • Re:1-900 number (Score:2, Insightful)

    by febuiles ( 743020 ) on Tuesday April 15, 2008 @07:33PM (#23083880) Homepage Journal
    Internet's not only used in the US, remember that.
  • by Anonymous Coward on Tuesday April 15, 2008 @07:46PM (#23084022)
    Then maybe you should get a license to have kids... hell, let's license everything that people have problems with... I can see your world would be a much better place.
  • by tehniobium ( 1042240 ) <<kd.ua.fmi> <ta> <sakul>> on Tuesday April 15, 2008 @07:59PM (#23084128)

    If they tracked it to an IP (gee, 10.25.7.8.9 has registered 1400 accounts today!), now that I can see.

    Now that would be clever apart from the fact that these guys have botnets and therefore thousands of ips to use when creating accounts.

    Call me insane but I think the only long term solution we will ever find is manual moderation of account creation.

    The alternative would be creating a more restricted relation between ip and computer. That way the ip user could be held responsible OR made aware of his/her malware problem.
  • by kopo ( 890010 ) on Tuesday April 15, 2008 @08:07PM (#23084202)
    That's fine if you're presenting only spam emails as the CAPTCHA. But where would you get your corpus of legitimate emails? Pick a random existing user and show a message from his inbox?
    Something tells me this wouldn't quite work.
  • by Anonymous Coward on Tuesday April 15, 2008 @08:30PM (#23084398)
    Should we really hold back the entire Internet just for a small minority of the users? I really don't think so. I have no qualms with offering a limited version of the Internet to you and everyone else that is sight-impaired so that the rest of us can benefit from advances in technology.

    Sorry, I'm just being honest, and am not coddling you like other politically correct people. While I'm somewhat sympathetic to your problems, I just don't think you are so important that you should drag down the rest of us. We should try to accommodate you on a best-effort basis, and that's it.
  • by quanticle ( 843097 ) on Tuesday April 15, 2008 @08:44PM (#23084518) Homepage
    The issue with your solution is that it completely destroys the reliability of the e-mail system. The reason we use e-mail is because we are certain that the messages we send will arrive in a timely, reliable fashion. If you remove that guarantee, then why would anyone use e-mail?
  • Re:Awesome article (Score:2, Insightful)

    by Culture20 ( 968837 ) on Tuesday April 15, 2008 @09:10PM (#23084700)
    Canned response: you have spyware; you're not allowed to create an account on $FOO. Everyone wins, Google/Yahoo/Hotmail get slightly more secure, spambots are identified, and lusers eventually, after several failed attempts clean up their computing habits.
  • by Nightspirit ( 846159 ) on Tuesday April 15, 2008 @09:11PM (#23084702)
    I haven't had a piece of spam go into my inbox in Outlook in over a year, it seems to be doing a good enough job.
  • Re:Great (Score:3, Insightful)

    by timeOday ( 582209 ) on Wednesday April 16, 2008 @12:34AM (#23086160)
    To build on your point, a good captcha must not only be difficult to solve automatically, it must also be easy to generate automatically! The whole point is to increase the ratio of costs between attacker and defender as high as possible, akin to trapdoor functions in crypto.
  • by jmcnaught ( 915264 ) on Wednesday April 16, 2008 @02:03PM (#23093520) Homepage
    Wow... I'm guessing you're really young and naive perhaps? Maybe you're just not aware what a hateful message it is you've just posted.

    If a law were passed requiring business owners to install wheel-chair accessible ramps, does that count as the economy being dragged down? What about accessible bathrooms? Making websites accessible should be a lot easier than making mortar and brick spaces, so I don't really see what the big deal is.

    And what exactly do you mean by purged? Asphyxiation trucks.. or left to die on their own?

    Having "no respect whatsoever for those who just whine and try and get everyone to change to fit them" is a lot like saying that our society is perfect as it is and the criticism of those you perceive as weaker is invalid. Did you consider for a minute that the disabled you'd like to purge might have so much else to offer that even with the expense of accessibility factored in they bring a net benefit?
