
Windows Live Hotmail CAPTCHA Cracked, Exploited 362

eldavojohn passes along what may be the last nail in the coffin for CAPTCHA technology. Coming on the heels of credible accounts of the downfall of first Yahoo's and then Gmail's CAPTCHA, Ars Technica is reporting on Websense Security Labs' deconstruction of the cracking and tuning / exploitation of the Live Hotmail CAPTCHA. Ars calculates that a single zombie computer can sign up over 1400 Live Hotmail accounts in a day, and alternate account creation with spamming. Time to dust off Kitten Auth?
  • Awesome article (Score:5, Interesting)

    by kcbanner ( 929309 ) * on Tuesday April 15, 2008 @04:31PM (#23082152) Homepage Journal
    One of the best 'exploit' related articles I've seen on /. for a while. There is actual evidence, and actual screenshots of the exploit in action! No journalists here referring to "magic interweb programs". I wish there was more of this kind of stuff in the news; frankly I'm tired of articles full of statistics but nothing on the tech.
  • Don't need new auth (Score:5, Interesting)

    by Intron ( 870560 ) on Tuesday April 15, 2008 @04:34PM (#23082186)
    What we need is a reliable way of determining the age of an account. I would like to refuse mail from any account created less than a week ago. Same for domains. Maybe have a way for finding out that a domain has moved to 10 different IP addresses in the last year as a negative score in spamassassin.
  • Re:Great (Score:4, Interesting)

    by esocid ( 946821 ) on Tuesday April 15, 2008 @04:37PM (#23082230) Journal
    Here's an alternate [blogspot.com] site explaining it. (Sorry for the blog, but everywhere else redirects to pcspy.)
    If you're too lazy to click it, all it does is ask you to select the kittens from a grouping of photos of animals to verify you're human. Hey, maybe the Turing test could be implemented, then again I wonder how many humans would actually fail it.
  • by Idiomatick ( 976696 ) on Tuesday April 15, 2008 @04:55PM (#23082500)
    When a product is released you can usually assume it WILL be cracked. Why not use this for the good of all?

    I'm certain there are many things in the field of AI where human input is needed. Maybe image recognition or something. When a project is thought up, use THAT as the captcha. I'm sure captchas have helped propel text reading applications. I can barely read them sometimes; if they have been cracked, this code can be easily applied to text readers. Let's move on to something else.

    If it holds you win, if it gets cracked you win and switch projects.
  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Tuesday April 15, 2008 @05:09PM (#23082696)
    The point is to have different tactics to fight spam from different sources.

    With Hotmail (and Gmail and such), I allow them to skip a lot of the checks that other domains go through. There's no need to waste processor cycles or net queries on those domains themselves.

    Instead, they go straight to SpamAssassin where checks are run against ALL the addresses in the headers. And the content in the body. The mail admins at Hotmail and Gmail and such have a vested interest in reducing the spam in their systems. So simply rejecting the message at SMTP time should give them enough notice to shut down compromised accounts on their system.
  • by TimeTraveler1884 ( 832874 ) on Tuesday April 15, 2008 @05:26PM (#23082926)
    I know it's bad form to reply to myself, but I'm on a roll. I just tried recaptcha again and it's easy to change one letter or two and pass. I'm not sure why everyone thinks recaptcha is so great when there is a good chance it will pass if the word is similar (I would say OCR similar) to the word in the captcha.

    If you think about it, how could it know what the word really is? They are using the captcha to digitize books, which means they don't know exactly what the word is since they are not employing dedicated people to enter the word. So the captcha validation is only going to be as good as a first pass OCR scan.
  • 1-900 number (Score:4, Interesting)

    by Deathlizard ( 115856 ) on Tuesday April 15, 2008 @05:28PM (#23082964) Homepage Journal
    I'm actually surprised no one uses this. Google was close with their SMS registration, but this could work just as well.

    When you register, it gives you 2 easy to read captchas (a verification number and password, if you will), a simple picture and a 1-900 number that's $1.00 a call. When you dial it, it asks you to enter your verification number. Then it asks for the password, which you would have to decode from the phone (i.e. the password is vndka and you would have to enter 86352). Finally it asks you what the picture is and you would have to say it (if the picture is a cat, you would say Cat; the 1-900 number then says "did you say cat?", to which you say yes or no). If it's a cat you're registered; if not it says sorry, asks you to refresh your registration page to get a new challenge password and picture, and hangs up.

    The big advantage to this is it would be hard to script the phone conversation since you can change the prompt timing with random hold times and other voice information, and no spammer would want to pay the $1.00 a registration via script, especially if there's any chance the script could fail. Of course a problem with this is a bot using your PC to run up your phone bill, but it's not anything new in the spyware business since dialers have been around for years, and if they're already in your box dialing, they might as well skip spamming altogether and have you dial an offshore 1-900 in the middle of the night for $99.95 a minute.
  • Re:Kitten Auth (Score:1, Interesting)

    by Xogede ( 1064902 ) on Tuesday April 15, 2008 @06:02PM (#23083052)
    Thinking of it, why not let the user try to decide whether a message is spam or not (instead of a CAPTCHA)? If this could be done in cooperation with SpamAssassin in a way similar to ReCAPTCHA, it could greatly improve the filter's quality.
  • Re:Awesome article (Score:1, Interesting)

    by Anonymous Coward on Tuesday April 15, 2008 @06:24PM (#23083236)
    Ehm, sorry for attaching under the first (but unrelated) reply. IMO a temporary solution for CAPTCHA may be CAPTCHA x 3 (or something like this) and hard work to invent another (more accurate) scheme. If spammers rely on, say, a 1/4 chance of succeeding at a CAPTCHA, 3 consecutive quests means a 1/64 chance. You don't need a 100% chance to fend off a spammer. What you need is to make the cost of using your account by a spammer high enough. You may implement 2 x or 3 x CAPTCHA, and then find out some more efficient scheme. You may switch to an invitation-only scheme and then look for accounts generating too many spamming accounts and disable them. You may treat malicious account creations as ordinary spam and actively research / use hybrid techniques to fend off spammers (filtering accounts, just like spam itself).

    Google succeeded in filtering spam messages. I suppose that CAPTCHA was an overlook for them and they'll develop some more efficient scheme of filtering spam accounts creation.

    (BTW, Slashdot is also using CAPTCHA and pretends to be clever enough to require passing a quest to re-edit a message. What do you think, does it improve the overall process at all? If I were a spammer I wouldn't care about re-editing, I'd just send my spam again and again and would not use the 're-edit' button at all.)
  • Re:Invitations only (Score:1, Interesting)

    by Anonymous Coward on Tuesday April 15, 2008 @07:07PM (#23083614)
    Yep, but then you have an invite tree. Once you positively identify a spambot, you simply walk up and down the tree, banning everyone that matches a spambot behavior.
  • Re:Awesome article (Score:5, Interesting)

    by caramelcarrot ( 778148 ) on Tuesday April 15, 2008 @07:21PM (#23083752)
    Uh, so what's to stop google/MS/Yahoo just blocking each ip from signing up if it's having a high CAPTCHA failure rate, and attempting to create a large number of accounts in a short amount of time?
  • by Hal_Porter ( 817932 ) on Wednesday April 16, 2008 @12:30AM (#23086130)
    I'm sure you'll change your tune if something goes wrong with your senses.
  • Re:Awesome article (Score:3, Interesting)

    by terminal.dk ( 102718 ) on Wednesday April 16, 2008 @02:01AM (#23086646) Homepage
    It is not about failure rate, it is about # of accounts created. If more than 10 are created from a single IP address any day, then they could be supervised for correct behaviour (how are they used? Sending to each other is typical). If one of them is used to send spam, just de-activate all (or reset their passwords) created the same day from the same IP.

    The CAPTCHA makes it more difficult for the script kiddie to create many accounts. But the logic should be in fingerprinting the account instead.
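    A defender-side sketch of the per-IP sign-up batching terminal.dk describes above (and the burst-signup concern caramelcarrot raises), written as an added example rather than anything from this thread or from Hotmail/Gmail. The log format, IP addresses, account names and the rule that only an over-threshold batch is deactivated wholesale are assumptions.

    ```python
    from collections import defaultdict
    from datetime import datetime

    THRESHOLD = 10  # "more than 10 accounts from a single IP address any day" gets supervised

    # Constructed sample sign-up records, "<ISO timestamp> <ip> <account>"; not real data.
    SIGNUP_LOG = (
        [f"2008-04-15T10:{i:02d}:00 203.0.113.7 bulk{i:02d}" for i in range(12)]  # 12 in one day
        + ["2008-04-15T11:05:00 198.51.100.23 carol", "2008-04-15T18:40:00 198.51.100.23 dave"]
        + ["2008-04-16T08:00:00 203.0.113.7 bulk99"]  # next day, same IP: a separate batch
    )

    def parse_signups(lines):
        """Group sign-ups by (ip, calendar day); also map each account back to its batch."""
        batches = defaultdict(list)
        origin = {}
        for line in lines:
            ts, ip, account = line.split()
            key = (ip, datetime.fromisoformat(ts).date())
            batches[key].append(account)
            origin[account] = key
        return batches, origin

    def supervised_batches(batches, threshold=THRESHOLD):
        """Batches with more than `threshold` sign-ups: candidates for behavioural review."""
        return {key: accts for key, accts in batches.items() if len(accts) > threshold}

    def accounts_to_deactivate(spam_account, batches, origin, threshold=THRESHOLD):
        """Given one account caught spamming, list every account to deactivate.

        Assumed reading of the comment: if the spammer came from an over-threshold
        batch, the whole same-day/same-IP batch goes; otherwise only the spammer.
        """
        key = origin[spam_account]
        if len(batches[key]) > threshold:
            return sorted(batches[key])
        return [spam_account]

    if __name__ == "__main__":
        batches, origin = parse_signups(SIGNUP_LOG)
        for (ip, day), accts in supervised_batches(batches).items():
            print(f"supervise {len(accts)} accounts from {ip} on {day}")
        print("deactivate:", accounts_to_deactivate("bulk03", batches, origin))  # whole batch
        print("deactivate:", accounts_to_deactivate("carol", batches, origin))   # just carol
    ```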
