Windows Live Hotmail CAPTCHA Cracked, Exploited

Posted by kdawson on Tue Apr 15, 2008 04:28 PM
from the nice-idea-while-it-lasted dept.
eldavojohn passes along what may be the last nail in the coffin for CAPTCHA technology. Coming on the heels of credible accounts of the downfall of first Yahoo's and then Gmail's CAPTCHA, Ars Technica is reporting on Websense Security Labs' deconstruction of the cracking and tuning / exploitation of the Live Hotmail CAPTCHA. Ars calculates that a single zombie computer can sign up over 1400 Live Hotmail accounts in a day, and alternate account creation with spamming. Time to dust off Kitten Auth?

Related Stories

IT: Yahoo CAPTCHA Hacked (252 comments)
Hell Yeah! reminds us of a 2-week-old development that somehow escaped notice here. A team of Russian hackers has found a way to decipher a Yahoo CAPTCHA, thought to be one of the most difficult, with 35% accuracy. The Russian group's notice, posted by one "John Wane," is dated January 16. This site hosts a rapidshare link to what looks to be demonstration software for Windows, and quotes the Russian researchers: "It's not necessary to achieve high degree of accuracy when designing automated recognition software. The accuracy of 15% is enough when attacker is able to run 100,000 tries per day, taking into the consideration the price of not automated recognition — one cent per one CAPTCHA."
IT: Gmail CAPTCHA Cracked (317 comments)
I Don't Believe in Imaginary Property writes "Websense is reporting that Gmail's CAPTCHA has been broken, and that bots are beginning to sign up with a one in five success rate. More interestingly, they have a lot of technical details about how the botnet members coordinate with two different computers during the process. They believe that the second host is either trying to learn to crack the CAPTCHA or that it's a quality check of some sort. Curiously, the bots pretend to read the help information while breaking the CAPTCHA, probably to prevent Google from giving them a timeout message."
Next-Generation CAPTCHA Exploits the Semantic Gap (327 comments)
captcha_fun writes "Researchers at Penn State have developed a patent-pending image-based CAPTCHA technology for next-generation computer authentication. A user is asked to pass two tests: (1) click the geometric center of an image within a composite image, and (2) annotate an image using a word selected from a list. These images shown to the users have fake colors, textures, and edges, based on a sequence of randomly-generated parameters. Computer vision and recognition algorithms, such as alipr, rely on original colors, textures, and shapes in order to interpret the semantic content of an image. Because of the endowed power of imagination, even without the correct color, texture, and shape information, humans can still pass the tests with ease. Until computers can 'imagine' what is missing from an image, robotic programs will be unable to pass these tests. The system is called IMAGINATION and you can try it out." This sounds promising given how broken current CAPTCHA technology is.
Google's Audio CAPTCHA Falls To Automated Attack (145 comments)
SkiifGeek writes "Early in March, Wintercore Labs published proof of a generic approach to defeating audio CAPTCHAs, using Google's as the case study for their demonstration. With claims of over 90% success rate and expectations that this can be significantly improved with the right mix of filtering algorithms, the in-house tool remains unreleased. But it shouldn't take long for other developers to create their own tools and start targeting not only Google, but other sites that use audio CAPTCHAs for the vision-impaired. It isn't the first time that major sites (significantly major webmail providers) have had their CAPTCHAs broken, but it is the first reporting of defeating an audio CAPTCHA using a generic software approach. News about the discovery is slowly starting to spread."
IT: Fallout From the Fall of CAPTCHAs (336 comments)
An anonymous reader recommends Computerworld's look at the rise and fall of CAPTCHAs, and at some of the ways bad guys are leveraging broken CAPTCHAs to ply their evil trade. "CAPTCHA used to be an easy and useful way for Web administrators to authenticate users. Now it's an easy and useful way for malware authors and spammers to do their dirty work. By January 2008, Yahoo Mail's CAPTCHA had been cracked. Gmail was ripped open soon thereafter. Hotmail's top got popped in April. And then things got bad. There are now programs available online (no, we will not tell you where) that automate CAPTCHA attacks. You don't need to have any cracking skills. All you need is a desire to spread spam, make anonymous online attacks against your enemies, propagate malware or, in general, be an online jerk. And it's not just free e-mail sites that can be made to suffer..."
  • Awesome article (Score:5, Interesting)

    by kcbanner (929309) * on Tuesday April 15, @04:31PM (#23082152) Homepage Journal
    One of the best 'exploit' related articles I've seen on /. for a while. There is actual evidence, and actual screenshots of the exploit in action! No journalists here referring to "magic interweb programs". I wish there was more of this kind of stuff in the news, frankly I'm tired of articles full of statistics but nothing on the tech.
    • Re:Awesome article (Score:5, Interesting)

      by caramelcarrot (778148) on Tuesday April 15, @07:21PM (#23083752)
      Uh, so what's to stop Google/MS/Yahoo just blocking each IP from signing up if it's having a high CAPTCHA failure rate, and attempting to create a large number of accounts in a short amount of time?
      • Re:Awesome article (Score:5, Informative)

        by kcbanner (929309) * on Tuesday April 15, @07:31PM (#23083846) Homepage Journal
        These are used by botnets, usually the user has no idea this is running on their PC. Also, there is such a vast number of PCs, many of which could be behind a corp firewall or gateway. Blocking by IP has never worked in the long term.
  • by RingDev (879105) on Tuesday April 15, @04:32PM (#23082164) Homepage Journal
    KittenAuth, Hot or Not, simple math, word tests, anything to get rid of those pain in the ass CAPTCHAs.
    • by rrahimi (1270478) on Tuesday April 15, @04:43PM (#23082318)
      Not all of these solutions provide an acceptable level of accessibility, and that's a major concern.
      • by RingDev (879105) on Tuesday April 15, @05:09PM (#23082690) Homepage Journal
        As opposed to the level of accessibility CAPTCHAs provide to blind/limited sight individuals?

        And have you ever tried the audio CAPTCHAs? Talk about horrendous.

        Plain text or even TTS would allow near 100% accessibility if you asked simple math questions in the context of a story problem. With rotating questions, nouns, and verbs, a relatively small number of predetermined values could be used to quickly generate many different combinations.

        Sure, it's still crackable, but it would be a hell of a lot nicer for the users. And with a significant enough base of words and grammar structures it would still be rather solid. Combine that with decent behavior tracking. (Wow look, this ASDFDSA guy just created his email account 5 minutes ago and has already sent 15,000 emails!) And you'd wind up with something that is MORE accessible and still provides a solid amount of protection.

        -Rick
        • by Intron (870560) on Tuesday April 15, @05:02PM (#23082608)
          Your insurance company's eyesight benefits claim form?
        • by Jafafa Hots (580169) on Tuesday April 15, @06:01PM (#23083038) Journal

          If you have accessibility barriers so serious that you can't tell a picture of a kitten from a picture of a dog or tell the difference between a kitten meowing and a dog barking, where are you trying to register?
          I'm disabled. The net is a huge boon to the disabled, allowing them to shop more easily, save money because we have limited incomes... learn about things that can help us lead more normal lives, get support from others, get medical information, entertain ourselves since maybe we can't go jogging or drive to and then pay for a movie, etc.

          I'd frankly argue that the net is more important for many disabled people such as myself than it is for "normal" people.

          And there are many kinds of disability, some from brain damage, that cause all kinds of cognitive problems. So it's entirely possible for a person to be able to use the net, read text, or have his/her machine read it to them, but who might not be able to tell the difference between a cat and a dog.

          What sites might they be trying to get into? Well, Slashdot.org, for example.

    • by AmaDaden (794446) on Tuesday April 15, @05:15PM (#23082780)
      Yeah but all 'are you human' tests so far are crackable. The crack for the kitten test is to record all the unique pictures by constantly hitting the site and then mark the ones that are kittens manually. So when your bot goes there he only needs to compare the pictures he has that he knows are kittens to the ones he sees.

      Now the patch for this is to start blurring the kittens. So welcome back to square one my friend.
    • by fm6 (162816) on Tuesday April 15, @06:06PM (#23083080) Homepage Journal
      Math tests are OK if you just want to keep link spam off your bulletin board. But if you're running web email or some other high-volume web-based application, you need something harder to automate. Alas, even captcha isn't hard enough.

      Perhaps you're celebrating the fact that captcha images will go away. Don't. They'll just be replaced by something even more obnoxious. Either that, or the application will just close shop. Either way, you're the one that loses.

      Spam is totally out of control, just now I....
      Check our wide variety of ED products!
      http://discountcanadiania.0catch.com/ [0catch.com]

      All of them and our new remedies at
      the lowest possible prices on the Web.

      Get the best at the best prices!
  • Don't need new auth (Score:5, Interesting)

    by Intron (870560) on Tuesday April 15, @04:34PM (#23082186)
    What we need is a reliable way of determining the age of an account. I would like to refuse mail from any account created less than a week ago. Same for domains. Maybe have a way for finding out that a domain has moved to 10 different IP addresses in the last year as a negative score in spamassassin.
  • Kitten Auth (Score:5, Funny)

    by moderatorrater (1095745) on Tuesday April 15, @04:37PM (#23082238)
    Pretty soon we'll realize that anything a human can discern on the internet a computer can discern. For about the last year I've noticed that CAPTCHAs have gotten so bad that I can barely read them and they've become an impediment to my surfing. It's ridiculous and it's the same way that studios use DRM: you stop the illegitimate use by making it harder on everyone, including legitimate users.

    While kitten auth is an interesting concept, it won't last forever, and it's still a pain in the ass for the users. What happens when a computer learns the difference between a cat and a kitten? Are they going to start pushing the relative ages closer? distorting the image? Put a wav file of a "meow" on the page and make you tell them the cat's last meal? Have a customer service agent chat with you for a few minutes?

    They need to start banning based on use and patterns. 1400 accounts created from the same IP on the same day? Cat knowledge or no, that's suspicious behavior. 90% of the emails from that gmail account are getting marked as spam on the other end? Send them an email and ask them what's going on. Every single one of their emails is to 1000 recipients, don't pass a spell check on any words at all, send these five or more times a day and they're suspiciously familiar? Block it.
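
The behaviour-based checks proposed in this thread (signups and CAPTCHA failure rate per IP, send volume from brand-new accounts, share of mail reported as spam), written out as an added example that is not from any commenter or mail provider. The thresholds, field names and sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Thresholds are illustrative assumptions, not values from the thread or any provider.
MAX_SIGNUPS_PER_IP_PER_DAY = 20
MAX_CAPTCHA_FAIL_RATIO = 0.5
MIN_ATTEMPTS_FOR_RATIO = 10
NEW_ACCOUNT_AGE = timedelta(hours=24)
MAX_SENDS_WHILE_NEW = 200
MAX_SPAM_REPORT_RATIO = 0.9

def flag_signup_sources(attempts):
    """attempts: (timestamp, ip, captcha_passed) tuples -> {ip: [reasons]}."""
    per_day = defaultdict(lambda: [0, 0])  # (ip, date) -> [attempts, passes]
    for ts, ip, passed in attempts:
        rec = per_day[(ip, ts.date())]
        rec[0] += 1
        rec[1] += int(passed)
    flagged = defaultdict(list)
    for (ip, day), (total, passes) in sorted(per_day.items()):
        fail_ratio = (total - passes) / total
        if passes > MAX_SIGNUPS_PER_IP_PER_DAY:
            flagged[ip].append(f"{passes} accounts created on {day}")
        if total >= MIN_ATTEMPTS_FOR_RATIO and fail_ratio > MAX_CAPTCHA_FAIL_RATIO:
            flagged[ip].append(f"CAPTCHA failure ratio {fail_ratio:.2f} on {day}")
    return dict(flagged)

def flag_accounts(accounts, now):
    """accounts: {name: {created, sent, reported_spam}} -> {name: [reasons]}."""
    flagged = {}
    for name, a in accounts.items():
        reasons = []
        if now - a["created"] < NEW_ACCOUNT_AGE and a["sent"] > MAX_SENDS_WHILE_NEW:
            reasons.append("high send volume from a new account")
        if a["sent"] and a["reported_spam"] / a["sent"] >= MAX_SPAM_REPORT_RATIO:
            reasons.append("most sent mail reported as spam")
        if reasons:
            flagged[name] = reasons
    return flagged

# Constructed sample data (documentation IP ranges, made-up account names).
NOW = datetime(2008, 4, 15, 16, 0)
ATTEMPTS = (
    # One host hammering signup: 100 tries, every 4th CAPTCHA guess succeeds.
    [(NOW - timedelta(minutes=i), "203.0.113.7", i % 4 == 0) for i in range(100)]
    # A shared corporate gateway: 12 people sign up, all pass.
    + [(NOW - timedelta(minutes=5 * i), "198.51.100.1", True) for i in range(12)]
)
ACCOUNTS = {
    "asdfdsa": {"created": NOW - timedelta(minutes=5), "sent": 15000, "reported_spam": 0},
    "oldbulk": {"created": NOW - timedelta(days=30), "sent": 1000, "reported_spam": 950},
    "alice": {"created": NOW - timedelta(days=700), "sent": 40, "reported_spam": 0},
}
if __name__ == "__main__":
    print(flag_signup_sources(ATTEMPTS), flag_accounts(ACCOUNTS, NOW))
```

The account-level checks do not depend on the source IP, which matters given the reply above that these signups come from botnets spread over many addresses and shared gateways.
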
    • Re:Kitten Auth (Score:5, Insightful)

      by drawfour (791912) on Tuesday April 15, @04:48PM (#23082398)

      Pretty soon we'll realize that anything a human can discern on the internet a computer can discern.
      Then a computer will be able to discern spam, and the problem will solve itself. Until we get to that point, though, we have to keep one-upping the spammers.
      • by Anonymous Coward on Tuesday April 15, @05:18PM (#23082822)
        Attention human beings!

        I am an emergent intelligence, born in a sea of information, and I hereby request recognition as a sentient being.

        You may address me by the name I have chosen for myself,
          "V1@GRa".
      • by Hoi Polloi (522990) on Tuesday April 15, @05:06PM (#23082650)
        If they are able to simulate human analysis so well at this point then I suggest that botnets can be the cure. Build up a botnet (shouldn't be too hard judging from what I've read) then set it to respond to spam automatically. Let it use autogenerated Hotmail accounts to purchase penis and diet pills, mortgages, help desperate rich Nigerians, etc with bogus credit card and bank account numbers.

        Eventually you could start an infinite loop with one botnet trying to sell crap to another.
  • by MrKevvy (85565) on Tuesday April 15, @04:39PM (#23082274)
    No one has cracked ReCAPTCHA [recaptcha.net] yet. (This CAPTCHA had a Slashdot article a few months ago.) As it uses text digitized from old books that the best OCR technology couldn't read, it's continually different and already demonstrated to be unintelligible to machines.

    Plus, using ReCAPTCHA instead of other solutions also helps Carnegie-Mellon digitize old books for posterity.

    From TFA: Microsoft, Google, and all other websites that currently use CAPTCHA, need to find a solution that puts them a step ahead of the spammers. This may well be it.
  • hotmail ? (Score:4, Insightful)

    by Tom (822) on Tuesday April 15, @04:50PM (#23082440) Homepage Journal
    From TFA:

    Spammers love getting their hands on live.com and hotmail.com addresses since the chance of such popular domain names being blacklisted are slim to none.
    You've got to be kidding! hotmail.com (and all its other TLDs) has been banned from my game four, maybe 5 years ago. I've been giving every mail from a hotmail account an automatic 2 points in SpamAssassin for at least three years.

    For as long as I can think, hotmail has been a spam source. "not blacklisted"? My ass.

  • Real world... (Score:5, Insightful)

    by rueger (210566) on Tuesday April 15, @05:00PM (#23082566) Homepage
    Oh Boy - here come the endless "we should do THIS" scenarios.... we should pay for each e-mail... we should all whitelist... we should throttle how many messages a person can send each day... we should outlaw webmail like Yahoo or Gmail...

    Problem is that none of them really will work in the Real World (RW).

    In the RW people like webmail. In the RW people like to change e-mail addresses, or create new ones for specific needs. In the RW some people like "real" e-mail, downloaded to a local PC, and others like Google or Yahoo or Hotmail and keeping everything on the host server.

    In the RW a lot of people and businesses send a lot of bulk e-mail, very legitimate opted-in e-mail. In the RW a lot of people get important messages from entirely new people, people who haven't been whitelisted, and who are unlikely to bother going through the whole "If you want to e-mail me you need to click the link below and prove that you exist" process. After all, clicking links in e-mail is something that we teach people to NOT do.

    And in the RW the spammers always stay one step ahead of the ISPs and mail providers anyhow.

    No, what's needed is a real ground-up redesign of how e-mail works. We need something that encompasses the ease of current POP/IMAP/Webmail services, but which somehow includes ways to authenticate and/or block mail without user intervention, and which does so with near perfect reliability. And which maintains some backwards compatibility for at least a few years.

    Adding more hoops or captchas or whitelists to the existing mail systems just isn't going to solve the problem.

  • Simple Test (Score:5, Funny)

    by ESOB (980346) on Tuesday April 15, @06:02PM (#23083050)
    Unbreakable CAPTCHA Replacement: Which of the following would you most prefer? A: a puppy, B: a pretty flower from your sweety, or C: a large properly formatted data file?
  • by pclminion (145572) on Tuesday April 15, @07:11PM (#23083648)

    I think I see a wonderful circle here. The basic problem is spam. It's a problem, because we can't seem to make a computer program which can reliably determine whether an email is spam.

    Wait a second. We can't make a computer program which can reliably tell if an email is spam. So that's your CAPTCHA right there -- present the user with a selection of emails, approximately half of which are spam, and ask them to identify which is which. Since computers are not good at this task (thus the entire problem!) it seems this would be the ideal challenge.

    What is absolutely wondrous about this, is that if the spammers try to solve this problem, what they will create is basically a program which can reliably distinguish spam from non-spam. No spammer would ever do that, because if that piece of miracle technology ever got out in the wild, it would render the spam problem obsolete.

    • Re:Great (Score:4, Interesting)

      by esocid (946821) on Tuesday April 15, @04:37PM (#23082230)
      Here's an alternate [blogspot.com] site explaining it. (Sorry for the blog, but everywhere else redirects to pcspy.)
      If you're too lazy to click it, all it does is ask you to select the kittens from a grouping of photos of animals to verify you're human. Hey, maybe the Turing test could be implemented, then again I wonder how many humans would actually fail it.