CyberInsecure.com

April 14th, 2008

High Success Rate Breaking Hotmail CAPTCHAs

Researchers from Newcastle University in the UK have devised a novel and inexpensive way of cracking Microsoft's Windows Live (Hotmail) CAPTCHAs with a success rate of more than 60 percent, a finding that further exposes weaknesses in a key measure meant to keep miscreants from mass-registering accounts on free online services. Using custom-written software, a standard desktop computer correctly read the characters more than 60 percent of the time. Microsoft's design goal was that automated scripts should succeed no more than 0.01 percent of the time, so the attack beats that target by a factor of several thousand.

Attacks on CAPTCHAs deployed by Microsoft, Google and Yahoo are nothing new, but the latest research shows marked progress in breaking such protections. A CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a challenge meant to distinguish humans from software; most deployments ask the user to type the letters shown in a deliberately distorted image that optical character recognition software is expected to misread.

In many earlier attacks, such as one against Hotmail that Websense observed in February, it was unclear whether the CAPTCHA images were being read by cheap human labor rather than by code, and in any case the scripts succeeded no more than 35 percent of the time. Websense observed similar attacks on Gmail that succeeded only about 20 percent of the time. A Google software engineer contends those attacks are being carried out by workers in Russian sweatshops.

In January, researchers reported successfully cracking Yahoo’s Captcha. Yahoo updated its Captcha last month to make it more resistant to attack.

A more recent attack observed by Websense makes similar strides. Scripts obtained by the company's researchers answered a CAPTCHA challenge in about six seconds, leading them to conclude that the recognition was happening automatically rather than relying on a human being.

The Newcastle researchers took a decidedly different approach: they found a way to isolate each of the eight characters that make up a Hotmail CAPTCHA image. Microsoft's so-called segmentation-resistant design blends the characters into one another specifically so that software cannot cut the image into individual glyphs before running optical character recognition, so defeating it was the major accomplishment. Once the image was segmented, which usually took about 80 milliseconds on a PC with a Core 2 processor and 2 GB of RAM, the machine could read the individual characters with ease.
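The segment-then-recognize pipeline described above, shown as an added example that is not from the Newcastle paper, from Microsoft or from this site: a constructed eight-glyph bitmap in which two glyphs are welded together by a thin bridge (a crude stand-in for the blending that makes the real CAPTCHA segmentation-resistant) plus two noise specks is cut into one span per character using connected components, a median estimate of glyph width and a thinnest-column cut for blobs that are too wide to be one glyph. The bitmap, the noise threshold, the 1.5x width tolerance and the cut heuristic are all assumptions for illustration; the page does not describe the researchers' actual method, and the recognition stage that would consume the cropped glyphs is omitted.

```python
from collections import deque
from statistics import median

HEIGHT, WIDTH = 12, 55  # constructed toy bitmap: 1 = ink, 0 = background


def draw_rect(img, r0, r1, c0, c1):
    """Fill an inclusive rectangle of the bitmap with ink."""
    for r in range(r0, r1 + 1):
        for c in range(c0, c1 + 1):
            img[r][c] = 1


def make_sample():
    """Constructed sample (an assumption for this example, not a real Hotmail
    image): eight block glyphs, the 3rd and 4th joined by a one-pixel-high
    bridge so they form a single connected blob, plus two stray noise specks."""
    img = [[0] * WIDTH for _ in range(HEIGHT)]
    glyph_cols = [(1, 5), (8, 12), (15, 19), (22, 26),
                  (29, 33), (36, 40), (43, 47), (50, 54)]
    for c0, c1 in glyph_cols:
        draw_rect(img, 2, 9, c0, c1)
    draw_rect(img, 5, 5, 20, 21)   # bridge welding glyph 3 to glyph 4
    img[0][7] = 1                  # isolated noise pixels
    img[11][28] = 1
    return img


def connected_components(img):
    """8-connected flood fill; returns one list of (row, col) pixels per blob."""
    h, w = len(img), len(img[0])
    seen = [[False] * w for _ in range(h)]
    comps = []
    for r in range(h):
        for c in range(w):
            if not img[r][c] or seen[r][c]:
                continue
            pixels, queue = [], deque([(r, c)])
            seen[r][c] = True
            while queue:
                y, x = queue.popleft()
                pixels.append((y, x))
                for dy in (-1, 0, 1):
                    for dx in (-1, 0, 1):
                        ny, nx = y + dy, x + dx
                        if 0 <= ny < h and 0 <= nx < w and img[ny][nx] and not seen[ny][nx]:
                            seen[ny][nx] = True
                            queue.append((ny, nx))
            comps.append(pixels)
    return comps


def split_wide(seg, profile, char_w):
    """Recursively cut a segment that is too wide to be one glyph at its
    thinnest interior column (least ink), the classic heuristic for touching
    characters. The 1.5x tolerance and half-width margins are assumptions."""
    start, end = seg
    if end - start + 1 <= 1.5 * char_w:
        return [seg]
    lo, hi = start + char_w // 2, end - char_w // 2
    cut = min(range(lo, hi + 1), key=lambda c: profile[c])
    return split_wide((start, cut - 1), profile, char_w) + split_wide((cut, end), profile, char_w)


def segment(img, min_area=4):
    """Return inclusive (first_col, last_col) spans, one per character, left to right."""
    blobs = [p for p in connected_components(img) if len(p) >= min_area]  # drop specks
    blobs.sort(key=lambda p: min(x for _, x in p))
    boxes = []
    for pixels in blobs:
        profile = [0] * len(img[0])           # ink per column for this blob only
        for _, x in pixels:
            profile[x] += 1
        cols = [x for _, x in pixels]
        boxes.append(((min(cols), max(cols)), profile))
    # Typical single-glyph width: the median is robust to a few merged blobs.
    char_w = int(median(hi - lo + 1 for (lo, hi), _ in boxes))
    segments = []
    for box, profile in boxes:
        segments.extend(split_wide(box, profile, char_w))
    return segments


def crop(img, seg):
    """Cut one character's columns out of the bitmap for the recognizer stage."""
    lo, hi = seg
    return [row[lo:hi + 1] for row in img]


if __name__ == "__main__":
    sample = make_sample()
    segs = segment(sample)
    print(len(segs), "characters:", segs)
    for row in crop(sample, segs[3]):
        print("".join("#" if px else "." for px in row))
```

On the constructed bitmap the flood fill finds nine blobs, the area filter discards the two specks, and the merged third-and-fourth glyph (twelve columns wide against a median glyph width of five) is cut at the one-pixel bridge, yielding eight spans. Real Hotmail images defeat this naive profile cut by overlapping glyphs with no thin point, which is why the Newcastle segmentation result matters; the expensive part of the pipeline is the cut, not the per-glyph recognition that follows.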
