Attacks/Breaches
10/17/2013
11:16 AM
Forget Captcha, Try Inkblots

Researchers propose using an inkblot-matching scheme, dubbed Gotcha, to defeat dictionary-based hacks of the Captcha system.

Psychoanalysis fans, rejoice: You might soon be able to log in to websites using inkblots. So goes the pitch for a new password mechanism developed by researchers at Carnegie Mellon University.

The three researchers have dubbed their new system Gotchas -- for Generating panOptic Turing Tests to Tell Computers and Humans Apart -- which, according to a summary of their research, boils down to "a randomized puzzle generation protocol, which involves interaction between a computer and a human." They're scheduled to present a related paper, "Gotcha Password Hackers!", at the 2013 ACM Workshop on Artificial Intelligence and Security (AISec) next month in Berlin.

Here's how a Gotcha works: First, an inkblot is generated, and the user is asked to enter a text description of it. The site then stores both the inkblot and the description. Whenever the user returns, the site displays the inkblot again and asks the user to recognize their own earlier description from among several possible choices.

Information security researchers have already tested inkblots -- which of course recall the Swiss Freudian psychiatrist and psychoanalyst Hermann Rorschach's pioneering, eponymous work -- as an authentication mechanism. But previous approaches forced users to recall the exact phrase they'd first used to describe the stored inkblot, which created a usability challenge, the Carnegie Mellon researchers argued. By comparison, the construction of their system "relies on the usability assumption that users can recognize the phrases that they originally used to describe each inkblot image," they said.


One use for Gotcha would be to prevent attackers from grabbing password files from servers, then cracking them offline, which continues to be a pervasive problem. "Any adversary who has obtained the cryptographic hash of a user's password can mount an automated brute-force attack to crack the password by comparing the cryptographic hash of the user's password with the cryptographic hashes of likely password guesses," the researchers said in their paper. "This attack is called an offline dictionary attack, and ... [such attacks] are -- unfortunately -- powerful and commonplace." Indeed, numerous companies, including Gawker, LinkedIn, Sony and Zappos, have seen their users' passwords compromised in this manner.

By using Gotchas, businesses could "mitigate the threat of offline dictionary attacks against passwords by ensuring that a password cracker must receive constant feedback from a human being while mounting an attack," the researchers said. In other words, even if attackers recovered usernames and passwords via an offline dictionary attack, they'd still need a human to manually handle one or more Gotcha challenges before gaining access to any given account. From an economic standpoint, such attacks likely wouldn't be worth an attacker's time.

[Image: inkblot. Caption: New inkblot test?]

As the name Gotcha suggests, the proposed new system might also serve as a replacement for the reviled Captcha tests currently employed by many sites as a challenge-response mechanism. Captcha -- based on the word "capture" -- is an acronym for Completely Automated Public Turing test to tell Computers and Humans Apart. The technique, likewise developed at Carnegie Mellon, but back in 2000, was intended to allow a computer to tell if it was dealing with a human or another machine.

Since its debut, the Captcha has become a standard challenge-response system for everything from ticket-buying sites to online comment boxes. The underlying goal has always been to make the puzzles easy for real people to solve, and difficult -- if not impossible -- for a computer to conquer. Unfortunately, however, spam syndicates and online criminals keep improving their ability to bypass Captchas, in some cases by designing more automated attack tools, and in other cases by tricking people into solving a site's Captchas for them, for example by offering free porn.

Will the new Gotcha system be stronger than the Captcha that people have come to know and despise? To test that possibility, the Carnegie Mellon researchers have issued an open call to security researchers to try to break their inkblot-matching Gotcha construction techniques via their Gotcha Challenge website. "The goal of this challenge is to see if artificial intelligence techniques can be applied to attack our Gotcha construction," they said.

Participants can download five files associated with passwords generated using Gotcha's inkblot-generating techniques. Depending on how well those password files hold up to cracking, website users might soon be describing inkblots. The psychoanalysis is optional.

Comments
Mathew,
User Rank: Apprentice
10/22/2013 | 10:10:19 AM
re: Forget Captcha, Try Inkblots
Great question, Terry, apologies if I didn't make that clearer. The short answer is (pulling from the related study):

To generate a challenge the computer first generates 10 inkblot images. The user then provides labels for each image (e.g., evil clown, big frog). During authentication the challenge is to match each inkblot image with the corresponding label.

Under the system proposed by the researchers, anyone who provides a username and password correctly, the first time, will only see one Gotcha, and then have to match that image with one of 10 responses which the user himself has already written. If he fails to match the response correctly, then the challenge/response system starts escalating. For example, maybe he'd see more Gotchas, be required to enter a "secret" word or experience timeouts that tell him to try again later.

The goal here isn't to block any one attack, per se, but to slow down attackers and arrest automated attacks. Making "breaking and entering" a manual effort could dissuade anyone who's harvested a site's credentials en masse -- for example by stealing its entire user database -- from bothering with a large-scale attack. Likewise, anyone who wanted to run automated scripts that buy tickets en masse (from Ticketmaster) to resell for a higher price would find blocks against that automation.

The researchers' study also makes some great points about how else their approach -- making illicit account access a manual endeavor -- might be applied. For example, they note that having a challenge-response system based on movie ratings (perhaps a few pairs of "which one is better than the other for you?") might also provide a relatively easy (for users) but tough (for attackers to easily/quickly bypass) way to further verify users' identities.

Just as with encrypting passwords, creating a system that creates a delay of a few seconds for any operation or account access will typically be tolerated by an individual end user, but anathema to an attacker, who wants to operate at scale.
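The article says a password cracker working from a stolen hash "must receive constant feedback from a human being," and the comment above describes the 10-inkblot matching step. The following is an added toy model, not the researchers' construction or code, that shows how those two fit together. It assumes (as a simplification) that the inkblots are derived deterministically from the password and a salt, that the user's ten labels are stored in shuffled order, and that the stored verifier is a PBKDF2 hash over the password together with the user's matching answer; the inkblot "images" are stand-in 64-bit seeds, the phrases and the round count are constructed values, and SimulatedUser is a hypothetical stand-in for a person who recognizes their own labels.

```python
"""Toy model of a Gotcha-style login (added example, not the paper's scheme).

A password guess can only be checked against the stored verifier once someone
has matched the inkblots to the phrases the user wrote at enrollment.
"""
import hashlib
import hmac
import math
import random
import secrets

INKBLOT_COUNT = 10
PBKDF2_ROUNDS = 50_000  # constructed value; a real deployment would tune this


def derive_inkblots(password, salt):
    """Derive INKBLOT_COUNT inkblot seeds from password + salt.

    A real system would render images from these seeds; here the seed itself
    stands in for the picture the human would look at.
    """
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    rng = random.Random(key)
    return [rng.getrandbits(64) for _ in range(INKBLOT_COUNT)]


def bind(password, salt, permutation):
    """Verifier that ties the password to the user's matching answer."""
    msg = password.encode() + bytes(permutation)
    return hashlib.pbkdf2_hmac("sha256", msg, salt, PBKDF2_ROUNDS)


def enroll(password, describe):
    """Enrollment: human labels each inkblot; labels are stored shuffled."""
    salt = secrets.token_bytes(16)
    blots = derive_inkblots(password, salt)
    labels = [describe(seed) for seed in blots]
    if len(set(labels)) != len(labels):
        raise ValueError("labels must be distinct so a match is unambiguous")
    shuffled = labels[:]
    random.SystemRandom().shuffle(shuffled)
    # For each inkblot, the index of its own label in the shuffled list.
    permutation = [shuffled.index(label) for label in labels]
    return {"salt": salt, "labels": shuffled,
            "verifier": bind(password, salt, permutation)}


def authenticate(record, password, match):
    """Login: regenerate inkblots from the offered password, ask the human to
    match each one to a stored phrase, then check the bound verifier."""
    blots = derive_inkblots(password, record["salt"])
    permutation = [match(seed, record["labels"]) for seed in blots]
    candidate = bind(password, record["salt"], permutation)
    return hmac.compare_digest(candidate, record["verifier"])


def machine_only_cost(dictionary_size):
    """Verifier evaluations an offline cracker needs with no human in the loop:
    every permutation of the stored labels, for every dictionary guess."""
    return dictionary_size * math.factorial(INKBLOT_COUNT)


class SimulatedUser:
    """Hypothetical user: remembers the phrase written for each inkblot seen at
    enrollment and guesses at random when shown an unfamiliar blot."""
    PHRASES = ["evil clown", "big frog", "two dancers", "a moth", "crab claws",
               "spilled coffee", "an owl", "a bat", "a mask", "a rocket"]

    def __init__(self):
        self.memory = {}
        self.rng = random.Random(7)  # constructed, for repeatable guessing

    def describe(self, seed):
        label = self.PHRASES[len(self.memory)]
        self.memory[seed] = label
        return label

    def match(self, seed, labels):
        if seed in self.memory:
            return labels.index(self.memory[seed])
        return self.rng.randrange(len(labels))


if __name__ == "__main__":
    user = SimulatedUser()
    rec = enroll("correct horse", user.describe)
    print("right password:", authenticate(rec, "correct horse", user.match))
    print("wrong password:", authenticate(rec, "wrong guess", user.match))
    print("offline cost for 1000 guesses, no human:", machine_only_cost(1000))
```

A wrong password regenerates different inkblots, so even a cooperative human cannot produce a matching answer, and the verifier check fails. The point the article makes appears in machine_only_cost: without a human, each dictionary guess multiplies by 10! permutations, and with a human, each guess costs a round of manual matching.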
TerryB,
User Rank: Ninja
10/18/2013 | 5:26:21 PM
re: Forget Captcha, Try Inkblots
I must be missing something on Gotcha. If they present a list of possible answers (say 10 for example), doesn't anyone have a 1 in 10 chance of guessing right? And of course in 10 tries max you'd be in. Obviously it must be more sophisticated than the way it was described above.
MarciaNWC,
User Rank: Apprentice
10/18/2013 | 3:09:41 PM
re: Forget Captcha, Try Inkblots
Anything that could possibly be an improvement on Captcha would be welcome.
rogledi,
User Rank: Apprentice
10/18/2013 | 2:13:00 PM
re: Forget Captcha, Try Inkblots
Let's remove the concept of captcha.

http://keypic.com is a good way to do it!
David F. Carr,
User Rank: Apprentice
10/18/2013 | 1:51:22 PM
re: Forget Captcha, Try Inkblots
Sounds like a plot to build a deeper psychological profile of website visitors and then market to them better. That's my conspiracy theory for today, at any rate.
Thomas Claburn,
User Rank: Moderator
10/17/2013 | 8:09:11 PM
re: Forget Captcha, Try Inkblots
No, of course everyone sees that. That's why inkblots promise superior security.
OtherJimDonahue,
User Rank: Apprentice
10/17/2013 | 7:34:52 PM
re: Forget Captcha, Try Inkblots
I'm seeing a dinosaur making love to a Volkswagen. Is that wrong?
Marilyn Cohodas,
User Rank: Strategist
10/17/2013 | 6:54:46 PM
re: Forget Captcha, Try Inkblots
Anything that doesn't make me remember my permutation of alpha-numerics is an improvement, IMO. I think I have enough brain cells to recognize a pass phrase that I use for an ink blot. But then again, it would depend on how similar the options Gotcha spews out are. It may indeed be just another gotcha for password management.
Laurianne,
User Rank: Apprentice
10/17/2013 | 5:08:36 PM
re: Forget Captcha, Try Inkblots
The Captcha is much hated. The name Gotcha doesn't exactly sound appealing -- but the idea is intriguing.