Attacks/Breaches
6/20/2012
02:46 PM

Hackers Offer Free Porn To Beat Security Checks

Spammers are enticing consumers with free porn or games in exchange for help cracking CAPTCHAs on targeted websites, security researchers say.

Accordingly, any website that relies on Captchas shouldn't make that its only defense against automated attacks or spammers. "Human-based Captcha solving services pose a serious threat to Web security and challenge the whole concept of Captchas," said the report. "They were originally intended to distinguish humans from computers, but now automated software is using actual humans to cheat the test and pass as humans."

For example, Imperva said that it reviewed a Captcha-defeating attack against a Brazilian government agency and saw what appeared to be an attack tool continually requesting refreshes of the security page containing a Captcha challenge. "It seems that the attack tool 'pressed' this button to gather more and more Captcha images, perhaps to create an offline dictionary for future use," said the report. With such a dictionary, the attack tool could take a screenshot of every Captcha, compare it with a dictionary of Captcha images that had been "solved" by humans, and then successfully bypass the Captcha security check.

Another attack detailed by Imperva was made against a Brazilian government agency that handles tax administration, validates the country's social security numbers, and also provides financial information for companies. Documents from this agency are required as a pre-condition to many other services in Brazil, like issuing a passport or getting a loan, according to the report.

To protect the site, the agency uses Captchas, as well as a rate limit, source IP limit--limiting the frequency of connections allowed from a given IP address range--and some other limitations to avoid a denial of service and automated access. But many corporate users--the report cites loan companies, banks, accounting offices, and law firms--actually purchase third-party software to bypass the Captchas and other security mechanisms to help them more rapidly access information about their customers.

Fortunately, attempts to automatically gather Captcha information or defeat such systems can leave telltale signs. For example, these requests often show unusual rates of access--all originating from the same IP address--or use unusual HTTP headers. Accordingly, these signs can be identified and used to block or throttle requests from suspect IP addresses. Blacklisting known bad sites and tracking reputation can also be employed to help identify which requests to block outright.

Imperva's report also recommends creating a baseline of normal behavior. "A site can create a profile of legitimate use in terms of rate of access, requested URLs, distribution, traffic volume, geo-location--[an] IP from [the] Ukraine trying to post in a Japanese blog," then require any user exhibiting suspicious behavior to jump through additional security hoops. As with other security tools, in other words, Captchas work best as part of a layered defense.
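The telltale signs described above (repeated Captcha refreshes from one IP address and unusual HTTP headers) can be checked against request logs, as in this added example, which is not code from Imperva's report. The endpoint path, thresholds, expected-header list, and the throttle-versus-block policy are assumptions, and the sample requests are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed values for illustration; tune against a baseline of legitimate use.
CAPTCHA_PATH = "/captcha/refresh"      # hypothetical refresh endpoint
WINDOW = timedelta(seconds=60)         # sliding window per source IP
MAX_REFRESHES = 5                      # refreshes tolerated per window
EXPECTED_HEADERS = ("user-agent", "accept", "accept-language")

def score_requests(requests):
    """Return {ip: set of reasons} for sources showing the telltale signs."""
    recent = defaultdict(deque)        # ip -> timestamps of recent refreshes
    flagged = defaultdict(set)
    for ts, ip, path, headers in sorted(requests, key=lambda r: r[0]):
        present = {name.lower() for name in headers}
        if any(h not in present for h in EXPECTED_HEADERS):
            flagged[ip].add("unusual_headers")
        if path != CAPTCHA_PATH:
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > WINDOW:  # drop refreshes older than the window
            window.popleft()
        if len(window) > MAX_REFRESHES:
            flagged[ip].add("captcha_refresh_rate")
    return dict(flagged)

def decide(reasons):
    """Assumed policy: one sign throttles, two signs block."""
    return ("allow", "throttle", "block")[min(len(reasons), 2)]

def build_sample():
    """Constructed requests: (timestamp, source IP, path, headers)."""
    t0 = datetime(2012, 6, 20, 12, 0, 0)
    browser = {"User-Agent": "Mozilla/5.0", "Accept": "text/html",
               "Accept-Language": "pt-BR"}
    tool = {"User-Agent": "fetcher/1.0"}   # no Accept or Accept-Language
    reqs = [(t0 + timedelta(seconds=2 * i), "203.0.113.7", CAPTCHA_PATH, tool)
            for i in range(12)]            # rapid refreshes from one address
    reqs += [(t0 + timedelta(seconds=40 * i), "198.51.100.20", CAPTCHA_PATH,
              browser) for i in range(2)]  # a person asking for a new image
    reqs.append((t0 + timedelta(seconds=5), "192.0.2.44", "/login",
                 {"User-Agent": "Mozilla/5.0", "Accept": "text/html"}))
    return reqs

if __name__ == "__main__":
    flags = score_requests(build_sample())
    for ip in ("203.0.113.7", "198.51.100.20", "192.0.2.44"):
        print(ip, decide(flags.get(ip, set())), sorted(flags.get(ip, set())))
```

A single sign only throttles here because a missing header or a burst of refreshes can also come from a legitimate client.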

Comments
GBARRINGTON196,
User Rank: Apprentice
6/22/2012 | 11:24:02 AM
re: Hackers Offer Free Porn To Beat Security Checks
The problem with Captcha is creating images that HUMANS can identify! I don't know how many times I've tried to get into a site via Captcha only to be told that what I've typed isn't correct, when clearly it is. And requesting a new Captcha image sometimes helps, and sometimes doesn't. Personally, I hope the computer security community comes up with something better and fast. I hate Captcha.
Bprince,
User Rank: Ninja
6/21/2012 | 2:04:14 AM
re: Hackers Offer Free Porn To Beat Security Checks
It sounds to me like traditional text-based CAPTCHAs are close to being dead in terms of effectiveness. I don't know if there is a solution to humans cracking them, but perhaps the use of images or puzzles will make a difference when it comes to some of the tools.
Brian Prince, InformationWeek/Dark Reading Comment Moderator