Attacks/Breaches
6/20/2012
02:46 PM
50%
50%

Hackers Offer Free Porn To Beat Security Checks

Spammers are enticing consumers with free porn or games in exchange for help cracking CAPTCHAs on targeted websites, security researchers say.

Accordingly, any website that relies on Captchas shouldn't make that its only defense against automated attacks or spammers. "Human-based Captcha solving services pose a serious threat to Web security and challenge the whole concept of Captchas," said the report. "They were originally intended to distinguish humans from computers, but now automated software is using actual humans to cheat the test and pass as humans."

For example, Imperva said that it reviewed a Captcha-defeating attack against a Brazilian government agency and saw what appeared to be an attack tool continually requesting refreshes of the security page containing a Captcha challenge. "It seems that the attack tool 'pressed' this button to gather more and more Captcha images, perhaps to create an offline dictionary for future use," said the report. With such a dictionary, the attack tool could take a screenshot of every Captcha, compare it with a dictionary of Captcha images that had been "solved" by humans, and then successfully bypass the Captcha security check.

Another attack detailed by Imperva was made against a Brazilian government agency that handles tax administration, validates the country's social security numbers, and also provides financial information for companies. Documents from this agency are required as a pre-condition to many other services in Brazil, like issuing a passport or getting a loan, according to the report.

To protect the site, the agency uses Captchas, as well as a rate limit, source IP limit--limiting the frequency of connections allowed from a given IP address range--and some other limitations to avoid a denial of service and automated access. But many corporate users--the report cites loan companies, banks, accounting offices, and law firms--actually purchase third-party software to bypass the Captchas and other security mechanisms to help them more rapidly access information about their customers.

Fortunately, attempts to automatically gather Captcha information or defeat such systems can leave telltale signs. For example, these requests often sport unusual rates of access--all originating from the same IP address--or use unusual HTTP headers. Accordingly, these techniques can be identified and used to block or throttle requests from suspect IP addresses. Blacklisting known bad sites and tracking reputation can also be employed to help identify which requests to block outright.

Imperva's report also recommends creating a baseline of normal behavior. "A site can create a profile of legitimate use in terms of rate of access, requested URLs, distribution, traffic volume, geo-location--[an] IP from [the] Ukraine trying to post in a Japanese blog," then require any user exhibiting suspicious behavior to jump through additional security hoops. As with other security tools, in other words, Captchas work best as part of a layered defense.

Security information and event monitoring technology has been available for years, but the information can be hard to mine. In our SIEM Success report, we provide a step-by-step guide to make the most of your SIEM system. (Free registration required.)

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
GBARRINGTON196
50%
50%
GBARRINGTON196,
User Rank: Apprentice
6/22/2012 | 11:24:02 AM
re: Hackers Offer Free Porn To Beat Security Checks
The problem with Captcha is creating images that HUMANS can identify! I don't know how many times I've tried to get into a site via Catcha only to be told that what I've typed isn't correct, when clearly it is. And requesting a new Captcha image sometimes helps, and sometimes doesn't. Personally, I hope the computer security community comes up with something better and fast. I hate Captcha.
Bprince
50%
50%
Bprince,
User Rank: Ninja
6/21/2012 | 2:04:14 AM
re: Hackers Offer Free Porn To Beat Security Checks
It sounds to me like traditional text-based CAPTCHAs are close to being dead in terms of effectiveness. I don't know if there is a solution to humans cracking them, but perhaps the use of images or puzzles will make a difference when it comes to some of the tools.
Brian Prince, InformationWeek/Dark Reading Comment Moderator
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-4231
Published: 2015-07-03
The Python interpreter in Cisco NX-OS 6.2(8a) on Nexus 7000 devices allows local users to bypass intended access restrictions and delete an arbitrary VDC's files by leveraging administrative privileges in one VDC, aka Bug ID CSCur08416.

CVE-2015-4232
Published: 2015-07-03
Cisco NX-OS 6.2(10) on Nexus and MDS 9000 devices allows local users to execute arbitrary OS commands by entering crafted tar parameters in the CLI, aka Bug ID CSCus44856.

CVE-2015-4234
Published: 2015-07-03
Cisco NX-OS 6.0(2) and 6.2(2) on Nexus devices has an improper OS configuration, which allows local users to obtain root access via unspecified input to the Python interpreter, aka Bug IDs CSCun02887, CSCur00115, and CSCur00127.

CVE-2015-4237
Published: 2015-07-03
The CLI parser in Cisco NX-OS 4.1(2)E1(1), 6.2(11b), 6.2(12), 7.2(0)ZZ(99.1), 7.2(0)ZZ(99.3), and 9.1(1)SV1(3.1.8) on Nexus devices allows local users to execute arbitrary OS commands via crafted characters in a filename, aka Bug IDs CSCuv08491, CSCuv08443, CSCuv08480, CSCuv08448, CSCuu99291, CSCuv0...

CVE-2015-4239
Published: 2015-07-03
Cisco Adaptive Security Appliance (ASA) Software 9.3(2.243) and 100.13(0.21) allows remote attackers to cause a denial of service (device reload) by sending crafted OSPFv2 packets on the local network, aka Bug ID CSCus84220.

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report