12:46 PM
Keith Ferrell
Keith Ferrell

CAPTCHA Cnondrum: Automated Attacks Trump Human-Entry Defenses

Automated attacks aimed at bypassing CAPTCHA -- those squiggly characters you have to enter to access some blogs and e-mail -- are getting better and faster at overcoming anti-spam defenses. In other words, the machines are beating us at what was supposed to be our game.

Automated attacks aimed at bypassing CAPTCHA -- those squiggly characters you have to enter to access some blogs and e-mail -- are getting better and faster at overcoming anti-spam defenses. In other words, the machines are beating us at what was supposed to be our game.CAPTCHA -- Completely Automated Public Turing Test to Tell Computers and Humans Apart -- approach to granting access to humans only (theoretically only humans could read and enter the distorted characters) has run into increasing bot problems.

Bots, it turns out, and more specifically bot-makers, are pretty good at putting together coordinated attacks that decipher the CAPTCHA characters and -- presto! -- get access to the targeted service, create accounts on that service (Hotmail, for instance) and use that address to dispatch waves of spam.

The current bot approach is troubling not just for its ability to overcome CAPTCHA defenses, but also because communications between the bot and a central server are encrypted, raising the attack sophistication stakes another level. The server does the deciphering, the bot receives and then enters the deciphered characters.

CAPTCHA bypasses are nothing new, of course, nor is there a lot CAPTCHA makers can do, other than continue to refine and reinvent their defenses. (Don't know about you, but for my tastes the trend toward making CAPTCHA images more and more vague, fuzzy and distorted has gone about as far as it can go -- I've seen some that machines might be able to figure out, but that were beyond my ability to decipher and enter.)

Identity verification -- simple verification that you're a real person -- keeps hitting these walls, as recent news of a facial recognition technology hack shows.

The point of all this for small and midsize businesses -- unless you're in the CAPTCHA business -- is simple: the bad guys are smart, automated, sophisticated, but for botnets to work they must first get access to vulnerable machines. Sealing your defenses against compromise may not solve the CAPTCHA conundrum -- not sure anything can -- but it ensures that you and your company's computers won't, at lest, be part of the problem.

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
Printers: The Weak Link in Enterprise Security
Kelly Sheridan, Associate Editor, Dark Reading,  10/16/2017
20 Questions to Ask Yourself before Giving a Security Conference Talk
Joshua Goldfarb, Co-founder & Chief Product Officer, IDDRA,  10/16/2017
Why Security Leaders Can't Afford to Be Just 'Left-Brained'
Bill Bradley, SVP, Cyber Engineering and Technical Services, CenturyLink,  10/17/2017
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.