Tuesday, August 15, 2006

Social engineering in internet security

CAPTCHA is a system for verifying whether the entity interacting with a system is a human. Its main application is account creation at the major email service providers. Because those sign-up forms are prone to misuse by spammers who use automated scripts to create throwaway accounts, a CAPTCHA is used to limit the creation of spam accounts.

Simply put, it displays an image with letters and numbers embedded in it, along with visual distractions. The user is expected to type the letters and numbers into a text box, and the server verifies that they match.
The assumption is that a computer program would not be able to make out precisely what the picture consists of, and hence the system can distinguish between humans and computer programs.
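The server side of that check is where the details matter. As an added illustration (not code from the original post), here is a minimal Python challenge/response verifier: each challenge is random, bound to one session, expires after a short window and is discarded on first use, so a solved answer cannot be replayed into a different sign-up or reused later. The in-memory store, the TTL value and the function names are assumptions made for this example; the image rendering itself is out of scope.

```python
import hmac
import secrets
import time

# Hypothetical in-memory challenge store; a real deployment would keep this
# in a server-side session store or cache so it survives multiple workers.
_challenges = {}
CHALLENGE_TTL_SECONDS = 120   # assumed expiry window for an unanswered challenge


def issue_challenge(session_id, length=6, now=None):
    """Create a fresh challenge bound to one session.

    Returns (challenge_id, answer). The answer is what the server would render
    into the distorted image; only the challenge_id goes to the client in clear.
    """
    # Alphabet without look-alike glyphs (0/O, 1/I) so humans are not penalised.
    alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
    answer = "".join(secrets.choice(alphabet) for _ in range(length))
    challenge_id = secrets.token_urlsafe(16)
    _challenges[challenge_id] = {
        "session": session_id,
        "answer": answer,
        "issued": time.time() if now is None else now,
    }
    return challenge_id, answer


def verify_response(session_id, challenge_id, typed, now=None):
    """Check the user's typed text against the stored answer.

    The challenge record is removed on the first attempt, whatever the result,
    so a correct answer cannot be submitted twice and a wrong guess cannot be
    retried against the same image.
    """
    record = _challenges.pop(challenge_id, None)
    if record is None:
        return False            # unknown id, already used, or never issued
    current = time.time() if now is None else now
    if current - record["issued"] > CHALLENGE_TTL_SECONDS:
        return False            # stale challenge; solving it later does not count
    if record["session"] != session_id:
        return False            # answer arrived from a different session
    # Constant-time comparison; case-insensitive because the image is distorted.
    return hmac.compare_digest(typed.strip().upper().encode(), record["answer"].encode())


if __name__ == "__main__":
    cid, answer = issue_challenge("session-demo")
    print("issued", cid, "answer", answer)
    print("first attempt:", verify_response("session-demo", cid, answer))
    print("replay attempt:", verify_response("session-demo", cid, answer))
```

Session binding and a short lifetime do not stop a human-in-the-loop relay that works in real time, which is exactly the weakness the rest of this post describes; what they do stop is bulk reuse of solved challenges and the accumulation of a bank of answers to replay later. Rate limiting per source and per session is the usual companion control.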

Sounds perfect, eh? Let us see how a spammer might break this. Advanced AI programs? Too obvious and too complex. You can always increase the complexity of the image until the program is useless, and then the spammer has to build a program that uses even more advanced neural networks to crack it, and so on. So, how to break this?

Some smart-ass with a lot of time on his hands thought of an ingenious way of getting around these blocks. The solution is so amazingly simple and blindingly obvious. Quoting from the Slashdot story ...
"Spammers are now using a new technique to circumvent the 'captchas,' the distorted text in graphics, that users must input to receive the free email account. The spammers have cracked the system by displaying the 'captchas' on free porn sites in real time. Since there are always a large number of people signing up for free porn, they do the work of decrypting the 'captchas' which is then replayed back into the spammers program to create a new email account. Who thought that porn could be a hacking technique!"

This is just an example of high technology being defeated by simple innovation. The same goes for password security - you can use 256-bit encryption to transmit passwords, MD5 or SHA hashing to store them, you can force people to remember passwords that are at least 15 characters long and contain letters, numbers and special characters, and force users to change them every other week ... but all of this can be defeated by the simplest methods, by attacking the weakest link in the chain - people. Nothing (including a ban) can stop them from writing passwords down. Nothing can stop them from choosing passwords that are easy for them to remember (and for others to guess).
There have been reports of biometric security being broken. RFID detectors can be fooled by wrapping RFID-tagged items in metal foil. Complex mechanisms can be defeated by the simplest techniques.
Bottom line: most so-called security measures are useless.
