Breaking CAPTCHA MultiMedia Security

1
Breaking CAPTCHA(Multi-Media Security)

• Isa Muqattash

2
Agenda

• Introduction
• Creation techniques
• Breaking CAPTCHA
• Future expectations

3
Introduction

• CAPTCHA Completely
• Automated
• Public
• Turing test to tell
• Computers and
• Humans
• Apart

4
History of CAPTCHA

• Reverse Turing Test
• Alta Vista (1997) URLs to Search Engines
• Solution by Andrei Broder, chief scientist.
• Reduced spam add-URL by 95
• Yahoo! (2000) Chat room problem
• Solution by CMU Gimpy, EZ-Gimpy
• PARC (2002) For research purposes
• Henry Baird UC Berkeley
• Product PessimalPrint
• First referenced technical publication

5
Properties of CAPTCHA

• The test's challenges can be automatically
  generated and graded 
• The test can be taken quickly and easily by human
  users
• The test will accept virtually all human users
  with high reliability while rejecting very few
• The test will reject virtually all machine users
• The test will resist automatic attack for many
  years even as technology advances

6
Creating CAPTCHA

• Pessimal Print (Image Degradation)
• Pseudorandom sequences
• Blurring
• Skewing
• Scaling
• Dithering
• Fonts
• Resolution

7
More on Creating CAPTCHA

• More sound techniques
• Rotation
• Segmented characters
• Non-uniform background
• Varied font thickness
• Computationally hard problems (AI hard)
• Various objects
• Animals
• Scenes
• Sports

8
Breaking CAPTCHA

• OCR based
• Difficult
• Non-uniform background
• SVM
• Some success, but not good enough
• Non-OCR based
• PWNtcha (49-100)
• Puremango.co.uk (Scripting)

9
More CAPTCHA Attacks

• Anti-cluttering processing
• Remove small objects
• Standard dictionary attack
• Trivial network attacks
• Pattern recognition techniques
• Segmentation Clustering pixels together
• By colored pixel density
• By distance

10
Distance between pixels

• Eucledian distance
• Dsqrt(dx2 dy2 dz2)
• Adjusted human vision distance
• r_bar (r1 r2)/2
• Dsqrt ( dr2 (2 r_bar/256)
  )
• ( 4dg2 )
• ( db2 (2 (255
  r_bar)/256) )

11
Vulnerable CAPATCHA

• http//linuxfr.org/user_new.html
• http//www.gandi.net/whois?len
• http//www.phpbb.com/phpBB/profile.php?moderegist
  eragreedtrue

12
The Future of CAPTCHA

• Insecure
• Attacks with success of 40 - 100
• As low as success of 10 is bad enough
• Not enough for authentication
• Are the generators really pseudorandom???
• Not feasible for blind, weak sight, and
  disordered
• More object and scene recognition (correct
  response not unique)
• 3D CAPTCHA

13
CAPTCHA SAMPLES

• www-users.cs.umn.edu/sampra/8980project
• www2.parc.com/istl/projects/captcha/captchas.htm

14
References

• http//www2.parc.com/istl/projects/captcha/history
  .htm
• http//www.w3.org/TR/2005/NOTE-turingtest-20051123
  /
• http//www2.parc.com/istl/projects/captcha/docs/pe
  ssimalprint.pdf
• http//sam.zoy.org/pwntcha/