web application security lab

Archive for the 'CAPTCHA' Category

DNS Rebinding for Scraping and Spamming

Wednesday, November 18th, 2009

Okay, last post about DNS Rebinding and then I’ll (probably) shut up about it for a while. If you haven’t already, please read posts one and two for context. As I was thinking about the best possible uses for DNS Rebinding I actually landed on something that is extremely practical for botnets, email scrapers, blog spammers and so on. One of the largest problems for most attackers/spammers is that they need to scrape the search engines for targets. The only way to do that is to send a massive amount of traffic at the search engines, and if they do it from a small set of machines they also make themselves easy to block or subvert. Google typically tries to stop robots from scraping by showing a CAPTCHA. Wouldn’t it be easier and better if the attacker/spammer could use other people’s IP addresses? That’s the promise of DNS Rebinding, now isn’t it - unauthenticated cross domain read access from other people’s computers.

David Ross had a good post about how another practical defense against DNS Rebinding is using SSL/TLS, but since Google has opted not to secure their search engine, it becomes possible to use DNS Rebinding for its next logical use. Google hasn’t even fixed their other SSL/TLS woes so there’s pretty much no chance they’re going to secure the search engine any time soon. So DNS Rebinding gives the attacker IP diversity. An attacker can use DNS Rebinding to get other people to rip tons of information from Google without Google being able to block the real attacker. Since sites like Google do not respect the host header and they don’t use SSL/TLS an attacker can scrape information from these sites all they want - all the while using other people’s browsers. Now think comment spamming, polling fraud, brute force, and on and on… All of these become extremely easy and practical by burning other people’s IP addresses, instead of the attacker’s/spammer’s. Yes, DNS Rebinding is nasty, and unless the browser companies do something or every attacked web server on earth starts respecting the host header and/or using SSL/TLS it’s a problem that’s here to stay.

I know a lot of people think this is a complicated technique, but it’s really not that hard. It just requires some JavaScript (similar to BeEF or XSS Shell), a place to log whatever the user saw when the attacker forced them to perform the action, a hacked up DNS server (like the simple DNS Rebinding server sample), a domain, a firewall that is somehow linked to the attacker/spammer application and some Internet traffic to abuse. None of these things are out of reach for a decently skilled attacker. Anyway, I doubt it’s getting fixed anytime soon, which means DNS Rebinding essentially allows nearly free rein for attackers and spammers for the foreseeable future - and no one appears to be doing anything about it.
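The server-side fix the post names is respecting the Host header. A rebound request still carries the attacker’s domain in Host, because the browser believes it is talking to that domain, so refusing every request whose Host is not one of the server’s own names breaks the read-back. This is an added example written for this page, not code from the post; the hostnames in ALLOWED_HOSTS are assumed.

```python
"""Host-header allowlist as a defence against DNS rebinding (added example)."""
import ipaddress

ALLOWED_HOSTS = {"search.example.com", "www.example.com"}  # assumed names


def _hostname_only(host: str) -> str:
    """Strip an optional :port from a Host header value, handling [IPv6]."""
    host = host.strip()
    if host.startswith("["):                       # e.g. [2001:db8::1]:8080
        end = host.find("]")
        return host[1:end] if end != -1 else host
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host


def host_allowed(host_header, allowed=ALLOWED_HOSTS) -> bool:
    """True only if the Host header names one of our own hostnames.

    A missing Host, a bare IP literal (what a rebinding script ends up
    with once the DNS answer flips) and any foreign domain are refused.
    """
    if not host_header:
        return False
    name = _hostname_only(host_header).lower().rstrip(".")
    try:
        ipaddress.ip_address(name)                 # bare IP literal
        return False
    except ValueError:
        pass
    return name in allowed


def host_check_middleware(app, allowed=ALLOWED_HOSTS):
    """WSGI middleware: answer 421 Misdirected Request for unknown Hosts."""
    def wrapped(environ, start_response):
        if not host_allowed(environ.get("HTTP_HOST", ""), allowed):
            start_response("421 Misdirected Request",
                           [("Content-Type", "text/plain")])
            return [b"Unrecognised Host header\n"]
        return app(environ, start_response)
    return wrapped
```

TLS closes the same hole from the other side: the rebound connection presents a certificate for the real site, not the attacker’s domain, and the browser refuses it.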

Cyborg CAPTCHA Breaking

Thursday, October 22nd, 2009

I normally steer very clear of articles like this, but I was totally fascinated when I heard this. Both rat neurons and human neurons were used to steer a robotic car. They did so completely without computer or human intervention. They literally “thought” about what they wanted to do to complete a task. Interesting take on a Cyborg - don’t start with a human and tear it down and replace its extremities with mechanical parts, start with a machine and introduce a blank slate of human brain tissue. Now, that’s amazing in its own right. But where are the applications for us in security? The first thing I thought of was a super advanced system for anomaly detection, but honestly, computers are far better at processing large data sets than people are. Plus brain-masses (for lack of a better term) lack knowledge and experience, so it would take years for them to even understand what they were looking at, let alone be better than a true human analyst. However, there is one thing that struck me as something that people mostly would agree humans should be better at than computers - CAPTCHA breaking.

Image analysis in general - yes, it’s possible, but CAPTCHAs should be easy. Just like a child, you’d have to teach it the alphabet, colors, lines, shapes, and all the basics. Then you’d have to give it a reward system so it wouldn’t fatigue (read The Terminal Man if you want to see why that part is potentially dangerously problematic). But assuming you can get all that done, there is no reason a human brain-mass shouldn’t be able to solve CAPTCHAs just like a human would. You wouldn’t need a head on it, or really anything else. You could have multi-core human brain-mass computers all shoved into a rack. Just need a way to feed them and you’ve got yourself the most effective human analog CAPTCHA breaking system ever built. Scary and morbid, but extremely effective against all fluctuations in CAPTCHA design, assuming they were taught the parameters.

So what exactly is the definition of a CAPTCHA? I’ve harped on this before. But let’s think about it. What exactly is the measure of a human? Is it cognitive abilities? Then are mentally retarded people no longer considered people? Is it a physical body part? Then are people who have had limbs removed no longer human? What exactly are we trying to measure with a CAPTCHA, if indeed the truest definition of such a thing could exist? I think what we are attempting to ascertain most of the time is intent. And with a human brain-mass anti-CAPTCHA system, that would no longer be something we could do. The only thing that what we currently think of as CAPTCHAs would still be effective at is increasing the cost of spam. Of course this is all science fiction and riddled with problems, not the least of which is expense. But there are unfathomable military applications for such things, where expense is no longer an obstacle. Skynet may be coming, but it might not be a computer - it might be human brain-mass. Scary.

Google “What’s Up” CAPTCHA

Monday, April 20th, 2009

I don’t have time for a full blown Google rant today, but I was forwarded this link today and I couldn’t believe my eyes. This is Google’s “What’s Up” CAPTCHA. You know, when I first heard about it, it was described to me as “a picture and you have to tell it which way is up”. So my first reaction was “that’s a terrible CAPTCHA - only a one in four chance.” Well, it’s not that bad. If you actually read the paper it’s actually a 1/22 chance (assuming no optimizations).

There are other problems with this though - like the fact that it relies on a set of pictures and someone has to make a judgment call on what is the correct position. I bet it’s easier to solve for humans, but it’s also fairly trivial for robots to solve too. CAPTCHA - what does that mean anyway? Let’s see if Google’s project meets the definition:

Completely Automated - Google employees need to make judgment calls ahead of time on each image orientation, so this requirement of a true CAPTCHA fails. Incidentally, it also adds a hidden cost to using the “What’s up” CAPTCHA, although the cost might not be huge if you make the set small (which would cause other problems).

Public - well, as public as anything Google does is public. It’s not open source or anything, but it’s out there.

Turing Test to tell Computers - I would argue that it’s not a Turing test at all, because if you have a set of 45 robots that each try only one guess apiece, Google’s “What’s up” will fail to catch two of them. And again - that’s with zero optimizations. Second major failure making this not actually a CAPTCHA.

and Humans Apart - I think it fails this one as well, since blind people are humans. So are non-JavaScript/Flash/CSS-wielding users - I know I’m human. So that’s three major failures of one definition alone. Not great!
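The numbers behind the “45 robots, two get through” argument, worked out as an added note (not part of the post), with the post’s own 1/22 figure and a generalisation to robots that are allowed more than one guess:

$$
p = \frac{1}{22}, \qquad
\mathbb{E}[\text{robots passing}] = n\,p = \frac{45}{22} \approx 2.05 \quad (n = 45)
$$

$$
\Pr[\text{at least one of } n \text{ passes}] = 1 - (1-p)^{n} = 1 - \left(\tfrac{21}{22}\right)^{45} \approx 0.88
$$

$$
\Pr[\text{one robot passes within } k \text{ guesses}] = 1 - \left(\tfrac{21}{22}\right)^{k}, \qquad k = 3 \;\Rightarrow\; \approx 0.13
$$

So a fleet of 45 robots guessing blindly gets roughly two accounts through on average and has close to a nine-in-ten chance of getting at least one, and any retry allowance makes each individual robot’s odds climb quickly; the expected cost per successful pass is only $1/p = 22$ attempts.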

Someone with far greater math skills than I will some day create the mathematical proof that explains why CAPTCHAs aren’t technically achievable. It’s possible to create tests that are vaguely good at telling computers and humans apart (CAPVGTCHAs perhaps?) but unless my understanding of the universe is way off base, I think CAPTCHAs are modern day perpetual motion machines. Everyone thinks they get it and it can work, but it’s never been done, and no one has come even close, in my mind. Sorry, I know this wasn’t as good a Google rant as I normally come up with, but as one of their guys over there recently told me, “You don’t call, you don’t rant…” I know… too busy!

Friday, June 13th, 2008

If the title of this post sounds awfully spammy, that’s because it is. Someone sent me a link to and today. Both of which are tied together into one system that allows someone to purchase a robot and the human CAPTCHA breaking necessary to create accounts in some of the largest social networking sites out there.

These include MySpace, Hi5, Facebook, Youtube, Gmail, and on and on… This reminds me a lot of XRumer which is also designed for the same purpose, but more for message boards and the like. Making hundreds of accounts for spamming is getting more commonplace and accessible. Just plunk down your stolen PayPal or Google Checkout IDs and you’re off to the races! CAPTCHAs aren’t working folks - we’re just creating another micro-industry.

Spammers Hurt The Blind

Sunday, May 4th, 2008

There’s an interesting link talking about the lawsuit that Rite Aid just settled regarding their accessibility issues. In part it was in regard to their in-store issues, but it was also about their online accessibility, specifically around CAPTCHAs. So I spent a little time doing some more research into other issues around CAPTCHAs and the blind, and in fact there are even concerns around the audio CAPTCHAs for deaf-blind users.

One thing that was interesting is that many of the sites that have been targeted for lawsuits and angst have been either online retailers or text-heavy websites (Typepad, Livejournal, etc…). I guess that makes perfect sense, I just hadn’t thought about it before. I would expect there to be a lot more of this in the future, so if you use CAPTCHAs I’d consider at least getting an audio version, as I’ve discussed countless times. An interesting thought though: spammers have made it harder on the blind. Yet another reason to hate spammers, I guess.

Malware Solving CAPTCHAs

Thursday, November 1st, 2007

There’s an interesting link on MSNBC about malware that’s trying to solve CAPTCHAs. Basically it’s using a ruse of a sexy girl who tempts you with nudity if you type in some letters/numbers. The letters/numbers are, of course, CAPTCHAs for social networking sites, webmail or whatever. Very clever, but also very stupid at the same time.

One thing we’ve seen actually is pretty clever. Malware has the ability to do a lot, including re-writing webpages on the fly. However, the goal isn’t just to re-write some banners (yes, sometimes that is the goal) but sometimes it’s to steal information. And sometimes it makes sense from an attacker’s perspective to ask for an additional piece of information (like a social security number) on a form. What I haven’t seen is adding an additional CAPTCHA to a page, which would be totally invisible to the average user (unlike a stripper on your desktop, which is sort of the opposite of subtle).

Good Articles on CAPTCHAs

Wednesday, August 22nd, 2007

Mark Burnett has a few good articles on my single favorite love-to-hate security measure, the CAPTCHA. Check the articles out here and here. They do a good job at explaining some of the high level problems with CAPTCHAs but don’t be fooled, this is only the tip of the iceberg as I’m sure Matt would agree. If you look on sla.ckers there is post after agonizing post where people are building and then breaking CAPTCHAs.

Jeremiah had a good post on this a year ago describing what makes an effective CAPTCHA. I’d like to go one further. I have actually never seen said mythical beast. I’m not even sure it can be done with the technology we have at our disposal. What I’m getting at is this. People have deficiencies and those deficiencies must be dealt with for them to be able to solve a puzzle. Some deficiencies are pretty debilitating and include blindness. Okay, so we have audio CAPTCHAs to augment that issue. Then we have colorblind people. They too can use the audio CAPTCHAs.

Then we have things like pwntcha, pron proxies and a whole host of other ways to “break” CAPTCHAs in a way that they were not intended. Bummer. It’s getting to the point where I cannot even fathom what a good CAPTCHA would look like. Everything is either far too hard for people to solve, or far too easy for computers to solve. The stuff that’s in the middle is usually bad for both. I’m up for an experiment. Can anyone point to a good example of a CAPTCHA anywhere on the Internet - one that meets all the rules outlined by Jeremiah’s post?

CAPTCHA Breaking Game

Wednesday, June 13th, 2007

As mentioned on Ronald’s blog and a rather suspicious digg entry linking to a referral code (indicating that the person who dugg this is somehow related to the site) there is a CAPTCHA breaking service located at decodetowin. The site claims to be running a sweepstakes and the only way to win is to “decode” the CAPTCHAs. Here is text from the site:

What is Decode to Win? Decode to Win is a contest website in which you decode graphical messages to increase your chance at winning a prize. You get one point for every message you decode. At the end of each week, we pick a random user from the top 15 point holders and send him/her a prize offering. In some cases, we will send prizes to more than one user.

No doubt, signing up adds your name to validated spam lists - they get you coming and they get you going. Interesting premise though. It appears that they are breaking Google CAPTCHAs by the looks of it, but it’s difficult to know for sure unless you are Google. One interesting thing I noticed as I was testing it is that the first one succeeds while the following tries always fail until you reload the flash file. It’s unclear why they do this, but my guess is that people are likely to try more than once and unlikely to sign up, so it’s worth getting them to try three or more times to see if they simply typoed the second try. It’s out there folks, no one should doubt that CAPTCHAs definitely are being broken. Thanks to Ronald for pointing this one out.

reCAPTCHA Image Processing To Stop Bots

Friday, June 8th, 2007

A few weeks ago Ben Maurer posted a link to a service called reCAPTCHA that attempts to solve the spam problem in the typical CAPTCHA way while solving another hard problem at the same time. reCAPTCHA is a part of a project to scan old books. But part of the problem with scanning using OCR is that you get crap results sometimes. Therein lies the reCAPTCHA idea - replaying that odd looking text to users and getting them to type the answers in, next to a real CAPTCHA. If the user gets the known word right, their reading of the OCR word is assumed to be valid too.

So the next question is: what if someone doesn’t answer the second question at all or puts in something erroneous? That’s okay - it uses a voting system to make sure more than one person agrees (I’m not sure on the specifics of the voting system). That makes for a pretty interesting system in a lot of ways. However, one comment made by “Anonymous” on Ben’s site caught my eye.
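A toy model of the control-word-plus-unknown-word scheme described above, added here to make the voting idea concrete; it is not reCAPTCHA’s code, and since the post says the real voting rules are unknown, the rule used (a submission counts only if the control word is right, and an unknown word is resolved once two independent readings agree) is an assumption.

```python
"""Toy reCAPTCHA-style tally: control word gates the human check, the
unknown word collects votes until enough readings agree (added example;
the agreement rule is assumed, not reCAPTCHA's documented behaviour)."""
from collections import Counter, defaultdict

AGREEMENT_NEEDED = 2          # assumed: two matching human readings resolve a word


def _normalise(word):
    """Case- and whitespace-insensitive comparison of typed words."""
    return word.strip().lower()


class ReCaptchaTally:
    def __init__(self, control_words):
        # control word id -> known answer (the "real CAPTCHA" half)
        self.control = {k: _normalise(v) for k, v in control_words.items()}
        self.votes = defaultdict(Counter)   # unknown id -> Counter of readings
        self.resolved = {}                  # unknown id -> agreed reading

    def submit(self, control_id, control_answer, unknown_id, unknown_answer):
        """Return True if the user passed (control word correct).

        Only a passing submission gets to vote on the unknown word, so a
        bot that cannot read the control word cannot poison the OCR data.
        """
        if _normalise(control_answer) != self.control[control_id]:
            return False
        reading = _normalise(unknown_answer)
        if reading and unknown_id not in self.resolved:
            self.votes[unknown_id][reading] += 1
            if self.votes[unknown_id][reading] >= AGREEMENT_NEEDED:
                self.resolved[unknown_id] = reading
                # an agreed word can now serve as a control word itself
                self.control[unknown_id] = reading
        return True
```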

“Chinese radio scare alert: these people want to exploit your brainpower with their captcha tricks! It’s like enslaving humanity, one word at a time!”

You certainly get extra points for originality of your idea.

I’m sure nobody will get my Chinese radio reference though…

What Anonymous is referring to is the Chinese Lottery. It’s a theory in cryptography where you can force many people to do very small tasks to get the answer to a bigger problem (in the lottery example force the government supplied radios to perform small parts of a very large crypto problem). For instance, if they can somehow ask users to perform a math function that is somehow more efficient for a user to do than a computer, then it makes sense. There is another similar theory using biochemical reactions in a DESasour, where each cell of an organism combines to perform a computationally complex task, but given the volume of cells in any sizable creature, it would have enormous computing power.

Granted reCAPTCHA is terrible at this - it is far more efficient to perform any mathematical task with a computer than anything a human could do. The only way I could see this being used in a nefarious way, other than the CAPTCHA proxy idea is if part of what a government needed to do was OCR classified documents (this could be even more effective in other languages where translation services are at a premium). While possible, it sounds like quite a conspiracy theory to me. But Anonymous can rest assured that someone out there understood his reference! ;)

CAPTCHA Proxy Service

Sunday, May 6th, 2007

One concept I have been playing with a lot lately is interesting ways to take the robot out of CAPTCHA solving, but still solving it subversively. Sure, we came up with the mechanical turk methods, the porn proxy, using kids’ games, and a variety of other low tech solutions. However, the other day, I came up with a concept for an actual service that does this. Let me explain:

CAPTCHAs, or any automated Turing tests in general, attempt to see if the consumer is a robot or not by throwing up an image to test if a human can read it. The reason why webmasters use them is so they can detect if the user is real or not. So webmasters have a need, and spammers also have a need. Webmasters want to detect if a user is really a person or not, and a spammer wants to solve those CAPTCHAs in whatever way is effective. So here’s the concept.

By setting up a central proxy with APIs for webmasters you can solve both problems at once. The webmaster gets to have unique CAPTCHAs by using the API to query the proxy. The proxy pulls a CAPTCHA from somewhere on the Internet that a spammer wants to break. The spammer uses their own API to decide if the consumer typed in the correct answer or not and sends a decision back to the webmaster through the proxy. The webmaster can then allow the user to succeed or fail as they choose. The only motivation for the black-hat webmaster to do this is if they represent a lower value target than the websites that the spammer tends to attack and/or if they don’t care about other websites’ security problems.

Of course this is entirely black-hat, and provides no good service whatsoever, but it does solve two different people’s problems at the same time. Of course this symbiosis does introduce latency by slowing the consumer down while they wait for the proxy and the spammer to validate the entry. Maybe a credit system would need to be put in place based on the latency time to ensure quality. This service exploits one of the two fatal flaws in CAPTCHAs - even if it works perfectly and can detect whether it is a person or not, it cannot detect their intentions (the second being that if it is created by a computer it can be read by a computer). Yah, evil, I know.
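The latency the post mentions is the one handle a defender has on a relay like this: a challenge that must be solved within a short window and can be redeemed only once shrinks the time the proxy has to farm the answer out, though, as the post says, it cannot reveal intent. The following is an added example of such server-side challenge handling, not code from the post or any CAPTCHA product; the 30-second window and the HMAC-over-answer design are assumptions.

```python
"""Short-lived, single-use, session-bound CAPTCHA challenges (added example)."""
import hashlib
import hmac
import os
import secrets
import time

SECRET = os.urandom(32)      # per-deployment HMAC key (constructed at start-up)
TTL_SECONDS = 30             # assumed solve window; relays eat into this budget
_redeemed = set()            # challenge ids already used (single-use enforcement)


def _mac(challenge_id, session_id, issued_at, answer):
    """Bind answer, session and issue time together under the server key."""
    msg = f"{challenge_id}|{session_id}|{issued_at}|{answer}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_challenge(session_id, answer, now=None):
    """Return (challenge_id, issued_at, mac) to embed alongside the image.

    The expected answer itself never leaves the server; the client only
    ever holds the MAC, which it cannot verify guesses against offline.
    """
    issued_at = int(time.time() if now is None else now)
    challenge_id = secrets.token_hex(8)
    return challenge_id, issued_at, _mac(challenge_id, session_id, issued_at,
                                         answer.strip().lower())


def verify_solution(session_id, challenge_id, issued_at, mac, user_answer,
                    now=None):
    """True only if age, single-use, session and answer checks all pass."""
    now = time.time() if now is None else now
    if now < issued_at or now - issued_at > TTL_SECONDS:
        return False                     # outside the solve window (too slow)
    if challenge_id in _redeemed:
        return False                     # replay of an already-used solve
    expected = _mac(challenge_id, session_id, issued_at,
                    user_answer.strip().lower())
    if not hmac.compare_digest(expected, mac):
        return False                     # wrong answer or foreign session
    _redeemed.add(challenge_id)
    return True
```

In production the redeemed-id set would live in a shared store with the same TTL so the memory is bounded and all front ends see it.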