Friday, February 1, 2008

are you alive?

ok... so a friend and colleague of mine pointed out that the yahoo captcha has reportedly been effectively compromised...

as others have said, we've kinda seen this building for a while now.

but, mostly the responses i'm hearing from the sec community have all been centered around building a better captcha to save us from the coming onslaught of spam (and some more xss prolly)...

imho, it is a poor stop-gap to make this the focus of mitigating the issue. we know this is attack and defense. we know the goal-posts move. so stop trying to build a better wall! build a series of redundant walls that force your enemy into overlapping fields of fire. it is accepted practice that we have layers of security in other areas, so why aren't we doing more of it here?

a significant portion of code on web sites is dynamically generated already, so that makes our job easier. the simplest thing we can do is use multiple strong captchas, where a single one is pseudo-randomly picked for a given page render.

then, while you're at it (or maybe instead) you can use other methodologies to add layers to distinguishing humans from scripts. we can make small transparent things look interesting to scripts. we can make fake forms that human users don't see. we can make invisible iframes too, but use them as tar pits for bots.

the point is that there is a range of simple tests that can be run to try to identify bots without putting more burden on users or captcha developers.

some pages do this stuff already, but you can still take it further. say we have 10 tools in our toolbox. we don't have to walk onto the battlefield in rows and columns and never deviate. we can dynamically use between 3 and 7 tools on a given page render and randomize which tools are picked from the pool. we can use more attack-like tactics to raise the bar right back. we can obfuscate our code too... we can use polymorphic structures to try to confuse the bots... why are we giving our attackers static defenses to target?
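as an added illustration of the randomized, layered idea above (example code written for this page, not from the original post), here is a server-side sketch: each render draws 3 to 7 checks from a pool, gives the honeypot field a fresh random name, keeps captcha answers and the chosen plan server side, and validates a submission against exactly the checks that render was given. the pool names, the two captcha stand-ins and the 2-second timing floor are all constructed assumptions.

```python
import secrets
import time

# Assumption (constructed for this example): five independent checks in the pool.
# Two are stand-ins for distinct captcha generators; the rest cost the user nothing.
POOL = ["captcha_a", "captcha_b", "hidden_token", "honeypot", "timing"]
PENDING = {}  # form_id -> plan, server side only; nothing here is sent to the browser

def render_form(now=None, rng=secrets.SystemRandom(), k=None):
    """Pick 3-7 checks for this render and record the per-render secrets server side.
    Returns (form_id, plan); the page embeds form_id and plan['fields'] only."""
    now = time.time() if now is None else now
    k = rng.randint(3, min(7, len(POOL))) if k is None else k
    plan = {"checks": sorted(rng.sample(POOL, k)), "ts": now, "fields": {}, "answers": {}}
    if "honeypot" in plan["checks"]:      # randomly named input hidden by CSS; humans never fill it
        plan["fields"]["honeypot"] = "f_" + secrets.token_hex(4)
    if "hidden_token" in plan["checks"]:  # per-render nonce that must be echoed back unchanged
        plan["fields"]["hidden_token"] = secrets.token_hex(8)
    for c in ("captcha_a", "captcha_b"):  # answers stay server side, never in the page
        if c in plan["checks"]:
            plan["answers"][c] = secrets.token_hex(3)
    form_id = secrets.token_hex(8)
    PENDING[form_id] = plan
    return form_id, plan

def honest_submission(plan):
    """What a human's browser would post back for this plan (used by the checks below)."""
    sub = dict(plan["answers"])
    if "hidden_token" in plan["fields"]:
        sub["nonce"] = plan["fields"]["hidden_token"]
    return sub

def validate(form_id, submitted, now=None, min_seconds=2.0):
    """Run exactly the checks chosen at render time; each rendered form is one-shot."""
    plan = PENDING.pop(form_id, None)
    if plan is None:
        return False, "unknown or reused form"
    now = time.time() if now is None else now
    for c in plan["checks"]:
        if c == "honeypot" and submitted.get(plan["fields"]["honeypot"], "") != "":
            return False, "honeypot filled"
        if c == "timing" and now - plan["ts"] < min_seconds:
            return False, "submitted too fast"
        if c == "hidden_token" and submitted.get("nonce") != plan["fields"]["hidden_token"]:
            return False, "nonce mismatch"
        if c in plan["answers"] and submitted.get(c) != plan["answers"][c]:
            return False, "wrong " + c
    return True, "ok"
```

because the plan lives only in `PENDING`, a bot that scrapes one render learns nothing about which checks the next render will carry.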

anyway, bonus points if you recognize the reference in the title of this post, and a gold star if you get the irony... peace!

3 comments:

Jens "jdm" Meyer said...

I can't say I get the reference, but I do agree with you on this -- defense in depth can, and should, be employed for websites. But I don't think confusing bots with iframes is the answer. There is a limited number of permutations you can accomplish using invisible iframes, etc. and even those (probably) wouldn't pose too much of a problem for a bot. Especially when you're thinking about only a >10% success rate.

There are new captchas out there, like the cool 3d ones, but those are harder for some people to read too. I'm a little surprised there hasn't been more attention at breaking the audio captchas. I think that the visual captcha improvement idea is just to stall until we can implement a new technology to weed out bots.

rwnin said...

hrm, if i conveyed that invisible iframes alone would be an answer, then i failed to communicate my overall point.

what i'm saying is that invisible iframes, obfuscated code, honey-pot type hidden forms, and other methods can be used to add layers of defense to the captcha realm in ways which don't put further burden on the user.

by leveraging the fact that a bot is stupid, and must be programmed to expect the environment in which it operates, we can make the auth environment dynamic and probably significantly hamper bot efforts.

maybe i should put together a test on this stuff...

i totally agree with audio captchas btw, but still think that any single technology will be attacked with higher rates of success than a layered defense...

Jens "jdm" Meyer said...

We should talk about this more. My bad for not including a link to your post :)