Tuesday, October 18, 2011

Interesting research on attacking CAPTCHAs

CAPTCHAs have been widely used as a defense against automated attacks. This interesting research shows that CAPTCHAs, like any other security mechanism, are not the final solution!
We report a novel attack on two CAPTCHAs that have been widely deployed on the Internet, one being Google's home design and the other acquired by Google (i.e. reCAPTCHA). With a minor change, our attack program also works well on the latest ReCAPTCHA version, which uses a new defence mechanism that was unknown to us when we designed our attack. This suggests that our attack works at a fundamental level. Our attack appears to be applicable to a whole family of text CAPTCHAs that build on top of the popular segmentation-resistant mechanism of "crowding characters together" for security. Next, we propose a novel framework that guides the application of our well-tested security engineering methodology for evaluating CAPTCHA robustness, and we propose a new general principle for CAPTCHA design.

According to the paper, a CAPTCHA must be "segmentation resistant": it must be hard for attack software to locate the individual characters (as opposed to recognizing what each character is).
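To make "segmentation resistant" concrete, here is an added example (not from the paper or this blog) of a design-time check: it renders constructed toy glyphs with a chosen spacing and tests whether the simplest segmenter, splitting at ink-free columns, can isolate each character. The glyph bitmaps and all function names are assumptions made for illustration.

```python
# Constructed 5-row glyph bitmaps ('#' = ink); not taken from any real CAPTCHA.
GLYPHS = {
    "A": [".#.", "#.#", "###", "#.#", "#.#"],
    "B": ["##.", "#.#", "##.", "#.#", "##."],
    "C": [".##", "#..", "#..", "#..", ".##"],
}

def render(text, gap):
    """Lay glyphs side by side. gap > 0 adds blank columns, gap < 0 overlaps (crowds) them."""
    width = sum(len(GLYPHS[ch][0]) for ch in text) + gap * (len(text) - 1)
    grid = [[False] * width for _ in range(5)]
    x = 0
    for ch in text:
        for r, row in enumerate(GLYPHS[ch]):
            for c, px in enumerate(row):
                if px == "#":
                    grid[r][x + c] = True
        x += len(GLYPHS[ch][0]) + gap
    return grid

def column_projection(grid):
    """Number of ink pixels in each column."""
    return [sum(row[c] for row in grid) for c in range(len(grid[0]))]

def segments(grid):
    """Naive segmentation: cut the image at every column that contains no ink."""
    found, start = [], None
    # The trailing 0 closes a segment that runs to the right edge.
    for c, ink in enumerate(column_projection(grid) + [0]):
        if ink and start is None:
            start = c
        elif not ink and start is not None:
            found.append((start, c - 1))
            start = None
    return found

def resists_blank_column_split(text, gap):
    """True if the naive splitter does NOT yield exactly one segment per character."""
    return len(segments(render(text, gap))) != len(text)
```

Spaced glyphs (`gap=1`) fall apart into one segment per character, while crowded glyphs (`gap=-1`) come back as a single blob. Passing this check is only a baseline: the research quoted above reports an attack that still works against crowding.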

Tuesday, October 11, 2011

The First Post

This is the first post of the "Thoughts on IT Security" blog. Here I want to write and share different things related to the Information and IT Security world.
For now, look at this article from sophos.com's nakedsecurity blog about the threats facing children when using devices like the iPad at school:

"I was chatting with a friend of mine whose 5-year-old twins start school this year. She was telling me about the list of school supplies they need: pencils, crayons, paper, iPad..
Say again?? Yep, she said iPad. It was a new policy this year for all students at the school to have an iPad. Apparently her twins are not allowed to share, so she will have to purchase two of them.
I sat back and started thinking about this. Besides the obvious price implications of demanding parents buy an expensive device for their young child, what was being done to ensure safe and secure surfing?"

Exactly the same situation happened to me. The writer explains different concerns and threats on this issue.