Article 1

Hackers crack CAPTCHA website security measures

Attackers are using optical character recognition and machine learning, as well as crowdsourcing
through third parties, to solve CAPTCHAs
Attackers are using optical character recognition and machine learning, as well as crowdsourcing
through third parties, to solve CAPTCHAs
Attackers are using optical character recognition and machine learning, as well as crowdsourcing
through third parties, to solve a CAPTCHA (Completely Automated Public Turing test to tell
Computers and Humans Apart).

CAPTCHA is a challenge-response test used to ensure that the response is generated by a person,
not a computer. Users are asked to read and type a string of distorted characters in order to ensure
that the user is a human, not a computer trying to access a website or account.

Attackers use automation in order to scrape data from websitesor add comments. Automation is
a real problem for web applications. Application owners introduced the CAPTCHA, which gives a
visitor to a website a test to determine whether it is human or automation, explained Tal Beery,
web security research team leader at Impervas Application Defense Center.

Using our array of honey pots, we were able to see attacks that bypassed the CAPTCHA and allowed
automation against these sites, he told Infosecurity.

Beery explained that spammers are using third parties to solve CAPTCHA, so-called crowdsourcing.
Through this technique, third parties establish networks of CAPTCHA-solving individuals who get
paid a small amount to solve thousands of CAPTCHAs. Spammers then hire these firms to bypass
CAPTCHAs for a modest price.

The Imperva report identified improved approaches to CAPTCHA that include using more difficult
CAPTCHAs with simple riddles and contextual semantics, which are more difficult for automated
tools to solve. These can be used when an automated web user is suspected.

In the report, Imperva advised anti-automation products to bolster CAPTCHA defenses with traffic-
based automation detection, behavioral analysis, content analysis, and blacklists. CAPTCHA should
be combined with other mechanisms against automation, Beery said.

The report recommended that CAPTCHA security should be balanced with a positive user
experience. This can be accomplished by using novel CAPTCHA methods that make the CAPTCHA
into something enjoyable, like a mini-game, and by minimizing the number of CAPTCHA challenges
that legitimate users encounter.

http://www.infosecurity-magazine.com/news/hackers-crack-captcha-website-security-measures/











Article 2
Strengthening CAPTCHA-based Web Security
Many of us are familiar with Web sites that force us to identify peculiar, warped letters in cluttered
images and enter them into a text box. One of the standard chores of registering with modern Web
services is the demonstration that we truly are human beings and not nefarious computer programs
set on causing mischief. Yet despite the warped and cluttered characters in these images becoming
harder to distinguish as each year passes, Web forums and blog comments still seem to be filled with
unwanted spam adverts. Clearly, the system is not working as well as it should. This paper therefore
addresses the topic of Web CAPTCHAs Completely Automated Public Turing tests to tell
Computers and Humans Apart and discusses how we might make them more effective and long
lasting without greatly inconveniencing everyday users [1].

Captchas are an important and widely used modern Internet technology. They reduce the ability of
automated agents to programatically exploit Webbased resources such as online email accounts,
online polls, Webbased comment systems, Webbased SMS portals and so on (CarnegieMellon
University, 2009; Pope and Kaur, 2005; von Ahn, et al., 2003). A captcha is a challenge that
authenticates users as human; human users are generally accepted to be much less able to exploit
Webbased resources than automated agents. Captchas require users to prove they are human by
conveniently exhibiting humanlevel intelligence in some manner (Turing, 1950; von Ahn, et al.,
2003). Generally, a user must correctly interpret an image, sound, or text phrase that has been
mathematically corrupted with noise, perturbations and transformations, though other types of
captcha exist (Baird and Bentley, 2005; Baird, et al., 2005; Bursztein, et al., 2010; Chow, et al., 2008;
Coates, et al., 2003; Gossweiler, et al., 2009; Microsoft, 2007; Misra and Gaj, 2006; Datta and Wang,
2006; ShiraliShahreza and ShiraliShahreza, 2007a; von Ahn, et al., 2003). The noise and
transformations are intended to make computerbased image or sound recognition effectively
intractable. In principle, this means that only humans can provide a correct response and thus gain
access to the Web resource protected by the captcha.

Unfortunately, in practice, captchas have not been quite so successful (Chellapilla and Simard, 2005;
Golle, 2008; Huang, et al., 2008; Mori and Malik, 2003; Moy, et al., 2004; Yan and El Ahmad, 2008a).
Generally, the essential problem in captcha design is the tradeoff between the difficulty of the
captcha for automated agents, and the convenience of the captcha for human agents. Figure 1
shows an example of a typical currentday captcha.

To date, the captchas that have been designed and implemented for high traffic sites such as
Google, Yahoo and MSN have proven vulnerable to attack (Bursztein, et al., 2011; Bursztein and
Bethard, 2009; Protalinski, 2008; VaughanNichols, 2008; Websense Security Labs, 2008a,b,c; 2009).
Designers of malicious automated agents have shown themselves to be very capable of overcoming
the obfuscation present within captchas, often combining simple heuristics with brute force attacks.
In addition to these attacks by realworld malicious users, Web security researchers engage in cat
andmouse style research in which captchas are designed and then broken, as an iterated and
evolving research challenge (Baird and Bentley, 2005; Baird, et al., 2005; Chellapilla and Simard,
2005; Golle, 2008; Huang, et al., 2008; Microsoft, 2007; Mori and Malik, 2003; Moy, et al., 2004; Yan
and El Ahmad, 2008a). This presents a problem for major Web sites relying upon captchas, as
researchers who successfully break a captcha system may indirectly assist malicious users. In
principle, research helps industrybased captcha system developers to produce robust and
convenient captchas. In practice, the delay between captcha systems being overcome and then
replaced by a newer and more successful captcha technique, allows malicious users a golden
opportunity to abuse Webbased resources.
http://firstmonday.org/ojs/index.php/fm/article/view/3630/3145
Article 3
Captcha Generation for Secure Web Services
Today internet has become a vital global tool for accessing services. Most of the time these internet
sites require registration to access these services .The proliferation of the publicly available services
on the Web is a boon for the community at large. But unfortunately it has invited new and novel
abuses. Programs (bots and spiders) are being created to steal services and to conduct fraudulent
transactions. Free online accounts are being registered automatically many times and are being used
to distribute stolen or copyrighted material. Recommendation systems are vulnerable to artificial
inflation or deflation of rankings. For example, EBay, a famous auction website allows users to rate a
product. Abusers can easily create bots that could increase or decrease the rating of a specific
product, possibly changing peoples perception towards the product. Automated computer
programs are always looking for a chance to enter these sites and sign up for the massive number of
accounts that is used to send spam email. This leads to wastage of resources on sites For this
purpose captcha is provided. It is used to verify whether the end user is human or not. In this paper
we are presenting a captcha using markov text and time variance. We examine three approaches of
captcha generation-Dictionary word, random string and markov text. Dictionary words are easy to
read but also easy to guess. Random strings are hard to guess and also hard to read and remember.
Markov text provides a way in between the two approaches. Along with the markov text algorithm
we use time variance concept. The captcha is refreshed after predefined time without affecting the
web page. Automated programs have enough time to apply processes and break the captcha
between the duration of form load and submit. Decreasing this duration may add to more security.