lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 30 Jan 2007 17:12:04 +0200 (IST)
From: Alexander Klimov <alserkli@...ox.ru>
To: bugtraq@...urityfocus.com
Subject: Re: Defeating CAPTCHAs via Averaging

On Sat, 27 Jan 2007 noreply9871234@...-habe-fertig.com wrote:
> The detailed article (including sample images) is online here:
> http://www.cip.physik.uni-muenchen.de/~wwieser/misc/captcha/
>
>> To extract a series of captchas with the same information (number)
>> in them, it is sufficient to repeatedly call their captcha
>> generator.

I am not sure I understand how you propose to build an automatic
system to attack it: If you can tell that two images contain the same
number then it is very likely that you can recognize the numbers
themselves (there are only 10 different digits). OTOH, if you have a
human in the loop, they can just use gimp to create the averaged
figure images from a single image per figure, and then use these
templates to calculate correlation in different places of a given
challenge.

> Do not produce images with noise-like distortions. For example,
> moving and rotaing individual letters by a large enough
> distance/angle will spoil averaging by reducing the contrast in
> averaged images.

If the number of distinct tuples (position, angle) is not a very large
number, the correlation attack will work anyway (and I doubt that it
is possible to make the number large, because the attacker can try to
start with a scaled down image and templates).

-- 
Regards,
ASK

Powered by blists - more mailing lists