SlideShare ist ein Scribd-Unternehmen logo

A CAPTCHA in the Rye

Imperva
Imperva

A CAPTCHA is a common security measure used to distinguish between humans and a “phony.” However, with hackers now deploying numerous methods to bypass CAPTCHAs, the line between real and phony isn’t clear and security professionals are forced to present CAPTCHAs sub optimally. This presentation reviews the use of CAPTCHAs as a security mechanism against malicious automation, examines the threat human-based CAPTCHA solving services pose to Web security, analyzes four case studies of CAPTCHA bypassing in the wild, and provides recommendations to improve the efficiency of existing CAPTCHA mechanisms by integrating with other automation detection measures.

TechnologieDesign
1 von 48
Downloaden Sie, um offline zu lesen
A CAPTCHA in the Rye Tal Be’ery, Web Research TL, Imperva
Webinar Agenda  Introduction to Imperva’s Hacker Intelligence Initiative  Automation on the Web + Good bots, bad bots  CAPTCHA + Caveats + Mitigation  Case study analysis  Summary of recommendations
Presenter: Tal Be’ery, CISSP  Web Security Research Team Leader at Imperva  Holds MSc & BSc degree in CS/EE from TAU  10+ years of experience in IS domain  Facebook “white hat”  Speaker at RSA, BlackHat, AusCERT  Columnist for securityweek.com
Imperva’s Hacker Intelligence Initiative CONFIDENTIAL
Hacker Intelligence Initiative (HII)  The Hacker Intelligence Initiative is focused on understanding how attackers operate in practice + A different approach from vulnerability research  Data set composition + ~50 real world applications + Anonymous Proxies  More than 18 months of data  Powerful analysis system + Combines analytic tools with drill down capabilities
HII - Motivation  Focus on actual threats + Focus on what hackers want, helping good guys prioritize + Technical insight into hacker activity + Business trends of hacker activity + Future directions of hacker activity  Eliminate uncertainties + Active attack sources + Explicit attack vectors + Spam content  Devise new defenses based on real data + Reduce guess work
HII Reports  Monthly reports based on data collection and analysis  Drill down into specific incidents or attack types  2011 / 2012 reports + Remote File Inclusion + Search Engine Poisoning + The Convergence of Google and Bots + Anatomy of a SQLi Attack + Hacker Forums Statistics + Automated Hacking + Password Worst Practices + Dissecting Hacktivist Attacks + CAPTCHA Analysis
WAAR – Web Application Attack Report  Semi annual  Based on aggregated analysis of 6 / 12 months of data  Motivation + Pick-up trends + High level take outs + Create comparative measurements over time
Automation on the Web CONFIDENTIAL
2012’s Web: Automation all over the place  Human traffic is in the minority Source: http://www.incapsula.com/the-incapsula-blog/item/225-what-google-doesnt-show-you-31-of-website-traffic-can-harm-your-business
Good Automation  Search engines + E.g. GoogleBot  Validators + Link checkers + CSS/HTML/.. Format validators + Friendly vuln scan  RSS feed readers + IE RSS reader  B2B
Good Bot  A good bot is a polite bot  Introduces itself + User agent  Specifies a method to validate identity + Usually by reverse DNS  Keeps the house rules - adheres to robots.txt + Who can crawl + What can be crawled + Rate of crawling
Bad Automation I: Hacking  Web application hacking attacks RFI SQLi Manual 2% 12% Manual Automatic Automatic 98% 88% Source: http://www.imperva.com/docs/HII_Automation_of_Attacks.pdf
Bad Automation II: Comment Spamming  Abusing comment functionality to embed spam content
Bad Automation III: Site Scraping  Stealing site’s Intellectual Property + PII from government sites + Price quotes + Stealing media (images) from media sites  We will analyze some “in the wild” examples
CAPTCHA Defined CONFIDENTIAL
CAPTCHA Defined  Completely Automated Public Turing test to tell Computers and Humans Apart  A good CAPTCHA is a test + Easy for humans + Hard for computers  Can be used to fight automation
CAPTCHA Implementations  Hosted solutions + ReCAPTCHA - Acquired by Google  Application Add-ons + PHP CAPTCHA
CAPTCHAS Caveats  Bad implementations + Too easy for computers + Too hard for humans + Sometimes both   Can be defeated by “Artificial Artificial” (Artificial^2) Intelligence + Mechanical turk Source: http://www.johnmwillis.com/other/top-10-worst-captchas/
Bad CAPTCHA: Easy for Computers  Many are based on the character recognition problem  Can be broke with OCR based tool + CAPTCHA Sniper tool
Bad CAPTCHA: Easy for Computers  Low entropy  Example “what’s the animal in the picture”  10,000 animal pictures  Attackers can + Solve each picture once and bypass CAPTCHA forever + Guess thousands of times until they get it right – Computers don’t get bored in the process  Known to happen with many “Audio CAPTCHA”
Bad CAPTCHA: Easy for Computers  Attacker can force the specific CAPTCHA test  The servers validates the answer based on some value passed by the client + /captcha.jsp?test_id=1234&answer=cat  Attackers can solve a single test once and bypass CAPTCHA forever
Bypassing CAPTCHA: Artificial Artificial  Can be very annoying Source: http://ordinarygaming.blogspot.co.il/2012/08/dear-captcha-i-hate-you-and-wish-you.html
Bypassing CAPTCHA: Artificial Artificial  Can be very annoying Source: http://ordinarygaming.blogspot.co.il/2012/08/dear-captcha-i-hate-you-and-wish-you.html
Bypassing CAPTCHA: Artificial Artificial  Can be very annoying Source: http://ordinarygaming.blogspot.co.il/2012/08/dear-captcha-i-hate-you-and-wish-you.html
Bypassing CAPTCHA: Artificial Artificial  Can be very annoying Source: http://ordinarygaming.blogspot.co.il/2012/08/dear-captcha-i-hate-you-and-wish-you.html
Bypassing CAPTCHA: Artificial^2 intelligence  Convincing humans to solve CAPTCHA + Money – Paying for micro jobs + Extortion – Shutdown Malware
Bypassing CAPTCHA: Playing Strip CAPTCHA Source: http://www.ghacks.net/2007/12/07/melissa-strip-captcha-breaker-trojan/
Bypassing CAPTCHA: Playing Strip CAPTCHA Source: http://www.ghacks.net/2007/12/07/melissa-strip-captcha-breaker-trojan/
Bypassing CAPTCHA: Playing Strip CAPTCHA Source: http://www.ghacks.net/2007/12/07/melissa-strip-captcha-breaker-trojan/
Detecting Automation: Additional Automation Tests  Adding defense dimensions + Augmenting CAPTCHA with other anti-automation measures  The combination of tests makes bypassing harder + Tests cannot be solved by merely exporting to humans  Invisible tests don’t change User Experience (UX)
Detecting Automation: Passive  Passive Methods + Watch network traffic “as-is” + Non intrusive, do not affect user experience  Traffic Shape Indicators + We measure suspicious requests (rather than ALL requests) + Measured attributes – Rate – Rate change (ramp-up speed) – Volume + Difficult to measure in an inherently noisy source (NAT)  Request Shape Indicators + Missing headers + Mismatch between headers and location
Detecting Automation: Passive
Detecting Automation: Active  Introduce changes into the server response + Test client’s reaction to changes + May affect user experience – use with care + Verify type of user agent  Browsers support Javascript and an appropriate DOM + Client is expected to complete some computation + Application / GW can validate the computed value  Browsers comply with HTML tags (IMG, IFRAME) + Client is expected to access resource referenced by embedded tags + Failure to access the resources implies that client is an automated script
Detecting Automation: Wisdom of the Crowds  Detected automation feeds into building fingerprints of tools and reputation data for sources  Leveraged when data is collected within a community  Recent regulatory changes endorse the concept of community  Drop requests matching fingerprints or coming from ill reputed sources
Detecting Automation: Challenges and Metering  Introduce changes to the response that require a true browser user-agent before letting any further requests within a session + Application / GW keeps sending the test for any request not in a validated session + A session is validated only if user-agent responds properly  Introduce changes to the response that (based on the previous enforcement) introduce client side latency + Challenge the client to solve a mathematical riddle + Partial hash collisions are a good example
Detecting Automation: CAPTCHA 2.0  Gamification - CAPTCHAs that are more fun for humans but hard for computers
Case Study Analysis CONFIDENTIAL
Case Study: Attacked Site  South American government tax agency  Displays tax statement per company unique ID  Protected against automation with CAPTCHA  Having the whole database offline would allow attackers to run arbitrary additional queries on the database to get financial information
Case Study: The CAPTCHA  5 random letters  Fairly easy to OCR
Case Study: CAPTCHA by Passing
Attack Characteristics  Few attempts per CAPTCHA until solved  Over TOR for anonymity  Requests lacked proper headers + User agent of known browsers + But Accept headers were missing  CAPTCHA solving requests sent in a very high rate
Summary and Recommendations CONFIDENTIAL
Summary Automation is a major phenomena – used by both good and bad guys CAPTCHA is a popular anti-automation tool but has caveats, and hackers are abusing them Augment CAPTCHA with other anti-automation measures – traffic shape, traffic rate Use community based anti-automation reputation service
Imperva in 60 Seconds Attack Usage Protection Audit Virtual Rights Patching Management Reputation Access Controls Control
Webinar Materials 46 CONFIDENTIAL
Webinar Materials Join Imperva LinkedIn Group, Imperva Data Security Direct, for… Answers to Post-Webinar Attendee Discussions Questions Webinar Join Group Recording Link
www.imperva.com - CONFIDENTIAL -

Empfohlen

Rtp rsp16-distil networks-final-deck
Rtp rsp16-distil networks-final-deckRtp rsp16-distil networks-final-deck
Rtp rsp16-distil networks-final-deck
G3 Communications
 
8. cyber51-case-studies
8. cyber51-case-studies8. cyber51-case-studies
8. cyber51-case-studies
Doree Garcia, CCNA, OSWP
 
Redefining technical SEO & how we should be thinking about it as an industry ...
Redefining technical SEO & how we should be thinking about it as an industry ...Redefining technical SEO & how we should be thinking about it as an industry ...
Redefining technical SEO & how we should be thinking about it as an industry ...
WeLoveSEO
 
Alexis max-Creating a bot experience as good as your user experience - Alexis...
Alexis max-Creating a bot experience as good as your user experience - Alexis...Alexis max-Creating a bot experience as good as your user experience - Alexis...
Alexis max-Creating a bot experience as good as your user experience - Alexis...
WeLoveSEO
 
CSRF_RSA_2008_Jeremiah_Grossman
CSRF_RSA_2008_Jeremiah_GrossmanCSRF_RSA_2008_Jeremiah_Grossman
CSRF_RSA_2008_Jeremiah_Grossman
guestdb261a
 
State of the Art Analysis Approach for Identification of the Malignant URLs
State of the Art Analysis Approach for Identification of the Malignant URLsState of the Art Analysis Approach for Identification of the Malignant URLs
State of the Art Analysis Approach for Identification of the Malignant URLs
IOSRjournaljce
 
Test slideshow
Test slideshowTest slideshow
Test slideshow
legacye
 
IRJET - Chrome Extension for Detecting Phishing Websites
IRJET - Chrome Extension for Detecting Phishing WebsitesIRJET - Chrome Extension for Detecting Phishing Websites
IRJET - Chrome Extension for Detecting Phishing Websites
IRJET Journal
 

Empfohlen

Rtp rsp16-distil networks-final-deck
Rtp rsp16-distil networks-final-deckRtp rsp16-distil networks-final-deck
Rtp rsp16-distil networks-final-deck
G3 Communications
 
8. cyber51-case-studies
8. cyber51-case-studies8. cyber51-case-studies
8. cyber51-case-studies
Doree Garcia, CCNA, OSWP
 
Redefining technical SEO & how we should be thinking about it as an industry ...
Redefining technical SEO & how we should be thinking about it as an industry ...Redefining technical SEO & how we should be thinking about it as an industry ...
Redefining technical SEO & how we should be thinking about it as an industry ...
WeLoveSEO
 
Alexis max-Creating a bot experience as good as your user experience - Alexis...
Alexis max-Creating a bot experience as good as your user experience - Alexis...Alexis max-Creating a bot experience as good as your user experience - Alexis...
Alexis max-Creating a bot experience as good as your user experience - Alexis...
WeLoveSEO
 
CSRF_RSA_2008_Jeremiah_Grossman
CSRF_RSA_2008_Jeremiah_GrossmanCSRF_RSA_2008_Jeremiah_Grossman
CSRF_RSA_2008_Jeremiah_Grossman
guestdb261a
 
State of the Art Analysis Approach for Identification of the Malignant URLs
State of the Art Analysis Approach for Identification of the Malignant URLsState of the Art Analysis Approach for Identification of the Malignant URLs
State of the Art Analysis Approach for Identification of the Malignant URLs
IOSRjournaljce
 
Test slideshow
Test slideshowTest slideshow
Test slideshow
legacye
 
IRJET - Chrome Extension for Detecting Phishing Websites
IRJET - Chrome Extension for Detecting Phishing WebsitesIRJET - Chrome Extension for Detecting Phishing Websites
IRJET - Chrome Extension for Detecting Phishing Websites
IRJET Journal
 
Are Bot Operators Eating Your Lunch?
Are Bot Operators Eating Your Lunch?Are Bot Operators Eating Your Lunch?
Are Bot Operators Eating Your Lunch?
Distil Networks
 
Spam Wars
Spam WarsSpam Wars
Spam Wars
Maurice Green
 
GNUCITIZEN Pdp Owasp Day September 2007
GNUCITIZEN Pdp Owasp Day September 2007GNUCITIZEN Pdp Owasp Day September 2007
GNUCITIZEN Pdp Owasp Day September 2007
guest20ab09
 
Ensuring Property Portal Listing Data Security
Ensuring Property Portal Listing Data SecurityEnsuring Property Portal Listing Data Security
Ensuring Property Portal Listing Data Security
Distil Networks
 
DevSecCon London 2018: How to fit threat modelling into agile development: sl...
DevSecCon London 2018: How to fit threat modelling into agile development: sl...DevSecCon London 2018: How to fit threat modelling into agile development: sl...
DevSecCon London 2018: How to fit threat modelling into agile development: sl...
DevSecCon
 
Honeypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinHoneypots, Deception, and Frankenstein
Honeypots, Deception, and Frankenstein
Phillip Maddux
 
Low Latency Fraud Detection & Prevention
Low Latency Fraud Detection & PreventionLow Latency Fraud Detection & Prevention
Low Latency Fraud Detection & Prevention
Sid Anand
 
A CAPTCHA in the Rye
A CAPTCHA in the RyeA CAPTCHA in the Rye
A CAPTCHA in the Rye
Imperva
 
The artificial reality of cyber defense
The artificial reality of cyber defenseThe artificial reality of cyber defense
The artificial reality of cyber defense
DATA SECURITY SOLUTIONS
 
Distil Network Sponsor Presentation at the Property Portal Watch Conference -...
Distil Network Sponsor Presentation at the Property Portal Watch Conference -...Distil Network Sponsor Presentation at the Property Portal Watch Conference -...
Distil Network Sponsor Presentation at the Property Portal Watch Conference -...
Property Portal Watch
 
Www usenix-org
Www usenix-orgWww usenix-org
Www usenix-org
Ouzza Brahim
 
Men in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserMen in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the Browser
Source Conference
 
Is Your API Being Abused – And Would You Even Notice If It Was?
Is Your API Being Abused – And Would You Even Notice If It Was?Is Your API Being Abused – And Would You Even Notice If It Was?
Is Your API Being Abused – And Would You Even Notice If It Was?
Nordic APIs
 
apidays Helsinki & North 2023 - API Security in the era of Generative AI, Mat...
apidays Helsinki & North 2023 - API Security in the era of Generative AI, Mat...apidays Helsinki & North 2023 - API Security in the era of Generative AI, Mat...
apidays Helsinki & North 2023 - API Security in the era of Generative AI, Mat...
apidays
 
IRJET- Different Implemented Captchas and Breaking Methods
IRJET- Different Implemented Captchas and Breaking MethodsIRJET- Different Implemented Captchas and Breaking Methods
IRJET- Different Implemented Captchas and Breaking Methods
IRJET Journal
 
How To Protect Your Website From Bot Attacks
How To Protect Your Website From Bot AttacksHow To Protect Your Website From Bot Attacks
How To Protect Your Website From Bot Attacks
London School of Cyber Security
 
Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016
Andrew McNicol
 
Captcha report
Captcha reportCaptcha report
Captcha report
RAJ SINGH MANDY
 
We cant hack ourselves secure
We cant hack ourselves secureWe cant hack ourselves secure
We cant hack ourselves secure
Eoin Keary
 
DataDome's winning deck for 2019 FIC (Cybersecurity International Forum) "Pri...
DataDome's winning deck for 2019 FIC (Cybersecurity International Forum) "Pri...DataDome's winning deck for 2019 FIC (Cybersecurity International Forum) "Pri...
DataDome's winning deck for 2019 FIC (Cybersecurity International Forum) "Pri...
DataDome
 
Cybersecurity and Healthcare - HIMSS 2018 Survey
Cybersecurity and Healthcare - HIMSS 2018 SurveyCybersecurity and Healthcare - HIMSS 2018 Survey
Cybersecurity and Healthcare - HIMSS 2018 Survey
Imperva
 
API Security Survey
API Security SurveyAPI Security Survey
API Security Survey
Imperva
 

Weitere ähnliche Inhalte

Ähnlich wie A CAPTCHA in the Rye

Are Bot Operators Eating Your Lunch?
Are Bot Operators Eating Your Lunch?Are Bot Operators Eating Your Lunch?
Are Bot Operators Eating Your Lunch?
Distil Networks
 
Ensuring Property Portal Listing Data Security
Ensuring Property Portal Listing Data SecurityEnsuring Property Portal Listing Data Security
Ensuring Property Portal Listing Data Security
Distil Networks
 
DevSecCon London 2018: How to fit threat modelling into agile development: sl...
DevSecCon London 2018: How to fit threat modelling into agile development: sl...DevSecCon London 2018: How to fit threat modelling into agile development: sl...
DevSecCon London 2018: How to fit threat modelling into agile development: sl...
DevSecCon
 
Is Your API Being Abused – And Would You Even Notice If It Was?
Is Your API Being Abused – And Would You Even Notice If It Was?Is Your API Being Abused – And Would You Even Notice If It Was?
Is Your API Being Abused – And Would You Even Notice If It Was?
Nordic APIs
 

Ähnlich wie A CAPTCHA in the Rye (20)

Are Bot Operators Eating Your Lunch?
Are Bot Operators Eating Your Lunch?Are Bot Operators Eating Your Lunch?
Are Bot Operators Eating Your Lunch?
 
Spam Wars
Spam WarsSpam Wars
Spam Wars
 
GNUCITIZEN Pdp Owasp Day September 2007
GNUCITIZEN Pdp Owasp Day September 2007GNUCITIZEN Pdp Owasp Day September 2007
GNUCITIZEN Pdp Owasp Day September 2007
 
Ensuring Property Portal Listing Data Security
Ensuring Property Portal Listing Data SecurityEnsuring Property Portal Listing Data Security
Ensuring Property Portal Listing Data Security
 
DevSecCon London 2018: How to fit threat modelling into agile development: sl...
DevSecCon London 2018: How to fit threat modelling into agile development: sl...DevSecCon London 2018: How to fit threat modelling into agile development: sl...
DevSecCon London 2018: How to fit threat modelling into agile development: sl...
 
Honeypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinHoneypots, Deception, and Frankenstein
Honeypots, Deception, and Frankenstein
 
Low Latency Fraud Detection & Prevention
Low Latency Fraud Detection & PreventionLow Latency Fraud Detection & Prevention
Low Latency Fraud Detection & Prevention
 
A CAPTCHA in the Rye
A CAPTCHA in the RyeA CAPTCHA in the Rye
A CAPTCHA in the Rye
 
The artificial reality of cyber defense
The artificial reality of cyber defenseThe artificial reality of cyber defense
The artificial reality of cyber defense
 
Distil Network Sponsor Presentation at the Property Portal Watch Conference -...
Distil Network Sponsor Presentation at the Property Portal Watch Conference -...Distil Network Sponsor Presentation at the Property Portal Watch Conference -...
Distil Network Sponsor Presentation at the Property Portal Watch Conference -...
 
Www usenix-org
Www usenix-orgWww usenix-org
Www usenix-org
 
Men in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserMen in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the Browser
 
Is Your API Being Abused – And Would You Even Notice If It Was?
Is Your API Being Abused – And Would You Even Notice If It Was?Is Your API Being Abused – And Would You Even Notice If It Was?
Is Your API Being Abused – And Would You Even Notice If It Was?
 
apidays Helsinki & North 2023 - API Security in the era of Generative AI, Mat...
apidays Helsinki & North 2023 - API Security in the era of Generative AI, Mat...apidays Helsinki & North 2023 - API Security in the era of Generative AI, Mat...
apidays Helsinki & North 2023 - API Security in the era of Generative AI, Mat...
 
IRJET- Different Implemented Captchas and Breaking Methods
IRJET- Different Implemented Captchas and Breaking MethodsIRJET- Different Implemented Captchas and Breaking Methods
IRJET- Different Implemented Captchas and Breaking Methods
 
How To Protect Your Website From Bot Attacks
How To Protect Your Website From Bot AttacksHow To Protect Your Website From Bot Attacks
How To Protect Your Website From Bot Attacks
 
Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016
 
Captcha report
Captcha reportCaptcha report
Captcha report
 
We cant hack ourselves secure
We cant hack ourselves secureWe cant hack ourselves secure
We cant hack ourselves secure
 
DataDome's winning deck for 2019 FIC (Cybersecurity International Forum) "Pri...
DataDome's winning deck for 2019 FIC (Cybersecurity International Forum) "Pri...DataDome's winning deck for 2019 FIC (Cybersecurity International Forum) "Pri...
DataDome's winning deck for 2019 FIC (Cybersecurity International Forum) "Pri...
 

Mehr von Imperva

Making Sense of Web Attacks: From Alerts to Narratives
Making Sense of Web Attacks: From Alerts to NarrativesMaking Sense of Web Attacks: From Alerts to Narratives
Making Sense of Web Attacks: From Alerts to Narratives
Imperva
 

Mehr von Imperva (20)

Cybersecurity and Healthcare - HIMSS 2018 Survey
Cybersecurity and Healthcare - HIMSS 2018 SurveyCybersecurity and Healthcare - HIMSS 2018 Survey
Cybersecurity and Healthcare - HIMSS 2018 Survey
 
API Security Survey
API Security SurveyAPI Security Survey
API Security Survey
 
Imperva ppt
Imperva pptImperva ppt
Imperva ppt
 
Beyond takeover: stories from a hacked account
Beyond takeover: stories from a hacked accountBeyond takeover: stories from a hacked account
Beyond takeover: stories from a hacked account
 
Research: From zero to phishing in 60 seconds
Research: From zero to phishing in 60 seconds Research: From zero to phishing in 60 seconds
Research: From zero to phishing in 60 seconds
 
Making Sense of Web Attacks: From Alerts to Narratives
Making Sense of Web Attacks: From Alerts to NarrativesMaking Sense of Web Attacks: From Alerts to Narratives
Making Sense of Web Attacks: From Alerts to Narratives
 
How We Blocked a 650Gb DDoS Attack Over Lunch
How We Blocked a 650Gb DDoS Attack Over LunchHow We Blocked a 650Gb DDoS Attack Over Lunch
How We Blocked a 650Gb DDoS Attack Over Lunch
 
Survey: Insider Threats and Cyber Security
Survey: Insider Threats and Cyber SecuritySurvey: Insider Threats and Cyber Security
Survey: Insider Threats and Cyber Security
 
Companies Aware, but Not Prepared for GDPR
Companies Aware, but Not Prepared for GDPRCompanies Aware, but Not Prepared for GDPR
Companies Aware, but Not Prepared for GDPR
 
Rise of Ransomware
Rise of Ransomware Rise of Ransomware
Rise of Ransomware
 
7 Tips to Protect Your Data from Contractors and Privileged Vendors
7 Tips to Protect Your Data from Contractors and Privileged Vendors7 Tips to Protect Your Data from Contractors and Privileged Vendors
7 Tips to Protect Your Data from Contractors and Privileged Vendors
 
SEO Botnet Sophistication
SEO Botnet SophisticationSEO Botnet Sophistication
SEO Botnet Sophistication
 
Phishing Made Easy
Phishing Made EasyPhishing Made Easy
Phishing Made Easy
 
Imperva 2017 Cyber Threat Defense Report
Imperva 2017 Cyber Threat Defense ReportImperva 2017 Cyber Threat Defense Report
Imperva 2017 Cyber Threat Defense Report
 
Combat Payment Card Attacks with WAF and Threat Intelligence
Combat Payment Card Attacks with WAF and Threat IntelligenceCombat Payment Card Attacks with WAF and Threat Intelligence
Combat Payment Card Attacks with WAF and Threat Intelligence
 
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing ExponentiallyHTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
HTTP/2: Faster Doesn't Mean Safer, Attack Surface Growing Exponentially
 
Get Going With Your GDPR Plan
Get Going With Your GDPR PlanGet Going With Your GDPR Plan
Get Going With Your GDPR Plan
 
Cyber Criminal's Path To Your Data
Cyber Criminal's Path To Your DataCyber Criminal's Path To Your Data
Cyber Criminal's Path To Your Data
 
Combat Today's Threats With A Single Platform For App and Data Security
Combat Today's Threats With A Single Platform For App and Data SecurityCombat Today's Threats With A Single Platform For App and Data Security
Combat Today's Threats With A Single Platform For App and Data Security
 
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2 : New attacks on the Internet’s Next Generation FoundationHacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
 

Kürzlich hochgeladen

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 

Kürzlich hochgeladen (20)

Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 

A CAPTCHA in the Rye

  • 1. A CAPTCHA in the Rye Tal Be’ery, Web Research TL, Imperva
  • 2. Webinar Agenda  Introduction to Imperva’s Hacker Intelligence Initiative  Automation on the Web + Good bots, bad bots  CAPTCHA + Caveats + Mitigation  Case study analysis  Summary of recommendations
  • 3. Presenter: Tal Be’ery, CISSP  Web Security Research Team Leader at Imperva  Holds MSc & BSc degree in CS/EE from TAU  10+ years of experience in IS domain  Facebook “white hat”  Speaker at RSA, BlackHat, AusCERT  Columnist for securityweek.com
  • 4. Imperva’s Hacker Intelligence Initiative CONFIDENTIAL
  • 5. Hacker Intelligence Initiative (HII)  The Hacker Intelligence Initiative is focused on understanding how attackers operate in practice + A different approach from vulnerability research  Data set composition + ~50 real world applications + Anonymous Proxies  More than 18 months of data  Powerful analysis system + Combines analytic tools with drill down capabilities
  • 6. HII - Motivation  Focus on actual threats + Focus on what hackers want, helping good guys prioritize + Technical insight into hacker activity + Business trends of hacker activity + Future directions of hacker activity  Eliminate uncertainties + Active attack sources + Explicit attack vectors + Spam content  Devise new defenses based on real data + Reduce guess work
  • 7. HII Reports  Monthly reports based on data collection and analysis  Drill down into specific incidents or attack types  2011 / 2012 reports + Remote File Inclusion + Search Engine Poisoning + The Convergence of Google and Bots + Anatomy of a SQLi Attack + Hacker Forums Statistics + Automated Hacking + Password Worst Practices + Dissecting Hacktivist Attacks + CAPTCHA Analysis
  • 8. WAAR – Web Application Attack Report  Semi annual  Based on aggregated analysis of 6 / 12 months of data  Motivation + Pick-up trends + High level take outs + Create comparative measurements over time
  • 9. Automation on the Web CONFIDENTIAL
  • 10. 2012’s Web: Automation all over the place  Human traffic is in the minority Source: http://www.incapsula.com/the-incapsula-blog/item/225-what-google-doesnt-show-you-31-of-website-traffic-can-harm-your-business
  • 11. Good Automation  Search engines + E.g. GoogleBot  Validators + Link checkers + CSS/HTML/.. Format validators + Friendly vuln scan  RSS feed readers + IE RSS reader  B2B
  • 12. Good Bot  A good bot is a polite bot  Introduces itself + User agent  Specifies a method to validate identity + Usually by reverse DNS  Keeps the house rules - adheres to robots.txt + Who can crawl + What can be crawled + Rate of crawling
  • 13. Bad Automation I: Hacking  Web application hacking attacks RFI SQLi Manual 2% 12% Manual Automatic Automatic 98% 88% Source: http://www.imperva.com/docs/HII_Automation_of_Attacks.pdf
  • 14. Bad Automation II: Comment Spamming  Abusing comment functionality to embed spam content
  • 15. Bad Automation III: Site Scraping  Stealing site’s Intellectual Property + PII from government sites + Price quotes + Stealing media (images) from media sites  We will analyze some “in the wild” examples
  • 16. CAPTCHA Defined CONFIDENTIAL
  • 17. CAPTCHA Defined  Completely Automated Public Turing test to tell Computers and Humans Apart  A good CAPTCHA is a test + Easy for humans + Hard for computers  Can be used to fight automation
  • 18. CAPTCHA Implementations  Hosted solutions + ReCAPTCHA - Acquired by Google  Application Add-ons + PHP CAPTCHA
  • 19. CAPTCHAS Caveats  Bad implementations + Too easy for computers + Too hard for humans + Sometimes both   Can be defeated by “Artificial Artificial” (Artificial^2) Intelligence + Mechanical turk Source: http://www.johnmwillis.com/other/top-10-worst-captchas/
  • 20. Bad CAPTCHA: Easy for Computers  Many are based on the character recognition problem  Can be broke with OCR based tool + CAPTCHA Sniper tool
  • 21. Bad CAPTCHA: Easy for Computers  Low entropy  Example “what’s the animal in the picture”  10,000 animal pictures  Attackers can + Solve each picture once and bypass CAPTCHA forever + Guess thousands of times until they get it right – Computers don’t get bored in the process  Known to happen with many “Audio CAPTCHA”
  • 22. Bad CAPTCHA: Easy for Computers  Attacker can force the specific CAPTCHA test  The servers validates the answer based on some value passed by the client + /captcha.jsp?test_id=1234&answer=cat  Attackers can solve a single test once and bypass CAPTCHA forever
  • 23. Bypassing CAPTCHA: Artificial Artificial  Can be very annoying Source: http://ordinarygaming.blogspot.co.il/2012/08/dear-captcha-i-hate-you-and-wish-you.html
  • 24. Bypassing CAPTCHA: Artificial Artificial  Can be very annoying Source: http://ordinarygaming.blogspot.co.il/2012/08/dear-captcha-i-hate-you-and-wish-you.html
  • 25. Bypassing CAPTCHA: Artificial Artificial  Can be very annoying Source: http://ordinarygaming.blogspot.co.il/2012/08/dear-captcha-i-hate-you-and-wish-you.html
  • 26. Bypassing CAPTCHA: Artificial Artificial  Can be very annoying Source: http://ordinarygaming.blogspot.co.il/2012/08/dear-captcha-i-hate-you-and-wish-you.html
  • 27. Bypassing CAPTCHA: Artificial^2 intelligence  Convincing humans to solve CAPTCHA + Money – Paying for micro jobs + Extortion – Shutdown Malware
  • 28. Bypassing CAPTCHA: Playing Strip CAPTCHA Source: http://www.ghacks.net/2007/12/07/melissa-strip-captcha-breaker-trojan/
  • 29. Bypassing CAPTCHA: Playing Strip CAPTCHA Source: http://www.ghacks.net/2007/12/07/melissa-strip-captcha-breaker-trojan/
  • 30. Bypassing CAPTCHA: Playing Strip CAPTCHA Source: http://www.ghacks.net/2007/12/07/melissa-strip-captcha-breaker-trojan/
  • 31. Detecting Automation: Additional Automation Tests  Adding defense dimensions + Augmenting CAPTCHA with other anti-automation measures  The combination of tests makes bypassing harder + Tests cannot be solved by merely exporting to humans  Invisible tests don’t change User Experience (UX)
  • 32. Detecting Automation: Passive  Passive Methods + Watch network traffic “as-is” + Non intrusive, do not affect user experience  Traffic Shape Indicators + We measure suspicious requests (rather than ALL requests) + Measured attributes – Rate – Rate change (ramp-up speed) – Volume + Difficult to measure in an inherently noisy source (NAT)  Request Shape Indicators + Missing headers + Mismatch between headers and location
  • 34. Detecting Automation: Active  Introduce changes into the server response + Test client’s reaction to changes + May affect user experience – use with care + Verify type of user agent  Browsers support Javascript and an appropriate DOM + Client is expected to complete some computation + Application / GW can validate the computed value  Browsers comply with HTML tags (IMG, IFRAME) + Client is expected to access resource referenced by embedded tags + Failure to access the resources implies that client is an automated script
  • 35. Detecting Automation: Wisdom of the Crowds  Detected automation feeds into building fingerprints of tools and reputation data for sources  Leveraged when data is collected within a community  Recent regulatory changes endorse the concept of community  Drop requests matching fingerprints or coming from ill reputed sources
  • 36. Detecting Automation: Challenges and Metering  Introduce changes to the response that require a true browser user-agent before letting any further requests within a session + Application / GW keeps sending the test for any request not in a validated session + A session is validated only if user-agent responds properly  Introduce changes to the response that (based on the previous enforcement) introduce client side latency + Challenge the client to solve a mathematical riddle + Partial hash collisions are a good example
  • 37. Detecting Automation: CAPTCHA 2.0  Gamification - CAPTCHAs that are more fun for humans but hard for computers
  • 38. Case Study Analysis CONFIDENTIAL
  • 39. Case Study: Attacked Site  South American government tax agency  Displays tax statement per company unique ID  Protected against automation with CAPTCHA  Having the whole database offline would allow attackers to run arbitrary additional queries on the database to get financial information
  • 40. Case Study: The CAPTCHA  5 random letters  Fairly easy to OCR
  • 41. Case Study: CAPTCHA by Passing
  • 42. Attack Characteristics  Few attempts per CAPTCHA until solved  Over TOR for anonymity  Requests lacked proper headers + User agent of known browsers + But Accept headers were missing  CAPTCHA solving requests sent in a very high rate
  • 44. Summary Automation is a major phenomena – used by both good and bad guys CAPTCHA is a popular anti-automation tool but has caveats, and hackers are abusing them Augment CAPTCHA with other anti-automation measures – traffic shape, traffic rate Use community based anti-automation reputation service
  • 45. Imperva in 60 Seconds Attack Usage Protection Audit Virtual Rights Patching Management Reputation Access Controls Control
  • 46. Webinar Materials 46 CONFIDENTIAL
  • 47. Webinar Materials Join Imperva LinkedIn Group, Imperva Data Security Direct, for… Answers to Post-Webinar Attendee Discussions Questions Webinar Join Group Recording Link