
Video CAPTCHAs have been touted by their developer, NuCaptcha, as the best and most secure method of spotting bots trying to pass themselves off as human users.
Unfortunately for the company, researchers Elie Bursztein, Matthieu Martin, Shang Ping, Jonathan Aigrain, Mike Bailey and John Mitchell have managed to prove that over 90 percent of the company's video CAPTCHAs can be decoded by using their Decaptcha software in conjunction with optical flow algorithms created by researchers in the computer vision field of study.
Elie Bursztein shared their results and quite a few details about the research in a blog post on Friday, saying that while discussing ongoing research is unorthodox in the security community, the numerous interactions he has had with various companies over the last 3 years made him realize that many people rely on research results to design CAPTCHAs.
"In this context, it is our duty to provide them the best and most secure design guidelines possible," he commented. "I strongly believe in the example set by the cryptography community, that the best security is achieved through an open process and not with secrecy or isolation."
The post was also published months after they shared their research results with NuCaptcha, whom they advised on how to strengthen the technology.
"Our fix is based on a new design principle called tracking resistance," shared Bursztein. "Intuitively, tracking resistance means you add objects that have the same properties as the real CAPTCHA, so the algorithm doesn't know which object in the video it should track. When successfully implemented, tracking resistance makes video CAPTCHA secure against vision/machine learning attacks and more secure than standard text-based CAPTCHAs."
In short, they say that in order for video CAPTCHAs to be more secure, NuCaptcha needs to remove every feature that allows attackers to tell apart decoy moving objects and the real CAPTCHAs.
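As an added illustration of the tracking-resistance principle (not code from the researchers or NuCaptcha), the Python check below flags any measurable property on which the real CAPTCHA object stands out from its decoys. The feature names, the sample values and the 2-sigma threshold are constructed assumptions; only the figure of about 500 frames per video comes from the article.

```python
from statistics import mean, pstdev

# Constructed per-object measurements (feature names and values are
# assumptions for illustration, not NuCaptcha data).
DECOYS = {
    "decoy_a": {"speed": 6.0, "frames_visible": 120, "area": 880},
    "decoy_b": {"speed": 6.5, "frames_visible": 90, "area": 920},
    "decoy_c": {"speed": 5.5, "frames_visible": 150, "area": 890},
    "decoy_d": {"speed": 6.2, "frames_visible": 110, "area": 910},
}
# Weak design: the real object moves slowly and stays on screen for all ~500 frames.
WEAK = {"captcha": {"speed": 2.0, "frames_visible": 500, "area": 900}, **DECOYS}
# Hardened design: the real object shares the decoys' properties.
HARDENED = {"captcha": {"speed": 6.0, "frames_visible": 115, "area": 900}, **DECOYS}


def distinguishing_features(objects, target="captcha", threshold=2.0):
    """Return {feature: z-score} for every feature on which the target object
    differs from the decoys by more than `threshold` standard deviations."""
    decoys = [feats for name, feats in objects.items() if name != target]
    flagged = {}
    for feature, value in objects[target].items():
        values = [d[feature] for d in decoys]
        mu, sigma = mean(values), pstdev(values)
        if sigma == 0:
            # All decoys identical: any difference at all gives the target away.
            z = 0.0 if value == mu else float("inf")
        else:
            z = abs(value - mu) / sigma
        if z > threshold:
            flagged[feature] = round(z, 1)
    return flagged


if __name__ == "__main__":
    for label, design in (("weak", WEAK), ("hardened", HARDENED)):
        leaks = distinguishing_features(design)
        print(label, "->", leaks or "no distinguishing feature")
```

A design passes this check only when the function returns an empty dictionary, meaning none of the measured properties separates the real object from the decoys.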
With the help of the researchers, NuCaptcha has worked on a fix for the problem, which includes heavier distortions and more crowded letters. They also mean to add inter-frame manipulation (video CAPTCHAs contain about 500 frames) in order to prevent the optical flow analysis.
Bursztein remains skeptical about this last solution, but said they will reserve their judgment until after they have a chance to test the new, improved CAPTCHAs.

