Transcript
  • 8/14/2019 DMK BO2K7 Web

    1/67

    copyright IOActive, Inc. 2006, all rights reserved.

    Black Ops 2007: Design Reviewing The Web
    AKA: Packets Will Be Involved

    Dan Kaminsky
    Director of Penetration Testing
    IOActive, Inc.

  • 2/67

    Introduction

    This is my seventh talk here at Black Hat, where previous subjects have included:
    Everything over SSH
    Massive Speed Network Scanning
    Everything over DNS
    Pattern Analysis
    Neutrality Verification
    New Target: The World Wide Web
    Why?

  • 3/67

    That's Not A Moon, That's A Web Browser

    LucasFilm

  • 4/67

    Mobile Too!

    LucasFilm

  • 5/67

    Where The Wild Things Are

    Rampant and persistent XSS/XSRF announcements
    Superbowl .WMF 0-day
    Two days before the Superbowl, malicious image placed on a web page
    1+M desktops compromised overnight
    DNS Rebinding Test By Dan Boneh's Team at Stanford
    Test Flash applet placed on an ad network, distributed across many web sites
    Applet acquired partial network connectivity to the client LAN
    +100K networks exposed

  • 6/67

    These Are A Few Of My Favorite Things

    DNS? Tunneling? Behind Firewalls?
    I try to get out, but they pull me back in!
    DNS Rebinding is an old bug
    Dates back to 1996
    So old, people forgot about it, and started building systems that didn't defend against it
    Dan Boneh of Stanford University's been driving the most thorough research
    Attack dates back to 1996 (Princeton Attack)
    Martin Johns revived the attack in August 2006
    RSnake's been pushing a lot of attention its way
    Effect: DNS Rebinding partially breaks the security policy of the web.

  • 7/67

    How Does The Web Work?

    Web pages are pulled together in the browser, from pieces that can come from all over the place
    You can even embed one web page inside another one!
    This is an IFrame
    But what if someone embedded Hotmail, and you were logged in? Would they be able to read your mail?

  • 8/67

    The Same Origin Policy

    Look but don't touch
    A web page can embed Hotmail, but it can't look inside to see what's happening
    Access to look inside is controlled by the Same Origin Policy
    If foo.com has an iframe to foo.com, it can look inside.
    If foo.com has an iframe to bar.com, it can display bar.com to the user, but it can't peek inside and see what the user sees.
    If two things come from the same place, they must be trusted the same
    Same place = Same name, right?

  • 9/67

    The Bug

    Names don't host anything. Everything comes from IP addresses
    We use DNS to translate between a name we trust and an IP address we communicate with
    Foo.com -> 1.2.3.4
    Bar.com -> 3.4.5.6
    Assumption: The translations don't change
    Reality: Both foo.com and bar.com can return any IP address, at any time, whether they control that IP or not
    Bar.com can return an IP address of Foo.com's

  • 10/67

    Now What?

    One moment, bar.com could point to a server in Europe
    The next moment, bar.com could point to the printer down the hall
    Suppose your browser loaded a page from each address
    The content from the European server would be from bar.com
    The content from the printer down the hall would also be from bar.com
    According to the Same Origin Policy, the server in Europe can do whatever it wants to your printer!
    The server can't get past your corporate firewall, but it doesn't need to. It'll tell your browser what to do, and your browser will report back with whatever your printer is up to.

  • 11/67

    Why The Attack Works

    Browser doesn't know bar.com from the external IP is any different from bar.com from the internal IP
    This is by design
    Major web sites have IP addresses spread across the world, and resources acquired from them need to be able to script against one another
    Detecting that there's a cross-IP scripting action happening is only the beginning; what to do after that is what people are trying to figure out.

  • 12/67

    What is the canonical attack here?

    Firewall Bypass
    Most corporate networks draw a significant distinction between the "external" network and the "internal" network
    Things inside can route out
    Things outside cannot route in
    By bouncing off a lured browser, an attacker on the outside can access resources on the inside

  • 13/67

    Levels of Exploitation

    Level 1: Browser-Only
    One IFrame is from Europe, the other is down the hall. Same name, so they can script against each other.
    The Win: Arbitrary HTTP Sites
    Level 2: Web Plugins
    MSXML* / XmlHTTPRequest / Silverlight
    The Win: HTTP + Web Services + Semi-Arbitrary Headers
    Level 3: Socket Plugins
    Flash / Java, though different resources are available through each
    The Win: Everything from L1+L2, plus various degrees of TCP or UDP access

  • 14/67

    Java

    Original Target of 1996 Princeton Attack
    From the Applet interface, can only get high-port UDP and TCP to the actual calling app
    More widely deployed than I thought
    LiveConnect
    Ability for Javascript to call Sockets directly, without going through the Applet interface
    Totally rebindable; effect is high-port UDP and TCP to anyone
    FireFox and Safari only though

  • 15/67

    Flash

    Has worked hardest to make arbitrary socket connections work when they're supposed to
    Most mature security model in the industry
    They don't handle rebinding well though
    Breaks what is otherwise a lot of really good work
    Effect: Arbitrary TCP, though you have to pull some tricks to get TCP ports below 1024

  • 16/67

    Mechanisms for rebinding an address

    Lots of ways to use a rebind, but how do you achieve it in the first place?
    How do you cause the DNS infrastructure to accept your change of address?
    The entire architecture is designed to cache across hours to days, not to be swappable in seconds
    Three mechanisms
    Temporal
    Spatial
    Ridiculous

  • 17/67

    Traditional Rebinding: Temporal Modulation

    DNS records have a TTL field; it lets you declare how long a record should live in the infrastructure before a second query causes a new request to the original server
    Declare a 0 TTL and records will supposedly not cache
    Now every time the browser has a slightly different DNS request, you get an opportunity to provide a different location
    Problem: Some networks won't respect your low TTL.
    Some networks brag about that ;)
    You could wait until the network-enforced minimum TTL expires, but that takes time

  • 18/67

    Another Rebinding Mechanism: Spatial Modulation

    DNS responses can contain multiple addresses
    When bar.com is asked for its IP address, it returns both its address and the address of the printer
    This can have an infinite TTL
    Problem: Which record will the browser choose?
    Totally random.
    Solution: Try again
    Seriously.

  • 19/67

    Spatial Error Resolution

    Case 1: Browser wants external, gets internal
    Fix 1: External resource is hosted on an unusual port, so the internal connection will fail and thus retry to external. This has problems with outbound firewalls, though.
    Fix 2: Immediately after connecting, look for evidence in the connected session that we've actually reached the correct server. If not, destroy the object that did the incorrect retrieve and keep trying until success.
    The trick: Retrieve the content with XMLHttpRequest so that you can actually destroy the object that guessed incorrectly.
    Case 2: Flash/Java wants internal, gets external
    Fix: Look for magic token on incoming session. If magic token is returned, destroy the object and try again. If no token, retry the applet a couple times just in case there's an extrusion firewall in the way.

  • 20/67

    Ridiculous?

    People are trying to use DNS TTLs as a security technology
    DNS TTLs are not a security technology
    Finally, something less a security technology than Virtual Machines
    Overriding a TTL, if you control the record, turns out to be very easy, and this is by design
    When something wasn't designed to be a security technology, don't be surprised when it isn't one

  • 21/67

    CNiping

    CNAME Records: DNS Aliases
    Instead of returning an address, return what the Canonical, or Official, Name was, and then the address of that Canonical Name
    If you are allowed to be the resolver for that canonical name, your additional record overrides whatever's already in the cache, even if the TTL hasn't expired yet
    It's not a bug.
    Works against most, but not actually all, name servers

  • 22/67

    CNiping Demo[0]

    dig 1.foo.notmallory.com
    ;; ANSWER SECTION:
    1.foo.notmallory.com.    120  IN  CNAME  bar.foo.notmallory.com
    bar.foo.notmallory.com.  120  IN  A      10.0.0.0

    dig bar.foo.notmallory.com
    bar.foo.notmallory.com.  111  IN  A      10.0.0.0

  • 23/67

    CNiping Demo[1]

    dig 2.foo.notmallory.com
    2.foo.notmallory.com.    120  IN  CNAME  bar.foo.notmallory.com.
    bar.foo.notmallory.com.  120  IN  A      10.0.0.1

    dig bar.foo.notmallory.com
    bar.foo.notmallory.com.  118  IN  A      10.0.0.1
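Added example, not from the talk and not the code of any tool it names: the two controls a defender has against the rebinding mechanisms on slides 9 through 23, modelled in plain Python over constructed DNS answers. A resolver-side filter drops internal addresses from an external name's answer (the spatial case, where the printer's address rides along, and the CNAME case, where the alias target lands in RFC 1918 space); a browser-side pin keeps the first resolved address for a fixed time regardless of the 0 TTL used in temporal modulation; and the printer down the hall checks the Host: header, since a request carrying Host: bar.com was never meant for it. The class and function names (DnsAnswer, PinningResolver, filter_internal_addresses, host_header_ok) are hypothetical; the dnsmasq option mentioned in a comment is the real-world counterpart of the filter.

```python
"""Defender-side model of DNS rebinding mitigations (added example, hypothetical names)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class DnsAnswer:
    """Address records a resolver returned for one name, with any CNAME already followed."""
    name: str
    addresses: list      # A records, in the order the server sent them
    ttl: int             # TTL the authoritative server asked for


def is_internal(ip: str) -> bool:
    """Addresses an external name has no business resolving to: RFC 1918, loopback, link-local."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_unspecified


def filter_internal_addresses(answer: DnsAnswer) -> tuple:
    """Resolver-side check in the spirit of dnsmasq's --stop-dns-rebind: whether the
    printer's address arrives mixed into a multi-record answer (spatial modulation) or as
    the whole answer (temporal or CNAME rebinding), the internal records are dropped."""
    kept = [ip for ip in answer.addresses if not is_internal(ip)]
    dropped = [ip for ip in answer.addresses if is_internal(ip)]
    return kept, dropped


class PinningResolver:
    """Browser-side DNS pinning: once a document has resolved a name, keep using that
    address for at least PIN_SECONDS no matter what TTL the server declared, so a 0-TTL
    record cannot move bar.com to a new host between two requests of the same page."""
    PIN_SECONDS = 60

    def __init__(self):
        self.pins = {}       # name -> (pinned ip, time the pin lapses)
        self.events = []     # audit trail; a defender would log these

    def resolve(self, name: str, answer: DnsAnswer, now: int):
        pinned = self.pins.get(name)
        if pinned and now < pinned[1]:
            if pinned[0] not in answer.addresses:
                self.events.append(f"{name}: rebind attempt to {answer.addresses} ignored, pinned to {pinned[0]}")
            return pinned[0]
        kept, dropped = filter_internal_addresses(answer)
        if dropped:
            self.events.append(f"{name}: dropped internal addresses {dropped}")
        if not kept:
            return None      # refuse to resolve an external name into internal space
        self.pins[name] = (kept[0], now + max(answer.ttl, self.PIN_SECONDS))
        return kept[0]


def host_header_ok(host_header: str, own_names: set) -> bool:
    """Server-side check for the device behind the firewall: a request whose Host: names
    some other site did not come from a user who typed this device's address."""
    host = host_header.split(":", 1)[0].lower()
    return host in own_names


def walkthrough():
    """Replays the talk's scenario: bar.com lives at 3.4.5.6 and tries to become 10.0.0.1."""
    resolver = PinningResolver()
    first = resolver.resolve("bar.com", DnsAnswer("bar.com", ["3.4.5.6"], ttl=0), now=0)
    # Temporal modulation: 0 TTL, and the very next lookup answers with the printer.
    second = resolver.resolve("bar.com", DnsAnswer("bar.com", ["10.0.0.1"], ttl=0), now=1)
    # Spatial modulation after the pin lapses: both addresses in one long-lived answer.
    third = resolver.resolve("bar.com", DnsAnswer("bar.com", ["3.4.5.6", "10.0.0.1"], ttl=86400), now=120)
    return first, second, third, resolver.events


if __name__ == "__main__":
    for line in walkthrough()[3]:
        print(line)
```

The three results of walkthrough() are all 3.4.5.6: the second lookup is refused by the pin, the third by the address filter, and each refusal leaves a line in events that a proxy or resolver log could carry. The Host: check is the one control that needs no browser or resolver change, which is why it is still the standard advice for anything listening on an internal network.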

  • 24/67

    Review

    By swapping addresses out from underneath a web browser, we can get arbitrary TCP (and sometimes UDP) access to hosts reachable by the client.
    What can we do with this?
    Can we VPN into corporate networks with nothing but a lured web browser?
    Sure! It's easy!*
    * Actually a pain in the ass, but heh

  • 25/67

    Concentration

    Three actors in this little dance
    The Browser, which has access to internal resources
    The Attacker, which wants access to those internal resources
    The Proxy, which sends code to the Browser to copy messages from the Attacker
    We will start with the Proxy, running software of my design. This software is called Slirpie.

  • 26/67

    Slirpie, The Proxy

    Multiprotocol Server, Built using POE
    Accepts TCP streams for Browser delivery, containing routing data
    Accepts HTTP requests for those routable streams
    Accepts DNS requests to direct routing
    Accepts XMLSocket requests to determine routing policy
    For Flash
    The basic theme is Attacker connects to Proxy, which manages the appropriate resources in Browser to service the Attacker's connections.

  • 27/67

    A Bucket of Suckets

    Browser connects, establishes an IFrame called a Bucket
    A bucket is a collection of connection managers
    The bucket polls for new connections to establish
    Attacker connects to Proxy and requests a socket to 10.0.0.1, port 80.
    Browser Bucket retrieves list of new connections, compares against the previous list, notices one new demand for 10.0.0.1:80.
    Bucket opens up a 2nd level IFrame for this new IP address.
    The IFRAME SRC attribute for the 2nd level IFrame is set to 10.0.0.1.foo.proxydomain.com. For now, it still resolves to the Proxy's address.
    This 2nd level IFrame is called a Sucket.

  • 28/67

    Demo JSON

    {
      "10.0.0.1" : {
        "3" : {
          "from_browser_seq" : -1,
          "server_state" : "CONNECTED",
          "from_browser_ack" : -1,
          "to_browser" : {
            "1" : "YQo=",
            "0" : "Zm9vCg==",
            "3" : "Ywo=",
            "2" : "Ygo="
          },
          "dport" : 80,
          "dproto" : 6,
          "browser_state" : "CONNECTING",
          "to_browser_seq" : 3,
          "to_browser_ack" : -1,
          "from_browser" : {
          }
        }
      }
    }

  • 29/67

    How many DNS requests does it take to get to the center of your corporate network?

    Javascript alone will not open this Socket. Flash is necessary.
    HaXe, a metalanguage, is used to compile both a Flash object and a Javascript interface to it.
    The Flash object is loaded, and directed to create a connection to 10.0.0.1:80
    QUERY ONE: Load the movie from 10.0.0.1.foo.proxyhost.com (actually Proxy's IP)
    QUERY TWO: Load the security policy controlling

  • 30/67

    Managing Dataflows

    1) Data is received by Flash and sent down into the Sucket's DOM for eventual collection.
    2) Bucket prepares to send an update to the Proxy. It visits each Sucket, and retrieves the latest list of updates.
    3) Proxy receives the update, acknowledges reception, and sends any replies in the update response.
    4) Bucket receives the response, and tells each Sucket to parse their replies and send() them up through Flash.
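Added example, not Slirpie's code: a decoder for a bucket update in the format of the Demo JSON slide, the kind of script an analyst writes when reviewing captured traffic between browsers and a suspect proxy. It follows the dataflow on slide 30: segments in to_browser are keyed by sequence number, arrive in no particular order, and are base64-encoded, so the decoder reorders them, decodes them, and reports any sequence gap between the last acknowledged segment and the newest one. The embedded sample is the slide's own JSON; field meanings are read off the two slides, and the helper names (parse_update, reassemble, missing_segments, summarize) are hypothetical.

```python
"""Decoder for a captured Slirpie-style bucket update (added example, hypothetical names)."""
import base64
import json

# The Demo JSON slide, embedded as the sample: one TCP connection to 10.0.0.1:80.
SAMPLE_UPDATE = """
{
  "10.0.0.1": {
    "3": {
      "from_browser_seq": -1, "server_state": "CONNECTED",
      "from_browser_ack": -1,
      "to_browser": {"1": "YQo=", "0": "Zm9vCg==", "3": "Ywo=", "2": "Ygo="},
      "dport": 80, "dproto": 6,
      "browser_state": "CONNECTING", "to_browser_seq": 3,
      "to_browser_ack": -1,
      "from_browser": {}
    }
  }
}
"""

PROTO_NAMES = {6: "tcp", 17: "udp"}   # dproto carries the IP protocol number


def reassemble(segments: dict) -> bytes:
    """Segments are keyed by sequence number (as strings) and unordered on the wire;
    sort numerically, then base64-decode each one and concatenate."""
    return b"".join(base64.b64decode(segments[k]) for k in sorted(segments, key=int))


def missing_segments(segments: dict, ack: int, seq: int) -> list:
    """Sequence numbers after the last acknowledged one, up to the newest, that this
    update does not carry; a non-empty list means the stream cannot be replayed whole."""
    return [n for n in range(ack + 1, seq + 1) if str(n) not in segments]


def parse_update(text: str) -> list:
    """Flatten the destination -> socket id -> state nesting into one record per connection."""
    records = []
    for dst_ip, sockets in json.loads(text).items():
        for sock_id, s in sockets.items():
            records.append({
                "socket_id": int(sock_id),
                "destination": (dst_ip, s["dport"], PROTO_NAMES.get(s["dproto"], str(s["dproto"]))),
                "server_state": s["server_state"],
                "browser_state": s["browser_state"],
                # Proxy -> browser: bytes the sucket is to send() out through Flash.
                "to_browser": reassemble(s["to_browser"]),
                "to_browser_gaps": missing_segments(s["to_browser"], s["to_browser_ack"], s["to_browser_seq"]),
                # Browser -> proxy: bytes the sucket collected from the internal socket.
                "from_browser": reassemble(s["from_browser"]),
            })
    return records


def summarize(text: str) -> list:
    """One line per connection, suitable for an analyst's notes."""
    return [
        f"socket {r['socket_id']} -> {r['destination'][0]}:{r['destination'][1]}/{r['destination'][2]} "
        f"server={r['server_state']} browser={r['browser_state']} "
        f"pending={len(r['to_browser'])}B gaps={r['to_browser_gaps']}"
        for r in parse_update(text)
    ]


if __name__ == "__main__":
    for line in summarize(SAMPLE_UPDATE):
        print(line)
    print(parse_update(SAMPLE_UPDATE)[0]["to_browser"])
```

On the slide's sample the four segments decode, in order, to the lines foo, a, b and c, the server side is already CONNECTED while the browser side is still CONNECTING, and nothing has yet flowed back from the browser; the distinctive shape of this JSON (dotted-quad top-level keys, dport/dproto, base64 segment maps) is also what one would look for when hunting for this traffic in HTTP logs.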

  • 31/67

    But What Of Domains?

    Each of those IFrames inside the bucket is in a different domain than the bucket itself.
    Why can they push stuff up, or pull stuff down?
    Same Origin Policy allows two subdomains from the same domain to explicitly claim support for one another
    So we do that.
    Thanks Same Origin Policy!

  • 32/67

    And that's it!

    OK, a little bit of housekeeping for opening and closing sockets, and eventually entire suckets.
    Yeah, it's a reimplementation of TCP in Javascript. Who else was going to write it?
    But what about the attacker? How does he open sockets?

  • 33/67

    Does anyone remember this?

  • 34/67

    Back In The Day, When I Was Young, I'm Not Runnin' 95 Anymore

    SLiRP
    1995 era tool that turned shell connections (text only) into PPP connections (pretty pretty pictures)
    Was old school when I used it in my talk back in 2001
    What SLiRP actually does: Given a stream of packets, create sockets and send the data in the packets into the sockets
    SLiRP was Userspace NAT
    Where to find SLiRP: Recent versions, uh, disappeared.
    Found in my ancient cool stuff archive

  • 35/67

    SLIRP and PPTP

    PoPToP: Linux PPTP Daemon
    PPTP: Horrifyingly hideous VPN protocol, ultimately uses a PPP encapsulated stream of packets
    PoPToP can hand this PPP stream to SLiRP for termination
    Makes setting up a VPN link much easier
    Makes VPNing into a web browser possible.
    Normally, SLiRP would now handle sockets directly
    What if, instead, it gave the socket requests to Slirpie?

  • 36/67

    The General Idea

    The Attacker runs applications that use sockets.
    The sockets get their traffic sent over PPTP to SLIRP.
    SLIRP provides a set of streams to the Proxy.
    The Proxy tells the Browser's bucket to open appropriate suckets.
    The Browser opens suckets, which themselves provide sockets.
    The Proxy mediates traffic between the Attacker's sockets and the Browser's sockets.
    And it all just works.
    Nessus over IE: Nessie!
    WoW over IE: Wowie!
    Any TCP-based protocol should work.

  • 37/67

    What else can we use this for?

    Things other people have mentioned
    Click Fraud: go to random web sites, do bad things
    SPAM: er, you get Port 25 access too
    What else can we do?
    Stealth Tor: go to a website, be involuntarily added to a worldwide proxy network
    Protect Network Neutrality
    P2P Networking?
    Java provides UDP support. Even through NATs, bidirectional UDP = ability to generate a cloud entirely in the browser
    That one thing

  • 38/67

    IP OVER SPAM

    Defcon 14, TCP/IP Drinking Game
    How would you get around the great firewall of China?
    Correct Answer: Drop all RST packets, ignore the firewall trying to shut you down
    My Answer: Encapsulate data in SPAM.
    We have IP (or at least TCP) inbound
    We have SPAM outbound
    Uh...
    You know, I was originally joking

  • 39/67

    Oh, People Are Interested In This Whole Network Neutrality Thing?

    I was unaware this was such a hot button subject when I started developing tools to detect problems with it
    First of all, we need to start using the correct language:
    We wish to detect Provider Hostility
    If you're sniffing my traffic, you're hostile.
    If you're altering my traffic, you're hostile.
    If you're censoring my traffic, you're hostile.
    If you're selling my traffic, you're very very hostile.
    Would the military bomb you for doing it to them?
    You're hostile. Deal.

  • 40/67

    What Do We Need To Detect Provider Hostility?

    Downloading data from two separate sites, at two separate speeds, unfortunately doesn't tell us much
    Too many factors are conflated to determine what one thing is causing the problem
    What we want: Given identical network paths for two web sites, is the last mile provider hostile to content from one site vs. another?
    Detect differential speeds
    Correct content injection

  • 41/67

    SOMEBODY is buying this stuff

    Everyone who knows anyone who makes routers knows that carriers are desperately trying to buy routers that support hostility.
    There are repeated news articles about ISPs replacing ads and companies setting themselves up as ad replacers
    Can we monitor the spread of this problem?
    Can we defend Online Advertising against the Times Square effect?

  • 42/67

    The Times Square Effect

    Movies that show Times Square replace all the ads.
    No contractual obligation not to
    No real expectation from the viewer that this is reality; it's a movie
    Carriers are under no contractual obligation to host the web sites they say they are
    Provider In The Middle attacks might very well be profitable!
    Web sites and ads
    Users tolerate them
    Businesses would pay dearly to be top ranked on Google
    Google Times Squared would not be good.

  • 43/67

    A Modest Proposal For Correcting Corruption

    WARNING: This is hideous
    Why the web can't go 100% SSL/TLS yet
    Ignoring perf, most web sites are aggregated on one IP, with Host: multiplexing
    SSL/TLS didn't get an equivalent to the Host: header to determine which certificate to present until very recently, and most downlevel clients don't support it
    One idea: We use SSL/TLS only to acquire loaders, which acquire content from the existing CDN mechanism but refuse to inject into the DOM unless an HMAC or TigerTree check is passed
    Can definitely do from Flash or Silverlight, possibly from simple AJAX as well
    Building a system to do this, codenamed NDK: Not DOMokun
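Added example, not NDK's code: the loader pattern from this slide in miniature. A small manifest travels over TLS and lists, for each resource path, an HMAC over the bytes the CDN is expected to serve; the resource itself travels over plain HTTP and reaches the DOM only if its HMAC matches. The key is assumed to arrive with the loader over the same TLS connection (an assumption; the slide does not say how NDK keys its check), network I/O is replaced by constructed byte strings, and the function names (content_tag, build_manifest, admit_to_dom, times_square_walkthrough) are hypothetical.

```python
"""HMAC-gated content loader (added example, hypothetical names)."""
import hashlib
import hmac


def content_tag(key: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the exact bytes the CDN should serve for one resource."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(key: bytes, resources: dict) -> dict:
    """Publisher side, delivered over TLS: path -> expected tag."""
    return {path: content_tag(key, body) for path, body in resources.items()}


def admit_to_dom(key: bytes, manifest: dict, path: str, fetched: bytes):
    """Loader side: return the body only if it is exactly what the publisher tagged,
    otherwise None. compare_digest keeps the comparison constant-time."""
    expected = manifest.get(path)
    if expected is None:
        return None            # resource not in the manifest: never inject it
    if not hmac.compare_digest(content_tag(key, fetched), expected):
        return None            # altered between publisher and browser
    return fetched


def times_square_walkthrough() -> dict:
    """Constructed scenario: a provider in the middle swaps the ad in one resource
    while leaving the script alone. Returns what the loader would admit per path."""
    key = b"constructed-loader-key-delivered-over-tls"
    original = {
        "/js/app.js": b"document.title='hello';",
        "/ads/slot1.html": b"<a href='https://publisher.example'>publisher ad</a>",
    }
    manifest = build_manifest(key, original)
    # What actually came back over plain HTTP: app.js intact, the ad replaced.
    delivered = dict(original)
    delivered["/ads/slot1.html"] = b"<a href='https://carrier.example'>carrier ad</a>"
    return {path: admit_to_dom(key, manifest, path, body) for path, body in delivered.items()}


if __name__ == "__main__":
    for path, body in times_square_walkthrough().items():
        print(path, "admitted" if body is not None else "REJECTED")
```

In the walkthrough the script is admitted and the swapped ad is rejected. Because the manifest itself is protected by TLS, an unkeyed digest (plain SHA-256 of the body) would give the same integrity guarantee with no key to distribute; the slide's HMAC or TigerTree choice buys nothing extra there, but the check stays the same shape either way.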

  • 44/67

    A Reminder

    The commercial people are why we have strong crypto in the browser in the first place. Thanks credit card craving commerce people!
    Feds: If you like sniffing traffic, require the providers to need a warrant before going hostile.
    Ad replacement will spread web crypto like nothing else ever has.
    Now: Is it possible to get better data regarding the inevitability of all of this?

  • 45/67

    The Transparent Proxy Gem

    Some consumer networks have transparent proxies
    These take all traffic outbound on Port 80 and coalesce onto a single proxy instance that uses the Host: header to route requests to the correct destination
    Arbitrary TCP = Arbitrary Headers
    So an attacker can go back to the IP address that provided the applet, and ask for Host: www.fark.com; it'll get routed to Fark instead of to the original host
    What this means
    Since the same infrastructure ultimately hosts all web content, all sites (once they're cached in proxy) come from the same host
    A speed test against this transparent (easily detectable) proxy for various sites will directly yield information about hostility

  • 46/67

    The Silent Censor Detector

    Even if there's no transparent proxy, a filter box can still limit traffic for web requests with non-preferred Host: headers.
    Using Flash, we can impersonate being a Host: for any site on the Internet when we provide a speed check.
    The thinking is that the attacker/provider won't monitor the IP address used to contact Host: www.whatever.com, and will thus equally rate limit traffic with that Host: no matter what provider.

  • 47/67

  • 48/67

    Well

    We want to spoof sites on the Internet.
    We want to know what these sites would see.
    We want to be able to respond as if we were these sites.
    We don't want the real sites to interfere with our interference.
    Good luck! That would require sequence numbers.
    We'd have to know where in the TCP stream an attacker was, and that's clearly not possible

  • 49/67

    OMG ACTIVEX FTW

  • 50/67

    PACKET CLAUS IS COMING TO TOWN

  • 51/67

    Introducing: INSPECTOR PAKKET

    What normally stops Mallory from pretending to be a random site on the Internet?
    Mallory doesn't know sequence numbers the client will accept
    Mallory has to compete with the real server for the sending of data
    What do we have?
    A sniffer that will leak sequence numbers to Mallory
    What can Mallory now do?
    Send data to the client that it'll accept
    Send a RST to the server so it'll shut down the session it has with the client

  • 52/67

    Go Pakket Go!

    About that RST
    RST is a TCP Reset message; it shuts down a socket rather unceremoniously
    Requires correct SEQ#, but don't worry, we have that
    When Mallory spoofs Bob to Alice, Alice is going to ACK to Bob
    Normally, Bob will send RSTs back to Alice, since there's no associated session
    Thankfully, Bob is usually running a firewall that long since shut down its connection for Alice, and so drops all of Alice's ACKs that have been stimulated by Mallory's traffic!
    And just to be clear, how is Mallory getting those ACKs?
    AJAcks: TCP Acks over AJAX

  • 53/67

    Go Go Pakket Pwn

    The goal is to identify the applications being used on the network, but some of these devices can go much further; those from a company like Narus, for instance, can look inside all traffic from a specific IP address, pick out the HTTP traffic, then drill even further down to capture only traffic headed to and from Gmail, and can even reassemble emails as they are typed out by the user.
    Given a colluding client, I can:
    Impersonate anyone who doesn't ACK my traffic
    Generate arbitrary traffic that is completely indistinguishable from theirs
    Provide deep packet inspectors with a whole new realm of content to inspect.
    I recommend inspecting this information. Deeply.

  • 54/67

    Conclusions

    DNS Rebinding threatens the boundaries of your network
    There are multiple rebinding mechanisms and many major use cases for each of them; this will not be an easy problem to fix.
    The web could use some real work on its underlying security models
    We may need to consider applying integrity, and perhaps encryption, to all web traffic due to provider hostility
    There are mechanisms for detecting such hostility that should be deployable shortly.

  • 55/67

    [extra slides]

  • 56/67

    My Process

    Sit down
    Relax
    Put some music on
    Start writing code
    Get totally distracted
    Write something completely different than intended
    Find out later why

  • 57/67

    A Fun Little Distraction

    Dotplots??? WTF!
    Best feedback I've ever gotten
    Dotplots are a mechanism for visually analyzing similarity across a dataset
    See last year's talk for details
    So I decided to port last year's talk to WinAMP.
    I'm listening to music
    I like pretty pictures
    I should like listening to music that generates pretty pictures!
    Be nice to code something that I'd never show at Black Hat!

  • 58/67

    The Chemical Brothers, Where Do I Begin

  • 59/67

    +30% vs. -30% tempo

  • 60/67

    LudiVu: Realtime Audio Visualizer

    Images are based directly on spectral similarity
    How similar is what I'm hearing now, to what I've heard for the last n seconds?
    Bass = Red
    Midrange = Green
    Treble = Blue
    Our auditory system almost certainly does this too
    Always good to match what the ear is up to
    Our auditory system almost certainly does this better
    Amazingly, apocalyptically naïve similarity metric!

  • 61/67

    What We See

    Visual Hash of auditory segments, based on mutual similarity/dissimilarity across frequencies
    Reflects overall timbre of what we're hearing
    Vertical lines representing repeated structures in the music
    Lines close = Fast Tempo
    Lines far away = Slow Tempo
    Tradeoff between visual hash and structure detection
    Blur less, get better visual hashing
    Blur more, get better structure detection
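Added example, not LudiVu's code: the self-similarity picture of slides 60 and 61 computed on constructed spectral frames, in pure Python with no audio input. Each frame is a (bass, midrange, treble) energy triple, the "how similar is now to the last n seconds" question is answered with cosine similarity, repeated structure shows up as high-similarity stripes at a fixed lag, and the spacing of those stripes is the beat period, so a faster tempo gives closer lines. A blur along the time diagonal illustrates the slide's tradeoff. The frames are synthesized here and all function names are hypothetical.

```python
"""Self-similarity dotplot over synthetic spectral frames (added example, hypothetical names)."""
import math


def cosine_similarity(a, b) -> float:
    """Similarity of two spectra regardless of overall loudness."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(x * x for x in b))
    return dot / (na * nb) if na and nb else 0.0


def self_similarity(frames) -> list:
    """The dotplot: matrix[i][j] says how alike frame i and frame j sound."""
    return [[cosine_similarity(fi, fj) for fj in frames] for fi in frames]


def blur(matrix, radius: int) -> list:
    """Box blur along the time diagonal. More blur washes out per-frame detail (the
    visual hash) but reinforces lines of repeated structure."""
    n = len(matrix)
    out = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            vals = [matrix[i + d][j + d] for d in range(-radius, radius + 1)
                    if 0 <= i + d < n and 0 <= j + d < n]
            out[i][j] = sum(vals) / len(vals)
    return out


def repeat_lag(matrix) -> int:
    """Lag with the highest mean similarity between frame t and frame t - lag: the
    distance between the vertical lines, i.e. the beat period in frames."""
    n = len(matrix)
    best_lag, best_score = 0, -1.0
    for lag in range(1, n // 2):
        score = sum(matrix[t][t - lag] for t in range(lag, n)) / (n - lag)
        if score > best_score + 1e-9:      # tolerance so ties at multiples of the period keep the smallest lag
            best_lag, best_score = lag, score
    return best_lag


def synth_frames(period: int, bars: int) -> list:
    """Constructed 'music': a bass hit on the first frame of every bar, a midrange hit
    halfway through, quiet treble in between, repeated for `bars` bars."""
    frames = []
    for _ in range(bars):
        for step in range(period):
            if step == 0:
                frames.append((1.0, 0.1, 0.1))       # kick: bass = red
            elif step == period // 2:
                frames.append((0.1, 0.9, 0.2))       # snare: midrange = green
            else:
                frames.append((0.05, 0.1, 0.6))      # hi-hat: treble = blue
    return frames


if __name__ == "__main__":
    fast, slow = synth_frames(4, 8), synth_frames(6, 6)
    print("fast tempo: lines every", repeat_lag(self_similarity(fast)), "frames")
    print("slow tempo: lines every", repeat_lag(self_similarity(slow)), "frames")
    print("fast, blurred:", repeat_lag(blur(self_similarity(fast), 1)), "frames")
```

With a four-frame bar the lines land four frames apart; stretching the bar to six frames (the slower of the two tempos on slide 59) moves them to six, and a one-frame blur along the diagonal leaves the period detection intact while averaging away the frame-level detail.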

  • 62/67

    So Why Is This At Black Hat? I'm doing web research!

    One of my friends, Zane Lackey, knows AJAX quite well and is in town
    We go out for beers.
    Me: So I'm working on this really cool thing, it makes pictures from sound!
    Zane: What, for Audio CAPTCHAs?
    Me:

  • 63/67

    Whatsa CAPTCHA?

    CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart
    Used to bind access to a resource to the presence of a human
    Web sites use them to suppress bots
    So I get this email, in response to me breaking CAPTCHAs...
    CAPTCHA is quite annoying. I use a few programs to send "auto-messages" and to "steal friends" from others' pages. They had a way around the CAPTCHA system for a while, but not anymore. Check out www.xxx.com and www.yyy.com. I dunno, I have 5 different accounts, and I add 300 people a day on each one, so imagine - I'm typing 250+ CAPTCHA codes a day on this damn thing. ;)

  • 64/67

    AmIHumanOrNot

    The general idea is to use a human's superior ability at figure/ground separation to differentiate human/machine
    Image Captchas: Text, distorted and overlaid with lines and other non-text shapes
    Problem: Blind people can't get in
    Audio Captchas: Speech, distorted and overlaid with quieter speech
    Humans get a 10 dB boost in perception simply by paying conscious attention
    Problem: Audio is actually easier to hack.

  • 65/67

    Detecting 8

  • 66/67

    and 9

  • 67/67

    Tips For Building Better Audio CAPTCHAs

    Don't actually make your speech much louder than your noise
    Easy to sync on regions of high volume
    Expand your vocabulary
    Use a sentence, rather than words in isolation, as we're much better at parsing them
    Ask a question, perhaps?
    My name is Bob. How many letters are in my name?