45 research outputs found
Loyalty cards and the problem of CAPTCHA: 2nd tier security and usability issues for senior citizens
Information security often works in antipathy to access and usability in communities of older citizens. Whilst security features are required to prevent the disclosure of information, some security tools have a deleterious effect upon users, resulting in insecure practices. Security becomes unfit for purpose where users prefer to abandon applications and online benefits in favour of non-digital authentication and verification requirements. For some, the ability to read letters and symbols from a distorted image is a decidedly more difficult task than for others, so the level of security that a CAPTCHA test actually provides is not consistent from person to person. This paper discusses the changing paradigm regarding second-tier applications, where non-essential benefits are forgone in order to avoid the frustration, uncertainty and humiliation of repeated failed attempts to access online software by means of CAPTCHA.
Human-artificial intelligence approaches for secure analysis in CAPTCHA codes
CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) has long been used to keep automated bots from misusing web services by leveraging human-artificial intelligence (HAI) interactions to distinguish whether the user is a human or a computer program. Various CAPTCHA schemes have been proposed over the years, principally to increase usability and security against emerging bots and attackers performing malicious operations. However, automated attacks have effectively cracked all common conventional schemes, and the majority of present CAPTCHA methods are also vulnerable to human-assisted relay attacks. Invisible reCAPTCHA and some other approaches have not yet been cracked. However, with the introduction of fourth-generation bots that accurately mimic human behavior, a secure CAPTCHA is hard to design without additional special devices. Almost all cognitive-based CAPTCHAs with sensor support have not yet been compromised by automated attacks. However, they remain vulnerable to human-assisted relay attacks because they have a limited number of challenges and can only be solved using trusted devices. Cognitive-based CAPTCHA schemes therefore have an advantage over other schemes in the race against security attacks. In this study, as a starting point for creating future secure and usable CAPTCHA schemes, we offer an overview analysis of HAI between computer users and computers, covering the open problems, difficulties, and opportunities of current CAPTCHA schemes from a security perspective.
SoK: The Ghost Trilemma
Trolls, bots, and sybils distort online discourse and compromise the security of networked platforms. User identity is central to the vectors of attack and manipulation employed in these contexts. However, it has long seemed that, try as it might, the security community has been unable to stem the rising tide of such problems. We posit the Ghost Trilemma: that there are three key properties of identity -- sentience, location, and uniqueness -- that cannot be simultaneously verified in a fully-decentralized setting. Many fully-decentralized systems -- whether for communication or social coordination -- grapple with this trilemma in some way, perhaps unknowingly. We examine the design space, use cases, problems with prior approaches, and possible paths forward. We sketch a proof of this trilemma and outline options for practical, incrementally deployable schemes that achieve an acceptable tradeoff between trust in centralized trust anchors, decentralized operation, and the ability to withstand a range of attacks, while protecting user privacy.
Improving the Security of Single Sign On (SSO) Authentication Using the AES Algorithm and One-Time Password. Case Study: SSO of Universitas Ubudiyah Indonesia
Single Sign On (SSO) is an independent authentication model implemented at Universitas Ubudiyah Indonesia (UUI) using the Message-Digest Algorithm 5 (MD5) and the NuSOAP web service, built on the PHP programming language. The system runs over the Hypertext Transfer Protocol (HTTP). In practice, use of HTTP is highly vulnerable to various types of attack because data is sent as plaintext without any encryption, and the use of the MD5 algorithm for login authentication is also vulnerable to dictionary attacks and rainbow tables. Furthermore, use of the NuSOAP web service also creates a security gap because payloads are sent and received unencrypted. Several methods are currently known that can be used to improve protection against these vulnerabilities, including Hypertext Transfer Protocol Secure (HTTPS), Secure Hypertext Transfer Protocol (SHTTP) and Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA). However, several related research results show that there are still weaknesses in the use of HTTPS, SHTTP and CAPTCHA. This research proposes the use of the Advanced Encryption Standard (AES) algorithm with a dynamic key generator and a time-synchronised One-Time Password (OTP) method combined with a salt to improve the security of UUI SSO authentication. Test results show that applying the AES algorithm and OTP can secure the SSO authentication process against dictionary attacks and rainbow tables.
The robustness of animated text CAPTCHAs
PhD Thesis
CAPTCHA is a standard security technology that uses AI techniques to tell computers and humans apart. The most widely used CAPTCHAs are text-based CAPTCHA schemes. The robustness and usability of these CAPTCHAs rely mainly on the segmentation resistance mechanism that provides robustness against individual character recognition attacks. However, many CAPTCHAs have been shown to have critical flaws caused by many exploitable invariants in their design, leaving only a few CAPTCHA schemes resistant to attacks, including ReCAPTCHA and the Wikipedia CAPTCHA.
Therefore, new alternative approaches that add motion to the CAPTCHA are used to add another dimension to the character cracking problem by animating the distorted characters and the background. These are also supported by tracking resistance mechanisms that prevent attacks from identifying the main answer through frame-to-frame analysis. These technologies are used in many of the new CAPTCHA schemes, including the Yahoo CAPTCHA, CAPTCHANIM, KillBot CAPTCHAs, non-standard CAPTCHA and NuCAPTCHA.
Our first question: can the animated techniques included in the new CAPTCHA schemes provide the required level of robustness against attacks? Our examination has shown that many of the CAPTCHA schemes that use animated features can be broken through tracking attacks, including the CAPTCHA schemes that use complicated tracking resistance mechanisms.
The second question: can the segmentation resistance mechanism used in the latest standard text-based CAPTCHA schemes still provide the additional required level of resistance against attacks that are not present in animated schemes? Our test against the latest version of ReCAPTCHA and the Wikipedia CAPTCHA exposed vulnerabilities to novel attack mechanisms that achieved a high success rate against them.
The third question: how much space is available to design an animated text-based CAPTCHA scheme that could provide a good balance between security and usability? We designed a new animated text-based CAPTCHA using guidelines we derived from the results of our attacks on standard and animated text-based CAPTCHAs, and we then tested its security and usability to answer this question.
In this thesis, we put forward different approaches to examining the robustness of animated text-based CAPTCHA schemes and other standard text-based CAPTCHA schemes against segmentation and tracking attacks. Our attacks included several methodologies that required reasoning in order to distinguish the animated text from the other animated noise, including text distorted by strong tracking resistance mechanisms that displayed it partially as animated segments which looked similar to noise in other CAPTCHA schemes. These attacks also include novel attack mechanisms and other mechanisms that use a recognition engine supported by attacking methods that exploit the identified invariants to recognise the connected characters at once. Our attacks also provided a guideline for animated text-based CAPTCHAs that could provide resistance to tracking and segmentation attacks, which we designed and tested in terms of security and usability, as mentioned before. Our research also contributes a toolbox for breaking CAPTCHAs, in addition to a list of robustness and usability issues in current CAPTCHA design that can be used to provide a better understanding of how to design a more resistant CAPTCHA scheme.
Application of information theory and statistical learning to anomaly detection
In today's highly networked world, computer intrusions and other attacks are a constant threat. The detection of such attacks, especially attacks that are new or previously unknown, is important to secure networks and computers. A major focus of current research efforts in this area is on anomaly detection.
In this dissertation, we explore applications of information theory and statistical learning to anomaly detection. Specifically, we look at two difficult detection problems in network and system security: (1) detecting covert channels, and (2) determining whether a user is a human or a bot. We link both of these problems to entropy, a measure of randomness, information content, or complexity, a concept that is central to information theory. The behavior of bots is low in entropy when tasks are rigidly repeated, or high in entropy when behavior is pseudo-random. In contrast, human behavior is complex and medium in entropy. Similarly, covert channels either create regularity, resulting in low entropy, or encode extra information, resulting in high entropy. Meanwhile, legitimate traffic is characterized by complex interdependencies and moderate entropy. In addition, we utilize statistical learning algorithms, namely Bayesian learning, neural networks, and maximum likelihood estimation, in both modeling and detecting covert channels and bots.
Our results using entropy and statistical learning techniques are excellent. By using entropy to detect covert channels, we detected three different covert timing channels that were not detected by previous detection methods. Then, using entropy and Bayesian learning to detect chat bots, we detected 100% of chat bots with a false positive rate of only 0.05% in over 1400 hours of chat traces. Lastly, using neural networks and the idea of human observational proofs to detect game bots, we detected 99.8% of game bots with no false positives in 95 hours of traces.
Our work shows that a combination of entropy measures and statistical learning algorithms is a powerful and highly effective tool for anomaly detection.