CAPTCHAs - Building and Breaking

Presented at The Eleventh HOPE (2016), July 23, 2016, 11 p.m. (60 minutes)

CAPTCHAs are the most common form of web activity security and they play an important role in regulating online activity. CAPTCHAs keep bots and "blackhats" from abusing online resources by proving a user's humanity via solving a challenge that consists of a hard AI problem. CAPTCHA development is a constantly evolving arms race with new styles and designs being created by site administrators and broken by attackers every day. In order to keep the World Wide Web usable, site administrators must constantly work on developing new methods and improving CAPTCHAs to prevent automated abuse. This talk will cover the basics of what CAPTCHAs are, what type of security they provide, the major types of CAPTCHAs, and how to attack them. The speakers will also discuss criteria used when designing their CAPTCHA framework and cover some academic literature that is relevant to the field. They will look at popular tools and services currently used to attack CAPTCHAs and provide some insight into the current state of bot identification. A fresh new CAPTCHA design will be presented that uses human emotion recognition as the "hard AI" challenge. Speakers will demonstrate how they have achieved their desired usability, scalability, and robustness levels via a real-world implementation. An overview of the tools and tool chain used (MS Emotion API, GIMP, Google APIs, Python, Django) to create the CAPTCHA challenges will be detailed. The session will conclude with a user study and provide an analysis of the results with a discussion about some of the limitations of the project.

Presenters:

  • dr_dave
    dr_dave is currently a PhD candidate at Rutgers Business School - Newark. He holds a BS in comp info sys from ASU, an MS in infotech from Rutgers, an MS in comp sci from NJIT, and is currently attempting to grind through a PhD in management science/infosys from Rutgers. He enjoys biking, long walks on the beach, and contemplating the finer points of everything the realms of cyber and information security have to offer.
  • r3dfish
    R3dfish has a passion for emerging technologies and pursues many projects dealing with the implementation of bleeding-edge software, open source operating systems, and infant programming paradigms in order to solve the problems posed by the widespread adoption of current technologies. He has experience developing the full web stack, Django/Python, mobile apps, and Wi-Fi pineapple apps. He enjoys conversations about old-school phreaking.
