[support] Question on keeping the bad guys out

MBR mbr at arlsoft.com
Tue Feb 4 22:17:04 UTC 2014 

THE PROBLEM:

I've helped a number of people whose sites have this problem.  It seems 
that CAPTCHA ("_C_ompletely _A_utomated _P_ublic Turing test 
<http://en.wikipedia.org/wiki/Turing_test> to tell _C_omputers and 
_H_umans _A_part") has been broken by the black hats.  CAPTCHA asks the 
submitter of a form to demonstrate that he can perform a task that a 
computer is assumed to be unable to do.  Google "CAPTCHA broken" and 
you'll find lots of articles.  OCR (optical character recognition) 
software has been around for decades.  CAPTCHA's distort the letters in 
the hope of making the OCR software's task more difficult.

But the black hats don't even need to do that. 
http://www.theguardian.com/technology/2008/aug/28/internet.captcha 
explains that the most successful CAPTCHA-breaking schemes involve 
social engineering.  When the program that's trying to convince your 
website that it's human receives a CAPTCHA image to solve, it can pass 
it on to real humans to solve, and then send their solution back to your 
website.  There are even business models where the bad guys pay people 
in third-world countries a small amount of money to do this.

TEMPORARY SOLUTION:

So, what's the answer.  For the moment, the most effective approaches I 
know of involve a kind of inverted Turing test. Instead of asking the 
human to prove he's not malware, trick the malware into demonstrating 
it's not human.  One way to do this is to note how quickly responses 
come back.  If they come back faster than a human could type them, then 
they're being sent by a machine. Another way is to insert extra <input> 
tags into your forms and use CSS to hide them.  They won't be displayed 
by the browser, so a human won't fill those fields in.  But a piece of 
software pretending to be a browser operated by a human usually isn't 
coded to fetch the CSS and figure out which fields it shouldn't fill in. 
So it will fill in all the fields in the form, and the software on your 
server can then tell that the submission is not from a human.

Of course, with a little work the malware can be made to handle both of 
these tests.  You wouldn't even have to write the code to fetch the CSS 
and figure out whether an input field is visible.  It already exists in 
every browser.  You'd just have to lift the right sections of the code 
from a browser, and maybe convert it into a different programming 
language.  As for timing, it's trivial to introduce a random delay 
before the malware sends its response.

So, these tests probably won't work for very long.

TEMPORARY SOLUTION FOR DRUPAL SITES:

When I went looking for Drupal modules that implement these approach, I 
found Botcha, Honeypot, Spamicide, and Spambot. Initially I tried Botcha 
but it was a struggle to get it installed, and then it didn't seem to 
work properly.  I then looked more closely at the statistics for each of 
the modules I was considering.  I found that Botcha and Spamicide had 
critical bugs that had gone unfixed for a couple of months - not a good 
sign. Especially since the reported bug in Spamicide bug was that on 
installation it wiped the default/files directory.  Spambot showed as 
unmaintained.

That left Honeypot, which impements both the timing test and the 
invisible input field test.  It didn't have any bugs of severity 
"Critical", but did have one whose severity was "Major".  So I read the 
bug report on that.  It didn't sound like anything that would destroy 
data or stop the website from functioning.  So that seemed like the best 
solution.

Immediately after I installed the Honeypot module, the bogus 
registrations dropped from about 10 to 15 per hour to about 4 per day.  
So, it seems to be the best available solution for now.  But I fully 
expect the bad guys to improve their software in the near future to get 
around these tests.  When that happens, we'll be back to square one.

    Mark Rosenthal


On 2/4/2014 2:22 PM, john boris wrote:
> I am working on a new site (Drupal 7) and I have reCaptcha module 
> installed which includes the image captcha as well. This still isn't 
> keeping out the gnats trying to get logins. I have the site set that 
> all new users need to verified with a valid email and the admin needs 
> to authorize the new user but it still hasn't stopped them. I am 
> looking for other ideas where I can limit these issues. I am getting 
> about 15 a day and they seem to be growing.
> I have a few mandatory fields setup but I don't want to make it 
> totally a pain for new users to put in the valid info.
>
> This might be just a cost of having the thing open for new users but 
> if anyone can give me some other ideas on how to stem the tide I would 
> appreciate it.
>
> Thanks in advance.
>
> -- 
> John J. Boris, Sr.
> Online Services
> www.onlinesvc.com <http://www.onlinesvc.com>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.drupal.org/pipermail/support/attachments/20140204/8ce60715/attachment.html

More information about the support mailing list