[support] Question on keeping the bad guys out
MBR
mbr at arlsoft.com
Tue Feb 4 22:17:04 UTC 2014
THE PROBLEM:
I've helped a number of people whose sites have this problem. It seems
that CAPTCHA ("Completely Automated Public Turing test
<http://en.wikipedia.org/wiki/Turing_test> to tell Computers and
Humans Apart") has been broken by the black hats. CAPTCHA asks the
submitter of a form to demonstrate that he can perform a task that a
computer is assumed to be unable to do. Google "CAPTCHA broken" and
you'll find lots of articles. OCR (optical character recognition)
software has been around for decades. CAPTCHAs distort the letters in
the hope of making the OCR software's task more difficult.
But the black hats don't even need to do that.
http://www.theguardian.com/technology/2008/aug/28/internet.captcha
explains that the most successful CAPTCHA-breaking schemes involve
social engineering. When the program that's trying to convince your
website that it's human receives a CAPTCHA image to solve, it can pass
it on to real humans to solve, and then send their solution back to your
website. There are even business models where the bad guys pay people
in third-world countries a small amount of money to do this.
TEMPORARY SOLUTION:
So, what's the answer? For the moment, the most effective approaches I
know of involve a kind of inverted Turing test. Instead of asking the
human to prove he's not malware, trick the malware into demonstrating
it's not human. One way to do this is to note how quickly responses
come back. If they come back faster than a human could type them, then
they're being sent by a machine. Another way is to insert extra <input>
tags into your forms and use CSS to hide them. They won't be displayed
by the browser, so a human won't fill those fields in. But a piece of
software pretending to be a browser operated by a human usually isn't
coded to fetch the CSS and figure out which fields it shouldn't fill in.
So it will fill in all the fields in the form, and the software on your
server can then tell that the submission is not from a human.
Of course, with a little work the malware can be made to handle both of
these tests. You wouldn't even have to write the code to fetch the CSS
and figure out whether an input field is visible. It already exists in
every browser. You'd just have to lift the right sections of the code
from a browser, and maybe convert it into a different programming
language. As for timing, it's trivial to introduce a random delay
before the malware sends its response.
So, these tests probably won't work for very long.
TEMPORARY SOLUTION FOR DRUPAL SITES:
When I went looking for Drupal modules that implement these approaches, I
found Botcha, Honeypot, Spamicide, and Spambot. Initially I tried Botcha
but it was a struggle to get it installed, and then it didn't seem to
work properly. I then looked more closely at the statistics for each of
the modules I was considering. I found that Botcha and Spamicide had
critical bugs that had gone unfixed for a couple of months - not a good
sign. Especially since the reported bug in Spamicide was that on
installation it wiped the default/files directory. Spambot showed as
unmaintained.
That left Honeypot, which implements both the timing test and the
invisible input field test. It didn't have any bugs of severity
"Critical", but did have one whose severity was "Major". So I read the
bug report on that. It didn't sound like anything that would destroy
data or stop the website from functioning. So that seemed like the best
solution.
Immediately after I installed the Honeypot module, the bogus
registrations dropped from about 10 to 15 per hour to about 4 per day.
So, it seems to be the best available solution for now. But I fully
expect the bad guys to improve their software in the near future to get
around these tests. When that happens, we'll be back to square one.
Mark Rosenthal
On 2/4/2014 2:22 PM, john boris wrote:
> I am working on a new site (Drupal 7) and I have reCaptcha module
> installed which includes the image captcha as well. This still isn't
> keeping out the gnats trying to get logins. I have the site set that
> all new users need to be verified with a valid email and the admin needs
> to authorize the new user but it still hasn't stopped them. I am
> looking for other ideas where I can limit these issues. I am getting
> about 15 a day and they seem to be growing.
> I have a few mandatory fields setup but I don't want to make it
> totally a pain for new users to put in the valid info.
>
> This might be just a cost of having the thing open for new users but
> if anyone can give me some other ideas on how to stem the tide I would
> appreciate it.
>
> Thanks in advance.
>
> --
> John J. Boris, Sr.
> Online Services
> www.onlinesvc.com <http://www.onlinesvc.com>
>
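The two server-side checks Mark describes (a CSS-hidden trap field that only software fills in, and a minimum time between rendering the form and receiving the submission), as an added example written by the editor; it is not code from this thread or from the Drupal Honeypot module, and it is in Python rather than Drupal's PHP so that it runs stand-alone. The field names, the secret, and the thresholds are assumptions. One detail the post does not spell out: the timestamp for the timing test has to come back from the client, so the server signs it with an HMAC and refuses a submission whose timestamp it did not issue, otherwise a bot could simply post a timestamp from an hour ago.

```python
"""Honeypot field and signed-timestamp checks for a registration form.

Editor's example (not from the mailing-list post or the Honeypot module).
"""
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Assumption: a random secret loaded from configuration, never hard-coded.
SERVER_SECRET = b"replace-with-a-random-32-byte-secret"

# The trap field gets an innocuous name so the markup gives the bot no hint.
HONEYPOT_FIELD = "url"
TOKEN_FIELD = "form_ts"
MIN_FILL_SECONDS = 5.0            # faster than this and no human typed it
MAX_FORM_AGE_SECONDS = 6 * 3600   # reject stale tokens and old replays


def _sign(issued_at: str) -> str:
    """HMAC over the issue time so the client cannot forge or backdate it."""
    return hmac.new(SERVER_SECRET, issued_at.encode(), hashlib.sha256).hexdigest()


def build_form_token(now: Optional[float] = None) -> str:
    """Return 'issued_at:signature', embedded in the form when it is rendered."""
    issued_at = str(int(time.time() if now is None else now))
    return f"{issued_at}:{_sign(issued_at)}"


def render_form(token: str) -> str:
    """HTML for the form. The honeypot is hidden by a class in the site
    stylesheet (e.g. .form-url-wrap { position: absolute; left: -9999px; }),
    not by an inline style, because a crude bot may skip inputs whose own
    markup says display:none. autocomplete=off stops browser autofill from
    filling it for a real user; tabindex=-1 keeps keyboard users out of it."""
    return (
        '<form method="post" action="/register">\n'
        '  <label>Name <input type="text" name="name"></label>\n'
        '  <div class="form-url-wrap"><label>Leave this field empty '
        f'<input type="text" name="{HONEYPOT_FIELD}" value="" '
        'autocomplete="off" tabindex="-1"></label></div>\n'
        f'  <input type="hidden" name="{TOKEN_FIELD}" value="{token}">\n'
        '  <button type="submit">Register</button>\n'
        '</form>'
    )


def classify_submission(form: dict, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason) for a posted form (dict of field -> value)."""
    now = time.time() if now is None else now

    # 1. Hidden-field test: a human never sees the field, so any value is a bot.
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot filled"

    # 2. Timing test. The timestamp travelled through the client, so verify
    #    the signature before trusting it (constant-time compare on bytes).
    issued_at, _, sig = form.get(TOKEN_FIELD, "").partition(":")
    if not issued_at.isdigit() or not hmac.compare_digest(
        sig.encode(), _sign(issued_at).encode()
    ):
        return False, "bad token"
    age = now - int(issued_at)
    if age < MIN_FILL_SECONDS:
        return False, "submitted too fast"
    if age > MAX_FORM_AGE_SECONDS:
        return False, "stale form"
    return True, "ok"


if __name__ == "__main__":
    token = build_form_token()
    print(render_form(token))
    # Constructed submissions: a human leaves the trap empty and takes a while;
    # a naive bot fills every <input> it finds and posts immediately.
    human = {"name": "Ada", HONEYPOT_FIELD: "", TOKEN_FIELD: token}
    bot = {"name": "Ada", HONEYPOT_FIELD: "http://spam.example", TOKEN_FIELD: token}
    print(classify_submission(human, now=time.time() + 12))
    print(classify_submission(bot))
```

As the post says, neither check survives a bot that evaluates the stylesheet and sleeps before posting; the signed timestamp only closes the cheaper bypass of forging the time, it does not stop a bot that is simply patient. Both checks are cheap and invisible to legitimate users, which is why they are worth keeping even after a smarter bot shows up.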