Comments for MBs Windows Security

Comment on A bad month for CAPTCHAs by MustLive

MustLive — Thu, 06 Dec 2007 18:47:26 +0000

In reality, the only function that CAPTCHA on my blog serves is to reduce the number of spam comments

Mark, your site is about security, so you need reliable captcha. Previous and current one are not reliable enough, so you need more secure captcha.

which I have very much enjoyed following

I’m glad that you like it. I hope many people, especially security guys and web developers enjoyed my MoBiC project.

On a side note, I decided to change my own CAPTCHA.

It’s good, because previous captcha was very weak, but new one is unsecure too. As you alrady know from my artcile about Cryptographp captcha.

And after I checked today your new captcha (which is using Cryptographp plugin + additional checks) it is vulnerable. This captcha is vulnerable for session reusing with constant captcha
bypass method + bypassing additional protections. I have written you all details in email. So your captcha need to be improved.

The best way to improve on these is to prove me wrong.

Like I told you, current captcha is unreliable ;-). Man, no need to look for OCR (or cheap work force) when there are holes in captcha. Like I told in Month of Bugs in Captchas using vulnerabilities to bypass captchas is more effective way. So until there are holes in some captcha, it can be reliable.

MustLive, you got any good OCR scripts?

No, Mark, I have not such scripts. I’m only interesting in a posteriori vulnerabilities (holes in algorithms), not a priori vulnerabilities (holes in idea). So I’m as security auditor interesting only in holes in captchas (others two bypassing methods, OCR and cheap work force, is less interesting for me).

Comment on A bad month for CAPTCHAs by Test

Test — Thu, 06 Dec 2007 17:16:19 +0000

Test :-)

Comment on These CAPTCHAs are just not working out by mb

mb — Fri, 30 Nov 2007 16:37:35 +0000

Comment on China caught hacking, good thing our government does not do that by Test

Test — Fri, 30 Nov 2007 03:38:22 +0000

Captcha bypass test.

Comment on Pakistan Wants to Learn How to Hack? by Saqib Saud

Saqib Saud — Sat, 17 Nov 2007 12:42:39 +0000

I am from Pakistan.I just stumbled at you blog.

This information is really interesting.

Comment on Pakistan Wants to Learn How to Hack? by SEO Pakistan

SEO Pakistan — Sat, 17 Nov 2007 07:27:31 +0000

Interesting find! Being a Pakistani and an Internet addict, I never search for such a phrase but I’d tend to believe in ur finding…

Comment on VMWare Guest Isolation Vulnerability by mb

mb — Fri, 19 Oct 2007 17:41:55 +0000

I don’t use VMWare ACE, so I wouldn’t be able to answer that.

Comment on VMWare Guest Isolation Vulnerability by grant

grant — Fri, 19 Oct 2007 17:16:42 +0000

How does this apply to the new VMWare ACE product? does it face the same problem? Does it have countermeasures that would address this vulnerability (image encryption for example?)

Comment on These CAPTCHAs are just not working out by MustLive

MustLive — Wed, 17 Oct 2007 12:51:16 +0000

Mark!

Your captcha is vulnerable (as you can see from my Captcha bypass tests). Which is very ironical, because you wrote about captchas security in this article. So you need to find more secure captcha for yourself (without those weaknesses which you mentioned in this post). I’ll write you an email about this hole.

This captcha (plugin) will be in my Month of Bugs in Captchas. The official announcement of my new project will be very soon.

Comment on These CAPTCHAs are just not working out by MustLive

MustLive — Wed, 17 Oct 2007 12:40:49 +0000

Captcha bypass test 3.

Comment on These CAPTCHAs are just not working out by MustLive

MustLive — Wed, 17 Oct 2007 12:40:09 +0000

Captcha bypass test 2.

Comment on These CAPTCHAs are just not working out by MustLive

MustLive — Wed, 17 Oct 2007 12:39:32 +0000

Captcha bypass test.

Comment on These CAPTCHAs are just not working out by MustLive

MustLive — Fri, 12 Oct 2007 15:43:07 +0000

Nice article

Comment on These CAPTCHAs are just not working out by Anne Kowalski » Blog Archive » Are CAPTCHAs Useless?

Anne Kowalski » Blog Archive » Are CAPTCHAs Useless? — Thu, 13 Sep 2007 05:13:19 +0000

[...] These CAPTCHAs are just not working out [...]

Comment on China caught hacking, good thing our government does not do that by rgl

rgl — Sat, 08 Sep 2007 00:50:42 +0000

This matter is not only concerning the US and British governments, but also the IT systems of Germany (and even probably those of other nations) have been illegally accessed by Chinese attackers, too.
An official newspaper article by “Spiegel”, which is one of the German big news publishers reported this incident in detail on August 25th, 2007: http://www.spiegel.de/netzwelt/tech/0,1518,501954,00.html
Unfortunately this German speaking article has not been published in the international website of the newspaper (http://www.spiegel.de/international/).
But there are two smaller articles on the US website of the “Financial Times”:
Beijing pledges crackdown on international hackers:
http://www.ft.com/cms/s/0/9b4cfc4e-54fe-11dc-890c-0000779fd2ac.html
China pledges to combat hacking: http://www.ft.com/cms/s/0/fd754098-54fe-11dc-890c-0000779fd2ac.html

Altogether not political interests alone, but as well economical motivation drives those attackers:
For years now there have been warnings of industrial espionage by national and international security advisors addressed especially to small and medium enterprises out there who still does not secure their perimeter infrastructure properly, either due to lack of knowledge or sometimes even simply because of reluctance to investments in seemingly “non-profit business areas”.
In view of this development I do not feel very surprised by this current escalation, at all.