Newcastle University duo expose IT security flaws
Oct 22 2008 by Paul James, The Journal
COMPUTER experts in Newcastle took a fraction of a second to crack security systems behind the biggest names in global email.
The Newcastle University scientists exposed failings in the CAPTCHA tests that Microsoft and Yahoo use to keep automated sign-ups away from their email services, tests the companies believed were strong enough to prevent abuse.
Fortunately for the two internet giants, Dr Jeff Yan and PhD student Ahmad Salah El Ahmad took their findings straight to the companies to help them improve their systems.
Their work centred on CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart), the tests designed to stop automated attacks in which a computer is set up to bombard an online system with junk sign-ups or messages.
Sites which used the security systems included Microsoft’s Hotmail, MSN and Windows Live and the Yahoo email service.
It emerged during the research that cheap labour in developing countries was being hired to solve the tests by hand. The tests show pictures of wavy, distorted letters which must be deciphered and typed into a box before a user can access a website or open an email account.
The codes have become standard technology used to defend against automated ‘bots’ – which can grab thousands of free email accounts in order to continuously spread junk emails or post adverts on blogs – and are used by Microsoft, Yahoo, Google and many others.
But Dr Yan’s research also showed computers were able to break the codes much more easily than previously thought.
Using an ordinary desktop computer, Dr Yan and Mr El Ahmad used a seven-step method, which took less than 80 milliseconds per image, to bypass Microsoft's security scheme. Their findings have been released now that the companies concerned have addressed the issues raised by the research.
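To show what a segmentation attack on a text CAPTCHA looks like in practice, the following Python is an added illustration written for this page. It is not the Newcastle researchers' code and not their seven-step method; the bitmap, the `INK` marker and the `max_width` threshold are all constructed for the example. The idea it demonstrates is general: find the connected blobs of ink, and where two letters touch so that one blob is wider than a single glyph, cut it at the thinnest column. Once each glyph is isolated, recognising it is the easy part, which is why defences crowd the letters together, and why that also makes the test harder for people.

```python
from collections import deque

# Constructed 1-bit bitmap standing in for a binarised text-CAPTCHA image
# ('#' = ink). Four glyph-like blobs; the third and fourth touch on row 3,
# which is exactly the case that defeats naive connected-component segmentation.
SAMPLE = [
    "..............................",
    "..###....###.......###.###....",
    "..#.#....#.#.......#.#.#.#....",
    "..#.#....###.......#####.#....",
    "..###....#.........#.#...#....",
    "..............................",
]

INK = "#"  # assumed ink marker for the constructed bitmap


def components(bitmap):
    """4-connected components of ink pixels as (x0, y0, x1, y1) boxes, sorted left to right."""
    h, w = len(bitmap), len(bitmap[0])
    seen = [[False] * w for _ in range(h)]
    boxes = []
    for y in range(h):
        for x in range(w):
            if bitmap[y][x] != INK or seen[y][x]:
                continue
            x0 = x1 = x
            y0 = y1 = y
            queue = deque([(x, y)])
            seen[y][x] = True
            while queue:  # breadth-first flood fill of one blob
                cx, cy = queue.popleft()
                x0, x1 = min(x0, cx), max(x1, cx)
                y0, y1 = min(y0, cy), max(y1, cy)
                for nx, ny in ((cx + 1, cy), (cx - 1, cy), (cx, cy + 1), (cx, cy - 1)):
                    if 0 <= nx < w and 0 <= ny < h and bitmap[ny][nx] == INK and not seen[ny][nx]:
                        seen[ny][nx] = True
                        queue.append((nx, ny))
            boxes.append((x0, y0, x1, y1))
    return sorted(boxes)


def _ink_box(bitmap, x0, x1, y0, y1):
    """Tight box of the ink inside columns x0..x1 and rows y0..y1, or None if empty."""
    ys = [y for y in range(y0, y1 + 1) if any(bitmap[y][x] == INK for x in range(x0, x1 + 1))]
    if not ys:
        return None
    return (x0, ys[0], x1, ys[-1])


def split_wide(bitmap, box, max_width):
    """Split a blob wider than one glyph at its thinnest interior column (vertical projection).

    max_width is the assumed widest single glyph; anything wider is treated as touching letters.
    """
    x0, y0, x1, y1 = box
    if x1 - x0 + 1 <= max_width or x1 - x0 < 2:
        return [box]
    # ink count per interior column; the cut goes at the thinnest one (leftmost on ties)
    profile = {x: sum(bitmap[y][x] == INK for y in range(y0, y1 + 1)) for x in range(x0 + 1, x1)}
    cut = min(profile, key=lambda x: (profile[x], x))
    left = _ink_box(bitmap, x0, cut, y0, y1)       # the bridge column stays with the left part
    right = _ink_box(bitmap, cut + 1, x1, y0, y1)
    out = []
    for part in (left, right):
        if part is not None:
            out.extend(split_wide(bitmap, part, max_width))
    return out


def segment(bitmap, max_width):
    """Full segmentation: connected components, then projection splits of over-wide blobs."""
    out = []
    for box in components(bitmap):
        out.extend(split_wide(bitmap, box, max_width))
    return out


if __name__ == "__main__":
    print("connected components:   ", components(SAMPLE))
    print("after projection split: ", segment(SAMPLE, max_width=4))
```

On the constructed bitmap the flood fill alone finds three blobs, because the touching pair is one component; the projection step then cuts that blob at the single bridging pixel and yields four glyph boxes. The weak spot of this kind of attack is the `max_width` guess and the assumption that touching letters meet at a thin column, which is what a crowding-based defence deliberately breaks.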
Dr Yan said: “There were suggestions that cheap labour was behind this increase and that CAPTCHA security was good enough, but low-paid people in developing countries were being hired to decode it manually.
“Our research showed that computers, not people, were able to break this code much more easily than previously thought.
“In our view, unfortunately all the different versions only provided a false sense of security as they were all open to our simple, low-cost segmentation attacks.”
But he said the steps taken to make the codes harder for computers to decipher could also make them harder for humans to read.
Dr Yan and Mr El Ahmad are currently designing a 'tool box', a collection of attack methods that companies can use to evaluate the strength of future CAPTCHA designs before deploying them.