WintercoreLabs Thinking code

24Nov/10Off

M-ETH: Man in the middle – Ethernet

Over a year ago I presented at LaCon'09 a custom PCI NIC which allows performing a man-in-the-middle on all of the network traffic flowing through the device.

The idea behind this PCI card is that, once it is plugged into a computer, all of the traffic can be inspected, analyzed and, of course, modified when required, in a way that is transparent to the user.

All of the above should be achieved by producing a network PCI card such that a regular IT guy wouldn't be able to notice a difference between M-ETH and other NICs.

Another required feature for M-ETH is that it must be platform-independent; I don't want it to be tied to any operating system.

11Nov/090

Vulnerability Engineering

In this article we are going to take some metrics from Software Engineering and apply them to the vulnerability research world. We are going to define a new term which gives us a probability showing how likely an application is to have a vulnerability during its lifetime, and which also gives an idea of the software's reliability.

Let's start by defining two well-known metrics, MTTR and MTBF, within our context:

  • MTTR (Mean Time To Repair): the average time a company takes to fix a vulnerability.
  • MTBF (Mean Time Between Failures): we are going to use this metric as the average time between two reported vulnerabilities.

Software reliability can be calculated with the following formula:

VFP Formula

To give perspective to the article, we have named this value VFP (Vulnerability Free Probability); it shows how likely an application is NOT to have a bug during its lifetime.

10Feb/090

See Artica Demo Client and IceSphere in action


Do not hesitate to contact us if you need further information

4May/08Off

Toward a new generation of audio captchas

It seems the post "Breaking Gmail's audio Captcha" has been slashdotted, so many interesting discussions have emerged as a result. It's worth noting that there is nothing especially exciting in the approach used to break the Google audio captcha, merely a bunch of signal analysis and pattern recognition principles applied. Almost any voice recognition / audio processing software developer can break not only that captcha but, nowadays, any other.

I was planning to write about how audio captchas may pose a future attack vector for spammers, but after googling for a couple of minutes I stumbled upon the following offer: http://www.getafreelancer.com/projects/C-C-Audio-Services/Recognize-Voice-Captcha-Google.html

Unfortunately the future is right now.

5Mar/08Off

Breaking Gmail’s Audio Captcha

A week ago I came across this interesting post at the Websense blog; anyway, I guess everybody is already aware that a bot was spotted breaking Gmail's image captcha. According to the post, the success rate is about 20%, which from a spammer's point of view is really profitable and surely more than enough for their purposes. However, what caught my attention while reviewing the Gmail signup page was the audio captcha.

First off, it is worth noting the “cat&dog” Asirra captcha from Microsoft Research; that's a really good captcha, which has kept the success rate of those who tried to break it (computer vision gurus) below 60%. Why? I think the problem with most captchas is that they use a complex solution to present such simple challenges: obfuscated, deformed and distorted images to represent short alphanumeric sequences. On the other hand, we have the “cat&dog” style captchas, which implement a simple solution to present a really complex challenge for automated agents: are you seeing cats or dogs in this perfectly clean picture? A question too hard to answer if you are not human.

Gmail's audio captcha suffers from a similar error. It is a wav file embedded within the webpage; once loaded, it plays a limited series of numbers. Twice. Btw, I don’t understand why that alphanumeric obsession... Anyway, let's begin. In this post I am going to show how that captcha can be broken just by using Fourier analysis.

You should play the captcha before continuing. Look for this image, accessibility.gif, within the signup page.

The first obvious error is the use of fixed patterns that clearly identify where the sequence begins and where it ends.

We can listen to the numbers; in the background there are distorted voices. Taking into account that human beings are visual entities (this is the reason why everybody can spot Wally in a crowded place but only trained individuals could distinguish a distorted tone while an orchestra is playing), my question was: “If you are still capable of easily distinguishing the numbers played in the captcha, why couldn’t an automated agent do so?”

So let’s try to find out the answer by taking a look at the waveform of a random Gmail audio captcha (waveform1.png).