Hack attack

Jeff Yan and a colleague at Newcastle have developed a tool to help web companies beat the spammers

October 30, 2008

Flaws in an online security system that is widely used to curb automated hacking have been exposed by a computing expert from Newcastle University.

Jeff Yan, a lecturer at the School of Computing Science, uncovered the vulnerability of the "Captcha" system, which is used to protect global email services and websites from attacks, with the help of Ahmad Salah El Ahmad, a PhD student.

Together the pair developed a quick, low-cost technique that enabled automated "bots" to crack the shield, which aims to check that users are human by asking them to read and retype a series of letters depicted in uneven, indistinct and mosaic-like form.

If malicious hackers had developed the same technique, and some believe they had, it would have allowed them to greatly increase the quantity of spam originating from free email accounts operated by Microsoft, Yahoo, Google and others. These companies have now tightened up their systems as a result of Dr Yan's work, which is credited with a recent reduction in online irritations such as junk email and adverts placed automatically on blogs.

ADVERTISEMENT

Dr Yan, who is Chinese, trained as a computer security researcher as an undergraduate in Shanghai before travelling to the UK to do a PhD at the University of Cambridge. He said he was drawn by the chance to work with a world-renowned expert in the field.

"I was determined to do my PhD with Ross Anderson (professor of security engineering) at Cambridge because he had a big reputation in the field, and even in China I knew of him as a brilliant researcher," he said.

ADVERTISEMENT

After completing his PhD, he taught for a year at the Chinese University of Hong Kong. In 2005, he moved back to the UK to take up a post at Newcastle.

He said that his work in exposing flaws in the Captcha security system was a field of research he found exciting, but which also made a difference to internet users by helping companies maintain the highest levels of security.

Although email providers have already altered the letter-test as a result of his work, he said ensuring that the letters were disguised in a way that would fool computers but still be decipherable to humans remained a challenge.

"It is a matter of striking the right balance," he said. "The idea of Captcha is a good one, but the devil is in the detail, and this is where future work needs to focus."

ADVERTISEMENT

Dr Yan and Mr El Ahmad are now designing a "toolbox" of algorithms and attacks to allow companies to evaluate the strength of future Captchas.

john.gill@tsleducation.com.

Register to continue

Why register?

  • Registration is free and only takes a moment
  • Once registered, you can read 3 articles a month
  • Sign up for our newsletter
Register
Please Login or Register to read this article.

Sponsored

ADVERTISEMENT