Websense: Microsoft Live Hotmail CAPTCHA hacked in 6 seconds

TOPICS: Microsoft, Security

Websense says that hackers have streamlined their anti-CAPTCHA tools and can attack Microsoft's Live Hotmail service in about 6 seconds.

Websense has been on the CAPTCHA case for a while and the latest attack on Microsoft's Hotmail is an evolutionary leap because hackers' tools are automated and operating almost instantaneously. CAPTCHAs are viewed as a spam defense and a way to distinguish humans and computers. Google says CAPTCHAs are still useful, but others beg to differ.

The steps of the CAPTCHA-evading attack are similar to previous attacks, according to Websense. A bot hooks into Internet Explorer, observes account names, uses IE to sign up for Hotmail accounts, grabs the CAPTCHA and breaks it, creates multiple accounts and then spams away.

The big difference: "Unlike Live Mail Anti-CAPTCHA and Gmail Anti-CAPTCHA operations in the past, the current attack is aggressive and instantaneous in terms of CAPTCHA breaking host turn-around time," said Websense. Total response time? Six seconds.

  • Yahoo is implementing CAPTCHA at the send...

    level. So every mail you send requires you to enter a CAPTCHA response. Totally not acceptable.

    This is why large networks like Google, MS Live, etc. will simply not serve the enterprise like all the bloggers think.

    It is impossible to efficiently manage a network of Google's size when it comes to serving IT up to businesses. Someone will always be there to hack the security scheme. Then your data and your services are open to public consumption.
  • Who The HECK Uses Hotmail Anymore?

    I dumped hotmail and Yahoo a long time ago, and I've recently dumped Gmail as well.

    I'd rather use the less-inconspicuous mail on my own domain than have something like this happen.
    • I think we are going to see more ....

      people, especially in the enterprise, have your way of thinking.

      Companies cannot afford to have anyone take care of their IT but themselves. Whether it is small or large, a company is the only one that can be trusted with its IT. Whether it's e-mail or any other service.

      Larry keeps touting Web 2.0, cloud computing, etc. But these ideas are simply not going to fly in the long run.

      Get a clue Larry.
      • i agree

        Web computing is inherently flawed, as a lot of users like to control their environment rather than hand all their data over to Google/MS etc., as attacks on their services render the data hackable. On the other hand, there is the matter of security in your own small environment; anybody can get hacked, as bots are always out there looking for an opening. I have one account with GoDaddy with my own domain and email address, but in the long run I plan on converting my desktop at home into a server so I can take that away too. Just cannot trust other people with my data.
    • Live Mail & services are worth the slight risk..

      We love Live mail, the fact it's integrated into most mobile handsets these days makes it even more attractive & easy to use.

      The Team
    • Millions of people

      Because we don't want to have to run our own servers. Of course we don't use it for anything really important, but
      And using your own email because it's inconspicuous? Come on. Obscurity is not security bud.
      And hey, MSN has cut the spam a lot; I hardly get any anymore. Even my honeypot email gets nothing really.
      And for secure mail I use entrust anyway so. Ya lots of people still use hotmail and have no issues.
  • RE: Websense: Microsoft Live Hotmail CAPTCHA hacked in 6 seconds

    Do we actually have proof of this 6 second claim?

    Is this a flaw particular to Hotmail's implementation?
  • RE: Websense: Microsoft Live Hotmail CAPTCHA hacked in 6 seconds

    The distorted text captcha idea is inherently flawed. OCR is a well-known technology, and the distortion is a bigger hindrance to many humans than it is to the 'bots. "Is there proof of the 6-second claim?" is the wrong question.

    However, those who predict the demise of web services based on breaking captchas should think again. Anybody *paying* for web services will surely be using strong authentication to prove their identity, not merely that they are human.
    • Also...

      Correct me if I'm wrong, but isn't there evidence out there that CAPTCHAs are very often broken by bots? So, given that, it's hardly surprising to see that Hotmail's is broken as well.
  • It's way past time for bio IDs

    Just create a cheap little usb thingy that I can stick my index finger on. No more logins. No more captchas. No more passwords. Just my finger.

    An added benefit is that it will make it a lot easier and cheaper for Homeland Security to track where you are, thereby saving us tax money...:)
    • The problem with bio IDs

      Soooo, what happens when Mr. Badguy wants to break into your bank account online? Oh, all he needs is your finger...

      Ok, chances are that won't happen. Not only that, Mythbusters have cracked it. So have many others. Just google for "fingerprint scanner hacked" and see how many ways fingerprint scanners can fail.

      Now, suppose you stick your index finger in the USB device, it pricks your finger & checks your DNA as well. That makes it a *bit* more difficult. Still, don't you share DNA with your parents and offspring?

      I haven't heard of "easy" ways to crack retinal scanning (believe it or not, I'm not a security freak). I know many people have issues with staring into a laser scanner. I'm a Vista fan, but even I'd have issues with trusting a MS powered retinal scanner :)
      • FIXED: The problem with bio IDs

        The current state of the art in biometrics involves a two-faceted approach. For example voice/retinal/fingerprint biometrics coupled with an auxiliary channel that can't be intercepted by a "man-in-the-middle" attack, like a phone call. It can be totally automated, of course, but doesn't it seem like overkill to get into your email?

        Perhaps if it were for just setting the account up...
    • BIO IDs... the problem

      So here's why you're wrong about BIO IDs (particularly fingerprint devices)...

      1) It is a known fact that fingerprint devices (anything sub-$100/ea or so) can be broken with a soft gummi bear...
      2) The *good* fingerprint readers (that can tell between a live human and a gummi bear) are too expensive and not very portable, thereby making them a failure for on-the-go computing...

      The answer? I honestly don't know, but let's not blow this out of proportion... it's not like a CAPTCHA is being used for authentication into your personal data - it's just used to try and separate humans from machines... and that delta is closing every day, so in my humble opinion it's a lost battle anyway.

      Rafal.Los (RX8volution)
      • "The *good* fingerprint readers"

        such as the ones from Authentec can distinguish between live and dead fingers as well as attempts to place a membrane with a false print over a finger that has had its finger print removed by abrasion or acid. I know because I have had opportunity to consult for them in the past. Can't say any more due to NDA limits.

        These scanners are becoming mainstream and falling in price very quickly. They are certainly cheaper than an upgrade to Vista and certainly much more valuable...
    • This topic isn't secure identification

      The purpose of CAPTCHA is HIP (Human Interactive Proof), not personal identification. The fact is, AI (Artificial Intelligence) will defeat any kind of HIP eventually.

      My question is why would anyone want to create a bunch of email accounts any way? Just to annoy admins? Spammers don't need real accounts to send spam. Just check your junk email folder.
  • RE: Websense: Microsoft Live Hotmail CAPTCHA hacked in 6 seconds

    Gmail's CAPTCHA was broken earlier, so who is calling the kettle black?
    Also, not everyone is "invited" to Gmail, so it would be hard to get all of those Hotmail users to migrate to Gmail. Also, Gmail is still in beta, so beware of lost data and downtime, if you have read the terms of service.
    This "breaching" will never end, and we on the user and manufacturer side will need to constantly be creating new methods of authentication to thwart these crackers (hackers gone bad).
  • i found a really easy way to stop bots

    If they try to submit a form on a page without actually downloading the content, I redirect them back to the main page.

    I also log the IPs to a database; if they try a second time, I auto-add them to a blocklist, which redirects them to a help page.

    The big issue with services of any kind is security versus accessibility... it's hard to balance, but usually an admin can find a healthy one.
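The check the commenter above describes (reject a form POST from a client that never loaded the form, log the IP, block on the second offence) can be implemented server-side with a signed, session-bound, time-limited token embedded in the form when the page is served. The following is an added illustration written for this page, not the commenter's code: the secret, the session and IP values, the `BotGate` class and the "redirect_main"/"redirect_help" decision labels are all constructed for the example, and the token TTL of 600 seconds is an assumed policy.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Set

# Hypothetical server-side secret for the example; a real deployment loads it from configuration.
SECRET = b"example-only-form-token-secret"
TOKEN_TTL = 600  # assumed: seconds a served form token stays valid


def issue_form_token(session_id: str, now: Optional[float] = None, secret: bytes = SECRET) -> str:
    """Mint the hidden-field token embedded in the form when the page is served (GET).

    The token is an HMAC over (session id, issue time), so it cannot be forged without
    the secret and cannot be replayed from a different session.
    """
    issued = int(now if now is not None else time.time())
    mac = hmac.new(secret, f"{session_id}:{issued}".encode(), hashlib.sha256).hexdigest()
    return f"{issued}:{mac}"


def token_is_valid(session_id: str, token: str, now: Optional[float] = None,
                   secret: bytes = SECRET, ttl: int = TOKEN_TTL) -> bool:
    """Return True only for a well-formed, unexpired token bound to this session."""
    try:
        issued_str, mac = token.split(":", 1)
        issued = int(issued_str)
    except (ValueError, AttributeError):
        return False  # missing or malformed: the client never received a served form
    current = now if now is not None else time.time()
    if not 0 <= current - issued <= ttl:
        return False  # expired (or issued in the future)
    expected = hmac.new(secret, f"{session_id}:{issued}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)  # constant-time comparison


class BotGate:
    """Tracks submissions without a valid form token per source IP and blocks repeat offenders.

    Decisions follow the commenter's policy: first offence -> redirect to the main page,
    second offence -> add to blocklist and redirect to the help page.
    """

    def __init__(self, strikes_before_block: int = 2) -> None:
        self.strikes: Dict[str, int] = {}   # ip -> count of tokenless/invalid submissions
        self.blocklist: Set[str] = set()    # ips that have exceeded the strike limit
        self.strikes_before_block = strikes_before_block

    def handle_post(self, ip: str, session_id: str, token: str, now: Optional[float] = None) -> str:
        """Decide what to do with a form POST; returns 'accept', 'redirect_main' or 'redirect_help'."""
        if ip in self.blocklist:
            return "redirect_help"
        if token_is_valid(session_id, token, now):
            return "accept"
        self.strikes[ip] = self.strikes.get(ip, 0) + 1
        if self.strikes[ip] >= self.strikes_before_block:
            self.blocklist.add(ip)
            return "redirect_help"
        return "redirect_main"


if __name__ == "__main__":
    # Constructed walk-through: one client that loaded the page, one that POSTs blindly twice.
    gate = BotGate()
    sid = "sess-constructed-1"
    tok = issue_form_token(sid, now=1000)
    print(gate.handle_post("192.0.2.10", sid, tok, now=1100))   # accept
    print(gate.handle_post("192.0.2.20", sid, "", now=1100))    # redirect_main
    print(gate.handle_post("192.0.2.20", sid, "", now=1101))    # redirect_help
```

Binding the token to the session is what makes "they never downloaded the page" checkable: a token copied from one session does not verify for another. The per-IP strike count is where the accessibility trade-off the commenter mentions shows up, since many legitimate users share an address behind NAT or a proxy, so the block should expire after a while and the threshold should be tuned against real traffic rather than left at two.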
  • RE: Websense: Microsoft Live Hotmail CAPTCHA hacked in 6 seconds

    Would some form of change to the image make it more difficult to decipher? I know that we play cat and mouse. Every time it gets hacked, add more static to the image, making it more difficult.

    Or change it altogether.

    Will MS now bring out the animal CAPTCHA, Asirra?

  • Hotspam - makes no difference anyway.

    Hotmail has been the biggest scourge in the email space for many years now, thanks to the humongously mind blowing signal to noise ratio of around 1:10000, i.e., 10000 spam for each real mail sent or received.

    I don't know anyone still using Hotmail or Windows Live Mail or whatever the heck Microsoft calls it these days, for any real use.
    • Allow me to introduce myself...

      Just as a bit of background, I've used Yahoo, Gmail, Hotmail, Live mail, ISP provided mail, no-name web mail, IBM Mainframe based mail, Notes, Outlook, Eudora, etc. ad nauseam. Been around a while and have the grey to prove it.

      And, I've maintained and used my hotmail account continuously since the '90s. Recently, I've re-evaluated where I'm keeping my mail and have returned to using hotmail/live mail as my primary accounts because they work better with the way that I do things. It may not be 'fashionable' but then I've always preferred function to fashion.

      So, now you know someone who uses hotmail! ;-)

      Steve G.