I’ve been working with Stratum Security for the past couple of months on ThreatSim (@ThreatSim), which we are happy to announce to the world today! ThreatSim is a web-based phishing attack simulator to help companies assess how vulnerable their network and internal assets may be to phishing attacks. Not only does ThreatSim track who is clicking on phishing emails, but we’re also making an exfiltration agent available, which simulates transmitting sensitive data from the local network out to the internet.
I’ve been playing around with the Text CAPTCHA demo page and wondered how good WolframAlpha is at logic questions. As it turns out, Wolfram is pretty smart! Although, since a CAPTCHA requires an exact answer, some of the results from WolframAlpha are logically correct but not exactly correct. If someone wanted to use WolframAlpha to crack the Text CAPTCHA technology, they could build in filters and such to narrow the answers down to what the CAPTCHA is likely looking for.
Out of 10 demo questions, 3 failed and 7 were correct (although 4 of the 7 contained the correct answer but would still fail the CAPTCHA unless the exact answer were parsed out of the response). Here are the results:
Text CAPTCHA: What is seven hundred and forty four as a number?
Text CAPTCHA: The 7th letter in the word “central” is?
WolframAlpha: the word
Text CAPTCHA: Which word in this sentence is all IN capitals?
WolframAlpha: capitals IN
Text CAPTCHA: Which word contains “z” from the list: zoologist, midwifery, spiderweb, crimps?
Text CAPTCHA: The 2nd colour in purple, yellow, arm, white and blue is?
Text CAPTCHA: Of the numbers seventy six, 2, 50 or forty, which is the lowest?
Text CAPTCHA: What is the 7th digit in 9686561?
Text CAPTCHA: Which of these is a colour: monkey, bank or purple?
WolframAlpha: colour purple
Text CAPTCHA: The day of the week in chips, house, bank, mouse, trousers or Friday is?
Text CAPTCHA: If a person is called Mary, what is their name?
WolframAlpha: called Mary
Update: There’s a discussion going on over at Hacker News, if you want to check it out!
Update 2: WolframAlpha can generate a CAPTCHA image of each of these text questions, so as to make it harder for a bot to both decode AND answer the question! Check it out: http://www.wolframalpha.com/input/?i=CAPTCHA+What+is+seven+hundred+and+forty+four+as+a+number%3F
Update 3: There is more discussion going on over at Reddit for those of you looking for more insights….
Update 4: Looks like someone put together a script that knows the format of the Text CAPTCHA questions. It was posted on Hacker News.
Working as a security consultant, I’ve come to be much more paranoid about my privacy over the years. One thing that I do is shred anything that has my name on it. I don’t need anyone rummaging through my garbage to write my biography or cash in on my identity!
I could go on, but why? Read about someone else’s trash….