D-Link’s CAPTCHA – A Big Question on Security

According to the security report, it took researchers at SourceSec nearly a week to detect a flaw in D-Link's implementation of CAPTCHA (completely automated public Turing test to tell humans and computers apart) in its routers. The feature was originally meant to stop DNS-changing malware from achieving its goal automatically.

SourceSec stated that the implementation flaw allowed malware or an attacker to obtain the Wi-Fi Protected Access (WPA) passphrase with nothing more than user-level access and without a properly solved CAPTCHA. This is apparently because the CAPTCHA-based authentication system was improperly integrated into some of the pages.
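The kind of integration flaw described above, as an added example that is not D-Link firmware or SourceSec's code: a constructed admin interface where the CAPTCHA check is opt-in per page, next to a default-deny version, with an audit a vendor could run as a regression test. Page paths, session fields and page contents are all hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Session:
    logged_in: bool = False        # password accepted (user-level access)
    captcha_solved: bool = False   # CAPTCHA answered for this login

# Constructed admin pages (hypothetical paths and bodies).
PAGES = {
    "/login": "login form",
    "/status": "uptime: 3 days",
    "/dns": "dns servers: (constructed)",
    "/wireless": "wpa passphrase: (constructed)",
}
EXEMPT = {"/login"}                    # must be reachable before authentication
CAPTCHA_CHECKED = {"/status", "/dns"}  # opt-in list; "/wireless" was forgotten

def serve_per_page(path, session):
    """Before: each page has to be added to the CAPTCHA list by hand."""
    if path in EXEMPT:
        return 200, PAGES[path]
    if not session.logged_in:
        return 403, ""
    if path in CAPTCHA_CHECKED and not session.captcha_solved:
        return 403, ""
    return 200, PAGES[path]

def serve_default_deny(path, session):
    """After: one gate in front of every page, with an explicit exemption list."""
    if path not in EXEMPT and not (session.logged_in and session.captcha_solved):
        return 403, ""
    return 200, PAGES[path]

def pages_missing_captcha(serve):
    """Pages a logged-in session can read without ever solving the CAPTCHA."""
    probe = Session(logged_in=True, captcha_solved=False)
    return sorted(p for p in PAGES
                  if p not in EXEMPT and serve(p, probe)[0] == 200)

if __name__ == "__main__":
    print("per-page check :", pages_missing_captcha(serve_per_page))
    print("default deny   :", pages_missing_captcha(serve_default_deny))
```

Running the same audit against every page of a real interface after each firmware change catches a page that was added without the check.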

Further, simple JavaScript code using anti-DNS (Domain Name System) may be used, so that the attacker does not need to install malware on the router. Rather, the attack can be launched when the user visits a site. In other words, a D-Link user's visit to a site from behind the router may simply result in malware being downloaded onto his/her system, all due to this flaw.

Earlier, in 2007, security firm Symantec revealed that a botnet-created worm could easily and successfully launch an attack on D-Link routers. The purpose of the worm could not be discovered, but it was also able to launch distributed denial-of-service (DDoS) attacks on other routers or Internet servers. With this news, a fear has arisen that routers might now be prime targets of cybercriminals.

Evidence of router attacks is not clear at the moment, but such attacks could take various forms. The most convenient way to access routers is through either usernames or default user passwords (as users generally do not change them), or simply through basic hacking tactics that try common possibilities, resulting in the router being attacked by malware distributors.

According to security experts, CAPTCHA is simply insufficient to stop the malicious activities of hackers, as this authentication technique is continuously targeted by cybercriminals. There is solid evidence of particular CAPTCHA code having been broken by malware authors, which is most of the time sufficient to compromise this technique.

» SPAMfighter News - 5/23/2009
