The battle by Microsoft to secure its Live Hotmail system from spammers appears to have failed yet again with the news that the latest version of its CAPTCHA authentication system has been broken.According to a detailed analysis of the latest hack by security company Websense, spammers have come up with a new scheme to fool the CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) that takes possible attack scenarios to new levels of sophistication.The process starts in the same way as did previous CAPTCHA-breaking attacks, using bot-controlled zombie PCs under remote control to fill in the main fields - name, password, country - asked for by Hotmail during signup. The CAPTCHA image presented by Hotmail is then uploaded to a remote server for image decoding, before being sent back to the client for the attempt to create the fake account to proceed.The latest hack comes only months after Microsoft had previously altered CAPTCHA to beat similar attacks, having suffered more than one 'break' in 2008.Websense's analysis of the hack suggests that this process will be successful in one out of every five to 8 attempts, or between 12 and 20 percent of the time, more than enough given the possible volume of account creation to offer the spammers a healthy return. The CAPTCHA image analysis itself is said to take only 20 to 25 seconds per attempt, per machine. More at; http://www.infoworld.com/article/09/02/17/Spammers_break_Live_Hotmails_CAPTCHA_yet_again_1.html
