Hack attack

Jeff Yan and a colleague at Newcastle have developed a tool to help web companies beat the spammers

October 30, 2008

Flaws in an online security system that is widely used to curb automated hacking have been exposed by a computing expert from Newcastle University.

Jeff Yan, a lecturer at the School of Computing Science, uncovered the vulnerability of the "Captcha" system, which is used to protect global email services and websites from attacks, with the help of Ahmad Salah El Ahmad, a PhD student.

Together the pair developed a quick, low-cost technique that enabled automated "bots" to crack the shield, which aims to check that users are human by asking them to read and retype a series of letters depicted in uneven, indistinct and mosaic-like form.

If malicious hackers had developed the same technique, and some believe they had, it would have allowed them to greatly increase the quantity of spam originating from free email accounts operated by Microsoft, Yahoo, Google and others. These companies have now tightened up their systems as a result of Dr Yan's work, which is credited with a recent reduction in online irritations such as junk email and adverts placed automatically on blogs.

Dr Yan, who is Chinese, trained as a computer security researcher as an undergraduate in Shanghai before travelling to the UK to do a PhD at the University of Cambridge. He said he was drawn by the chance to work with a world-renowned expert in the field.

"I was determined to do my PhD with Ross Anderson (professor of security engineering) at Cambridge because he had a big reputation in the field, and even in China I knew of him as a brilliant researcher," he said.

After completing his PhD, he taught for a year at the Chinese University of Hong Kong. In 2005, he moved back to the UK to take up a post at Newcastle.

He said that his work in exposing flaws in the Captcha security system was a field of research he found exciting, but which also made a difference to internet users by helping companies maintain the highest levels of security.

Although email providers have already altered the letter-test as a result of his work, he said ensuring that the letters were disguised in a way that would fool computers but still be decipherable to humans remained a challenge.

"It is a matter of striking the right balance," he said. "The idea of Captcha is a good one, but the devil is in the detail, and this is where future work needs to focus."

Dr Yan and Mr El Ahmad are now designing a "toolbox" of algorithms and attacks to allow companies to evaluate the strength of future Captchas.


Please login or register to read this article

Register to continue

Get a month's unlimited access to THE content online. Just register and complete your career summary.

Registration is free and only takes a moment. Once registered you can read a total of 3 articles each month, plus:

  • Sign up for the editor's highlights
  • Receive World University Rankings news first
  • Get job alerts, shortlist jobs and save job searches
  • Participate in reader discussions and post comments

Have your say

Log in or register to post comments