Aug 11 2009

Create A Simple Captcha With PHP and GD

Everyone hates captchas. I know I do. It sucks, but they are a necessary evil. Most captchas are difficult (sometimes impossible) to read and they will consistently drive visitors from your site. I’ve been on sites where the captcha was so hard to decipher that I’ve never gone back.

During the development of a new site I was forced to create one of these evil entities. It was surprisingly simple and painless. The captcha that I outline here is very, very simple and should never be used in production without a fair amount of tweaking.

Having developed my site using PHP, I naturally turned to the GD library.

First I generated a random string to display in the captcha:


//generate a random alphanumeric string of a specific length
function gen_random_string($length)
{
  $characters = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ".
        "abcdefghijklmnopqrstuvwxyz";
  $real_string_length = strlen($characters) - 1;
  $string = ''; //initialise, otherwise the first .= raises an undefined variable notice
  for($p=0;$p<$length;$p++)
  {
    //mt_rand() is not a cryptographic RNG; fine for a demo, too predictable for production
    $string .= $characters[mt_rand(0, $real_string_length)];
  }
  return $string;
}

//the session must be started before $_SESSION is touched
session_start();

//add to session array so other scripts can access it for the comparison
$_SESSION['image_text']= gen_random_string(8);

//split into character array - str_split only works in PHP 5
$text_array = str_split($_SESSION['image_text']);


Now that I have my string I need to create the image. Make sure that the GD extension is installed on your PHP/Apache server.

//create the image with a background image
$NewImage =imagecreatefrompng("bg1.png");
$cntr = 0;
foreach($text_array as $letter)
{
  //generate a random color for each letter
  $r = rand(0,200);
  $g = rand(0,200);
  $b = rand(0,200);
  $textcolor = imagecolorallocate($NewImage, $r, $g, $b);

  //random horizontal spacing
  $spacing = (rand(5,10)+($cntr*10));
  
  //add the character to the image
  imagestring($NewImage, 5, $spacing, rand(0,10), $letter, $textcolor);
  $cntr++;
}


The code above will generate a GD captcha image with random colouring and random horizontal and vertical spacing on top of a background image. Now we just need to output it.

//output the headers, then the image as a PNG
//the cache headers force the browser to fetch a fresh image (and a fresh session value) every time
header('Content-type: image/png');
header('Cache-Control: max-age=0');
header('Expires: '.gmdate('r',time()-3600*24*365));
header('Pragma:');
imagepng($NewImage);
imagedestroy($NewImage);


So if I called this file simple-captcha.php, I could embed it with this HTML:

<img id="captcha" name="captcha" src="simple-captcha.php">


Here is what it looks like:

This captcha can be strengthened by using other GD image functions such as imagefilledellipse and imageline to create artifacts in the background. It also helps to use different fonts and to change the angle of the letters.
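The post stores the text in the session "for the comparison" but never shows the form-handler side. The following is an added example, not the original post's code: it issues the challenge with random_int() and checks the answer exactly once, in constant time, with an expiry and an attempt limit. It assumes PHP 7.1 or later, that session_start() has already been called by the including script, and the session key 'captcha' and the two constants are names chosen here.

```php
<?php
// Added example (not from the original post): the verification side of the
// captcha described above. Assumes PHP >= 7.1 and that the caller has already
// run session_start(). The session layout and constants are chosen here.

declare(strict_types=1);

const CAPTCHA_TTL       = 300; // seconds a challenge stays valid
const CAPTCHA_MAX_TRIES = 3;   // wrong answers allowed before a new image is required

// Issue a new challenge. The image script would call this where the post
// calls gen_random_string(8) and draw the returned string.
function captcha_issue(int $length = 8): string
{
    // No 0/O or 1/I: those glyphs are ambiguous once the text is distorted.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $code = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() is a CSPRNG; mt_rand() output can be recovered from a few samples.
        $code .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $_SESSION['captcha'] = ['code' => $code, 'issued' => time(), 'tries' => 0];
    return $code;
}

// Check the submitted answer. The challenge is consumed on success, on expiry
// and after CAPTCHA_MAX_TRIES failures, so one image cannot be guessed at
// repeatedly and a correct answer cannot be replayed.
function captcha_verify(?string $answer): bool
{
    $c = $_SESSION['captcha'] ?? null;
    if ($c === null) {
        return false;                    // nothing issued for this session
    }
    if (time() - $c['issued'] > CAPTCHA_TTL) {
        unset($_SESSION['captcha']);     // stale challenge: force a new image
        return false;
    }
    // Case-insensitive so the mixed-case string is not a usability trap;
    // hash_equals() compares in constant time.
    $ok = is_string($answer)
        && hash_equals($c['code'], strtoupper(trim($answer)));
    if ($ok || ++$_SESSION['captcha']['tries'] >= CAPTCHA_MAX_TRIES) {
        unset($_SESSION['captcha']);     // one-time use
    }
    return $ok;
}
```

In the form handler, call session_start() and then captcha_verify($_POST['captcha'] ?? null) before processing the rest of the submission; a false result should redraw the form with a new image.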


May 14 2009

Apple Hires Former OLPC Security Director

imamac writes “It seems Apple is seeking to beef up security by hiring Ivan Krstic, the one-time director of security architecture at One Laptop per Child. ‘Krstic, a well-respected innovator who designed the Bitfrost security specification for the OLPC initiative, joined Cupertino this week and will work on core OS security. His hiring comes at a crucial time for a company that ties security to its marketing campaigns despite public knowledge that it’s rather trivial to launch exploits against the Mac.'”

Read more of this story at Slashdot.



May 13 2009

Schneier Says We Don’t Need a Cybersecurity Czar

Trailrunner7 writes “Threatpost.com reports that security guru Bruce Schneier says not only should the NSA not run cybersecurity for the federal government, no one should. ‘Really what I think is it shouldn’t be anybody. We do better without a top-down hierarchy. Our economic and political systems work best when there isn’t a dictator in charge, when there isn’t one organization in charge. My feeling is there shouldn’t be one organization in charge. Not only shouldn’t it be the NSA, it shouldn’t be anybody,’ Schneier said.”

Read more of this story at Slashdot.



May 13 2009

Apple and Microsoft Release Critical Patches

SkiifGeek writes “Both Microsoft and Apple have released major security updates in the last 24 hours. Microsoft’s single update (MS09-017) addresses fourteen distinct vulnerabilities across all supported versions of PowerPoint, but it isn’t the number of patched vulnerabilities that is causing trouble. Instead, the decision to release the patch for Windows versions while OS X and Works versions remain vulnerable to the same remote code execution risks (including one that is currently being exploited) hasn’t gone down well with some people. Microsoft have given various reasons why this is the case, but this mega-update-in-a-patch is still interesting for other reasons. Meanwhile, Apple has updated OS X 10.5 to 10.5.7 as part of the 2009-002 Security Update, as well as a cumulative update for Safari 3 and the Public Beta for 4. As well as addressing numerous significant security risks, the 10.5.7 update provides a number of stability and capability enhancements and incorporates the Safari 3 update patch. Probably the most surprising element of the Apple update is the overall size of it; 442MB for the point update, and 729MB for the ComboUpdate.”

Read more of this story at Slashdot.



May 12 2009

Break-In Compromises 160k Medical Records At UC Berkeley

nandemoari writes “Hackers have reportedly infiltrated restricted computer databases at the University of California Berkeley, putting the private data of 160,000 students, alumni, and others at risk. According to UC Berkeley, computer administrators determined on April 9, 2009 that electronic databases in University Health Services had been breached by overseas criminals. The break-ins began in October 2008. Information contained on the breached databases included Social Security numbers, health insurance information, and non-treatment medical information such as records of immunization and names of treating physicians.”

Read more of this story at Slashdot.



May 12 2009

Brain Scanning May Be Used In EU Security Checks

An anonymous reader writes with this excerpt from the Guardian: “Distinctive brain patterns could become the latest subject of biometric scanning after EU researchers successfully tested technology to verify identities for security checks. The experiments, which also examined the potential of heart rhythms to authenticate individuals, were conducted under an EU-funded inquiry into biometric systems that could be deployed at airports, borders and in sensitive locations to screen out terrorist suspects.” The same article says that “The Home Office, meanwhile, has confirmed rapid expansion plans of automated facial recognition gates: 10 will be operating at major UK airports by August.” I wonder what Bruce Schneier would have to say about such elaborate measures.

Read more of this story at Slashdot.



May 11 2009

3,800 Vulnerabilities Detected In FAA’s Web Apps

ausekilis sends us to DarkReading for the news that auditors have identified thousands of vulnerabilities in the FAA’s Web-based air traffic control applications — 763 of them high-risk. Here is the report on the Department of Transportation site (PDF). “And the FAA’s Air Traffic Organization, which heads up ATC operations, received more than 800 security incident alerts in fiscal 2008, but still had not fixed 17 percent of the flaws that caused them, ‘including critical incidents in which hackers may have taken over control of ATO computers,’ the report says. … While the number of serious flaws in the FAA’s apps appears to be staggering, Jeremiah Grossman, CTO of WhiteHat Security, says the rate is actually in line with the average number of bugs his security firm finds in most Web applications. … Auditors were able to hack their way through the Web apps to get to data on the Web application and ATC servers, including the FAA’s Traffic Flow Management Infrastructure system, Juneau Aviation Weather System, and the Albuquerque Air Traffic Control Tower. They also were able to gain entry into an ATC system that monitors power, according to the report. Another vulnerability in the FAA’s Traffic Flow Management Infrastructure leaves related applications open to malware injection.”

Read more of this story at Slashdot.



May 11 2009

NSA Wages Cyberwar Against US Armed Forces Teams

Hugh Pickens writes “A team of Army cadets spent four days at West Point last week struggling around the clock to keep a computer network operating while hackers from the National Security Agency tried to infiltrate it with methods that an enemy might use. The NSA made the cadets’ task more difficult by planting viruses on some of the equipment, just as real-world hackers have done on millions of computers around the world. The competition was a final exam for computer science and information technology majors, who competed against teams from the Navy, Air Force, Coast Guard and Merchant Marine as well as the Naval Postgraduate Academy and the Air Force Institute of Technology. Ideally, the teams would be allowed to attack other schools’ networks while also defending their own but only the NSA, with its arsenal of waivers, loopholes, special authorizations is allowed to take down a US network. NSA tailored its attacks to be just ‘a little too hard for the strongest undergraduate team to deal with, so that we could distinguish the strongest teams from the weaker ones.’ The winning West Point team used Linux, instead of relying on proprietary products from big-name companies like Microsoft or Sun Microsystems.”

Read more of this story at Slashdot.



May 11 2009

Viral Art: A Gallery Of Security Threats

Using pieces of disassembled code, API calls, memory addresses and subroutines associated with virus threats, the data was analyzed by frequency, density, and groupings. Algorithms were then developed and two commissioned artists mapped the data to the inputs of the algorithms, which then generated virtual, 3D entities.



May 9 2009

Tata Building $7,800 Apartments in Mumbai

theodp writes “What do you do for an encore after you’ve shown the world it’s possible to build a ,000 car? Ratan Tata, head of India’s giant Tata conglomerate, now plans to build, 30 miles outside of Mumbai, 1,200 tiny apartments that will sell for ,800 to ,400 each. Sure, they’re small (floor plans), but keep in mind that you can pay a quarter of a million bucks for a 250-sq.-ft. studio in the East Village. Time reports that Tata has had to beef up security to handle the rush of buyers who want to plunk down their 0 deposits (yes, that’s two hundred dollars!). Who would’ve thought you could make IKEA homes look pricey?” The Businessweek.com article says that the apartments are aimed at someone making ,000 to ,000 per year (Time says ,000). In Mumbai, a call center operator with 10 to 20 years of experience barely qualifies at ,400 annually. 70% of the country’s 1.2 billion people live on 1/20 as much.

Read more of this story at Slashdot.

