Transec, a Secure Authentication Tag Library
Lado Kumsiashvili writes, "Micromata has placed Transec, a secure authentication JSP tag library, under the GPL. While developing the Polyas (German) online voting system, Micromata invented a component for secure PIN/password input via untrusted, insecure browsers. Transec is freely embeddable and redistributable for non-commercial projects; a commercial license is also available. Spyware in the form of Browser Helper Objects and keyloggers can capture user keyboard input even if it is encrypted. Transec enables user authentication using a 100% server-side control — only images and coordinates are transferred to the untrusted browser. The browser sends coordinate information of each click on this imagemap directly back to the server, and the server responds with a new image. If the browser is infected by malware, it can't give up the PIN/password since the browser doesn't know this information. The Java code and a demo application are available at the Transec homepage." I have heard tales of malware that can grab a screen capture in the vicinity of the cursor at any mouse-click. Does anyone know if such a threat actually exists?
Seriously now. Are we going to inconvenience ourselves just because a few programs out there do Bad Things?
The solution isn't to work around the baddies but to eliminate them altogether.
If so, the malware must go after specific types of clicks - for example, maybe it looks at the URL and form action to determine whether it's worth capturing the images. Otherwise, a typical day of perusing Digg articles could result in megabytes upon megabytes of captured images. And unlike text data, image data is hard to sieve for gold.
"I have heard tales of malware that can grab a screen capture in the vicinity of the cursor at any mouse-click. Does anyone know if such a threat actually exists?"
Well, it does now.
This is assumed to counter keyloggers.
But if the bad guys have enough control of your machine to install a keylogger, then what's going to stop them from installing a "screen logger" that keeps successive screenshots in a special directory on the hard disk?
This "new" product does not work around the principle that software cannot secure a computer to which your adversary has physical access.
I've heard about it many times as well and even seen a proof-of-concept.
Anyway, it could easily be implemented, and that's the point. I think a good solution would be Deja Vu or something similar, with lots of information (tens of known pictures), so that you need to grab lots of screenshots before actually having a chance.
But even in Deja Vu, you're only delaying the attack. With enough information, it is possible to crack it too.
Why can't we have a TCB that is really Trusted? A secure operating system is all it takes to divert these attacks (granted, it's easier said than done).
May false logic undermine your entire philosophy!
Here's their demo app.
I don't understand why this has made its way onto Slashdot. It's an image map. With a PIN pad. Besides the fact that it looks like a solution looking for a problem, I don't see the innovation. This could very easily be replicated in practically any web scripting language of your choice.
Entrepreneur : (noun), French for "unemployed"
When I log on to my account, instead of typing in a PIN, I press buttons on a "virtual" keypad, i.e. a bunch of images. They also randomly assign letters to each number (different every time you log in) so you can still type them if you want without a keylogger figuring out what your PIN is.
Monstar L
With Java implementations now being under GPLv2 (and possibly going to v3 when ready), are we about to see some domino effect?
.... maybe they should bring a new TLD : .bin :P
Let's "GPL the world" !
Not sure MS will like this game
Probably a mistake in the article... but if they just randomly rotate the keypad, then take (mouse x - min(mouse x)) / key size, and you get 10 possible PINs. Try 10, and you are done.
If they randomly permute, then things would be a bit harder. If they randomly permute and have OCR-resistant digits, the pin would be very secure (though, if enough money is involved, a cracker would probably be ready to actually look at the image...)
Nothing new here. China has been doing it for online payments for the last few years; some are ActiveX, some are JavaScript, some are Java. But all I know is that they piss me off from a usability point of view. In this context of a voting booth, I guess it would be touch screens?
They also don't ask you to enter the whole PIN, but only a few randomly selected digits ("Please enter the 3rd and 5th digit of your PIN"), so an attacker who grabs the screen only once still doesn't have enough information. I think that's pretty smart.
... in a slightly (and IMHO better) way. Try the following: go to https://logitelnet.socgen.com/, then enter a bogus 8-digit client number like 12345678 in the upper left entry (below "Code client"), and validate. The system then asks for your PIN using a random keypad. Not only does the position of the keys change, but also the position of the keypad on the page. Of course it doesn't defeat screen grabbing but it's enough for mouse/key loggers.
Using images as a PIN-code isn't making things much more secure, if the same images are used every time. The credentials are still sent in a way that can be logged. It's just an extra annoyance for those who want to steal your password.
I use one-time passwords for accessing my home computer over SSH. Anyone can log my keystrokes, or look over my shoulder how much they want. The password is generated by an OPIE client running on my cell phone, and is valid only once.
OPIE clients run on virtually any kind of device. Just as long as you don't run it on the actual computer which you use to access the server, this is a more secure solution.
Using OPIE on untrusted servers would still present the security problem of initial passphrase synchronization between server and OPIE client - unless the passphrase is sent to the user by some secure channel, unlikely to be snooped.
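The OPIE scheme the two posts above describe is a hash-chain one-time password system (the S/KEY family). The following Python sketch is an added example, not part of the thread and not OPIE's own code: it uses SHA-256 instead of OPIE's folded MD4/MD5 and skips the six-word encoding, and the chain length and seed are constructed. It shows the property the poster relies on (a logged password is useless afterwards, and an observer cannot compute the next one from it) and, in the server's constructor, the initial-synchronisation step the reply is worried about.

```python
import hashlib
import hmac
import secrets

CHAIN_LENGTH = 100  # constructed: number of one-time passwords per enrolment


def _step(value: bytes) -> bytes:
    """One hash step of the chain (SHA-256 here; real OPIE/S/KEY fold MD4/MD5 to 64 bits)."""
    return hashlib.sha256(value).digest()


def make_chain(seed: bytes, length: int) -> list[bytes]:
    """Return [seed, H(seed), H^2(seed), ..., H^length(seed)]."""
    chain = [seed]
    for _ in range(length):
        chain.append(_step(chain[-1]))
    return chain


class OtpServer:
    """Server side: keeps only the last accepted value, never the seed."""

    def __init__(self, anchor: bytes, remaining: int):
        # anchor = H^length(seed). Delivering it to the server is the initial
        # synchronisation step: it must travel over a channel the attacker
        # cannot tamper with, since a substituted anchor lets the attacker log in.
        self.last_accepted = anchor
        self.remaining = remaining

    def verify(self, candidate: bytes) -> bool:
        """Accept candidate only if H(candidate) equals the last accepted value."""
        if self.remaining == 0:
            return False  # chain exhausted; the user must re-enrol
        if hmac.compare_digest(_step(candidate), self.last_accepted):
            self.last_accepted = candidate  # move one link down the chain
            self.remaining -= 1
            return True
        return False


class OtpClient:
    """Client side (the phone): walks the chain from H^(length-1) down to the seed.

    Kept as a list for clarity; a real client recomputes each value from the seed.
    """

    def __init__(self, seed: bytes, length: int):
        self._chain = make_chain(seed, length)
        self._next = length - 1

    def anchor(self) -> bytes:
        return self._chain[-1]

    def next_password(self) -> bytes:
        if self._next < 0:
            raise RuntimeError("chain exhausted; re-enrol")
        value = self._chain[self._next]
        self._next -= 1
        return value


def demo() -> tuple[bool, bool, bool]:
    """Returns (first login ok, replay of the same OTP rejected, second login ok)."""
    client = OtpClient(secrets.token_bytes(16), CHAIN_LENGTH)
    server = OtpServer(client.anchor(), CHAIN_LENGTH)
    otp1 = client.next_password()
    first_ok = server.verify(otp1)
    replay_ok = server.verify(otp1)  # a logged OTP buys the observer nothing
    second_ok = server.verify(client.next_password())
    return first_ok, replay_ok, second_ok
```

The server only ever stores a value from which the next acceptable password cannot be derived, so a shoulder-surfer or keylogger who captures one password learns nothing useful; what this does not cover, as later posts point out, is a phishing or proxying site that forwards the fresh password in real time.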
Without breaking NDAs I can verify that such malware exists, in the wild. So far this functionality (taking screenshots) has not been used widely, but the necessary functions are there, screenshots are taken, it's just not been necessary to use them.
Picture shots would certainly increase security and raise the bar for malware writers. Current BHOs are able to manipulate the data stream on the fly, so you can never be sure what you send to your bank, and whether the data your bank sends to you is actually also displayed. With a picture, this becomes harder to manipulate.
Harder. Not impossible. Many malware BHO families are already prepared for this kind of defense and are working on a way around it (or already found a way around it). Any claim to make malware impossible is a lot of smoke screen and even more snake oil. The best defense against such attacks are still:
1. Using non-mainstreamy software. Malware is a business, target is the mass market. So the further you're from the "masses", the higher the chance that the malware can't strike you. Using Firefox instead of the omnipresent IE is a good step. Defeats a good deal of malware. Taking a step further and using a Mac or Linux almost eliminates the threat. That doesn't mean MacOS or Linux are more secure (I'll spare you and me the discussion), that simply means that their market share is smaller and thus it is less interesting for malware writers.
2. Using a brain when connecting to the 'net. Clicking everything and using mainstream apps is a surefire way to catch some kind of infection. Even with current anti-malware tools installed. No antivirus is able to catch everything (and they usually are at least one day behind the malware writers). No security tool is able to intercept all invasion attempts (Windows simply offers way too many entry points). Software is no replacement for brains and common sense.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
You're dealing with people who register a domain in Uzbekistan, run the server in the Ukraine and sit in Moldavia. With these three countries being placeholders for pretty much every country from the former Eastern Bloc east of Poland. Now try to get ANY kind of help from law enforcement there concerning computer crimes.
Those law enforcement organisations there have real problems to deal with, they have no spare manpower for petty things like computer crimes. I say that so I don't say they don't want to stand up against organized crime 'cause they have families.
I don't get it...t =48&VSID=6d7fc48bd716da9ea9996168a1d6880b :/
Why not use something like this:
http://www.vasco.com/products/product.html?produc
It's a little calculator-like device, which only changes one 6-digit number into another 6-digit number. I don't know the workings behind it, but it's a unique calculation per device, and they're cheap and easy to use.
You just log into a webpage, enter the number on the back or a logincode if the number is registered to a login, input the (changing per page-reload) 6-digit number on the screen onto the calculator, type in the code you receive from the little thing onto the webpage, and you're in.
Anyone who would want to hack the account would have to have physical access to your particular calculator, know the pass of the calculator, and be able to interpret the numbers on the screen (I guess that screenshot-taking malware could do that part). No way any piece of malware could get through this.
If someone hacks their way into your account with this security thing, you'd have some serious other problems to worry about, like getting rid of that rope around your wrists, tied to the chair you're sitting on with an apple lodged in your mouth.
Perhaps it'd be interesting if a government could supply these things to their citizens, and have one webpage they could do everything on, from filling in their tax forms to changing a home address, etc.
Manuals are your last resort only
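The poster does not know how the calculator-style device works internally, so the following Python sketch is an added example of one common construction for such a device, not the vendor's algorithm: the device and the server share a per-device secret, the page shows a fresh six-digit challenge, and the response is an HMAC of that challenge truncated to six digits. The secret, user name and challenge length are constructed for the demo. It shows why a logged response is worthless on the next page load.

```python
import hashlib
import hmac
import secrets


def token_response(device_secret: bytes, challenge: str) -> str:
    """Device side: turn the 6-digit challenge into a 6-digit response.

    Assumed construction (HMAC-SHA256 truncated to six decimal digits); the
    real device's algorithm is not known from the thread.
    """
    mac = hmac.new(device_secret, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class TokenServer:
    """Server side: one per-device secret and at most one outstanding challenge per user."""

    def __init__(self, device_secrets: dict[str, bytes]):
        self._secrets = device_secrets
        self._pending: dict[str, str] = {}

    def new_challenge(self, user: str) -> str:
        """Fresh 6-digit challenge shown on the page; every reload issues a new one."""
        challenge = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[user] = challenge
        return challenge

    def verify(self, user: str, response: str) -> bool:
        """Accept only the response to the currently outstanding challenge, then retire it."""
        challenge = self._pending.pop(user, None)
        key = self._secrets.get(user)
        if challenge is None or key is None:
            return False
        return hmac.compare_digest(token_response(key, challenge), response)


def demo() -> tuple[bool, bool, bool]:
    """Returns (genuine login ok, same response resubmitted, logged response reused on a new challenge)."""
    key = secrets.token_bytes(20)  # constructed: provisioned into device and server when the token is issued
    server = TokenServer({"alice": key})
    c1 = server.new_challenge("alice")
    r1 = token_response(key, c1)
    genuine = server.verify("alice", r1)
    resubmit = server.verify("alice", r1)   # nothing outstanding: rejected
    server.new_challenge("alice")
    reuse = server.verify("alice", r1)      # wrong challenge: rejected (barring a 1-in-10^6 collision)
    return genuine, resubmit, reuse
```

Because the response is bound only to a random challenge and not to what the user is about to do, it stops replay from a keylogger or screen grabber but not a live proxy that relays the challenge and the response, which is the man-in-the-middle point raised elsewhere in the thread.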
No idea. Next question.
At least in their demo the entropy in the assignment between the coordinates and the numbers input is completely missing. Not a good "encryption" or "security" scheme.
Their scheme is like this: when they ask you for your PIN, they give you a keyboard which has buttons like [1 or 4], [3 or 5], [2 or 8], so there are five buttons. You can input your password even with someone looking over your shoulder and they won't know what your password is, because the buttons are ambiguous and the numbers are grouped randomly. They would have to be able to watch you a few times until they can be sure of your password. This reduces the search space for a brute force attack, but as the account is locked up after three incorrect tries, it doesn't really matter.
Not that it helps much anyway. A man in the middle attack will defeat this easily, where the bad guy will just proxy whatever challenge he gets from the bank and get access to his account. We need to make users less stupid - good luck fixing that!
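The ambiguous-button scheme described above can be modelled in a few lines, which makes its residual strength measurable. The following Python code is an added example, not the bank's or Transec's code: the five-button layout, the sample PIN and the RNG seed are constructed. It implements the server's side (random grouping, checking button presses against the stored PIN) and then computes how many PINs remain consistent with what a shoulder-surfer has seen after one, two, ... observed logins, together with the odds of guessing within a three-try lockout.

```python
import itertools
import random

DIGITS = "0123456789"


def make_layout(rng: random.Random) -> list[tuple[str, str]]:
    """Server side: group the ten digits into five random two-digit buttons."""
    digits = list(DIGITS)
    rng.shuffle(digits)
    return [(digits[i], digits[i + 1]) for i in range(0, 10, 2)]


def button_for(layout: list[tuple[str, str]], digit: str) -> int:
    """Index of the button that carries `digit` in this layout."""
    for index, pair in enumerate(layout):
        if digit in pair:
            return index
    raise ValueError(f"digit {digit!r} not on keypad")


def press_pin(layout: list[tuple[str, str]], pin: str) -> list[int]:
    """What the browser sends: one button index per PIN digit; the digits never leave the server."""
    return [button_for(layout, d) for d in pin]


def server_accepts(layout: list[tuple[str, str]], stored_pin: str, presses: list[int]) -> bool:
    """The server knows the layout it issued, so it can check the presses against the real PIN."""
    return press_pin(layout, stored_pin) == presses


def consistent_pins(observations: list[tuple[list[tuple[str, str]], list[int]]]) -> set[str]:
    """PINs that agree with every (layout, presses) pair an observer has seen.

    One session leaves two possibilities per digit, i.e. 2**len(pin) PINs;
    each further session intersects that set, which is why the scheme
    weakens under repeated observation.
    """
    survivors = None
    for layout, presses in observations:
        per_position = [layout[b] for b in presses]
        this_session = {"".join(p) for p in itertools.product(*per_position)}
        survivors = this_session if survivors is None else survivors & this_session
    return survivors or set()


def guess_success_probability(n_candidates: int, attempts_before_lockout: int) -> float:
    """Chance that blind guessing within the lockout budget hits the PIN."""
    return min(1.0, attempts_before_lockout / n_candidates)


def simulate(pin: str, sessions: int, seed: int = 7) -> list[int]:
    """Candidate-set size after 1..sessions observed logins (constructed seed for reproducibility)."""
    rng = random.Random(seed)
    observed = []
    sizes = []
    for _ in range(sessions):
        layout = make_layout(rng)
        presses = press_pin(layout, pin)
        assert server_accepts(layout, pin, presses)
        observed.append((layout, presses))
        sizes.append(len(consistent_pins(observed)))
    return sizes
```

For a four-digit PIN the first observed login leaves 16 candidates, so a three-try lockout caps a blind guess at 3/16; each additional observation shrinks the set further, which is the "watch you a few times" caveat in the post made concrete.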
The image is a map, when you click it, coordinates are POSTed to the server, that replies with a new image.
Grab the coordinates and the image, and you can stitch together the password with close to no effort.
Dead on. In the face of malware and rootkits, the only secure passwords are those which can never be re-used. My personal favorite is having the secure site SMS a one-time password to my cell phone. Sure, it's a little inconvenient, but not as inconvenient as having a hacker root me with a keylogger/mouselogger/screengrabber/whatever and drain my brokerage account into his bank in Nigeria.
About the word "if": If bullfrogs had wings, they wouldn't bounce around on their little green butts.
The trouble is, anyone who owns your PC and has installed a keylogger can just as easily spy on your display and see what you are clicking.
Sometimes I would swear my brain explodes at our slowness to learn.
The only true solution is one time pads. They are unhackable, and only a minor inconvenience.
I would give blood to be able to use a one time pad for my online banking. The trouble is, the industry, and Joe Public, still don't take IT security seriously. And this is totally a mindset. Some marketing guru should wake up to the possibilities of the one time pad - potentially the greatest chick puller since the circular waterbed - and get us the hell out of this horrendous hacky world.
[x] auto-moderate all posts by this user as insightful
Are supposed to log in how?
Has nobody thought of the screen readers? This will just lock out the handicapped users, unless an alternative method is developed for them. Thus, the solution is not practical for any business.
If you're looking for a solution that will remain secure even with a keylogger, screengrabber, person over your shoulder or CIA microwave monitor tap try...
1. Please enter your username
2. Please enter the 2nd and 6th letter of your password.
Randomize the digits asked for in 2 and hide password fields.
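The two-step procedure above (ask for the username, then for randomly chosen positions of the password) is easy to implement server-side; the following Python code is an added example, not from the thread. The password, challenge size and RNG seed are constructed. It also carries the caveat a practitioner would want: to verify arbitrary positions the server must hold the password in recoverable form, not as a salted hash, and the simulation at the end shows how many observed logins it takes before every position has been disclosed to a persistent observer.

```python
import hmac
import random
import secrets


class PartialPasswordAuth:
    """Server that asks for k randomly chosen character positions of the password at each login."""

    def __init__(self, password: str, positions_per_challenge: int = 2):
        if not 1 <= positions_per_challenge <= len(password):
            raise ValueError("bad challenge size")
        # Caveat: checking arbitrary positions requires the password in
        # recoverable form (plaintext here); a salted hash cannot answer this.
        self._secret = password
        self._k = positions_per_challenge
        self._pending = None

    def challenge(self) -> list[int]:
        """Pick k distinct 1-based positions, fresh for every login (step 2 of the post)."""
        self._pending = secrets.SystemRandom().sample(range(1, len(self._secret) + 1), self._k)
        return list(self._pending)

    def verify(self, answer: str) -> bool:
        """Constant-time comparison of the supplied characters; the challenge is retired either way."""
        positions, self._pending = self._pending, None
        if positions is None or len(answer) != len(positions):
            return False
        expected = "".join(self._secret[p - 1] for p in positions)
        return hmac.compare_digest(expected.encode(), answer.encode())


def sessions_until_exposed(password_length: int, k: int, seed: int = 3) -> int:
    """Observed challenge/response pairs until every position has been revealed (constructed RNG seed)."""
    rng = random.Random(seed)
    seen: set[int] = set()
    sessions = 0
    while len(seen) < password_length:
        seen.update(rng.sample(range(1, password_length + 1), k))
        sessions += 1
    return sessions


if __name__ == "__main__":
    auth = PartialPasswordAuth("constructed-pw", 2)
    asked = auth.challenge()
    reply = "".join("constructed-pw"[p - 1] for p in asked)
    print(asked, auth.verify(reply), sessions_until_exposed(14, 2))
```

A single captured session reveals only the positions asked for, which is the keylogger resistance the post is after; the exposure count is the "matter of time" objection raised further down the thread, and it is why this scheme is usually paired with lockouts or a second factor rather than used alone.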
How do you know the machine you're typing on isn't replaced with one that's built for harvesting your passwords?
http://www.intellipool.se/ - Intellipool Network Monitor
The summary is wrong (or should be): it may be available under a non-GPL license for cash too, but if someone wants to use a GPL product in their commercial app, that's fine. They just have to abide by the GPL.
At the risk of starting another flame war about why we should care about the blind... This system is unusable by the blind using a screen reader. You are unable to detect the location of the "buttons". I tested it with both the MacOS built-in screen reader (VoiceOver) and a Windows add-on screen reader (JAWS).
So, in the U.S., unless you're looking to have the National Federation of the Blind, American Council of the Blind or the Justice Department come after you in court, you would be well advised not to implement it in a commercial setting unless you have an alternate means of providing services.
And no, providing a physical store thirty miles down the road is not an alternate means; the blind don't drive, remember?
Advantages of the Micromata solution:
- It does not require JavaScript. It just requires a mouse, and the browser feature used (input type=image) has been available in every graphical web browser for more than 8 years.
- It is quite resistant to HTTP spying, as spying on the HTTP POST request is not enough to replay it.
The reason people aren't using this more widely even though it's obvious is that it's also not a very good solution, for many reasons.
If you want something secure, use one time passwords or an authentication token.
And if you think you might have spyware on your computer, reinstall, preferably an operating system that is less susceptible.
First of all, it's a matter of time to get the whole password. It's nice for one-time pads but then again, why bother asking for only part of it?
Second, you could redirect the transfer and execute a classic man in the middle, where you simply cut the user off the moment he logged in and take over.
While developing the Polyas (German) online voting system,
Why do those companies seem to attract the most incompetent developers?
Micromata invented a component
[sarcasm]What else did they "invent"? The mouse? Sex? Combining peanut butter and jelly?[/sarcasm] Using these kinds of inputs has a long tradition.
for secure PIN/password input via untrusted, insecure browsers.
It's not secure, not even close to it. And it has big usability problems. The approach is of some use in some applications, but for an on-line voting system there are so many better things you can do, like sending people a list of one-time passwords along with their voter registration card.
Of course, that presumes that on-line voting is even a good idea, which it isn't.
ING (ingdirect.com, online money market) has been doing this keypad/pin authentication for a few years now. Nothing new here, move along...
I had this idea for a secure keyboard. You could make a keyboard (or adapter dongle) which is capable of encrypting each character you type with a public key (PGP style). Once you browse to a secure site that supports it, a browser plugin would send your keyboard the public key and the keyboard would then encrypt everything you type using that key and the browser will send the result directly back to the website. You'd have to use a protocol that lets you detect a man in the middle attack (and I'm sure they must exist).
:)
There's probably some massive flaw with this idea that I haven't thought of?
They are still widely in use, but if you are up-to-date in Java web application technologies, you are probably aware that JSP is dead. This is not a troll. JSP is rapidly being pushed out by alternatives like Facelets (which is used to define JavaServer Faces views), Tapestry, and Wicket. All of these are XML, disallow any logic in the view (thus encouraging proper MVC), and do not require a mountain of boilerplate code to extend. Why anyone would use JSP these days is totally beyond my understanding. Confusing and hard to maintain, JSP is rapidly diminishing and releasing a new library targeting it is like announcing some great new technology for Windows 95.
Why bother.
That's virtually identical to what ING Direct does, which was discussed in a previous thread. The problem is that a sophisticated keylogger could also capture screenshots and mouse coordinates. From that the PIN could easily be determined.
One-time-pads are not a panacea either.
Let's assume you had a booklet of codes, a true OTP, that you used to log in to your bank. For each login you'd tear off the top sheet and use the next code.
That would still be susceptible to phishing. I could set up a site purporting to be your bank, and convince you to log into it. In doing so, you'd give me your next OTP code, which I could then use to log into your account and steal your money.
It would be a step up over conventional passwords, granted, but I'm not sure that it would be necessarily better than existing rotating-numbers tokens (RSA SecurID, etc.), which are not OTPs, but use secure enough PRNGs that the methods of attack against them are generally phishing/social-engineering rather than cryptographic. (And the electronic tokens have the advantage of the code you type in this minute not being good 15 minutes from now.) I guess that giving out a booklet of randomly printed codes would be cheaper than handing out electronic tokens, so maybe the booklet method would be good for banking/mass-market, or in developing countries where the tokens would be unfeasibly expensive, but I'm not sure they're more secure.
Three-factor authentication (know, have, are) would still seem to be the most secure, and even with a synchronized PRNG in the form of a SecurID or SmartCard, you still have the problem of MITM attacks.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
For those of us that suffer with Section 508 accessibility requirements, using this technology in voting and other (U.S.) government applications would be a show stopper. A screen reader would not be able to interpret the images, and if you put ALT="Your PIN is 1234", that defeats the whole purpose.
One assumes they're doing this over SSL, so grabbing the coordinates and the image shouldn't be trivial. If you can do that, then you can conduct a MITM attack and basically the whole system is hosed; I don't think they're claiming (or, if they are, they're foolish) to be secure against that.
I'm still not convinced that you can do any kind of secure authentication if the client machine into which you type the password (whether it's typed as text or onto an imagemap or via any other means) is assumed to be untrusted and compromised with malware. If the machine is rooted, then you really can't believe anything it's presenting to you. The user cannot tell what site it's really sending data to, or whether it's actually using an encrypted connection, or anything else.
I suspect that the best way around compromised Windows machines is to do the authentication off-computer, using a USB key or SmartCard that's tamper-resistant and never sends anything down the wire to the computer in the clear. The computer would only act as an insecure conduit, passing packets from the authentication dongle to the bank's computer and back. You'd still have the problem of MITM, I think (although maybe not quite so bad, if the key was primed with the bank's fingerprints and public keys), and social-engineering/phishing, but it would basically stop password snooping. The only ways to combat social attacks are via user education, and that's decidedly 'nontrivial.'
This approach does not fly with me, I wouldn't use it in a million years.
I have heard tales of malware that can grab a screen capture in the vicinity of the cursor at any mouse-click. Does anyone know if such a threat actually exists?
It's definitely possible to write a screen capture program that can copy a region, window or even the entire screen. There are numerous shareware programs which will allow you to do this. Some even allow you to perform screen-grabs across the network. Even the MSDN developers CD provided an example program to do this. Other programs demonstrate how to intercept the main keyboard event handler, so you can implement hot-key applications.
So combining the two is theoretically possible.
But why bother grabbing the screen? Most passwords just show up as *******'s anyway, so all a malware writer has to do is log keyboard events.
Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
If I have access to your machine, it's over. Nothing, not even one time pads, will help. I can simply redirect you to a fake site. When you enter your code from your pad, you aren't logging in, just giving me access to your account.
Even one time pads are not going to work. It's a shared key protocol, so you have to worry about key transmission and storage. It is a lot more hassle than it is worth. An issued smart card with your private key for RSA transactions would be a better option.
Would you rather have a new key for every transaction or a trustworthy, proven asymmetrical encryption scheme?
Nihilism means nothing to the dancing peasants
Keylogging and screen capture around the mouse has long been a staple feature of Back Orifice 2000 and NetBus, along with the ability to shut down/reboot the remote computer, copy/delete files, and view the user's webcam.
Whether or not these sorts of features have propagated into general malware I'm not sure. But do applications exist that perform these functions for nefarious purposes? Yes.
The demo page is full of typo errors and it just doesn't work with Firefox. Now THAT is secure since nothing goes anywhere...
Obviously, they are dual licensing the software, but they need to make a clearer distinction between the two licenses. The (presumably fee-based) proprietary use license allows closed source redistribution. But both GPLv1 and GPLv2 require redistribution to be open source, and prohibit use restrictions.
But then they wouldn't be the first to misunderstand the term "proprietary" to mean "commercial". If I'm wrong, Redhat needs to give me my money back.
It seems like every time someone mentions keyboardless computing I have ten more web forms with required text fields to type into.
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
Not only does the page itself give one a method for bypassing it (which is, really, horribly trivial) - "f at all, only by intercepting all mouseclicks plus each single referred picture an agressor could be succesfull, because the virtual keybourd is randomly rotated after each entry." But, it could also be foiled by writing a piece of software to simply intercept said image and replace it with its own. Said software would then have the coordinate -> character mappings required to snoop the password.
So.. it's designed to protect against keyloggers. If a keylogger can get installed on your box, then any of the above pieces of software can too. Gee, that sure helps! (rolls eyes)
You are right. Having reliable soldiers delivering truckloads of ballot boxes from reliable regions to our safe central counting center (and reliably burning truckloads of ballot boxes from those other regions...) is SO much better. So much more... reliable.
Where are we going and why are we in a handbasket?