Slashdot Mirror


Transec, a Secure Authentication Tag Library

Lado Kumsiashvili writes, "Micromata has placed Transec, a secure authentication JSP tag library, under the GPL. While developing the Polyas (German) online voting system, Micromata invented a component for secure PIN/password input via untrusted, insecure browsers. Transec is freely embeddable and redistributable for non-commercial projects; a commercial license is also available. Spyware in the form of Browser Helper Objects and keyloggers can capture user keyboard input even if it is encrypted. Transec enables user authentication using a 100% server-side control — only images and coordinates are transferred to the untrusted browser. The browser sends coordinate information of each click on this imagemap directly back to the server, and the server responds with a new image. If the browser is infected by malware, it can't give up the PIN/password since the browser doesn't know this information. The Java code and a demo application are available at the Transec homepage." I have heard tales of malware that can grab a screen capture in the vicinity of the cursor at any mouse-click. Does anyone know if such a threat actually exists?
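The mechanism the summary describes, reduced to its server-side state machine, as an added example that is not Transec's own code. The keypad geometry (two rows of five 40-pixel cells) is an assumption, as is the choice to re-shuffle the digit layout after every accepted click; the summary only says that the server answers each click with a new image. Everything the browser ever sends is a coordinate pair, so a click- or keystroke-logger that captures those pairs cannot turn them into digits without the images that were shown at the time.

```python
import random
import secrets

# Hypothetical layout for the rendered keypad image: ten keys in two rows
# of five, each CELL x CELL pixels. Transec's real image geometry is not
# described on this page; these constants are assumptions for the example.
ROWS, COLS, CELL = 2, 5, 40
DIGITS = "0123456789"


class ServerSidePinEntry:
    """One PIN-entry session. The server keeps the digit layout; the browser
    only sees the rendered image and returns click coordinates. `rng` is
    injectable so tests are repeatable; a deployment keeps SystemRandom."""

    def __init__(self, pin_length, rng=None):
        self.pin_length = pin_length
        self.rng = rng or secrets.SystemRandom()
        self.digits_entered = []
        self.layout = self._fresh_layout()

    def _fresh_layout(self):
        # Fresh random permutation: the digit drawn in cell i is layout[i].
        layout = list(DIGITS)
        self.rng.shuffle(layout)
        return layout

    def image_spec(self):
        # What the server would render: (digit, x, y, w, h) for each key.
        return [(d, (i % COLS) * CELL, (i // COLS) * CELL, CELL, CELL)
                for i, d in enumerate(self.layout)]

    def digit_at(self, x, y):
        # Resolve a click to a key; None for clicks outside the keypad.
        if not (0 <= x < COLS * CELL and 0 <= y < ROWS * CELL):
            return None
        return self.layout[(y // CELL) * COLS + (x // CELL)]

    def click(self, x, y):
        """Handle one click and return the layout for the next image. A new
        permutation is issued after every accepted click, so the same (x, y)
        recorded by a click-logger means a different digit next round."""
        if self.complete():
            return self.layout
        digit = self.digit_at(x, y)
        if digit is not None:
            self.digits_entered.append(digit)
            self.layout = self._fresh_layout()
        return self.layout

    def complete(self):
        return len(self.digits_entered) >= self.pin_length

    def entered_pin(self):
        return "".join(self.digits_entered)


def key_centre(session, digit):
    # Where a human looking at the current image would click for `digit`.
    i = session.layout.index(digit)
    return (i % COLS) * CELL + CELL // 2, (i // COLS) * CELL + CELL // 2


def simulate_user(pin, rng=None):
    """A user who knows `pin` clicks through one session. Returns the PIN the
    server reconstructed and the raw coordinates the browser sent, which is
    all a client-side logger could have captured."""
    session = ServerSidePinEntry(len(pin), rng)
    coords = []
    for d in pin:
        xy = key_centre(session, d)
        coords.append(xy)
        session.click(*xy)
    return session.entered_pin(), coords


def replay(coords, pin_length, rng=None):
    """Attacker replays captured coordinates into a fresh session. Without the
    images the server showed, the digits this produces are random."""
    session = ServerSidePinEntry(pin_length, rng)
    for xy in coords:
        session.click(*xy)
    return session.entered_pin()


if __name__ == "__main__":
    pin, coords = simulate_user("4711")
    print("server reconstructed:", pin, "from clicks:", coords)
    print("replay into a new session gives:", replay(coords, 4))
```

The shuffle is the part that carries the security: with a fixed layout, a captured coordinate sequence is the PIN, and the scheme degrades to an ordinary keylogger target with extra steps. It does nothing against malware that also grabs the image around the cursor at click time, which is the question the submitter asks.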

20 of 125 comments

  1. Lots o mouse clicks by null+etc. · · Score: 2, Insightful
    I have heard tales of malware that can grab a screen capture in the vicinity of the cursor at any mouse-click. Does anyone know if such a threat actually exists?


    If so, the malware must go after specific types of clicks - for example, maybe it looks at the URL and form action to determine whether it's worth capturing the images. Otherwise, a typical day of perusing Digg articles could result in megabytes upon megabytes of captured images. And unlike text data, image data is hard to sieve for gold.

  2. Heh... by Anonymous Coward · · Score: 4, Funny

    "I have heard tales of malware that can grab a screen capture in the vicinity of the cursor at any mouse-click. Does anyone know if such a threat actually exists?"

    Well, it does now.

    1. Re:Heh... by Lev_Arris · · Score: 2, Interesting

      So basically, we should eliminate the mouse clicks altogether. People who know dontclick.it know what I mean: You could just 'touch' the numbers with the mouse cursor for them to register. That way, the screen logger would have to record an entire video to get the password.

      Of course, implementing such a thing without Flash and the like will be a little more tricky.

  3. I'm skeptic by cucucu · · Score: 2, Interesting

    This is assumed to counter keyloggers.
    But if the bad guys have enough control of your machine to install a keylogger, then what's going to stop them from installing a "screen logger" that keeps successive screenshots in a special directory on the hard disk?

    This "new" product does not work around the principle that software cannot secure a computer to which your adversary has physical access.

  4. Doesn't ING direct already do something like this? by antifoidulus · · Score: 2, Informative

    When I log on to my account, instead of typing in a PIN, I press buttons on a "virtual" keypad, i.e. a bunch of images. They will also randomly assign letters to each number (different every time you log in) so you can still type them if you want without a keylogger figuring out what your PIN is.

  5. Right, they do that already by ewn · · Score: 2, Informative

    They also don't ask you to enter the whole PIN, but only a few randomly selected digits ("Please enter the 3rd and 5th digit of your PIN"), so an attacker who grabs the screen only once still doesn't have enough information. I think that's pretty smart.
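The partial-PIN challenge described in this comment, as an added example (not code from the bank or from Transec). The verifier picks a random subset of positions per login and compares only those digits, in constant time; the attacker model records what a screen-grab of each challenge would reveal and tries to answer a later one. The example makes one caveat explicit that the comment does not mention: to answer "3rd and 5th digit" the server must store the PIN in a form it can index into, so the usual salted one-way hash of the whole secret is not an option here.

```python
import hmac
import secrets


class PartialPinVerifier:
    """Server side of a 'please enter the 3rd and 5th digit' challenge."""

    def __init__(self, pin, positions_per_challenge=2, rng=None):
        if not pin.isdigit() or len(pin) <= positions_per_challenge:
            raise ValueError("PIN must be numeric and longer than the challenge")
        # Stored in indexable form: a hash of the whole PIN could not serve
        # a subset of its digits. That is the price of this scheme.
        self._pin = pin
        self.k = positions_per_challenge
        self.rng = rng or secrets.SystemRandom()

    def challenge(self):
        # Distinct 1-based positions in ascending order, e.g. [3, 5].
        return sorted(self.rng.sample(range(1, len(self._pin) + 1), self.k))

    def verify(self, positions, digits):
        # Reject malformed challenges the client may have tampered with,
        # then compare the expected digits in constant time.
        if len(positions) != self.k or len(set(positions)) != self.k:
            return False
        if any(not 1 <= p <= len(self._pin) for p in positions):
            return False
        expected = "".join(self._pin[p - 1] for p in positions)
        return hmac.compare_digest(expected.encode(), digits.encode())


class ScreenGrabbingAttacker:
    """Attacker who captures the screen at each login and learns the digits
    shown for the positions that were asked. One capture is not enough to
    answer an arbitrary later challenge; enough captures eventually are."""

    def __init__(self):
        self.known = {}

    def observe(self, positions, digits):
        for p, d in zip(positions, digits):
            self.known[p] = d

    def answer(self, positions):
        if all(p in self.known for p in positions):
            return "".join(self.known[p] for p in positions)
        return None


if __name__ == "__main__":
    v = PartialPinVerifier("48213")        # constructed sample PIN
    ch = v.challenge()
    print("challenge:", ch, "->", v.verify(ch, "".join("48213"[p - 1] for p in ch)))
```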

  6. Re:I don't get it. by mrjb · · Score: 4, Insightful

    This could very easily be replicated in practically any web scripting language of your choice.
    Exactly. It doesn't require any client-side processing. That's the beauty of it. This means you can TURN OFF JavaScript and it will still work.

    As for the innovation: it allows a user to enter their PIN while reducing the chance that it's snooped by malware, which is a Good Thing. It also makes it a lot harder for said malware to replicate the response compared to keyboard entry, because in addition to protecting your code, it also acts as a (primitive) CAPTCHA, making reasonably sure that whoever is entering the code is human.

    --
    Visit http://ringbreak.dnd.utwente.nl/~mrjb/growingbettersoftware to download your free copy of the book
  7. OPIE by sonicattack · · Score: 4, Interesting

    Using images as a PIN-code isn't making things much more secure, if the same images are used every time. The credentials are still sent in a way that can be logged. It's just an extra annoyance for those who want to steal your password.

    I use one-time passwords for accessing my home computer over SSH. Anyone can log my keystrokes, or look over my shoulder as much as they want. The password is generated by an OPIE client running on my cell phone, and is valid only once.

    OPIE clients run on virtually any kind of device. Just as long as you don't run it on the actual computer which you use to access the server, this is a more secure solution.

    Using OPIE on untrusted servers would still present the security problem of initial passphrase synchronization between server and OPIE client - unless the passphrase is sent to the user by some secure channel, unlikely to be snooped.
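The hash-chain behind the OPIE one-time passwords this comment uses, as an added example (not the OPIE project's code). It follows RFC 2289 with MD5: the seed and passphrase are hashed and the 16-byte digest folded to 8 bytes, then that value is hashed and folded `count` more times. The server stores only the last password it accepted; a fresh one is valid if hashing it once reproduces the stored value, so a logged password is useless afterwards and a response for a later step in the sequence is rejected. The enrolment helper is where the commenter's synchronisation problem lives: it is the only step that needs the passphrase, and in OPIE it runs on the client, with just (seed, count, hash) handed to the server.

```python
import hashlib
import hmac
import secrets
import string


def _fold(digest):
    # RFC 2289 folds the 16-byte MD5 output to 8 bytes by XORing the halves.
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_md5(passphrase, seed, count):
    """One-time password number `count` of an RFC 2289 (OPIE / S/KEY) MD5
    sequence: fold(MD5(seed + passphrase)), hashed and folded `count` times.
    The seed is case-insensitive, so it is lowercased as OPIE does."""
    h = _fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    for _ in range(count):
        h = _fold(hashlib.md5(h).digest())
    return h


class OpieServer:
    """Server state for one user: seed, remaining count, last accepted hash."""

    def __init__(self, seed, count, current_hash):
        self.seed, self.count, self.current = seed, count, current_hash

    @classmethod
    def enroll(cls, passphrase, count=100, seed=None):
        # The only step that needs the passphrase. In OPIE it runs on the
        # client (opiepasswd) and only (seed, count, hash) reaches the server.
        alphabet = string.ascii_lowercase + string.digits
        seed = seed or "".join(secrets.choice(alphabet) for _ in range(8))
        return cls(seed, count, otp_md5(passphrase, seed, count))

    def challenge(self):
        # e.g. "otp-md5 99 ab12cd34": the client must answer with OTP #99.
        return f"otp-md5 {self.count - 1} {self.seed}"

    def verify(self, response_hex):
        if self.count <= 1:
            return False          # sequence exhausted: user must re-enrol
        try:
            response = bytes.fromhex(response_hex)
        except ValueError:
            return False
        # Hashing the response once must give the value stored last time.
        if hmac.compare_digest(_fold(hashlib.md5(response).digest()), self.current):
            self.current, self.count = response, self.count - 1
            return True
        return False


def client_answer(passphrase, challenge):
    # What the OPIE client on the phone computes from the challenge string.
    _, n, seed = challenge.split()
    return otp_md5(passphrase, seed, int(n)).hex()


if __name__ == "__main__":
    srv = OpieServer.enroll("This is a test.", count=5, seed="TeSt")
    ch = srv.challenge()
    answer = client_answer("This is a test.", ch)
    print(ch, "->", answer, "accepted:", srv.verify(answer),
          "replay accepted:", srv.verify(answer))
```

Real OPIE clients print the password as six short words rather than hex; the value being verified is the same 64 bits. RFC 2289 publishes test vectors for the MD5, SHA1 and MD4 variants that an implementation can be checked against.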

  8. Yes, such a threat exists by Opportunist · · Score: 4, Informative

    Without breaking NDAs I can verify that such malware exists, in the wild. So far this functionality (taking screenshots) has not been used widely, but the necessary functions are there, screenshots are taken, it's just not been necessary to use them.

    Picture shots would certainly increase security and raise the bar for malware writers. Current BHOs are able to manipulate the data stream on the fly, so you can never be sure what you send to your bank, and whether the data your bank sends to you is actually also displayed. With a picture, this becomes harder to manipulate.

    Harder. Not impossible. Many malware BHO families are already prepared for this kind of defense and are working on a way around it (or already found a way around it). Any claim to make malware impossible is a lot of smoke screen and even more snake oil. The best defense against such attacks are still:

    1. Using non-mainstreamy software. Malware is a business, target is the mass market. So the further you're from the "masses", the higher the chance that the malware can't strike you. Using Firefox instead of the omnipresent IE is a good step. Defeats a good deal of malware. Taking a step further and using a Mac or Linux almost eliminates the threat. That doesn't mean MacOS or Linux are more secure (I'll spare you and me the discussion), that simply means that their market share is smaller and thus it is less interesting for malware writers.

    2. Using a brain when connecting to the 'net. Clicking everything and using mainstream apps is a surefire way to catch some kind of infection. Even with current anti-malware tools installed. No antivirus is able to catch everything (and they usually are at least one day behind the malware writers). No security tool is able to intercept all invasion attempts (Windows simply offers way too many entry points). Software is no replacement for brains and common sense.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  9. Re:Then, the terrorists have already won... by ultranova · · Score: 2, Insightful

    Seriously now. Are we going to inconvenience ourselves just because a few programs out there do Bad Things?

    I'd imagine this would be most useful to run in my home server, so I could contact it from anywhere without having to trust the computer I'm using. And yeah, I'd rather inconvenience myself with this password entry method than with cleaning up the mess when someone hijacks the server.

    The solution isn't to work around the baddies but to eliminate them altogether.

    Funny you should mention "terrorists" in your subject and then say this. After all, the War on Terror has been completely unsuccessful in eliminating them. I think that it's been adequately proven that you can't eliminate baddies, you just have to design systems that can withstand badness.

    --

    Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  10. Re:Screen Capture by ultranova · · Score: 3, Interesting

    Why can't we have a TCB that is really Trusted? A secure operating system is all that takes to divert these attacks (granted it's easier said than done).

    How do you know the operating system in a particular machine is actually the Trusted version, and not a hacked version that's masquerading as the trusted one?

    --

    Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  11. Good luck. No chance in hell. by Opportunist · · Score: 4, Interesting

    You're dealing with people who register a domain in Uzbekistan, run the server in the Ukraine and sit in Moldavia. With these three countries being placeholders for pretty much every country from the former Eastern Bloc east of Poland. Now try to get ANY kind of help from law enforcement there concerning computer crimes.

    Those law enforcement organisations there have real problems to deal with; they have no spare manpower for petty things like computer crimes. I say that so I don't say they don't want to stand up against organized crime 'cause they have families.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  12. Broken by design. by drolli · · Score: 2, Insightful

    At least in their demo the entropy in the assignment between the coordinates and the numbers input is completely missing. Not a good "encryption" or "security" scheme.

  13. Re:Randomly rotated? by leehwtsohg · · Score: 2, Insightful

    You are right to some degree, but also wrong.

    Their idea seems to be that the computer might be compromised, but the server is secure - so if the server creates the images, you can at least be secure against automated attacks - i.e. without human intervention (because the attacker does not have access to the algorithm that created the images). This can work for as long as there are some tasks that humans can do and computers not.

    If the computer is the last step in the authentication, then you are right. If you have a small little device that tells you "in this step use a->1, d->2, f->3 etc." then the transaction can be secure even through a compromised computer.

  14. One time pads. The only solution. by plierhead · · Score: 3, Interesting
    When I log on to my account, instead of typing in a PIN, I press buttons on a "virtual" keypad, i.e. a bunch of images. They will also randomly assign letters to each number (different every time you log in) so you can still type them if you want without a keylogger figuring out what your PIN is.

    The trouble is, anyone who owns your PC and has installed a keylogger can just as easily spy on your display and see what you are clicking.

    Sometimes I would swear my brain explodes at our slowness to learn.

    The only true solution is one time pads. They are unhackable, and only a minor inconvenience.

    I would give blood to be able to use a one time pad for my online banking. The trouble is, the industry, and Joe Public, still don't take IT security seriously. And this is totally a mindset. Some marketing guru should wake up to the possibilities of the one time pad - potentially the greatest chick puller since the circular waterbed - and get us the hell out of this horrendous hacky world.

    --

    [x] auto-moderate all posts by this user as insightful

    1. Re:One time pads. The only solution. by antifoidulus · · Score: 2, Insightful

      First, I know what one time pads are, and I have read a lot of material on old cryptography techniques, but you still missed the very point! Suppose you have a one time pad and an attacker manages to get a keylogger onto your computer (this is the situation we are talking about, ING Direct is an online bank end of story, if you didn't know that then you really should not have hit the reply button because it's offtopic). So you carefully type in your one time pad into the computer. Guess what, since the attacker has all your keystrokes, he can easily put himself in the middle and take the pad you so carefully entered and give them to the bank himself and boom, he has access with minimal effort. By using one time pads you just ensure that everyone has to be very annoyed when they log in, people can lose their account in a fire, and that the bank has more expenses in trying to keep everyone's pad available and secure (much more work and effort compared to a SHA-1 of the password maybe with a little salt). That means more expenses for the bank, which get passed on to the customer. Brilliant!

      I know one time pads are cryptographically secure, but they are not magic bullets. If you think they are, you are free to implement your own bank that uses them. If you fail, you fail, but the number of banks and customers that want to use one time pads are pretty small.

  15. And the blind... by Anonymous Coward · · Score: 2, Insightful

    Are supposed to log in how?

    1. Re:And the blind... by pacinpm · · Score: 2, Interesting

      Provide them a randomly generated hash table: 1234567890 -> JBFAHECGID. Then ask them to enter letters instead of numbers (J instead of 1, B instead of 2 and so on). Should work OK on Braille screens. PS. I think I need to patent this.

  16. Not usable by the blind by gkearney · · Score: 2, Insightful

    At the risk of starting another flame war about why we should care about the blind... This system is unusable by the blind using a screen reader. You are unable to detect the location of the "buttons". I tested it with both the MacOS built-in screen reader (VoiceOver) and a Windows add-on (JAWS) screen reader.

    So, in the U.S., unless you're looking to have the National Federation of the Blind, American Council of the Blind or the Justice Department come after you in court, you would be well advised not to implement it in a commercial setting unless you have an alternate means of providing services.

    And no, providing a physical store thirty miles down the road is not an alternate means, the blind don't drive, remember?

  17. Re:a bit futile isn't it? by enbody · · Score: 2, Interesting

    so the chances of the man in the middle intercepting a code he can re-use are extremely slim.


    That is a correct statement, but misses the point. It would be nice for a man-in-the-middle to get a reusable value, but it isn't necessary for a successful attack. The man-in-the-middle can clean out your account during the session you have successfully set up. I saw a demo of this with a person setting up a man-in-the-middle attack on his own brokerage account using a device which generated one-time passwords for the account. He bought a share of one stock, but the man-in-the-middle did a completely different transaction (bought a share of a competitor's stock).
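The attack described in this comment, as an added example (not from the page or any real brokerage). In the first scenario the login is protected by a one-time code that is consumed on use, exactly the property the quoted sentence relies on, and the man-in-the-middle still wins: it relays the login untouched and rewrites the order inside the authenticated session. The second scenario is my hardening suggestion, not something the commenter or the demo used: the user's own device computes an HMAC over the order details and the server checks it against the order it actually received, so a rewritten order fails. That only helps if the user keys or confirms those details on the device itself; if the browser feeds the device, a compromised browser can feed it the tampered order too. All names, keys and codes are constructed for the example.

```python
import hashlib
import hmac
import secrets


def canonical(order):
    # Fixed field order so the user's device and the server hash the same bytes.
    return f"{order['account']}|{order['action']}|{order['qty']}|{order['symbol']}".encode()


class Brokerage:
    """Toy server. Login needs a one-time code that is consumed on first use.
    Orders are then either accepted on the session token alone (the situation
    the comment describes) or must carry a tag computed by the user's device
    over the order details (the hardened variant)."""

    def __init__(self, users):
        # users: name -> (unused one-time codes, per-user device key)
        self.otps = {u: set(codes) for u, (codes, _) in users.items()}
        self.keys = {u: key for u, (_, key) in users.items()}
        self.sessions = {}
        self.ledger = []

    def login(self, user, otp):
        if otp in self.otps.get(user, ()):
            self.otps[user].discard(otp)          # the code cannot be replayed
            token = secrets.token_hex(16)
            self.sessions[token] = user
            return token
        return None

    def order_with_session_only(self, token, order):
        user = self.sessions.get(token)
        if user is None:
            return False
        self.ledger.append((user, dict(order)))
        return True

    def order_with_tx_tag(self, token, order, tag):
        user = self.sessions.get(token)
        if user is None:
            return False
        expected = hmac.new(self.keys[user], canonical(order), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False                          # order differs from what was signed
        self.ledger.append((user, dict(order)))
        return True


def device_tag(key, order):
    # Computed on a separate device from details the user enters there.
    return hmac.new(key, canonical(order), hashlib.sha256).hexdigest()


def mitm_tamper(order):
    # The attacker between browser and server rewrites the order in flight.
    return dict(order, symbol="RIVAL")


def session_only_scenario():
    bank = Brokerage({"alice": ({"271828"}, b"alice-device-key")})
    token = bank.login("alice", "271828")         # MITM relays this unchanged
    user_order = {"account": "alice", "action": "buy", "qty": 1, "symbol": "ACME"}
    accepted = bank.order_with_session_only(token, mitm_tamper(user_order))
    return accepted, bank.ledger


def tx_tag_scenario():
    key = b"alice-device-key"
    bank = Brokerage({"alice": ({"271828"}, key)})
    token = bank.login("alice", "271828")
    user_order = {"account": "alice", "action": "buy", "qty": 1, "symbol": "ACME"}
    tag = device_tag(key, user_order)             # MITM cannot recompute this
    tampered_ok = bank.order_with_tx_tag(token, mitm_tamper(user_order), tag)
    genuine_ok = bank.order_with_tx_tag(token, user_order, tag)
    return tampered_ok, genuine_ok, bank.ledger


if __name__ == "__main__":
    print("session only:", session_only_scenario())
    print("transaction tag:", tx_tag_scenario())
```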