Wednesday, November 26, 2008

Hi Guys!

Hi Guys!

How have you all been doing? Hope you are doing well...

We have done it and I'm proud of it! Although it may not be outstanding enough to warrant an HD from our lecturers, I think it will be among the top few! :)

I hope all of you will be attending the convo, because I just realised that we have not yet taken a proper group photo!

Well, I have also started on my new job; it has been a month now and it is not easy, a totally new job scope and new environment, but still in IT. Late nights every day, or should I say very early mornings, since I started work. My workplace is very, very near where HC is working, if he is still there. Hello, neighbour! :)

Lastly, I want to thank you guys for being great teammates and comrades. Couldn't have done it without you.

Till then... ;)

Saturday, April 12, 2008

Update: Mission Completed

Well done everyone. Thanks for the effort everyone has put in during the last 4 months. Indeed it was a tough one with many, many sleepless nights. We survived and the feeling is shiok.

- Thanks to our supervisor, Han Chiang, who has been guiding us along these months.

- Thanks Alan for providing your server, cables and equipment. Not forgetting your house, aircon and cha shew pao.

- Thanks Sebas for sacrificing and coming all the way to the East. Thanks for your petrol and car coupons.

- Thanks Adrian for making the mov and recording your voice.

- Many, many thanks to others who in one way or another helped make this project a success.

Keep in touch guys. Bon Voyage Sebas. Bring some Japanese gals back for Alan.


And for the assessors who are looking at this page, kindly note the following:

- A CD menu is created; just click on the links you want to see.
- The website inside the CD is more up to date than the live one running at epic4security.no-ip.com; the website's Flash FLA source is also available for you.
- Everything is swee swee done for you. If you want to compile and deploy our project, a little Ant script is created; you just have to run "ant compile deploy start". Make sure your graphics card supports OpenGL to run Java3D.
- For the customizer, a little jar file is created for you to just double-click. But first you have to get your MySQL running with the database schema... then again,
- the SQL script to create the tables and insert the data is also done for you.

If we missed out anything, leave us a comment; please be gentle on us.. HAHA :)

Friday, April 4, 2008

Technical: MPEG movie

This section is reserved for the MPEG movie stuff.

Epic4Security will not release any information on the movie, its contents, or how it was created yet. Please visit after 11 Apr for more updates.

Thursday, April 3, 2008

Technical: Measures against SQL-injection attacks

This section covers the measures against SQL injection attacks in EpiCaptcha.

We use a database, so there is a risk of SQL injection.
How is SQL injection done?
Take a login page: the user enters two parameters, username and password.
The site validates them by submitting the form to a servlet/JSP, e.g. http://epic4security.com/login.jsp?username=blabla&password=blabla (shown here as a GET query string; a POST body is handled the same way on the server).
Over at login.jsp the two parameters are concatenated into a SQL statement, i.e. "SELECT username, password FROM TABLE WHERE USERNAME = 'username' AND PASSWORD = 'password'";
What an attacker can do is enter the following in the username and password fields:
Username = admin
Password = pass' OR username = 'admin
The single quote closes the password literal early, so the statement the server actually runs becomes:
"SELECT username, password FROM TABLE WHERE USERNAME = 'admin' AND PASSWORD = 'pass' OR username = 'admin'";
AND binds tighter than OR, so the admin row is returned whatever password was typed. Dangerous, right?
Prevention
The defence is never to build SQL by concatenating user input: use a PreparedStatement with bound parameters (? placeholders). The values travel to the database separately from the SQL text, so a quote inside them cannot terminate the literal. On top of that, what we can do is:
1) check the length of each parameter
2) hash the password to a message digest, i.e. SHA-256 or SHA-512, and compare hashes, so the raw password never reaches the query
Note that 2) only covers the password field; a username that is still concatenated raw stays injectable.
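As an added example (not Epic4Security's code), here is the injectable login from the post next to its parameterised version in JDBC. The table and column names USERS, USERNAME and PASSWORD_HASH, the length limits and the SHA-512 password hash are assumptions; running the two login methods needs a JDBC driver on the classpath (MySQL Connector/J for the project's MySQL) and an open Connection, while main only prints the statement the concatenating version would execute.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/*
 * Added example, not code from the Epic4Security project.  The schema
 * (USERS / USERNAME / PASSWORD_HASH), the length limits and the SHA-512
 * password hash are assumptions made for illustration.
 */
public class LoginQuery {

    // Vulnerable: the user's text becomes part of the SQL statement.
    public static String unsafeSql(String username, String password) {
        return "SELECT USERNAME FROM USERS WHERE USERNAME = '" + username
                + "' AND PASSWORD = '" + password + "'";
    }

    public static boolean loginUnsafe(Connection c, String username, String password)
            throws SQLException {
        Statement st = c.createStatement();
        try {
            ResultSet rs = st.executeQuery(unsafeSql(username, password));
            return rs.next();          // true for admin / pass' OR username = 'admin
        } finally {
            st.close();
        }
    }

    // Safe: the values are bound as parameters, never spliced into SQL text,
    // so a quote inside them cannot terminate the string literal.
    public static boolean loginSafe(Connection c, String username, String password)
            throws SQLException {
        if (username.length() > 64 || password.length() > 128) {
            return false;              // length check: useful, but not the defence
        }
        PreparedStatement ps = c.prepareStatement(
                "SELECT USERNAME FROM USERS WHERE USERNAME = ? AND PASSWORD_HASH = ?");
        try {
            ps.setString(1, username);
            ps.setString(2, sha512Hex(password));
            ResultSet rs = ps.executeQuery();
            return rs.next();
        } finally {
            ps.close();
        }
    }

    // Hashing keeps the raw password out of the query, but it only covers the
    // password column; a username concatenated raw would still be injectable.
    static String sha512Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-512")
                    .digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(d.length * 2);
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // The attack from the post, shown as the statement the server would run.
        System.out.println(unsafeSql("admin", "pass' OR username = 'admin"));
        System.out.println(sha512Hex("pass' OR username = 'admin").length()); // 128 hex chars
    }
}
```

With loginSafe the same input is looked up as a username that literally equals "admin" and a hash that literally equals the hash of "pass' OR username = 'admin", which matches nothing.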

Wednesday, April 2, 2008

Technical: Voice Clips in MP3 format

To generate an audio challenge as an aid to the text CAPTCHA. We wanted to use one of our own voices, but then we thought it would be more attractive if you hear a woman speaking to you.

1) Cepstral Text to Speech Software is used to generate the audio clips. Website here.

A-Z, 0-9 and the majority of the symbols can be read out. However, some like ` < > , . " : ( ) - cannot be interpreted by Cepstral.

So we have to manually type in the English word, i.e. for the symbol &, we type ampersand. Guide followed from http://a4esl.org/q/h/9901/nr-keyboard.html.

The following audio clips are generated:
a) a - z (lower case)
b) A - Z (upper case)
c) 0 - 9 (numbers)
d) other symbols on the keyboard.

2) The audio clips are then edited and compressed to 32 kbit/s mono MP3 using Blaze Media Pro, reducing each clip to about 7-19 KB. Website here.

One caveat for the audio challenge: because every occurrence of a character is the same recording, a bot that has collected the clips can segment the concatenated file and match each piece against them. Mixing in background noise, or varying the speed and pitch per challenge, is what makes an audio CAPTCHA resist that kind of matching.

Friday, March 28, 2008

Updates: Replaced SHA-1 with SHA-512

Following the advice given by our supervisor, and given that collision attacks against SHA-1 were published in 2005 (Wang, Yin and Yu), we replaced the old SHA-1 message digest algorithm with SHA-512.

Some notes about SHA. It stands for Secure Hash Algorithm. It computes a fixed-length message digest of an input message of any length. The five algorithms are denoted SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512; SHA-224, SHA-256, SHA-384 and SHA-512 are classified as SHA-2.

The difference among them is the bit length of the digest they produce. SHA-512 produces a 512-bit (64-byte) digest, which is 128 characters when hex-encoded as a String.



From the comparison table on Wikipedia, no attacks had been found against SHA-2 at the time of writing.

After searching on Google for an example of how to implement SHA-512 in Java we found none directly, then something similar. MessageDigest is part of the Java Cryptography Architecture (java.security), and the bundled SUN provider has supported SHA-256, SHA-384 and SHA-512 since J2SE 1.4.2; the Java Cryptographic Extension (JCE) on top of it supports a wide range of standard algorithms including RSA, DSA, AES, Triple DES, PKCS#5, RC2 and RC4.

So now what we have to do is change
MessageDigest md = MessageDigest.getInstance("SHA-1");
to
MessageDigest md = MessageDigest.getInstance("SHA-512");

and increase the HASH column in the CACHE table to 128 characters (64 if the raw digest bytes were stored instead of hex).

One caveat: the challenge answer is short and drawn from a known alphabet, so anyone who obtains a row of the CACHE table can test candidate answers offline by hashing them, whichever SHA variant is used. Keying the hash with a server-side secret (an HMAC) closes that; an unkeyed SHA-512 does not.

My full method code below:


import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public static String SHA(String text) throws CaptchaException {
    try {
        // Can be MD5 (128 bit), SHA-1 (160 bit), SHA-256, SHA-384, SHA-512
        MessageDigest md = MessageDigest.getInstance("SHA-512");
        byte[] data = md.digest(text.getBytes("UTF-8"));

        // Hex-encode: two characters per byte, so 128 for a SHA-512 digest
        StringBuffer buf = new StringBuffer(data.length * 2);
        for (int i = 0; i < data.length; i++) {
            buf.append(Character.forDigit((data[i] >>> 4) & 0x0F, 16)); // high nibble
            buf.append(Character.forDigit(data[i] & 0x0F, 16));         // low nibble
        }
        return buf.toString();
    }
    // thrown by MessageDigest.getInstance
    catch (NoSuchAlgorithmException e) {
        throw new CaptchaException(e.getMessage());
    }
    // thrown by text.getBytes
    catch (UnsupportedEncodingException e) {
        throw new CaptchaException(e.getMessage());
    }
}

Thursday, March 27, 2008

Meeting 26 March 2008

Text CAPTCHA Demo, Design and Implementation Review

Discussion:
Alan showed the supervisor the demo of the Text CAPTCHA with validation and logging to block attacks.




Conclusions:
· CAPTCHA design
- Some characters are difficult to identify. Need to fine-tune them.
- The contrast between the text and the background in the blue colour design of the CAPTCHA is difficult for users to make out. Either remove the colour "blue" or change the text colour.

· CAPTCHA implementation
- The text remains unchanged after refresh. Need to kill the session after each refresh.
- The current hashing algorithm used is SHA-1; the hash algorithms MD5 and SHA-1 have been broken.
Need to change to another hashing algorithm, suggested SHA-256 or SHA-512.

· CAPTCHA design methodology
- The CAPTCHA engine should be portable. The engine should be usable as a mobile application as well as a web-based plug-in.

Action items
Fine Tune CAPTCHA Design by ALAN

Kill Session Every Time After Each Refresh by LEXIS
Change Current Hashing Algorithm to SHA256 or SHA512 by LEXIS

Image CAPTCHA Demo, Design and Implementation Review.

Discussion:
Alan demoed the new CAPTCHA design to the supervisor. The supervisor reviewed and commented.



Conclusions:
· The current image CAPTCHA has too few images, low permutation, thus is subject to brute force attacks.
· Need to increase the number of images, which requires a huge database.
· Suggested implementing the image and text CAPTCHA together, with images and text appearing at random.


Action items
Increase amount of images to enlarge database by TEAM
Implement image and text CAPTCHA together by LEXIS and ALAN


CAPTCHA Customizer Demo and Review.

Discussion:
Alan demoed the CAPTCHA customizer to the supervisor. The supervisor reviewed and commented.
Conclusions:
· Position Module
- The grid coordinates cannot be seen clearly as the font size is too big, which causes overlapping; reduce the font size to make it clearer and change the font colour if needed.
- Need to limit the range of the position, as the character goes out of range when a user enters a value wider than the interface.

· Purge Logs Module
- The position of the "date" label is wrong; need to reposition it.
- The logs cannot be deleted by a specific date. Need to rectify it.

Action items
Change the font size of the grid coordinates by ALAN

Limit the range of position by ALAN
Reposition of the “date” label by ALAN
Delete logs according to the specific date by ALAN

Presentation Slides, Demo and MPEG Video

Discussion:
The team discussed with the supervisor the content to show in the presentation slides and demo.
Conclusions:
· Presentation Slides
- Show the logging policy
- Can state the flaw of the image CAPTCHA if implemented standalone and the solutions to it. Can state it in the report if there is no intention of including it in the presentation slides.


· Demo
- For the customizer, demo only 1 or 2 of the more important functions, as there are too many functions in it.

· MPEG Video
- A video on our presentation with the presentation slides and demo.
- Can use it as a rehearsal of our presentation and demo.

Action items
Power Point Slide by SEBASTIAN
MPEG Video by LEXIS


Friday, March 21, 2008

Project Development at Alan's Place

Today is a public holiday, and we are spending it wisely as time is running out fast. We achieved the following today.

Wednesday, March 19, 2008

EPIC CAPTCHA Screen Shot

In white







In Red








In Blue







Can you identify the characters in these images?


I think you can, but OCR tools cannot!

Results read by FreeOCR V1:
White : ’JC5'£ l‘¥[€[
Red : 2Z' lT'·E'¥N
Blue : 2G! grip


The correct answers should be:
White : O53RLZ4B
Red : ZZ'BC#08
Blue : 32O48L@=
Have you got it ?

Sunday, March 16, 2008

Meeting : 15 March 2008



CAPTCHA Design
Alan updated the team on CAPTCHA 3D text design V4.0, which can now be displayed in red, blue, yellow and green.





CAPTCHA customizer
Alan demoed CAPTCHA customizer tools V4.0, updated based on the comments given by the supervisor.

· User entry fields must implement error checking.
· Remove the unused fields to prevent confusion for users.
· The preview of the effect should reflect the actual value entered by the user.

CAPTCHA Answer Validation
Lexis updated the team on CAPTCHA validation system V1.1, developed on top of the J2EE form-based authentication service.

Discussion:
1. The CAPTCHA answer given by end users can be validated accurately.
2. A J2ME validation system has been developed. It uses the same validation structure as the normal web version, so end users are now able to use a J2ME-enabled device to request and answer the CAPTCHA challenge.
3. Validation data is now stored in the database instead of a hash table, which uses heap memory. The CAPTCHA answer validation timeout is set to 300 sec.

Action:
Lexis and Alan will need to combine the CAPTCHA text design with the validation system.



Logging

Sebastian and Adrian have come up with a logging system which can stop users from attacking the CAPTCHA system.

1. The following user information will be logged:
· Session ID
· IP address
· Time the CAPTCHA challenge was requested
· CAPTCHA status (Not Answered / Correct / Incorrect)

2. Three policies have been designed to act as guidelines for filtering possible attackers:

Policy 1
Problem: the attacker keeps requesting a new CAPTCHA within a short period, each time with a different session ID
How: stop them from requesting repeatedly
By: if this IP address has requested more than 100 times in 60 sec, BLOCK for 12 hours

Policy 2
Problem: the attacker keeps requesting a new CAPTCHA but never gives any answer, each time with a different session ID
How: stop them from requesting repeatedly
By: if for this IP address the number of unanswered requests / number of requests in the last hour is more than 50%, BLOCK for 12 hours

Policy 3
Problem: the attacker keeps requesting a new CAPTCHA and trying possible answers (brute force), each time with a different session ID
How: stop them from requesting repeatedly
By: if for this IP address the number of incorrect answers / number of requests in the last hour is more than 50%, BLOCK for 12 hours

3. The values of the following fields can be adjusted by the system admin to suit their service needs and conditions:
· Past time window to be checked
· Number of repeated requests
· Percentage of users not answering or giving an incorrect answer
· Block duration

Action:
Adrian and Sebastian will continue implementing the described design in the log system.
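As an added example (not the team's logging code), the three policies above can be evaluated over the logged fields like this in Java. The request log is a constructed in-memory list; the thresholds are the adjustable values listed in item 3, with the figures quoted in the policies as defaults, and the minimum sample size before the percentage policies apply is an assumption added so that a single unanswered request does not earn a 12-hour block.

```java
import java.util.ArrayList;
import java.util.List;

/*
 * Added example, not the project's logger.  The four adjustable values are
 * the ones the minutes list; minSampleForRatio is an assumption.
 */
public class BlockPolicy {

    public enum Status { NOT_ANSWERED, CORRECT, INCORRECT }

    public static final class Entry {
        final String sessionId;
        final String ip;
        final long timeMillis;   // time the challenge was requested
        final Status status;

        public Entry(String sessionId, String ip, long timeMillis, Status status) {
            this.sessionId = sessionId;
            this.ip = ip;
            this.timeMillis = timeMillis;
            this.status = status;
        }
    }

    // Adjustable by the system admin; defaults are the figures in the minutes.
    public long burstWindowMillis = 60_000L;            // Policy 1: 60 seconds
    public int burstMaxRequests = 100;                   // Policy 1: more than 100 requests
    public long ratioWindowMillis = 60L * 60_000L;       // Policies 2 and 3: last hour
    public double unansweredRatioLimit = 0.5;            // Policy 2: more than 50% unanswered
    public double incorrectRatioLimit = 0.5;             // Policy 3: more than 50% incorrect
    public long blockMillis = 12L * 60L * 60_000L;       // all policies: block for 12 hours
    public int minSampleForRatio = 10;                   // assumption, see above

    /**
     * Returns the number of the policy that fires (1, 2 or 3) for this IP at
     * time now, or 0 if the IP may request another challenge.  Session IDs
     * are deliberately ignored: the attacker changes them on every request.
     */
    public int evaluate(List<Entry> log, String ip, long now) {
        int burst = 0, recent = 0, unanswered = 0, incorrect = 0;
        for (Entry e : log) {
            if (!e.ip.equals(ip)) continue;
            long age = now - e.timeMillis;
            if (age < 0 || age > ratioWindowMillis) continue;
            recent++;
            if (age <= burstWindowMillis) burst++;
            if (e.status == Status.NOT_ANSWERED) unanswered++;
            if (e.status == Status.INCORRECT) incorrect++;
        }
        if (burst > burstMaxRequests) return 1;
        if (recent >= minSampleForRatio) {
            if ((double) unanswered / recent > unansweredRatioLimit) return 2;
            if ((double) incorrect / recent > incorrectRatioLimit) return 3;
        }
        return 0;
    }

    /** Expiry of a block imposed at time now. */
    public long blockedUntil(long now) {
        return now + blockMillis;
    }

    public static void main(String[] args) {
        BlockPolicy p = new BlockPolicy();
        long now = 1_207_000_000_000L;                   // constructed clock value
        List<Entry> log = new ArrayList<>();
        // Constructed sample: 12 requests in the last hour from 10.0.0.5,
        // each with a fresh session ID, 9 of them never answered (Policy 2).
        for (int i = 0; i < 12; i++) {
            Status s = i < 9 ? Status.NOT_ANSWERED : Status.CORRECT;
            log.add(new Entry("sess" + i, "10.0.0.5", now - i * 200_000L, s));
        }
        // A second client that answered a couple of challenges normally.
        log.add(new Entry("sessA", "10.0.0.6", now - 30_000L, Status.CORRECT));
        log.add(new Entry("sessB", "10.0.0.6", now - 60_000L, Status.INCORRECT));

        System.out.println("10.0.0.5 -> policy " + p.evaluate(log, "10.0.0.5", now)); // 2
        System.out.println("10.0.0.6 -> policy " + p.evaluate(log, "10.0.0.6", now)); // 0
        System.out.println("blocked until " + p.blockedUntil(now));
    }
}
```

All three policies key on the IP address, so everyone behind the same NAT gateway or proxy shares one counter and one block; the block duration is the value to tune down first if legitimate users start getting caught.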

New CAPTCHA design
The team has decided to implement an image-based CAPTCHA in our current CAPTCHA design.

Discussion:

The following are the new image CAPTCHA design features:

1. Users need to identify the object inside the image.
2. Simple object images will be used, for instance cat, dog, car, etc.
3. Images will be overlaid with designed frames so that an attacker cannot apply a standard image-scanning algorithm.
4. The image will also be rotated to increase its security.
5. The design is a "proof of concept" idea, as it would need a huge image database to prevent brute force attacks.
6. The image CAPTCHA will be combined with the 3D text CAPTCHA, so the user gets a different type of CAPTCHA at random.

Action items
Image CAPTCHA implementation, by TEAM


Voice Features
The team decided to add voice features to the current 3D text CAPTCHA design.

Discussion:
The purposes of the voice system are:

- To help visually impaired internet users (mainly blind) solve the CAPTCHA challenge.
- To help elderly users whose eyesight is poor due to age identify the CAPTCHA challenge.
- To help internet users who cannot identify the CAPTCHA challenge characters.


The voice of each character is stored in MP3 format to increase streaming speed. To stop an attacker breaking the CAPTCHA challenge by reading the file name of each character's voice clip, all the voice files of a challenge are concatenated into a single MP3 file called "CAPTCHA.mp3" before streaming to the client tier. The diagram below illustrates how the voice concatenation works.
Action:
Image CAPTCHA implementation, by TEAM

Attendance :

- SEAH CHOON YEE, SEBASTIAN
- CHEE SUEN SIANG, ALAN
- CHIA U-MENG, ADRIAN
- OW WAI LEONG, LEXIS




Monday, March 10, 2008

Technical: To Solve Relative FilePath on Servlets

This solves the issue of using a relative path in a servlet.

Snippet of the Servlet
ReadFromFile.java:
import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;

public class ReadFromFile extends HttpServlet {
    public void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {

        res.setContentType("text/html; charset=UTF-8");
        PrintWriter out = res.getWriter();
        out.println("<html>");
        out.println("<head><title>Read From File</title></head>");
        out.println("<body>");

        /*
         * This servlet lives at $TOMCAT/webapps/ROOT/WEB-INF/classes/.
         * getServletContext().getRealPath("/") points to $TOMCAT/webapps/ROOT,
         * so a folder called library was created under ROOT with test.txt inside.
         * (ServletRequest.getRealPath is deprecated; the context method is the
         * replacement.)  The path is fixed here on purpose: a file name taken
         * from the request must be checked to stay inside the intended folder.
         */
        String path = getServletContext().getRealPath("/library/test.txt");
        if (path == null) {
            // null when the webapp is not deployed as a directory on disk
            throw new ServletException("/library/test.txt has no file system path");
        }

        // print the file
        Reader in = null;
        try {
            in = new BufferedReader(new InputStreamReader(new FileInputStream(path), "UTF-8"));
            int ch;
            while ((ch = in.read()) != -1) {
                out.print((char) ch);
            }
        } finally {
            // close the Reader
            if (in != null) in.close();
        }
        out.println("</body></html>");
    }

    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        doGet(request, response);
    }
}
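A related check, as an added example rather than project code: if the file name is ever taken from the request (say a ?file= parameter) instead of being fixed as above, resolve it against the library folder and refuse anything that canonicalises to a location outside it. The library directory used in main is a placeholder; inside the servlet it would be getServletContext().getRealPath("/library").

```java
import java.io.File;
import java.io.IOException;

/*
 * Added example, not from the project.  Canonical paths contain no ".."
 * segments and have symlinks resolved, so a prefix comparison on them is a
 * reliable "is it still under the library folder" test.
 */
public class SafeLibraryPath {

    /** Canonical file for name under libraryDir, or null if it escapes the folder. */
    public static File resolve(File libraryDir, String name) throws IOException {
        File base = libraryDir.getCanonicalFile();
        File target = new File(base, name).getCanonicalFile();
        // The trailing separator stops /webapp/library2 from passing as /webapp/library,
        // and the equals() check refuses the directory itself.
        if (target.equals(base)
                || !target.getPath().startsWith(base.getPath() + File.separator)) {
            return null;
        }
        return target;
    }

    public static boolean isSafe(File libraryDir, String name) throws IOException {
        return resolve(libraryDir, name) != null;
    }

    public static void main(String[] args) throws IOException {
        // Placeholder for getServletContext().getRealPath("/library") in the servlet.
        File library = new File(System.getProperty("java.io.tmpdir"), "library");
        System.out.println(isSafe(library, "test.txt"));              // true
        System.out.println(isSafe(library, "sub/notes.txt"));         // true
        System.out.println(isSafe(library, "../WEB-INF/web.xml"));    // false: escapes library
        System.out.println(isSafe(library, "."));                     // false: the folder itself
    }
}
```

Do the check on the canonical form, not on the raw string: rejecting ".." in the input misses encoded variants and symlinks, while the canonical path is what the file system will actually open.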

Saturday, March 8, 2008

Technical: Using Apache Ant

Ant is a tool for automating software builds, i.e. compiling and running. It is similar to make files, except that it is written in Java and requires the Java 2 platform.

You describe whatever you want Ant to do in an XML file, named build.xml by default.

We can do the following with Ant to ease our job:
- Compile Java Servlets
- Creating the JAR File
- Deploy/Clean up our Project
- Start/Stop Tomcat

Friday, March 7, 2008

Meeting: 06 Mar 2008 (w/ Supervisor)

CAPTCHA Design
The team demoed CAPTCHA 3D text design V4.0, which currently still runs as a Java applet, to the supervisor.

Discussion:

The supervisor is satisfied with the CAPTCHA design and gave the following feedback:

· Need to change some of the font types to others which are easier for users to identify.
· Try to implement a multicolour CAPTCHA design.
· Need to adjust some of the characters' angles to make their shading and shadow easier to identify.

Action:
The above suggestions will be applied by Alan and Sebastian in the newer CAPTCHA design.

CAPTCHA customizer
The team demoed CAPTCHA customizer tools V3.0 to the supervisor. Below are some screenshots from the CAPTCHA customizer tools.

Discussion:
The supervisor is satisfied with the CAPTCHA customizer design and gave the following feedback:
· User entry fields must implement error checking.
· Remove the unused fields to prevent confusion for users.
· The preview of the effect should reflect the actual value entered by the user.

Action:
The above suggestions will be applied by Alan in the newer CAPTCHA customizer tools version.


CAPTCHA Answer Validation
The team demoed CAPTCHA validation system V1.0, developed on top of the J2EE form-based authentication service, to the supervisor.

Discussion:
The supervisor is satisfied with the validation system and gave the following feedback:

· The validation must be secure, to prevent attackers from bypassing the CAPTCHA system.
· Only one set of server code should be developed to validate the answers from normal computer web and J2ME users.
· CAPTCHA validation answers should be stored in the database instead of a hash table, which uses heap memory.

Action :
Lexis and Sebastian will apply the supervisor's feedback in the newer validation system.


Logging
The team discussed the logger design with the supervisor:
Discussion: the team explained to the supervisor the implementation of the log system for the CAPTCHA system. The details are:

1. The log system will log the following details of visitors:
· IP address
· MAC address (Prevent NAT)
· Access date/time
· CAPTCHA challenge
· CAPTCHA answer

2. If a visitor requests the CAPTCHA challenge more than 5 times within 24 hours, the system will block the visitor from requesting a new CAPTCHA for 12 hours. This can prevent DoS attacks by stopping an attacker from repeatedly requesting new CAPTCHAs to jam the server.

3. The log system could prevent the following attacks:
· An attacker trying a brute force attack to break the CAPTCHA answer.
· An attacker repeatedly requesting the CAPTCHA challenge to drain the server's resources.

The supervisor approves the log design and gives the green light for the team to implement it in the current CAPTCHA design.

Action:
Adrian and Sebastian will start the design and actual implementation of the log system.
CAPTCHA design for session 2
The game-based CAPTCHA idea is rejected by the supervisor.

Discussion:
The supervisor advised that hackers could write an "object moving" script to break the game. Hence he advised us to come up with other CAPTCHA designs, such as an image or Chinese character CAPTCHA.

Action:
The team will need to come up with another CAPTCHA design.

Attendance :
- TAN HAN CHIANG
- SEAH CHOON YEE, SEBASTIAN
- CHEE SUEN SIANG, ALAN
- CHIA U-MENG, ADRIAN
- OW WAI LEONG, LEXIS

Sunday, March 2, 2008

Technical: Login Authentication

When you try to access a protected web resource, the web container activates the authentication mechanism configured for that resource. You can specify the following authentication mechanisms in J2EE:

- HTTP basic authentication

- Form-based login authentication

- Client certificate authentication

- Mutual authentication

- Digest authentication

We will focus on form-based login authentication. I will show you in a while how this relates to our CAPTCHA structure.




With form-based authentication, the following things occur:

  1. A client requests access to a protected resource.
  2. If the client is unauthenticated, the server redirects the client to a login page.
  3. The client submits the login form to the server.
  4. If the login succeeds, the server redirects the client to the resource. If the login fails, the client is redirected to an error page prompting the user to try again.

In reference to our CAPTCHA structure, the username is the session ID: each connection to the server establishes a unique session ID. The password is the CAPTCHA string, which is generated using a time seed. The session ID and its associated CAPTCHA string are stored in a cache in a HashMap. Upon authentication, successful or failed, the session is forcibly invalidated and the record is removed from the cache, so each challenge can be attempted exactly once.


Form-based authentication is not particularly secure on its own. Why? The contents of the login form are sent as plain text, and the target server is not authenticated. This can expose your user names and passwords: anyone who can intercept the transmission can read them directly. All of this is addressed by making sure every connection runs over SSL/TLS.

Saturday, March 1, 2008

Technical: To get the Mac address of a host

In JDK 1.6 a new method was added to the java.net.NetworkInterface class: getHardwareAddress().

Note that this reads the MAC address of an interface on the host running the code. A servlet cannot learn a remote visitor's MAC address this way: Ethernet addresses do not travel beyond the local network segment, so the request only carries the client's IP address (or that of its NAT gateway). Both getByInetAddress and getHardwareAddress can return null (no interface bound to the address, or a loopback/virtual interface without a MAC), so the example checks for that.

This simple example below will illustrate:

import java.net.InetAddress;
import java.net.NetworkInterface;
import java.net.SocketException;
import java.net.UnknownHostException;

public class MacAddress {

    public static void main(String[] args) {
        try {
            InetAddress address = InetAddress.getLocalHost();

            /*
             * Get the NetworkInterface for the current host and then read the
             * hardware address.  Both calls return null when there is nothing
             * to report, so check before using the result.
             */
            NetworkInterface ni = NetworkInterface.getByInetAddress(address);
            if (ni == null) {
                System.err.println("No network interface is bound to " + address);
                return;
            }
            byte[] mac = ni.getHardwareAddress();
            if (mac == null) {
                System.err.println(ni.getName() + " has no hardware address");
                return;
            }

            /*
             * Print each byte of the MAC address as two hex digits in the
             * format 08-00-27-DC-4A-9E.
             */
            for (int i = 0; i < mac.length; i++) {
                System.out.format("%02X%s", mac[i], (i < mac.length - 1) ? "-" : "");
            }
            System.out.println();
        } catch (UnknownHostException e) {
            e.printStackTrace();
        } catch (SocketException e) {
            e.printStackTrace();
        }
    }
}

Tuesday, February 26, 2008

Meeting: 26 Feb 2008 (Group)

CAPTCHA customizer
Alan updated the team on CAPTCHA customizer tools V3.0. The following customizer modules have been included:


- CAPTCHA display size
- CAPTCHA customizer font extrusion
- CAPTCHA customizer font choosing design
- CAPTCHA customizer character choosing
- CAPTCHA customizer character scaling
- CAPTCHA customizer angle rotation
- CAPTCHA customizer text position

Discussion:
The team has discussed the GUI of the CAPTCHA customizer tools:
- The customizer tools' layout frame should be kept consistent for every module.
- Preview features should be included in every module.
- Fixed-value fields should be hidden to prevent confusion for users.

The above suggestions will be applied again by Alan in the newer CAPTCHA customizer tools version.

CAPTCHA Answer Validation
The team has decided to implement the CAPTCHA answer validation system using the J2EE form-based authentication service. It acts as a gateway for user authentication and authorization.


The team will need to implement the service to meet the following needs:

- Running in both the normal PC web and J2ME application.
- Only one set of server code needed to validate the answers from normal PC web and J2ME users.
- Able to be the only gateway for end users to access other web application resources.

Lexis and Sebastian will start the implementation.


Logging
The team discussed the logger design:

- The log system will log the following details of visitors:
* IP address
* MAC address (Prevent NAT)
* Access date/time
* Access counter
* CAPTCHA challenge
* CAPTCHA answer

- If a visitor requests the CAPTCHA challenge more than 5 times within 24 hours, the system will block the visitor from requesting a new CAPTCHA for 12 hours. This can prevent DoS attacks by stopping an attacker from repeatedly requesting new CAPTCHAs to jam the server.

CAPTCHA design for session 2
The team has decided to program a simple game-style CAPTCHA to prevent DoS attacks. The following picture illustrates the CAPTCHA idea.





- It will be a 4 x 4, 16-grid game.
- The user will use either the keyboard or the mouse to move the object.
- The user will need to move the yellow object to the pink object to complete the challenge.
- There will be obstacles preventing the user from having a straight moving path for the object.

Plan and Test Case

Discussion:
The test plan schedule and test case format have been designed by Lexis and Sebastian. Hence the team will need to start testing the application developed, based on the RUP phase timeline.


Conclusion:
Sebastian and Adrian are assigned to do all the testing of the application.

Attendance :
Sebastian Seah
Lexis Ow
Alan Chee
Adrian


Recorded by Sebastian

Updates: Captcha Customizer v1 - Display

The Captcha Customizer display customizing design is created. Users can change the values in the text fields to change the image size of the output CAPTCHA image.

Monday, February 25, 2008

Technical: MIDlet HTTPS

Brief introduction on the need for an HTTPS connection: to ensure a secure channel between the server and the client. During the TLS handshake the two sides agree on a shared secret, and both derive session keys from it which are used to encrypt all subsequent traffic sent between them.
Actually it's very simple to do HTTPS connections.

MISLEADING SOLUTION:
Previously, instead of the ContentConnection class, we changed to the HttpsConnection class:
HttpsConnection hc = (HttpsConnection)Connector.open(url);

We got errors like:


SOLUTION:
Based on the article here, we realised that it is an issue of "unknown certificates". This is because the certificates were created by us, so they are not in the keystore of the J2ME Wireless Toolkit.

The J2ME Wireless Toolkit contains a tool called MEKeyTool, whose purpose is to manage the public keys of certificate authorities. It is found in installation_dir/bin.

To list keys in the default keystore:
mekeytool -list

Now we have to import the keystore used in Tomcat into the Wireless Toolkit:
mekeytool -import -alias tomcat -keystore "z:\.keystore" -storepass changeit

Now, when we do a -list, you can observe it is in our keystore. Pointer to take note of: when creating the certificate in Tomcat, you MUST enter the host name or IP exactly as it appears in the URL when prompted for FIRST NAME (it becomes the certificate's CN). I used the IP 10.211.55.2, so FIRST NAME is 10.211.55.2. Otherwise you get the "Certificate does not contain the correct site name" error. The same rule applies to the connection string below: with a certificate issued to 10.211.55.2, the MIDlet has to connect to https://10.211.55.2:8443/ rather than https://localhost:8443/, or the name check fails again.

Since we now know that it is the configuration that causes the problem, not the code, all we have to do is construct an HTTPS connection string. (Importing our own certificate into the toolkit's keystore is fine for the emulator; on a real handset the server certificate has to chain to a CA already present in the device's keystore.) So instead of this:
String url = "http://localhost:8080/"
ContentConnection connection = (ContentConnection) Connector.open(url);

we change it to this:
String url = "https://localhost:8443/"
ContentConnection connection = (ContentConnection) Connector.open(url);

Voilà!!

Wednesday, February 20, 2008

Technical: MySQL commands

Feel free to add SQL commands here. An easy reference record for us.


Set root password: mysqladmin -u root password "your-chosen-passwd" (note the new password ends up in your shell history and is briefly visible in the process list)

Login as root: mysql -u root -p

Show databases: show databases;

Use database: use database_name;

Create database: create database database_name;

Remove database: drop database database_name;

(Identifiers are written bare; MySQL treats "double quotes" as a string literal, not a name. If a name needs quoting, use backticks: use `database_name`;)


Create table: create table cache (sessionid VARCHAR(32) NOT NULL PRIMARY KEY, challange VARCHAR(32));



Tuesday, February 19, 2008

Updates: Captcha Customizer v1 - Font Extrusion

The Captcha Customizer font extrusion design is created. Users can change the values in the text fields and the resulting changes will be shown in the preview graph.

Monday, February 18, 2008

Updates: Captcha Customizer v1 - Fonts

The Captcha Customizer font choosing design is created. Users can choose the desired font from the drop-down list and the style of the font will be shown in the preview panel.

The list of fonts is drawn from the system's fonts folder.



The "add" and "delete" function is in progress.

Sunday, February 17, 2008

Technical: Tomcat wouldn't start under Windows, Java 1.6

Tomcat 5.5/6 just wouldn't start on Windows. We had to use Parallels to test J2ME against Tomcat on the Mac.

The messages showing in the jakarta_service_yyyymmdd.log file were:

[174 javajni.c] [error] The specified module could not be found.
[947 prunsrv.c] [error] Failed creating java C:\Java\bin\client\jvm.dll
[1202 prunsrv.c] [error] ServiceStart returned 1

To solve this, copy msvcr71.dll (found in $JAVA_HOME\bin) to the $WINDOWS\system32 directory.

Extracted from here.

Updates: Test Cases

Prior to our product testing, please refer to the sample test case (login example).

I have included it in our group's files. The file name is "!TestCaseForm(login).doc".

Saturday, February 16, 2008

Updates: Captcha Customizer v1 - Text

The Captcha Customizer text choosing design is created. Users can select and unselect the characters they want to appear in the CAPTCHA design.

Thursday, February 14, 2008

Updates: Captcha Customizer v1 - Scale

The Captcha Customizer character scaling design is created. Users can change the values in the text field and the resulting changes will be shown in the preview graph.

Meeting: 13 Feb 2008 (Group)

MINUTES OF THE GROUP MEETING OF EPIC4SECURITY, HELD ON MONDAY, 13 February 2008, AT 7.30PM IN THE SIM STUDENT LOUNGE.


1. Matters Arising
Lexis and Alan reported that they found some code for an OCR that can be implemented as a Java application to demo an "OCR attack against our CAPTCHA".

Action by:



2. Documentation
2.1 Website
Lexis reported that the website is done; however it is lacking content. Alan suggested starting with the About Us/Our Team section. The following will be added:
a) Project Name
b) Group Members
c) Individual Tasks
d) Supervisor Name
e) Assessor Names
f) Date last modified

2.2 Test Cases and Test Plan
Based on the RUP methodology, we are in the Construction phase and beta testing of our prototype should begin any time. A test plan and test scenario with test cases should be drawn up. The format of the test document will be based on RUP. Lexis is tasked to draft the documents' format by 17 Feb.

Action by: Lexis (2.1); Lexis (2.2)

3. Captcha Design

3.1 Review on our design v3.2.

Sebastian suggested that we should improve the visibility of the current design. He suggested including more lighting; however this may affect the load time of the CAPTCHA word. Alan is tasked to add 1 more light and also monitor the load it puts on the Tomcat server. Alan is also tasked to work with more colours than the current white/black.

Also, to reduce the complexity of the design, Sebastian suggested reducing the angle rotations of the characters. Z-axis rotation will be removed. X- and Y-axis rotation will be obtained from a range of given values:
X: Max=20, Min=-20, can=0;
Y: Max=45, Min=25 & Max=-25, Min=-45;

It was also suggested that the fonts be revised, as the current fonts have look-alike symbols like '1' and 'I', or 'I' and 'l'. A revised prototype with the new features is to be submitted by Alan by 20 Feb.

3.2 Finalised on Captcha Design.
Sebastian announced that the team will finalise the current design with the above-mentioned adjustments, and concentrate on developing a new captcha design idea.

3.3 Customizer Tool
The group decided to include a customizer tool, which allows easy customization of the captcha design. It will have a simple user interface targeted at end users. It will be implemented as a local application, accessible only by the administrator of the organisation. This application will produce/edit a configuration/profile text file which is read by the captcha program. It allows the user to change the following features:
a) type of font used
b) no. of characters used
c) colours
d) scaling/frame size
e) angle used
Alan is assigned to work on the customizer tool and is authorised to add other features at his own judgement. Lexis will assist him. They are expected to make their deliveries by 30 Feb, to be reviewed by the team.

3.4 New Captcha Design
Alan suggested implementing a simple game in web applet form. This game requires mouse-click interaction from the user. The game plan is as follows: the user controls a main character and is supposed to move the character to a specific destination. However, between the character and its destination there will be obstacles and dead zones which void the game play. We will be taking advantage of collision detection and terrain following in Java3D. Research must be done on the following before commencement of the new design:
a) Can a bot handle mouse clicks?
b) Can applet talk to servlet?
c) Load time of the applet?

Action by (in the order recorded): Alan; Alan; Alan; Alan, Lexis; Alan, Lexis

4. System Design

4.1 Validation
Sebastian reported that the current implementation of captcha validation is improper and insecure. The current technique passes a Session ID from the client to the server, compares it with the Session ID held by the server, and then validates the captcha keyword associated with it. No matter how hard our captcha is, attackers can bypass it without even typing the captcha, simply by re-using the Session ID of a known CAPTCHA image. The validation algorithm needs to be revised. Lexis suggested researching HMAC (keyed-Hash Message Authentication Code), which is a more secure scheme. Research findings should be submitted by 20 Feb and implementation should take place by 30 Feb.
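One way to replace the session-ID check with the HMAC scheme suggested above, as an added Python example rather than the project's own Java servlet code: the server signs a random nonce, an expiry and the expected answer with a key only it holds, so a client cannot forge a token, and each nonce is accepted once, so the token of a known image cannot be replayed. The key, the TTL and the function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo key: in a deployment load it from server-side config; never send it to clients
SERVER_KEY = b"constructed-demo-key-change-me"
TOKEN_TTL = 300           # seconds a challenge stays valid
_used_nonces = set()      # single-use record; share it across servlet instances in production

def _mac(nonce, expiry, answer):
    # Keyed MAC binds nonce, expiry and the expected answer; answers compare case-insensitively
    msg = f"{nonce}|{expiry}|{answer.upper()}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_challenge(answer, now=None):
    """Return the opaque token to embed beside the captcha image: nonce.expiry.mac."""
    now = time.time() if now is None else now
    nonce = secrets.token_hex(8)
    expiry = int(now) + TOKEN_TTL
    return f"{nonce}.{expiry}.{_mac(nonce, expiry, answer)}"

def validate(token, user_answer, now=None):
    """True only if the MAC matches the user's answer and the token is unexpired and unused."""
    now = time.time() if now is None else now
    try:
        nonce, expiry_str, mac = token.split(".")
        expiry = int(expiry_str)
    except ValueError:            # malformed or tampered token
        return False
    if now > expiry or nonce in _used_nonces:
        return False
    if not hmac.compare_digest(_mac(nonce, expiry, user_answer), mac):
        return False
    _used_nonces.add(nonce)       # burn the nonce so a solved token cannot be replayed
    return True
```

Because the answer never has to be stored server-side, the scheme is stateless apart from the set of burnt nonces, which can be pruned once their expiry has passed.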

4.2 Logging
Sebastian reported that attackers can also flood our captcha server by continuously requesting the captcha image and doing nothing in return. Adrian suggested that we can overcome this problem by using logging.
Adrian is tasked on the logging part. He will capture:
a) IP address of visitor
b) M.A.C address (Can this prevent NAT)?
c) Date and Time
d) Session ID

Create a module to check visitors based on the log file. It should check if a visitor requests a captcha more than 5 times and block them if necessary. This is to stop users from continuously entering a wrong captcha and requesting a new one, or from trying to access illegal web URLs.
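An added Python example (not the project's module) of the check described above, run over a constructed log in the ip/timestamp/event/session-id layout listed in 4.2: it keys on the client IP, since a remote host's MAC address is not visible to a web server beyond the first router, which also means everyone behind one NAT shares the same budget. The log format, field names and the 10-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not the project's real log): ip, timestamp, event, session id
SAMPLE_LOG = """\
10.0.0.5 2008-02-13T19:30:01 captcha_request sid=a1
10.0.0.5 2008-02-13T19:30:02 captcha_request sid=a1
10.0.0.5 2008-02-13T19:30:03 captcha_request sid=a1
10.0.0.5 2008-02-13T19:30:04 captcha_request sid=a1
10.0.0.5 2008-02-13T19:30:05 captcha_request sid=a1
10.0.0.5 2008-02-13T19:30:06 captcha_request sid=a1
10.0.0.9 2008-02-13T19:30:07 captcha_request sid=b2
10.0.0.9 2008-02-13T19:30:20 validate_ok sid=b2
10.0.0.7 2008-02-13T19:25:00 captcha_request sid=c3
10.0.0.7 2008-02-13T19:40:00 captcha_request sid=c3
"""
LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<ts>\S+) (?P<event>\S+) sid=(?P<sid>\S+)$")
MAX_REQUESTS = 5                # more than this many captcha requests ...
WINDOW = timedelta(minutes=10)  # ... inside this window gets the IP blocked

def parse_log(text):
    """Parse log lines into (ip, timestamp, event, sid); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["ip"], datetime.fromisoformat(m["ts"]), m["event"], m["sid"]))
    return events

def find_abusers(events, max_requests=MAX_REQUESTS, window=WINDOW):
    """Return the set of IPs with more than max_requests captcha requests in any window."""
    times_by_ip = defaultdict(list)
    for ip, ts, event, _sid in events:
        if event == "captcha_request":
            times_by_ip[ip].append(ts)
    blocked = set()
    for ip, times in times_by_ip.items():
        times.sort()
        start = 0                      # sliding window over the sorted timestamps
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            if end - start + 1 > max_requests:
                blocked.add(ip)
                break
    return blocked
```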

4.3 Server
Adrian is tasked to ensure that the server is able to run the respective java servlets.

4.4 MIDlet
The current MIDlet is unable to support HTTPS. It uses a DataInputStream over a contentConnection. To work with HTTPS, javax.microedition.pki.* is required and an HttpsConnection will replace the current contentConnection. Lexis and Sebastian are tasked to research this and perform the relevant testing against Adrian's server over HTTPS. They are expected to deliver results by 25 Feb.

Action by: Sebastian, Lexis (4.1); Adrian (4.2); Adrian (4.3); Sebastian, Lexis (4.4)

5. Presentation Debrief
During the presentation, there were some questions from Adrian Choo. As there is uncertainty about one of the questions regarding image/text captcha, Alan is assigned to follow up with Adrian Choo by email to clarify the question he asked. Alan will forward the reply to the team.

Action by: Alan

6. A.O.B
6.1 Adrian will be away from 17 Feb to 21 Feb.
6.2 Lexis will be on ICT from 19 Mar to 29 Mar.

There being no other matters, the meeting was closed at 9.59pm.

Sebastian will notify us of the venue, date and time of the next meeting. Happy New Year to all.

Attendance:
Sebastian Seah
Lexis Ow
Alan Chee
Adrian Chia

Recorded by: Lexis







Tuesday, February 12, 2008

Updates: Captcha Customizer v1 - Angles

The Captcha Customizer angle-rotation design is created. Users can change the values in the text field and the resulting changes will be shown in the preview graph.

Monday, February 11, 2008

Updates: Captcha Customizer v1 - Position

The Captcha Position customizer design is created. Users can change the values in the text field and the effect of the new values will be shown in the graph.

Saturday, February 9, 2008

Updates: Captcha Customizer v1

Captcha Customizer v1 is developed.



The screenshot above is the main frame the user will see when he/she launches the customizer. The "Epic 4 Security" logo has an effect whereby, when the user clicks on it, the system default web browser opens automatically and brings the user to the "Epic 4 Security" web site.


Tuesday, February 5, 2008

Technical: Applet Servlet Communication

We decided that the "New Captcha" will be implemented as a Java3D interactive game, which requires interaction with the user. The only way is perhaps through a Java Applet...

Now what worries us is whether an applet can talk to a servlet.

Heaven's on our side. We found a nice example showcasing Applet and Servlet communication. It shows how data is sent to a servlet from an applet and how the applet receives an answer from the servlet.

http://www.frank-buss.de/echoservlet/index.html

More comments will be added once we get the hang of the code.

Saturday, February 2, 2008

Updates: End of Session Debrief

We had our first presentation yesterday. Thanks everyone for the effort you have put in. Everything was smooth, no cock-ups, and we made our delivery as targeted. These are the questions arrowed at us during the presentation. We will brainstorm them over the weekend and will have them on our agenda for this coming Monday's group meeting (04 Feb 2008).

1) RUP - How we apply to our project?
2) Show an attack on our Captcha.
3) How we prevent OCR attacks (Prove it. How is it actually done?)
4) How we prevent brute force (Prove it.)
5) How are we better than market's Captcha (Prove it)
6) Either Text/Picture Captcha or Extra picture with Text? (Blur ?!?)


Friday, February 1, 2008

Technical: Image Format

The captcha image output by the servlet has been changed to Portable Network Graphics (PNG) instead of JPEG File Interchange Format (JPG).

Thursday, January 31, 2008

Meeting: 30 JAN 2008 (w/ supervisor)

Session 1 Technical Report Review
Alan checked with the supervisor regarding the system flow diagram, use case diagram and content listings.

Below is the feedback from the supervisor:

System flowchart
- Should not have breakdown of function calls
- If there is input into a particular function, indicate it using text and arrow direction, do not use function block to indicate
- Advisable to include a brief explanation for the flow

CAPTCHA flow chart
- Change to sequence diagram
- include sequence number
- Advisable to include a brief explanation for the sequence

Use case diagram
- should have 2 users

*Customer
*Administrator for maintaining the product


OCR readings records acquired from product testing.
Sebastian checked with the supervisor regarding which section of the technical report should include the OCR reading results acquired from product testing.

OCR readings records can be either under
- Test plans
- Conclusions
- Product analysis


Brute force attack calculation.
The team checked with the supervisor regarding the brute force attack information.

Below is the calculation explained by the supervisor:
CAPTCHA text is formed by 8 characters with a choice of 46 characters in each position.

46^8 = 20,047,612,231,936 (sample space)

Brute force attack computation time required:

(sample space / 2) × time taken

where time taken = the time needed by our system to validate a single end user's answer.

Discussion with the supervisor regarding the Session 1 presentation.
The supervisor reviewed the contents of the team's presentation slides and gave the following feedback:

- RUP methodology should be explained briefly.
- Highlight the differences between our CAPTCHA and those in the market
- Advisable to show the calculation of the brute force attack on our CAPTCHA.
- Advisable to explain the resources used to generate our CAPTCHA image
- Advisable to demo or show some OCR readings on our CAPTCHA
- Suggested using a wireless modem to provide access point to allow mobile phones to connect to.
- Advisable to provide handouts for final presentation


Progress Report submission by team leader
Sebastian submitted the Progress Report for session 1 to the supervisor. Some of the supervisor's suggestions regarding the report format:

- Advised to show our progress based on the Gantt chart that we proposed in the proposal.
- Advised to write a summary of what we have done in phase 1.
- Advised to write what we are going to do in phase 2.

Additional CAPTCHA design features suggestion.
Lexis suggested including an additional CAPTCHA feature which allows customers to edit the CAPTCHA design effects to suit their application. The supervisor has reviewed it and will confirm with Adrian Choo whether the added feature will be considered part of the project scope or an extra feature. The supervisor advised the team to come up with a non-text-based CAPTCHA in order to score high points.

New CAPTCHA design suggestion.
Lexis suggested designing an animated CAPTCHA which requires end-user interaction. It requires the end user to use the mouse pointer to trace the path for an object X to move from A to B. In the meantime, there will be some objects like rocks or trees which may block object X from moving in a straight path. Hence the end user needs to find a way to reach B, which only a human can do.

But this design cannot be applied to mobile devices. The supervisor will confirm with Adrian Choo regarding the new design suggested, which can only run on the computer platform.