MINUTES OF THE GROUP MEETING OF EPIC4SECURITY, HELD ON MONDAY, 13 February 2008, AT 7.30PM IN THE SIM STUDENT LOUNGE.
1. Matters Arising
Lexis and Alan reported that they found some code for an OCR, to be implemented as a Java application, to demonstrate an "OCR attack against our captcha".

2. Documentation
2.1 Website
Lexis reported that the website is done; however, it is lacking content. Alan suggested starting with the About Us/Our Team section. The following will be added:
a) Project Name
b) Group Members
c) Individual Tasks
d) Supervisor Name
e) Assessor Names
f) Date last modified
Action: Lexis
2.2 Test Cases and Test Plan
Based on the RUP methodology, we are at the Construction Phase and beta testing of our prototype should begin any time. A test plan and test scenario with test cases should be drawn up. The format of the test document will be based on RUP. Lexis is tasked to draft the documents' format by 17 Feb.
Action: Lexis
3. Captcha Design
3.1 Review on our design v3.2.
Sebastian suggested that we should improve the visibility of the current design. He suggested including more lighting; however, this may affect the load time of the captcha word. Alan is tasked to add one more light and also to monitor the load it puts on the Tomcat server. Alan is also tasked to work with more colours than the current white/black.
Also, to reduce the complexity of the design, Sebastian suggested reducing the angle rotations of the characters. Z-axis rotation will be removed. X- and Y-axis rotations will be obtained from a range of given values:
X: Max=20, Min=-20, can be 0
Y: Max=45, Min=25 and Max=-25, Min=-45
It was also suggested that the type of fonts be revised, as the current fonts have look-alike symbols such as '1' and 'I', or 'I' and 'l'. A revised prototype with the new features will be submitted by Alan by 20 Feb.
Action: Alan
3.2 Finalised Captcha Design
Sebastian announced that the team will finalise the current design with the above-mentioned adjustments, and concentrate on developing a new captcha design idea.
3.3 Customizer Tool
The group decided to include a customizer tool, which allows easy customization of the captcha design. It will have a simple user interface targeted at end-users. It will be implemented as a local application, accessible only by the administrator of the organisation. This application will produce/edit a configuration/profile text file which is read in by the captcha program. It allows the user to change the following features:
a) type of font used
b) no. of characters used
c) colours
d) scaling/frame size
e) angle used
Alan is assigned to work on the customizer tool and is authorised to add other features based on his judgement. Lexis will assist him. They are expected to make their deliveries by 30 Feb to be reviewed by the team.
Action: Alan, Lexis
3.4 New Captcha Design
Alan suggested implementing a simple game, in web applet form. This game requires mouse-click interaction from the user. The game plan will be as follows: the user controls a main character and is supposed to move the character to a specific destination. However, between the character and its destination there will be obstacles and dead zones which will void the game play. We will be taking advantage of collision detection and terrain following in Java3D.
Research must be done on the following before commencement of the new design:
a) Can a bot handle mouse clicks?
b) Can an applet talk to a servlet?
c) Load time of the applet?
Action: Alan, Lexis
4. System Design
4.1 Validation
Sebastian reported that the current implementation of captcha validation is improper and insecure. The current technique uses a Session ID passed from the client to the server, compares it with the same Session ID held by the server, and then validates the captcha keyword associated with it. No matter how hard our captcha is, attackers can bypass it without even typing the captcha, simply by re-using the session ID of a known CAPTCHA image. The validation algorithm needs to be revised. Lexis suggested researching HMAC (keyed-Hash Message Authentication Code), which is a more secure scheme. Research findings should be submitted by 20 Feb and implementation should take place by 30 Feb.
Action: Sebastian, Lexis
4.2 Logging
Sebastian reported that attackers can also flood our captcha server by continuously requesting the captcha image and doing nothing in return. Adrian suggested that by the use of logging we can overcome this problem. Adrian is tasked with the logging part. He will capture:
a) IP address of visitor
b) MAC address (can this prevent NAT?)
c) Date and Time
d) Session ID
Create a module to check visitors based on the log file. It should check whether a visitor requests a captcha more than 5 times and block the visitor if necessary. This is to prevent users from continuously entering a wrong captcha and requesting a new one, or those who try to access illegal web URLs.
Action: Adrian
4.3 Server
Adrian is tasked to ensure that the server is able to run the respective Java servlets.
Action: Adrian
4.4 MIDlet
The current MIDlet is unable to support HTTPS. It uses a DataInputStream over a ContentConnection. To work with HTTPS, javax.microedition.pki.* is required and an HttpsConnection will replace the current ContentConnection. Lexis and Sebastian are tasked to research this and perform the relevant testing with Adrian's server over HTTPS. They are expected to deliver results by 25 Feb.
Action: Sebastian, Lexis
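The HMAC scheme proposed in 4.1, sketched as an added Python example (not the project's Java servlet code): the server issues a token that binds a fresh nonce, an expiry and the expected answer under a secret key, and accepts each token only once, so re-using the session ID of a known image no longer passes validation. The key, the TTL and the token layout are assumptions.

```python
import hmac
import hashlib
import secrets

# Hypothetical server-side secret; a real deployment would load it from protected config.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 120          # seconds a challenge stays valid
_used_nonces = set()     # nonces already redeemed (needs a shared store across servers)


def issue_challenge(answer, now, key=SERVER_KEY):
    """Server side: build the token sent to the client next to the captcha image.

    The token carries a nonce and an expiry plus an HMAC over nonce, expiry and
    the expected answer. The answer never leaves the server, and without the
    key the client cannot forge a tag for an answer it did not type.
    """
    nonce = secrets.token_hex(8)
    expiry = int(now) + TOKEN_TTL
    msg = f"{nonce}:{expiry}:{answer.lower()}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{nonce}:{expiry}:{tag}"


def verify_response(token, typed_answer, now, key=SERVER_KEY):
    """Server side: accept only a fresh, unexpired token whose tag matches the typed answer."""
    try:
        nonce, expiry_s, tag = token.split(":")
        expiry = int(expiry_s)
    except ValueError:
        return False                      # malformed token
    if int(now) > expiry:
        return False                      # challenge has expired
    if nonce in _used_nonces:
        return False                      # replay of an already-solved challenge
    msg = f"{nonce}:{expiry}:{typed_answer.lower()}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False                      # wrong answer or tampered token
    _used_nonces.add(nonce)               # burn the nonce so the token cannot be reused
    return True
```

The nonce set must be shared by every server instance that answers requests, otherwise a token redeemed on one instance can be replayed against another.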
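The log check described in 4.2, as an added Python example rather than Adrian's module: it reads constructed log lines and flags an IP that fetched the captcha more than 5 times within a sliding time window. The log format and the 10-minute window are assumptions, and the check keys on the IP address because a MAC address is not visible to an HTTP server beyond the local network segment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the project's server): IP, request time, session ID.
SAMPLE_LOG = """\
203.0.113.7 2008-02-13T19:30:01 sess-a1
198.51.100.4 2008-02-13T19:30:05 sess-b1
203.0.113.7 2008-02-13T19:30:09 sess-a2
203.0.113.7 2008-02-13T19:30:12 sess-a3
192.0.2.9 2008-02-13T19:31:00 sess-c1
203.0.113.7 2008-02-13T19:31:20 sess-a4
203.0.113.7 2008-02-13T19:31:31 sess-a5
198.51.100.4 2008-02-13T19:32:00 sess-b2
203.0.113.7 2008-02-13T19:32:02 sess-a6
192.0.2.9 2008-02-13T20:15:00 sess-c2
192.0.2.9 2008-02-13T20:40:00 sess-c3
192.0.2.9 2008-02-13T21:05:00 sess-c4
192.0.2.9 2008-02-13T21:30:00 sess-c5
192.0.2.9 2008-02-13T21:55:00 sess-c6
"""

MAX_REQUESTS = 5                # the "more than 5 times" rule from the minutes
WINDOW = timedelta(minutes=10)  # assumed window length; the minutes do not give one


def parse_log(text):
    """Yield (ip, timestamp, session_id) from the space-separated log."""
    for line in text.splitlines():
        if line.strip():
            ip, ts, sid = line.split()
            yield ip, datetime.fromisoformat(ts), sid


def find_abusers(text, max_requests=MAX_REQUESTS, window=WINDOW):
    """Return {ip: time first exceeded} for IPs that fetched the captcha more
    than max_requests times within any sliding window of the given length."""
    recent = defaultdict(deque)
    flagged = {}
    for ip, ts, _sid in sorted(parse_log(text), key=lambda r: r[1]):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # forget requests that fell out of the window
            q.popleft()
        if len(q) > max_requests and ip not in flagged:
            flagged[ip] = ts
    return flagged
```

In the sample, 203.0.113.7 trips the rule within two minutes while 192.0.2.9 makes the same number of requests spread over hours and is left alone.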
5. Presentation Debrief
During the presentation, there were some questions from Adrian Choo. As there is uncertainty about one of the questions regarding image/text captcha, Alan is assigned to follow up by email with Adrian Choo to clarify the question he asked. Alan will forward the reply to the team.
Action: Alan
6. A.O.B
6.1 Adrian will be away from 17 Feb to 21 Feb.
6.2 Lexis will be on ICT from 19 Mar to 29 Mar.
There being no other matters, the meeting was closed at 9.59pm.
Sebastian will notify us the venue, date and time for the next meeting. Happy New Year to all.
Attendance:
Sebastian Seah
Lexis Ow
Alan Chee
Adrian Chia
Recorded by: Lexis