Wednesday, November 26, 2008

Hi Guys!

Hi Guys!

How have you all been doing? Hope you are doing well...

We have done it and I’m proud of it! Although it may not be outstanding enough to warrant an HD from our lecturers, I think it will be among the top few! :)

Wish that all of you will be attending the convo, 'cos I just realised that we have not yet taken a proper group photo!

Well, I have also started on my new job; it has been a month now and it is not easy, totally new job scope and new environment, but still in IT. Late nights every day, or should I say very early mornings, since I started work. Workplace very, very near where HC is working, if he is still there. Hello, neighbour! :)

Lastly, I wanna thank you guys for being great teammates and comrades. Couldn't have done it without you.

Till then... ;)

Saturday, April 12, 2008

Update: Mission Completed

Well done everyone. Thanks for the effort everyone has put in during the last 4 months. Indeed it was a tough one with many, many sleepless nights. We survived and the feeling is shiok.

- Thanks to our supervisor, Han Chiang, who has been guiding us along these months.

- Thanks Alan for providing your server, cables and equipment. Not forgetting your house, aircon and char siew pao.

- Thanks Sebas for sacrificing and coming all the way to the East. Thanks for your petrol and car coupons.

- Thanks Adrian for making the mov and recording your voice.

- Many, many thanks to others who in one way or another helped make this project a success.

Keep in touch guys. Bon Voyage Sebas. Bring some Japanese gals back for Alan.


And for the assessors who are looking at this page, kindly note the following:

- a CD menu is created, just click on the links you wanna see.
- the website inside the CD is more updated than the live one running at epic4security.no-ip.com; the website's Flash FLA source is also available for you.
- everything is swee swee done for you; if you wanna compile and deploy our project, a little ANT script is created, you just gotta do "ant compile deploy start". Make sure your graphics card supports OpenGL to run Java3D.
- For the customizer, a little jar file is created for you to just double-click. But first you gotta get your MySQL running with the database schema.. then again..
- SQL script to create and insert is also done for you.

If we missed out anything, leave us a comment, please be gentle on us.. HAHA :)

Friday, April 4, 2008

Technical: MPEG movie

This section is reserved for the MPEG movie stuff.

Epic4Security will not release any information on the movie, its contents, or how the movie is created yet. Please visit after 11 Apr for more updates.

Thursday, April 3, 2008

Technical: Measures against SQL-injection attacks

This section is reserved for an article on preventing SQL injection attacks against EpiCaptcha.

We are using a database, so there is a risk of SQL injection.
How is SQL injection done?
e.g. To log in to a site, we enter 2 parameters: username and password.
The site validates them by submitting the form to a servlet/JSP, e.g. http://epic4security.com/login.jsp with the parameters username=blabla&password=blabla (shown here as a query string; a POST carries the same two parameters in the request body).
Over at login.jsp, there is a SQL statement built by pasting those parameters into the string, e.g. "SELECT username, password FROM TABLE WHERE USERNAME = '" + username + "' AND PASSWORD = '" + password + "'";
What an attacker can do is enter the following in the username and password fields:
Username = admin
Password = pass' OR username = 'admin
So he alters the SQL statement to:
"SELECT username, password FROM TABLE WHERE USERNAME = 'admin' AND PASSWORD = 'pass' OR username = 'admin'";
Because AND binds tighter than OR, the WHERE clause is true for the admin row whatever the password is, and the attacker is logged in as admin.
Dangerous right?
Prevention
Thus to prevent this from happening, what we can do is:
1) check the length of each parameter (a cheap sanity check only; the payload above is just 26 characters, so a length limit on its own does not stop it)
2) hash the password to a message digest, e.g. SHA-256 or SHA-512, before it goes into the query: a hex digest contains only the characters 0-9 and a-f, so it can never close the quote. Note that this protects only the field that is hashed; the username is still pasted in raw.
3) the real fix is to never paste parameters into the SQL text at all: use a JDBC PreparedStatement with ? placeholders and setString(), so the database receives the values separately from the query and never parses them as SQL.
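The attack and the measures above, run side by side, as an added example (not EpiCaptcha's own code, which is servlet/JSP over JDBC): a Python/sqlite3 stand-in with a constructed users table (the table name, the s3cret password and the stored hash column are assumptions). It shows the page's payload bypassing the concatenated query, that hashing the password stops that payload but leaves the raw username field open to a comment payload, and that a parameterized query rejects both while still accepting the real credentials.

```python
import hashlib
import sqlite3


def sha512_hex(text: str) -> str:
    """Hex digest: 128 characters, only [0-9a-f], so it can never close a quote."""
    return hashlib.sha512(text.encode("utf-8")).hexdigest()


def make_db():
    """Constructed demo data (not from the project): one account, stored both as
    plaintext (as the page's query implies) and as a SHA-512 hex digest."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT, password_hash TEXT)")
    con.execute("INSERT INTO users VALUES (?, ?, ?)",
                ("admin", "s3cret", sha512_hex("s3cret")))
    return con


def login_concat(con, username, password):
    """The login.jsp pattern from the page: parameters pasted into the SQL string."""
    sql = ("SELECT username FROM users WHERE USERNAME = '" + username
           + "' AND PASSWORD = '" + password + "'")
    return con.execute(sql).fetchone() is not None


def login_concat_hashed(con, username, password):
    """Measure 2: hash the password first. Only the hashed field is protected;
    the username is still concatenated raw."""
    sql = ("SELECT username FROM users WHERE USERNAME = '" + username
           + "' AND PASSWORD_HASH = '" + sha512_hex(password) + "'")
    return con.execute(sql).fetchone() is not None


MAX_LEN = 64  # assumed length limit (measure 1), kept as a sanity check only


def login_param(con, username, password):
    """Parameterized query: values are bound, never parsed as SQL."""
    if not (0 < len(username) <= MAX_LEN and 0 < len(password) <= MAX_LEN):
        return False
    row = con.execute(
        "SELECT username FROM users WHERE USERNAME = ? AND PASSWORD_HASH = ?",
        (username, sha512_hex(password)),
    ).fetchone()
    return row is not None


PAYLOAD_PASSWORD = "pass' OR username = 'admin"   # the payload from the page
PAYLOAD_USERNAME = "admin' --"                    # comments out the rest of the WHERE


def demo():
    """Run every variant against both payloads; keys describe the case."""
    con = make_db()
    return {
        "concat_page_payload": login_concat(con, "admin", PAYLOAD_PASSWORD),
        "hashed_page_payload": login_concat_hashed(con, "admin", PAYLOAD_PASSWORD),
        "hashed_username_payload": login_concat_hashed(con, PAYLOAD_USERNAME, "x"),
        "param_page_payload": login_param(con, "admin", PAYLOAD_PASSWORD),
        "param_username_payload": login_param(con, PAYLOAD_USERNAME, "x"),
        "param_correct": login_param(con, "admin", "s3cret"),
        "param_wrong": login_param(con, "admin", "wrong"),
    }


if __name__ == "__main__":
    for case, logged_in in demo().items():
        print(f"{case}: {logged_in}")
```

In the project's JSP the equivalent of login_param is a java.sql.PreparedStatement with ? placeholders and setString(); the length check and the hashing are still worth keeping on top of it, but neither is a substitute for binding the parameters.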

Wednesday, April 2, 2008

Technical: Voice Clips in MP3 format

To generate the audio challenge as an aid to the Text CAPTCHA, we wanted to use one of our own voices, but then we thought it would be more attractive if you hear a woman speaking to you.

1) Cepstral Text to Speech software is used to generate the audio clips. Website here.

A-Z, 0-9 and the majority of the symbols can be read out. However, some like ` < > , . " : ( ) - cannot be interpreted by Cepstral.

So we gotta manually type in the English word, e.g. for the symbol & we type "ampersand". Guide followed from http://a4esl.org/q/h/9901/nr-keyboard.html.

The following audio clips are generated:
a) a - z (lowercase letters)
b) A - Z (uppercase letters)
c) 0 - 9 (digits)
d) other symbols on the keyboard.

2) The audio clips are then edited and compressed to 32 kbit/s mono MP3 using Blaze Media Pro, thereby reducing the size of each clip to about 7-19 KB. Website here.

Friday, March 28, 2008

Updates: Replaced SHA-1 with SHA-512

Following the advice given by our supervisor, and given that collision attacks faster than brute force are known against SHA-1, we replaced the old SHA-1 message digest algorithm with SHA-512.

Some notes about SHA. It stands for Secure Hash Algorithm. It computes a fixed-length message digest of an input message of any length. The five algorithms are denoted SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512. SHA-224, SHA-256, SHA-384, and SHA-512 are classified under SHA-2.

The visible difference among them is the bit length of the digest they produce: SHA-1 gives 160 bits (20 bytes), SHA-256 gives 256 bits (32 bytes) and SHA-512 gives 512 bits (64 bytes). Hex-encoded, as in the method below, a SHA-512 digest is a 128-character string (two hex characters per byte), versus 40 characters for SHA-1.



From the diagram above, obtained from Wikipedia: as of this writing, no attacks have been found against SHA-2.

After searching on Google, hoping to find an example of how to implement SHA-512 in Java, there were none... then we found something similar. Since Java 1.4.2 the standard Sun provider includes SHA-256, SHA-384 and SHA-512 in java.security.MessageDigest, alongside the Java Cryptography Extension (JCE), which supports a wide range of standard algorithms including RSA, DSA, AES, Triple DES, SHA, PKCS#5, RC2 and RC4.

So now what we have to do is change
MessageDigest md = MessageDigest.getInstance("SHA-1");
to
MessageDigest md = MessageDigest.getInstance("SHA-512");

and increase the HASH column length in the CACHE table to 128, since the hex-encoded 64-byte digest is 128 characters long (a shorter column would truncate or reject the value and the cache lookups would fail).

My full method() code below


import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Returns the SHA-512 digest of text as a lowercase hex string
 * (64 bytes = 128 hex characters).
 */
public static String SHA(String text) throws CaptchaException {
    try {
        // Can be MD5 (128bit), SHA-1 (160bit), SHA-256, SHA-384, SHA-512
        MessageDigest md = MessageDigest.getInstance("SHA-512");
        byte[] data = md.digest(text.getBytes("UTF-8"));

        // Hex-encode: two nibbles per byte, high nibble first
        StringBuilder buf = new StringBuilder(data.length * 2);
        for (int i = 0; i < data.length; i++) {
            int halfbyte = (data[i] >>> 4) & 0x0F;
            int two_halfs = 0;
            do {
                if ((0 <= halfbyte) && (halfbyte <= 9))
                    buf.append((char) ('0' + halfbyte));
                else
                    buf.append((char) ('a' + (halfbyte - 10)));
                halfbyte = data[i] & 0x0F;
            } while (two_halfs++ < 1); // runs exactly twice: high nibble, then low nibble
        }
        return buf.toString();
    }
    // thrown by MessageDigest.getInstance if the provider lacks SHA-512
    catch (NoSuchAlgorithmException e) {
        throw new CaptchaException(e.getMessage());
    }
    // thrown by text.getBytes for an unknown charset (UTF-8 is always available)
    catch (UnsupportedEncodingException e) {
        throw new CaptchaException(e.getMessage());
    }
}

Thursday, March 27, 2008

Meeting 26 March 2008

Text CAPTCHA Demo, Design and Implementation Review

Discussion:
Alan showed the demo of the Text CAPTCHA, with validation and logging to block attacks, to the supervisor.




Conclusions:
· CAPTCHA design
- Some characters are difficult to identify. Need to fine-tune them.
- The contrast between the text and the background in the blue colour design of the CAPTCHA makes it difficult for the user to read. Either remove the colour “blue” or change the text colour.

· CAPTCHA implementation
- The text remains unchanged after a refresh. Need to kill the session after each refresh.
- The current hashing algorithm used is SHA-1; the hash algorithms MD5 and SHA-1 have been broken.
Need to change to another hashing algorithm; suggested SHA-256 or SHA-512.

· CAPTCHA design methodology
- The CAPTCHA engine should be portable. The engine should be usable as a mobile application as well as a web-based plug-in.

Action items
Fine Tune CAPTCHA Design by ALAN

Kill Session Every Time After Each Refresh by LEXIS
Change Current Hashing Algorithm to SHA256 or SHA512 by LEXIS

Image CAPTCHA Demo, Design and Implementation Review.

Discussion:
Alan demoed the new CAPTCHA design to the supervisor. The supervisor reviewed and commented.



Conclusions:
· The current image CAPTCHA has too few images (low permutation), so it is subject to brute-force guessing.
· Need to increase the number of images, which requires a huge database.
· Suggested implementing the image and text CAPTCHA together, with images and text appearing at random.


Action items
Increase the number of images to enlarge the database by TEAM
Implement image and text CAPTCHA together by LEXIS and ALAN


CAPTCHA Customizer Demo and Review.

Discussion:
Alan demoed the CAPTCHA customizer to the supervisor. The supervisor reviewed and commented.
Conclusions:
· Position Module
- The grid coordinates cannot be seen clearly as the font size is too big, which causes overlapping; reduce the font size to make it clearer and change the font colour if needed.
- Need to limit the range of the position, as the character will be out of range when a user enters a value wider than the interface.

· Purge Logs Module
- The position of the “date” label is wrong; need to reposition it.
- Logs cannot be deleted by a specific date. Need to rectify this.

Action items
Change the font size of the grid coordinates by ALAN

Limit the range of position by ALAN
Reposition of the “date” label by ALAN
Delete logs according to the specific date by ALAN

Presentation Slides, Demo and MPEG Video

Discussion:
The team discussed with the supervisor the content to show in the presentation slides and demo.
Conclusions:
· Presentation Slides
- Show the logging policy
- Can state the flaw of the image CAPTCHA if implemented standalone, and the solutions to it. Can state it in the report if there’s no intention of including it in the presentation slides.


· Demo
- For the customizer, demo only 1 or 2 of the more important functions, as there are too many functions in it.

· MPEG Video
- A video of our presentation with the presentation slides and demo.
- Can be used as a rehearsal of our presentation and demo.

Action items
Power Point Slide by SEBASTIAN
MPEG Video by LEXIS