Transec, a Secure Authentication Tag Library

Lado Kumsiashvili writes, "Micromata has placed Transec, a secure authentication JSP tag library, under the GPL. While developing the Polyas (German) online voting system, Micromata invented a component for secure PIN/password input via untrusted, insecure browsers. Transec is freely embeddable and redistributable for non-commercial projects; a commercial license is also available. Spyware in the form of Browser Helper Objects and keyloggers can capture user keyboard input even if it is encrypted. Transec enables user authentication using a 100% server-side control — only images and coordinates are transferred to the untrusted browser. The browser sends coordinate information of each click on this imagemap directly back to the server, and the server responds with a new image. If the browser is infected by malware, it can't give up the PIN/password since the browser doesn't know this information. The Java code and a demo application are available at the Transec homepage." I have heard tales of malware that can grab a screen capture in the vicinity of the cursor at any mouse-click. Does anyone know if such a threat actually exists?

Lots o mouse clicks

[null etc. (524767)]

I have heard tales of malware that can grab a screen capture in the vicinity of the cursor at any mouse-click. Does anyone know if such a threat actually exists?

If so, the malware must go after specific types of clicks - for example, maybe it looks at the URL and form action to determine whether it's worth capturing the images. Otherwise, a typical day of perusing Digg articles could result in megabytes upon megabytes of captured images. And unlike text data, image data is hard to sieve for gold.

Re:

[Opportunist (166417)]

Current malware is already able to discriminate between "interesting" and "non interesting" sites. Even keyloggers only steal from pages that interest them. It is (not would be) the same for screenshot taking malware.

Heh...

[by Anonymous Coward]

"I have heard tales of malware that can grab a screen capture in the vicinity of the cursor at any mouse-click. Does anyone know if such a threat actually exists?"

Well, it does now.

I'm skeptic

[cucucu (953756)]

This is assumed to counter keyloggers.
But if the bad guys have enough control of your the machine to install a keylogger, then what's going to stop them from installing a "screen logger" that keeps successive screenshots in a special directory on the hard disk.

This "new" product does not work around the principle that software cannot secure a computer for which you adversary has physical access.

Screen Capture

[DieNadel (550271)]

I have heard tales of malware that can grab a screen capture in the vicinity of the cursor at any mouse-click. Does anyone know if such a threat actually exists?

I've heard about it many times as well and even seen a proof-of-concept.

Anyway, it could easily be implemented, and that's the point. I think a good solution would be Deja Vu [zdnet.com] or something similar, with lots of information (tens of known pictures), so that you need to grab lots of screenshots before actually having a chance.

But even in Deja Vu, you'r

Re:Screen Capture

[ultranova (717540)]

Why can't we have a TCB that is really Trusted? A secure operating system is all that takes to divert these attacks (granted it's easier said than done).

How do you know the operating system in a particular machine is actually the Trusted version, and not a hacked version that's masquerading as the trusted one ?

I don't get it.

[XorNand (517466)]

Here's their demo app [micromata.de].

I don't understand why this has made it's way onto Slashdot? It's an image map. With a PIN pad. Besides the fact it looks like a solution looking for a problem, I don't see the innovation. This could very easily be replicated in praticially any web scripting language of your choice.

Re:I don't get it.

[mrjb (547783)]

This could very easily be replicated in praticially any web scripting language of your choice.
Exactly. It doesn't require any client-side processing. That's the beauty of it. This means you can TURN OFF javascript and it will still work.

As for the innovation- it allows a user to enter their pin while reducing the chance that it's snooped by malware, which is a Good Thing. It also makes it a lot harder for said malware to replicate the response compared to keyboard entry- because in addition to protecting your code, it also acts as a (primitive) captcha, making reasonably sure that whoever is entering the code is human.

Re:

[XorNand (517466)]

Right, but what's with all the hype about Java and the GPL? Server-size image maps don't need Javascript to work. Unless I'm totally missing something here (which is possible) I could cook together a PHP class that does this exact same thing in less than an hour.

Doesn't ING direct already do something like this?

[antifoidulus (807088)]

When I log on to my account, instead of typing in a PIN, I press buttons on a "virtual" keypad, ie a bunch of images. They will also randomly assign letters to each number(different every time you log in) so you can still type them if you want without a keylogger figuring out what your pin is.

Right, they do that already

[ewn (538392)]

They also don't ask you to enter the whole PIN, but only a few randomly selected digits ("Please enter the 3rd and 5th digit of your PIN"), so an attacker who grabs the screen only once still doesn't have enough information. I think that's pretty smart.

Re:

[Opportunist (166417)]

Something like that delays the attack until the attacker knows enough numbers to make a qualified guess (attempt it and hope that one of the 3 attempts he has is for numbers he already logged). I wouldn't read too much into that kind of security.

Re:

[antifoidulus (807088)]

You are taking a very binary view of security(either it is secure or it is not). According to that view than anything that anyone could concievably access isn't secure because a determined enough attacker can potentially get access to it. It's like saying "I could put a lock on my front door, but a master locksmith could open it in seconds, therefore it is useless to put a lock on my door" While that may be true, the number of master locksmiths who want to get in and want to take my stuff is very, very s

One time pads. The only solution.

[plierhead (570797)]

When I log on to my account, instead of typing in a PIN, I press buttons on a "virtual" keypad, ie a bunch of images. They will also randomly assign letters to each number(different every time you log in) so you can still type them if you want without a keylogger figuring out what your pin is.

The trouble is, anyone who owns your PC and has installed a keylogger can just as easily spy on your display and see what you are clicking.

Sometimes I would swear my brain explodes at our slowness to learn.

The only true solution is one time pads. They are unhackable, and only a minor inconvenience.

I would give blood to be able to use a one time pad for my online banking. The trouble is, the industry, and Joe Public, still don't take IT security seriously. And this is totally a mindset. Some marketing guru should wake up to the possibilities of the one time pad - potentially the greatest chick puller since the circular waterbed - and get us the hell out of this horrendous hacky world.

Re:

[antifoidulus (807088)]

Um, if the attacker has complete access to your screen(and takes enough screenshots to monitor every mouse click, a hell of a lot of bandwidth I might add) then what is to prevent him from looking at your one time pad? I know one time pads are "algorithmically secure" but they are only as secure as your pad. If they control your computer, it wouldn't be all that hard to look at your pad. How big is your pad? If it starts to repeat then it is no longer secure. Are you asking the bank to store a huge pad

Re:

[antifoidulus (807088)]

First, I know what one time pads are, and I have read a lot of material on old cryptography techniques, but you still missed the very point! Supposed you have a one time pad and an attacker manages to get a keylogger onto your computer(this is the situation we are talking about, ING Direct is an online bank end of story, if you didn't know that then you really should not have hit the reply button because it's offtopic). So you carefully type in your one time pad into the computer. Guess what, since the a

Randomly rotated?

[leehwtsohg (618675)]

Probably a mistake in the article... but if they just randomly rotate the keypad, then
take (mouse x-min(mouse x))/key size, and you get 10 possible pins. Try 10, and you are done.

If they randomly permute, then things would be a bit harder. If they randomly permute and have OCR-resistant digits, the pin would be very secure (though, if enough money is involved, a cracker would probably be ready to actually look at the image...)

Re:

[leehwtsohg (618675)]

You are right to some degree, but also wrong.

Their idea seems to be that the computer might be compromised, but the server is secure - so if the server creates the images, you can at least be secure against automated attacks - i.e. without human intervention. (because the attacker does not have access to the algorithm that created the images) This can work for as long as there are some tasks that humans can do and computers not.

If the computer is the last step in the authentication, then you are right. If y

OPIE

[sonicattack (554038)]

Using images as a PIN-code isn't making things much more secure, if the same images are used every time. The credentials are still sent in a way that can be logged. It's just an extra annoyance for those who want to steal your password.

I use one-time passwords for accessing my home computer over SSH. Anyone can log my keystrokes, or look over my shoulder how much they want. The password is generated by an OPIE client running on my cell phone, and is valid only once.

OPIE clients run on virtually any kind of device. Just as long as you don't run it on the actual computer which you use to access the server, this is a more secure solution.

Using OPIE on untrusted servers would still present the security problem of initial passphrase synchronization between server and OPIE client - unless the passphrase is sent to the user by some secure channel, unlikely to be snooped.

Yes, such a threat exists

[Opportunist (166417)]

Without breaking NDAs I can verify that such malware exists, in the wild. So far this functionality (taking screenshots) has not been used widely, but the necessary functions are there, screenshots are taken, it's just not been necessary to use them.

Picture shots would certainly increase security and raise the bar for malware writers. Current BHOs are able to manipulate the data stream on the fly, so you can never be sure what you send to your bank, and whether the data your bank sends to you is actually also displayed. With a picture, this becomes harder to manipulate.

Harder. Not impossible. Many malware BHO families are already prepared for this kind of defense and are working on a way around it (or already found a way around it). Any claim to make malware impossible is a lot of smoke screen and even more snake oil. The best defense against such attacks are still:

1. Using non-mainstreamy software. Malware is a business, target is the mass market. So the further you're from the "masses", the higher the chance that the malware can't strike you. Using Firefox instead of the omnipresent IE is a good step. Defeats a good deal of malware. Taking a step further and using a Mac or Linux almost eliminates the threat. That doesn't mean MacOS or Linux are more secure (I'll spare you and me the discussion), that simply means that their market share is smaller and thus it is less interesting for malware writers.

2. Using a brain when connecting to the 'net. Clicking everything and using mainstream apps is a surefire way to catch some kind of infection. Even with current anti-malware tools installed. No antivirus is able to catch everything (and they usually are at least one day behind the malware writers). No security tool is able to intercept all invasion attempts (Windows simply offers way too many entry points). Software is no replacement for brains and common sense.

Re:

[MichaelSmith (789609)]

Software is no replacement for brains and common sense.

Now there's a quote I can put to good use in my day job!

Broken by design.

[drolli (522659)]

At least in their demo the entropy in the assignment between the coordinates and the numbers input is completely missing. Not a good "encryption" or "security" scheme.

Not secure

[dk.r*nger (460754)]

The image is a map, when you click it, coordinates are POSTed to the server, that replies with a new image.
Grab the coordinates and the image, and you can stich together the password with close to no effort.

Re:

[ultranova (717540)]

Seriously now. Are we going to inconvenience ourselves just because a few programs out there do Bad Things?

I'd imagine this would be most useful to run in my home server, so I could contact it from anywhere without having to trust the computer I'm using. And yeah, I'd rather inconvenience myself with this password entry method than with cleaning up the mess when someone hijacks the server.

The solution isn't to work around the baddies but to eliminate them altogether.

Funny you should mention "terro

Good luck. No chance in hell.

[Opportunist (166417)]

You're dealing with people who register a domain in Uzbekistan, run the server in the Ukraine and sit in Moldavia. With these three countries being placeholders for pretty much every country from the former East Block east of Poland. Now try to get ANY kind of help from law enforcement there concerning computer crimes.

Those law enforcement organisations there have real problems to deal with, they have no spare manpower for petty things like computer crimes. I say that so I don't say they don't want to stand up against organized crime 'cause they have families.