SRS PRESENTATION Ronen Mendezitsky & Alon Weiss HASTAC Website Protection System

Posted 28-Dec-2015

Page 1: SRS PRESENTATION Ronen Mendezitsky & Alon Weiss Website Protection System

SRS PRESENTATION

Ronen Mendezitsky & Alon Weiss

HASTAC Website Protection System

Page 2

Overview

An online security system for ASP.NET websites

Helps fight brute-force attacks on secured systems

Uses innovative methods to stop rogue OCR software that cracks the widely used CAPTCHA

Adds an image ("Challenge") with a question embedded in it. The user must answer the question in order to log in or register.

Page 3

Contract

What ASP.NET webmasters need: the most non-intrusive software component that can be plugged in to their website, easily deployed and maintained

A friendly and simple utility to remotely configure the system

The system should use minimal CPU, HDD, and bandwidth resources.

Page 4

Research

Most CAPTCHAs today are either low-grade, crude Unix scripts or developed in-house

Most of them have been either reverse engineered or easily cracked in real time using rogue OCR programs

CAPTCHAs are becoming more complex in order to deal with these rogue programs

Page 5

Top-Level Design

Requirements and boundaries for design:

Variable complexity

Simple yet full-featured management software

Allow for a much larger Q&A space

Fast response

Minimal resource usage

Easy integration

Generated image should be small and compressible

Page 6

The Problem

Password-protected websites encounter:

Brute-force attacks that consume a lot of bandwidth

Cracking attempts by automated bots

Creation of accounts in bulk by automated bots

Account lists generated by bots and posted on the internet, which are then used by bots to leech off the site

Page 7

The Customers

ASP.NET websites (around 30%)

[Chart of web server market share; legend: Apache, Microsoft, Sun, NCSA, Other]

Page 8

Competition

Product: Strongbox

Vendor: Ray Morris (bettercgi.com)

Link: http://www.bettercgi.com/strongbox/

Price: $150 per site (one-time)

A 5-letter image-based code protection.

Page 9

Competition

Product: T4wsentry.pl

Vendor: Fisher Technologies, Inc.

Link: http://www.tools4webmasters.com/t4wsentry.htm

Price: $65 per site (one-time)

A Perl script that requires the user to log in from a specific page in order to access the restricted area of the website.

Page 10

Competition

Product: Pennywize

Vendor: Zarvon P/L

Link: http://www.pennywize.com/

Price: $30-$170 (monthly rate)

An IP-based protection system.

Page 11

Competition

Product: BotDetect

Vendor: LANAP software

Link: http://www.lanapsoft.com

Price: $60-$100 per site (one-time)

Supports up to 50 different CAPTCHA types at variable length and image size, producing different file formats.

Page 12

The Proposed Product

A challenge is presented to the user at the log-in page in the form of an image.

Each image contains many elements

A challenge is embedded in the image

Answering the challenge correctly results in successful human verification

Page 13

Challenges

Make the question and answer space as large as possible

Use as little bandwidth as possible

SQL database access and HDD I/O should be minimal

Image manipulation algorithms should be developed to render OCR useless

The system has to be user friendly, both to the user and to the website administrator

The system should be upgradable with plug-ins
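The two slides above (the proposed product and the design challenges) describe a challenge image with an embedded question, a large question/answer space, minimal database and disk I/O, and a small compressible image. The following is an added example of that design, written for this page and not code from the HASTAC project or its authors. Every name in it (`HastacChallenge`, `ChallengeTicket`, the word list, the in-memory ticket store, the per-process HMAC key) is an assumption; it targets .NET with `System.Drawing` available.

```csharp
// Added example, not code from the HASTAC project: a minimal image-embedded
// question/answer challenge for an ASP.NET login page. All names are assumptions.
using System;
using System.Collections.Generic;
using System.Drawing;
using System.Drawing.Imaging;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public sealed class ChallengeTicket
{
    public string Id;            // opaque id the login form echoes back
    public byte[] AnswerHash;    // HMAC of the normalized answer; the answer itself is never stored
    public DateTime ExpiresUtc;  // challenges are short-lived and single-use
}

public static class HastacChallenge
{
    // Field order matters: static initializers run top to bottom, and ServerKey uses Rng.
    private static readonly RandomNumberGenerator Rng = RandomNumberGenerator.Create();
    private static readonly byte[] ServerKey = RandomBytes(32); // per-process secret (assumption)

    // In-memory ticket store keyed by id (assumption): no database or disk access per
    // challenge. A real deployment would use a cache with eviction.
    private static readonly Dictionary<string, ChallengeTicket> Store =
        new Dictionary<string, ChallengeTicket>();

    // Constructed word list; every extra word or question template multiplies the Q&A space.
    private static readonly string[] Words = { "apple", "river", "candle", "window", "garden" };

    // Builds one challenge: returns the ticket to keep server-side and the PNG to serve.
    public static ChallengeTicket Create(out byte[] png)
    {
        string word = Words[RandomInt(Words.Length)];
        int pos = 1 + RandomInt(word.Length);            // 1-based letter index
        string question = $"Type letter number {pos} of the word '{word}'";
        string answer = word[pos - 1].ToString();

        var ticket = new ChallengeTicket
        {
            Id = Convert.ToBase64String(RandomBytes(16)),
            AnswerHash = Hmac(answer),
            ExpiresUtc = DateTime.UtcNow.AddMinutes(2)
        };
        lock (Store) Store[ticket.Id] = ticket;
        png = Render(question);
        return ticket;
    }

    // Verifies the user's answer. The ticket is consumed on first use, right or wrong,
    // so an automated guesser cannot retry the same image.
    public static bool Verify(string id, string userAnswer)
    {
        ChallengeTicket t;
        lock (Store)
        {
            if (id == null || !Store.TryGetValue(id, out t)) return false;
            Store.Remove(id);
        }
        if (DateTime.UtcNow > t.ExpiresUtc) return false;
        return FixedTimeEquals(Hmac(userAnswer ?? ""), t.AnswerHash);
    }

    // Draws the question into a small PNG with a random tilt and a few stray lines,
    // which raises the cost of off-the-shelf OCR while staying readable to a person.
    private static byte[] Render(string question)
    {
        using (var bmp = new Bitmap(360, 80))
        using (var g = Graphics.FromImage(bmp))
        using (var font = new Font("Arial", 14, FontStyle.Bold))
        using (var pen = new Pen(Color.Gray, 1))
        using (var ms = new MemoryStream())
        {
            g.Clear(Color.White);
            for (int i = 0; i < 6; i++)
                g.DrawLine(pen, RandomInt(360), RandomInt(80), RandomInt(360), RandomInt(80));
            g.TranslateTransform(10, 25);
            g.RotateTransform(RandomInt(7) - 3);      // tilt between -3 and +3 degrees
            g.DrawString(question, font, Brushes.Black, 0, 0);
            bmp.Save(ms, ImageFormat.Png);            // PNG keeps a flat image small and compressible
            return ms.ToArray();
        }
    }

    // Answers are normalized before hashing so "A" and " a " both match.
    private static byte[] Hmac(string answer)
    {
        using (var h = new HMACSHA256(ServerKey))
            return h.ComputeHash(Encoding.UTF8.GetBytes(answer.Trim().ToLowerInvariant()));
    }

    // Constant-time comparison so a wrong answer does not leak how many bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    private static byte[] RandomBytes(int n)
    {
        var b = new byte[n];
        Rng.GetBytes(b);
        return b;
    }

    private static int RandomInt(int maxExclusive) =>
        (int)(BitConverter.ToUInt32(RandomBytes(4), 0) % (uint)maxExclusive);
}
```

In a page handler, `Create` is called when the login form is rendered: the PNG is served with an `image/png` content type and the ticket `Id` goes into a hidden form field; on POST, `Verify(id, answer)` must return true before the credentials are even checked. Because only an HMAC of the answer is kept and the store is in memory, the challenge costs no database or disk round trip, and the single-use ticket plus the two-minute expiry means a bot cannot farm one image and replay it.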

Page 14

Criteria for Success

Success: meeting all the requirements described

Failure: poor integration, poor challenge and response quality, excessive resource usage, or bad plug-in support

Page 15

Use Cases

A webmaster of a single website that has no protection and a lot to secure requires authentication to his sensitive content

A group of webmasters wish to create a single sign-in solution for their websites

A specific service requires high-fidelity human authentication, such as e-voting systems, polls, forms, public & free e-mail services, all to avoid mass junk data from being stored or sent using the service.

Page 16

Initial Plan and Progress

Research and development of the HASTAC algorithm

Research brute-force techniques used against CAPTCHA-protected websites

Investigate integration methods with current ASP.NET websites

Build an administration interface ("Back-Office") for the system

Define the main software modules and their integration

Perform stress-testing on the algorithm

Page 17

SRS PRESENTATION

Ronen Mendezitsky & Alon Weiss

HASTAC Website Protection System