Global ETD Search

121	A Multidisciplinary Analysis of Cyber Security in the Swedish Space Industry : Evaluating the possibilities for stakeholder cooperation and distributed ledger technology Palmqvist, Linnea, Nilsson, Hillevi January 2022 (has links) During the last decades, the space sector has gone through many changes; more private actors have joined, the dependence on space assets has increased, and the threat of cyberwarfare and private cyber attacks is growing. With this recent development, one wonders how we can ensure cyber security in such a specific industry. This is a multifaceted matter since there is a need to have technical solutions and to ensure that stakeholders take their responsibility, both of which will be considered in this thesis. Thirteen qualitative interviews with Swedish space stakeholders were conducted to understand the current industry landscape and which aspects should be prioritised for the future. We found that all Swedish actors must begin to cooperate, both state and businesses should contribute to a change in priority and technical experts should have more influence. The results were also applied and evaluated with the Multistakeholder Model. We examined distributed ledger technology and which adjustments were needed to make it applicable to satellites to include a technical aspect. We found that an update of the underlying structure and the choice of Proof of Stake as a consensus method could make distributed ledgers less demanding of computational power and storage. School of Entrepreneurship Cyber Security space space industry satellite Unibap Entreprenörskolan cybersäkerhet rymd rymdindustri satellit Unibap Engineering and Technology Teknik och teknologier
122	Kategorisering på uppfattningar om digitala hot på webbapplikationer : Med en studie som visar de ekonomiska konsekvenserna av cyberattacker / Categorization of conceptions about digital threats on web applications : With a study showing the economic consequences of cyber attacks Alyoussef, Elyas January 2022 (has links) Detta examensarbete tar upp digitala hot mot webbapplikationer och kategoriserar allmänhetens uppfattning om dem. Digitala hot är oftast kopplade till ekonomiska konsekvenser varvid även dessa kommer att studeras. Målet med detta arbete är att bidra till en vetenskaplig artikel i framtiden, som kan vara värdefull för allmänheten, samt för framtida arbete och sysselsättning. För att analysera samlade uppfattningar användes konstant jämförande metoden. Resultatet avslöjar flera spännande fynd för teori och praktik, där uppfattningar om cybervärlden presenteras för att kunna förstå mer hur andra ser på cybersäkerhet idag. Det visar även betydande variationer bland deltagarnas uppfattningar och att informationssäkerhet, även om den gradvis utvecklas, har en lång väg tills den blir en obruten del av affärsverksamheten och arbetskraftens verklighet. Denna studie kan även fungera som en guide för de olika uppfattningarna om cyberattacker eftersom den ger en översikt över de idag mest relevanta cyberattackerna. Arbetet kompletterades med en studie som belyser ekonomiska konsekvenser av cyberattacker. Utöver detta studerades även cyberattacken mot Coop under sommaren 2021. / This thesis presents a categorization of conceptions about digital threats on web applications with a study showing the economic consequences of cyber-attacks. The aim of this thesis is to contribute to a scientific article, which can be valuable to the public, as well as for future work and employment. Constant comparison method was used to analyse aggregate perceptions. The results reveal several exciting findings for theory and practice, where perceptions of the cyber world were presented in order to understand more how others see cybersecurity today. It also shows significant variations among the participants' perceptions. This shows that information security, even if it is gradually developed, has a long way to go until it becomes an unbroken part of the business. This study can also serve as a guide for the different perceptions of cyber-attacks as it provides an overview of the most relevant cyber-attacks today. This thesis was supplemented with a study that highlights the economic consequences of cyberattacks. In addition to this, the cyber-attack on Coop during the summer of 2021 was also studied. Security cyber-attack economic digital threats web applications cyber security. Säkerhet cyberattack ekonomi digitala hot webbapplikationer cybersäkerhet. Computer Systems Datorsystem
123	IoT Security Assessment of a Home Security Camera Hjärne, Nina, Kols, Ida January 2021 (has links) The amount of IoT devices in society is increasing.With this increase there is an inherently higher risk of hackersexploiting the vulnerabilities of such a device, accessing sensitivepersonal information. The objective of this project was to assessthe security level of a home security camera through findingvulnerabilities and exploiting them. The method used for thiswas to analyze the system and its communication, threat modelthe system to identify threats, perform vulnerability analysisand exploit the vulnerabilities through penetration testing. Theattacks on the system did not succeed and the system wasdeclared secure in the vulnerability analysis. From the aspectstested in this project, it can be assumed that safety precautionshave been taken to secure the home security camera frommalicious hackers. / Antalet IoT-produkter i samhället ökar ochmed fler och fler uppkopplade produkter i våra hem ökarrisken att hackare utnyttjar produkters sårbarheter för ondaavsikter, till exempel för att komma åt känslig personlig data.Målet med det här projektet var att hitta sårbarheter i ensäkerhetskamera för hemmet, attackera dem och utifrån resultatetbedöma hur säker produkten är. Detta gjordes genomatt analysera systemet och dess kommunikation, göra en hotmodellför att identifiera hot, genomföra sårbarhetsanalys ochsedan penetrationstesta hoten. Hackningsattackerna misslyckadesoch produkten bedömdes som säker i sårbarhetsanalysen.Utifrån de aspekter som testades i projektet kunde det bedömasatt grundläggande säkerhetsåtgärder vidtagits för att skyddasäkerhetskameran från hackare. / Kandidatexjobb i elektroteknik 2021, KTH, Stockholm security camera cyber security ethical hacking vulnerabilities threats penetration testing IoT privacy Elektroteknik och elektronik
124	Automated security analysis of a SCADA system Duisembiyeva, Akzharkyn January 2020 (has links) Supervisory control and data acquisition (SCADA) is a computer system for analysing, and monitoring data, as well as, controlling a plant in industries such as power grids, oil, gas refining, and water control. SCADA belongs to the category of critical systems that are needed to maintain the infrastructure of cities and households. Therefore, the security aspect of such a system has a significant role. The early SCADA systems were designed with the operation as the primary concern rather than security since they were a monolithic networked system without external access. However, the systems evolved, and SCADA systems were embedded with web technologies for users to monitor the data externally. These changes improved the efficiency of monitoring and productivity; however, this caused a problem of potential cyber-attacks to a SCADA system. One such example was Ukraine’s power grid blackout in 2015. Therefore, it is beneficial for the security of a SCADA system to create a threat modeling technique that can understand the critical components of SCADA, discover potential threats, and propose possible mitigation strategies. One issue when creating a threat model is the significant difference of SCADA from traditional Operational Technology (OT) systems. Another significant issue is that SCADA is a highly customisable system, and each SCADA instance can have different components. Therefore, for this work, we implemented a threat modeling language scadaLang, which is specific to the domain of a SCADA system. We started by defining the major assets of a SCADA system, attackers, entry surfaces, and built attacks and defense strategies. Then we developed a threat modeling domain-specific language scadaLang that can create a threat model for a particular instance of SCADA taking the differences in components and connections into account. As a result, we achieved a threat modeling language for SCADA, ensured the reliability of the results by peer-reviewing of an engineer familiar with the domain of the problem, and proposed a Turing test to ensure the validity of the result of scadaLang as the future development of the project. / Supervisory control and data acquisition (SCADA) är ett datorsystem för att analysera och monitorera data samt kontrollera anläggningar för industrier såsom energisystem, olja, raffinering av gas och vatten. SCADA tillhör den kategori av kritiska system som krävs för att bibehålla städer och hushålls infrastruktur. Därför är säkerhetsaspekten av ett sådant system av stor roll. De tidiga SCADA systemen var utformade med funktionen som huvudsaklig oro istället för säkerheten då de var monolitiska nätverkssystem utan extern åtkomst. Systemen utvecklades emellertid och SCADA systemen blev inbyggda med webbteknologier så att användare kan monitorera data externt. De här förändringarna förbättrade effektiviteten av monitorering och produktivitet men skapade problemet med potentiella cyber-attacker mot SCADA systemen. Ett sådant exempel är Ukrainas energy systems elavbrott som skedde 2015. Därför är det fördelaktigt för säkerheten av SCADA systemen att skapa en hotmodelleringsteknik för att bättre förstå de kritiska komponenterna av SCADA, hitta potentiella hot och föreslå potentiella förmildrande strategier. Ett problem för utvecklingen av en hotmodell är den stora skillnaden mellan SCADA från traditionella nätverkssystem inom industri. Ett annat stort problem är att SCADA är ett justerbart system och varje SCADA instans kan ha olika komponenter. Därför utvecklar vi i detta arbete ett språk för hotmodellering scadaLang som är specifikt för domänen SCADA system. Vi började med att definiera de huvudsakliga komponenterna av SCADA system, angriparna, attack ytorna och även bygga attacker samt försvarsstrategier. Sen utvecklade vi ett språk för hotmodelleringen som är domänspecifikt, scadaLang som kan skapa en hotmodell för en specifik instans av SCADA där skillnaderna på komponenter och sammankopplingar tas till hänsyn. Som resultat har vi skapat ett språk för hotmodellering för SCADA,verifierat resultat med hjälp av en ingenjör med domänkännedom och föreslagit ett Turing test för att förbättra verifieringen av resultatet som ett framtida arbete. threat modeling DSL MAL cyber security SCADA hotmodellering DSL MAL cybersäkerhet SCADA Elektroteknik och elektronik
125	Exploring the Dynamics of Software Bill of Materials (SBOMs) and Security Integration in Open Source Projects Ambala, Anvesh January 2024 (has links) Background.The rapid expansion of open-source software has introduced significant security challenges, particularly concerning supply chain attacks. Software supply chain attacks, such as the NotPetya attack, have underscored the critical need for robust security measures. Managing dependencies and protecting against such attacks have become important, leading to the emergence of Software Bill of Materials (SBOMs) as a crucial tool. SBOMs offer a comprehensive inventory of software components, aiding in identifying vulnerabilities and ensuring software integrity. Objectives. Investigate the information contained within SBOMs in Python and Gorepositories on GitHub. Analyze the evolution of SBOM fields over time to understand how software dependencies change. Examine the impact of the US Executive Order of May 2021 on the quality of SBOMs across software projects. Conduct dynamic vulnerability scans in repositories with SBOMs, focusing on identifying types and trends of vulnerabilities. Methods. The study employs archival research and quasi-experimentation, leveraging data from GitHub repositories. This approach facilitates a comprehensive analysis of SBOM contents, their evolution, and the impact of policy changes and security measures on software vulnerability trends. Results. The study reveals that SBOMs are becoming more complex as projects grow, with Python projects generally having more components than Go projects. Both ecosystems saw reductions in vulnerabilities in later versions. The US Executive Order of 2021 positively impacted SBOM quality, with measures like structural elements and NTIA guidelines showing significant improvements post-intervention. Integrating security scans with SBOMs helped identify a wide range of vulnerabilities. Projects varied in critical vulnerabilities, highlighting the need for tailored security strategies. CVSS scores and CWE IDs provided insights into vulnerability severity and types. Conclusions. The thesis highlights the crucial role of SBOMs in improving software security practices in open-source projects. It shows that policy interventions like the US Executive Order and security scans can significantly enhance SBOM quality, leading to better vulnerability management and detection strategies. The findings contribute to the development of robust dependency management and vulnerability detection methodologies in open-source software projects. Supply chain SBOM Software Bill of Materials US Executive Order May 2021 Open-Source Software Vulnerability cyber security. Software Engineering Programvaruteknik
126	Security threats to critical infrastructure: the human factor Ghafir, Ibrahim, Saleem, J., Hammoudeh, M., Faour, H., Prenosil, V., Jaf, S., Jabbar, S., Baker, T. 24 January 2020 (has links) Yes / In the twenty-first century, globalisation made corporate boundaries invisible and difficult to manage. This new macroeconomic transformation caused by globalisation introduced new challenges for critical infrastructure management. By replacing manual tasks with automated decision making and sophisticated technology, no doubt we feel much more secure than half a century ago. As the technological advancement takes root, so does the maturity of security threats. It is common that today’s critical infrastructures are operated by non-computer experts, e.g. nurses in health care, soldiers in military or firefighters in emergency services. In such challenging applications, protecting against insider attacks is often neither feasible nor economically possible, but these threats can be managed using suitable risk management strategies. Security technologies, e.g. firewalls, help protect data assets and computer systems against unauthorised entry. However, one area which is often largely ignored is the human factor of system security. Through social engineering techniques, malicious attackers are able to breach organisational security via people interactions. This paper presents a security awareness training framework, which can be used to train operators of critical infrastructure, on various social engineering security threats such as spear phishing, baiting, pretexting, among others. Critical infrastructure security Security awareness Cyber security training Work-based security training
127	Vulnerabilities in Outdated Content Management Systems : An Analysis of the Largest WordPress Websites. Ekstam Ljusegren, Hannes January 2023 (has links) The rapid growth of the internet over the past two decades has been accompaniedby a significant increase in cyberattacks, including ones targeting websites. Among thevast number of websites, approximately 50% are built using popular Content ManagementSystems (CMS) such as WordPress, Shopify, and Wix. Furthermore, websites created usingCMS platforms may be more attractive targets for attackers due to common frameworksand shared vulnerabilities. This study examines the prevalence of security vulnerabilitiesin the category "Vulnerable and Outdated Components" in these CMS-created websiteswith a focus on the WordPress CMS. From scanning one million of the largest websites,version information of WordPress and related extensions is collected and matched againstexploits in publicly available databases (exploit databases). The study finds that approxi-mately 65% of the WordPress websites are up-to-date, and that approximately 1.1% of thelargest websites running WordPress are susceptible to severe vulnerabilities to the Word-Press Core, and more to plugin vulnerabilities. The study also finds that 70% of all severepublic exploits both recently and historically spawn from 3 categories, including cross-sitescripting attacks, cross-site request forgery, and SQL injection. Based on the results gath-ered, a well-designed demonstration showcasing two vulnerabilities is develo Vulnerability analysis Cyber Security Computer Security WordPress CMS Cyberattacks Exploits Outdated Components Cyber Threats Demonstration Computer Engineering Datorteknik
128	Penetration Testing and PrivacyAssessment of Top-RankedHealth and Fitness Apps : An Empirical Study / Penetrationstestning och Integritetsbedömning av Toppklassade Hälso-och Fitnessappar : En Empirisk Studie Forsberg, Albin January 2024 (has links) Mobile health applications (mHealth apps), particularly in the health and fitness category, have experienced an increase in popularity due to their convenience and availability. However, this widespread adoption has raised concerns regarding the security and privacy of user data within these apps. This study investigates the security and privacy risks associated with ten top-ranked Android health and fitness apps, a set which accounts for 237 million downloads. By utilizing tools such as MobSF, Qualys SSL, and CLAUDETTE, we performed a static, dynamic, server-side, and privacy policy analysis in order to gain comprehensive insights into the security and privacy posture of the investigated mobile health and fitness apps. The results from the analysis revealed vulnerabilities in coding practices, hardcoded sensitive information, insecure encryption configurations, misconfiguration, and extensive domain communication. For instance, our analysis revealed that all apps stored their database API key directly in the code, with eight apps additionally exposing the database URL. Furthermore, six apps employed insecure encryption methods, such as CBC mode with PKCS5/PKCS7 padding (five apps) and ECB mode (two apps).In total, the apps interacted with 404 distinct domains. Notably, two apps communicated with more than 230 domains each, while a third app connected with over 100 domains. Despite these findings, developers demonstrated improved awareness and proficiency in addressing privacy and security risks compared to previous studies in the field. The study underscores the importance of continuous research to comprehensively understand the security and privacy landscape of health and fitness apps. Security Privacy Pentesting Cyber Security Vulnerability Assessment Testing Mobile Health Applications Vetting Health and Fitness Applications Computer and Information Sciences Data- och informationsvetenskap
129	Security Analysis of ECC Based Protocols Khatwani, Chanchal 01 January 2017 (has links) Elliptic curve cryptography (ECC) is extensively used in various multifactor authentication protocols. In this work, various recent ECC based authentication and key exchange protocols are subjected to threat modeling and static analysis to detect vulnerabilities, and to enhance them to be more secure against threats. This work demonstrates how currently used ECC based protocols are vulnerable to attacks. If protocols are vulnerable, damages could include critical data loss and elevated privacy concerns. The protocols considered in thiswork differ in their usage of security factors (e.g. passwords, pins, and biometrics), encryption and timestamps. The threatmodel considers various kinds of attacks including denial of service, man in the middle, weak authentication and SQL injection. Countermeasures to reduce or prevent such attacks are suggested. Beyond cryptanalysis of current schemes and proposal of new schemes, the proposed adversary model and criteria set forth provide a benchmark for the systematic evaluation of future two-factor authentication proposals. Thesis University of North Florida UNF Computer and Systems Architecture
130	Protecting Bare-metal Systems from Remote Exploitation Abraham Anthony Clements (6618926) 15 May 2019 (has links) The Internet of Things is deploying large numbers of bare-metal systems that have no protection against memory corruption and control-flow hijacking attacks. These attacks have enabled unauthorized entry to hotel rooms, malicious control of unmanned aerial vehicles, and invasions of privacy. Using static and dynamic analysis these systems can utilize state-of-the-art testing techniques to identify and<br>prevent memory-corruption errors and employ defenses against memory corruption and control-flow hijacking attacks in bare-metal systems that match or exceed those currently employed on desktop systems. This is shown using three case studies.<br><br>(1) EPOXY which, automatically applies data execution prevention, diversity, stack defenses, and separating privileged code from unprivileged code using a novel<br>technique called privileged overlaying. These protections prevent code injection attacks, and reduce the number of privileged instruction to 0.06% verses an unprotected<br>application.<br><br>(2) Automatic Compartments for Embedded Systems (ACES), which automatically creates compartments that enforce data integrity and code isolation within bare-metal applications. ACES enables exploring policies to best meet security and performance requirements for individual applications. Results show ACES' can form 10s of compartments within a single thread and has a 15% runtime overhead on average.<br><br><div>(3) HALucinator breaks the requirement for specialized hardware to perform bare-metal system testing. This enables state-of-the-art testing techniques –e.g., coverage based fuzzing – to scale with the availability of commodity computers, leading to the discovery of exploitable vulnerabilities in bare-metal systems. <br></div><div><br></div><div>Combined, these case studies advance the security of embedded system several decades and provide essential protections for today’s connected devices.</div> Computer Engineering Applied Computer Science Computer System Security Computer Communications Networks Embedded Systems Computer Security Embedded Systems Security Bare-Metal Internet of Things Memory Corruption cyber security

Search results