31. Testing and Improving the Security of a Mobile Application / Testning och förbättring av säkerheten i en mobilapplikation

Gyulai, Sofia, Holmgren, William January 2019 (has links)
When making new software systems, security testing should always be included in the process. In this thesis, attacks were identified and performed against a system consisting of two servers and an Android application. A penetration test was also performed against parts of the system. If an attack was successful, this was considered a vulnerability. The attacks that were identified and performed were a NoSQL injection attack, a man-in-the-middle attack and reverse engineering. Through the man-in-the-middle attack and reverse engineering, breaching security properties such as confidentiality and integrity was possible. The NoSQL injection attack was not successful in breaching either. No results from these could be used to exploit the system further. Countermeasures were taken to secure against the discovered vulnerabilities, and new instances of the attacks were performed after this as well. The overall conclusion is that the system is now secure against our implementations of the attacks performed in this thesis.
32. CPT Prediction of Soil Behaviour Type, Liquefaction Potential and Ground Settlement in North-West Christchurch

Van T Veen, Lauren Hannah January 2015 (has links)
As a consequence of the 2010 – 2011 Canterbury earthquake sequence, Christchurch experienced widespread liquefaction, vertical settlement and lateral spreading. These geological processes caused extensive damage to both housing and infrastructure, and increased the need for geotechnical investigation substantially. Cone Penetration Testing (CPT) has become the most common method for liquefaction assessment in Christchurch, and issues have been identified with the soil behaviour type, liquefaction potential and vertical settlement estimates, particularly in the north-western suburbs of Christchurch where soils consist mostly of silts, clayey silts and silty clays. The CPT soil behaviour type often appears to over-estimate the fines content within a soil, while the liquefaction potential and vertical settlement are often calculated higher than those measured after the Canterbury earthquake sequence. To investigate these issues, laboratory work was carried out on three adjacent CPT/borehole pairs from the Groynes Park subdivision in northern Christchurch. Boreholes were logged according to NZGS standards, separated into stratigraphic layers, and laboratory tests were conducted on representative samples. Comparison of these results with the CPT soil behaviour types provided valuable information, where 62% of soils on average were specified by the CPT at the Groynes Park subdivision as finer than what was actually present, 20% of soils on average were specified as coarser than what was actually present, and only 18% of soils on average were correctly classified by the CPT. Hence the CPT soil behaviour type is not accurately describing the stratigraphic profile at the Groynes Park subdivision, and it is understood that this is also the case in much of northwest Christchurch where similar soils are found. 
The computer software CLiq, by GeoLogismiki, uses assessment parameter constants which are able to be adjusted with each CPT file, in an attempt to make each more accurate. These parameter changes can in some cases substantially alter the results for liquefaction analysis. The sensitivity of the overall assessment method, raising and lowering the water table, lowering the soil behaviour type index, Ic, liquefaction cutoff value, the layer detection option, and the weighting factor option, were analysed by comparison with a set of ‘base settings’. The investigation confirmed that liquefaction analysis results can be very sensitive to the parameters selected, and demonstrated the dependency of the soil behaviour type on the soil behaviour type index, as the tested assessment parameters made very little to no changes to the soil behaviour type plots. The soil behaviour type index, Ic, developed by Robertson and Wride (1998) has been used to define a soil’s behaviour type, which is defined according to a set of numerical boundaries. In addition to this, the liquefaction cutoff point is defined as Ic > 2.6, whereby it is assumed that any soils with an Ic value above this will not liquefy due to clay-like tendencies (Robertson and Wride, 1998). The method has been identified in this thesis as being potentially unsuitable for some areas of Christchurch as it was developed for mostly sandy soils. An alternative methodology involving adjustment of the Robertson and Wride (1998) soil behaviour type boundaries is proposed as follows: Ic < 1.31, gravelly sand to dense sand; 1.31 < Ic < 1.90, sands: clean sand to silty sand; 1.90 < Ic < 2.50, sand mixtures: silty sand to sandy silt; 2.50 < Ic < 3.20, silt mixtures: clayey silt to silty clay; 3.20 < Ic < 3.60, clays: silty clay to clay; Ic > 3.60, organic soils: peats.
When the soil behaviour type boundary changes were applied to 15 test sites throughout Christchurch, 67% showed an improved change of soil behaviour type, while the remaining 33% remained unchanged, because they consisted almost entirely of sand. Within these boundary changes, the liquefaction cutoff point was moved from Ic > 2.6 to Ic > 2.5 and altered the liquefaction potential and vertical settlement to more realistic values. This confirmed that the overall soil behaviour type boundary changes appear to solve both the soil behaviour type issues and reduce the overestimation of liquefaction potential and vertical settlement. This thesis acts as a starting point towards researching the issues discussed. In particular, future work which would be useful includes investigation of the CLiq assessment parameter adjustments, and those which would be most suitable for use in clay-rich soils such as those in Christchurch. In particular, consideration should be given to how the water table can be better assessed when perched layers of water exist, with the limitation that only one elevation can be entered into CLiq. Additionally, a useful investigation would be a comparison of the known liquefaction and settlements from the Canterbury earthquake sequence with the liquefaction and settlement potentials calculated in CLiq for equivalent shaking conditions. This would enable the difference between the two to be accurately defined, and a suitable adjustment applied. Finally, inconsistencies between the Laser-Sizer and Hydrometer should be investigated, as the Laser-Sizer under-estimated the fines content by up to one third of the Hydrometer values.
33. Penetration Testing in a Web Application Environment

Vernersson, Susanne January 2010 (has links)
As the use of web applications is increasing among a number of different industries, many companies turn to online applications to promote their services. Companies see the great advantages of web applications such as convenience, low costs and little need for additional hardware or software configuration. Meanwhile, the threats against web applications are scaling up, where the attacker is not in need of much experience or knowledge to hack a poorly secured web application, as the service can easily be accessed over the Internet. While common attacks such as cross-site scripting and SQL injection have been around and very much in use for a number of years, the hacker community constantly discovers new exploits, making businesses in need of higher security. Penetration testing is a method used to estimate the security of a computer system, network or web application. The aim is to reveal possible vulnerabilities that could be exploited by a malicious attacker and suggest solutions to the given problem at hand. With the right security fixes, a business system can go from being a threat to its users’ sensitive data to a secure and functional platform with just a few adjustments. This thesis aims to help the IT security consultants at Combitech AB with detecting and securing the most common web application exploits that companies suffer from today. By providing Combitech with safe and easy methods to discover and fix the top security deficiencies, the restricted time spent at a client due to budget concerns can be made more efficient thanks to improvements in the internal testing methodology. The project can additionally be of interest to teachers, students and developers who want to know more about web application testing and security as well as common exploit scenarios.
34. Aplikace pro penetrační testování webových zranitelností typu Denial of Service / Penetration Testing Application for DoS Based Web Vulnerabilities

Vrána, Jaroslav January 2011 (has links)
This work deals with the issue of DoS vulnerabilities in web applications. First, the principles of computer security, the general principles of DoS and penetration testing are described. The text then describes the OWASP Testing Guide v3 for DoS in web applications. A design of our own application, based on our own experience, is presented. This application is implemented and tested against web applications.
35. Ethical Hacking of an IoT camera / Etisk hackning av en IoT-kamera

Hellesnes, Nicolai January 2021 (has links)
With the fast growing popularity of IoT devices, a new entry point for cyber attacks is emerging. As IoT devices such as security cameras become more widely used in settings where security and privacy can be considered a key concern, more research about these devices must be done to ensure that the security requirements are met. In this thesis the home security camera Reolink E1 Zoom has been evaluated. The security of the device was evaluated with a 7 step method which consisted of pre-engagement, information gathering, threat modeling, vulnerability analysis, exploitation, post exploitation, and reporting. The threat modeling and penetration testing were conducted on the IoT device with a focus on the web application. The result of the penetration testing was that one vulnerability was discovered, an XSS attack, with many other security issues not directly leading to an exploit also being discovered. The vulnerability discovered was reported to the manufacturer as detailed in the thesis. The conclusion is that the security of the IoT device was lacking in certain areas. / With its rapidly growing popularity, IoT has opened the door to new potential problems with cyber attacks. As IoT devices such as security cameras begin to be used to a greater extent in contexts where security and privacy have the highest priority, more research on the security of these devices must be carried out, in order to ensure that the security requirements are met. In this thesis, the security of the IoT device Reolink E1 Zoom has been analysed. The security of the device was analysed using a 7-step method consisting of preparation, information gathering, threat modelling, security analysis, post-exploitation, and reporting. The threat modelling and penetration testing carried out on the device focused on the web application.
The result of the penetration testing was that one vulnerability was found, an XSS attack; several other security problems that did not directly lead to a vulnerability were also identified. The vulnerability identified was reported to the company as described in the report. The conclusion is that the security of the IoT device has shortcomings in certain areas.
36. Penetration Testing a Saia Unit : A Control System for Water, Ventilation, and Heating in Smart Buildings / Penetrationstestning av en Saia enhet : Ett kontrollsystem för vatten, ventilation, och värme i smarta byggnader.

Dzidic, Elvira, Jansson Mbonyimana, Benjamin January 2021 (has links)
The concept of Smart Buildings and automated processes is a growing trend. Due to a rapidly growing market of buildings that rely on the Internet, improper security measures allow hackers to gain control over the whole system easily and cause devastating attacks. Plenty of effort is being put into testing and securing the devices within a smart building in order to contribute to a more sustainable society. This thesis has evaluated the security of a control system for water, ventilation, and heating in smart buildings by using ethical hacking, where the testing is based on a systematic and agile pentesting process. The penetration testing was conducted using the black-box testing method, and the testing was based on a threat model that was created to identify vulnerabilities. The results from the penetration tests did not find any exploitable vulnerabilities. However, flaws in the system, such as data being transferred in clear text and unlimited login attempts, that need to be addressed to avoid further problems, were found. The conclusion from evaluating the control system affirms that the strength of the password has a significant role, but that the system can still be exposed to other hacking techniques, such as ”Pass the hash”. / The concept of smart buildings and automated processes is a growing trend. Due to a rapidly growing market of buildings that depend on the Internet, inadequate security measures have resulted in hackers easily being able to gain control over the entire system and cause devastating attacks. Effort is being put into testing and securing the devices in a smart building in order to contribute to a more sustainable society. This thesis has evaluated the security of a control system for water, ventilation and heating in smart buildings using ethical hacking, where the testing is based on a systematic and agile pentesting process.
The penetration testing was carried out using the black-box testing method, while the testing was based on a threat model created to identify vulnerabilities. The results from the penetration tests found no exploitable vulnerabilities. However, flaws were found in the system, among them that data is transferred in clear text and that the user has an unlimited number of login attempts, which must be addressed to avoid future problems. The conclusion from the evaluation of the control system confirms that the strength of the password plays a significant role, but that the system can still be exposed to other hacking techniques such as ”Pass the hash”.
37. Internet of things security in healthcare : A test-suite and standard review

Johansson, Michael January 2018 (has links)
Internet of things is getting more and more popular in healthcare as it comes with benefits that help with efficiency in saving lives and reducing its cost, but it also presents a new attack vector for an attacker to steal or manipulate information sent between devices. This report will focus on three properties in the definition of security: confidentiality, integrity and access control. The report will look into what challenges there are in healthcare IoT today through a literature review and, from those challenges, look into what could minimise them before a device gets into production. The report found that the lack of standardisation has led to errors that could be easily prevented by following a guideline of tests such as those from the European Union Agency for Network and Information Security, or by running a penetration test with the tools brought up in the report on the device to see what vulnerabilities are present.
38. A cybersecurity audit of the Garmin Venu

Antal, Oliver January 2023 (has links)
The presence of smart wearables has established itself as a norm of the 21st century, but the state of their trustworthiness from the viewpoint of personal safety remains debatable. The information gathered by such devices has great potential for personal safety risks and must be handled safely. Previous work on the Garmin Venu watch gave room for relevant future work. This thesis aims to perform further evaluation of this smartwatch in unexplored areas. The work took inspiration from the relatively new “PatrIoT” penetration testing methodology, developed in-house at the Network and Systems Engineering lab, customized for penetration testing of Internet of Things devices. This project examined a broad surface on the watch including network traffic, data over USB connection, a few details in the watch’s update mechanism, probed for some memory attack mitigations, fuzz testing of some functions in the Software Development Kit’s Application Programming Interface, and some more. According to these investigations, the watch is perceived as safe. A deeper look into some investigations is left for future work. / Wearable devices have become a normal part of the 21st century, but their trustworthiness from a personal safety point of view is debatable. The information collected by these devices has great potential to cause personal safety risks and must be handled safely. Previous investigations of the Garmin Venu smartwatch left room for relevant future work. This thesis aims to carry out further investigations of this smartwatch. The work took inspiration from the relatively new “PatrIoT” penetration testing methodology, developed internally by the staff of the Department of Network and Systems Engineering, tailored for penetration testing of Internet of Things devices.
This project examined a broad attack surface on the watch, including network traffic, data over the USB connection, some details of the watch’s update mechanism, the presence of some mitigations against memory-based attacks, fuzz-testing attempts in the software development kit’s application programming interface, and more. According to these investigations, the watch is perceived as secure. A deeper investigation of these aspects is left for future work.
39. Are Children Safe with Smart Watches? : Security Analysis and Ethical Hacking on Children’s Smart Watches / Är barn säkra med smarta klockor? : Säkerhetsanalys och etisk hacking på barns smarta klockor

Tian, Yaqi January 2023 (has links)
There are more and more parents that are considering purchasing smart watches for their kids. The children’s smart watches on the market are usually equipped with many practical functions like GPS positioning, a camera and messaging. Among all the smart watches for children, the ones that can be connected via a mobile application called SeTracker are popular for their acceptable prices. These smart watches may have different brands although they come from the same manufacturer and share the common service and database. The security of the mobile application is essential to the security of the products. But are they designed in a secure way? There were reports about vulnerabilities of the products previously. Unfortunately, the security requirements do not stop upon solving those vulnerabilities. In this project, it was found that the parents can track the kids and communicate with them through the mobile application, but their accounts might be logged in on the attacker’s phone at the same time. And it is surprisingly easy to get the password of the users because it is stored in a local file using a simple substitution cipher. There are other examples of insecure design in the products. Among them are the unlimited attempts to send and enter verification codes used for changing the password. It seems that the server does not have a complete logging and monitoring mechanism to prevent abnormal behaviors. The security analysis and penetration testing of this project would provide an example of mobile hacking, and it will also raise a warning on the security of smart devices. / More and more parents are considering buying smart watches for their children. The children’s smart watches on the market are usually equipped with many practical functions such as GPS, camera and messaging. Among all smart watches for children, those that can be connected via a mobile application called SeTracker are popular for their acceptable prices.
These smart watches may be of different brands even though they come from the same manufacturer and share the common service and database. The security of the mobile application is essential to the security of the products. But are they designed in a secure way? There were previous reports of vulnerabilities in the products. Unfortunately, the security requirements do not end when those vulnerabilities are resolved. In this project, it was found that parents can track the children and communicate with them via the mobile application, but their accounts may be logged in on the attacker’s phone at the same time. And it is surprisingly easy to obtain users’ passwords, because they are stored in a local file using a simple substitution cipher. There are other examples of insecure design in the products. Among them are the unlimited attempts to send and enter verification codes used to change the password. It seems that the server does not have a complete logging and monitoring mechanism to prevent abnormal behaviour. The security analysis and penetration testing of this project would provide an example of mobile hacking, and it will also raise a warning about the security of smart devices.
40. Using Semantic Data for Penetration Testing : A Study on Utilizing Knowledge Graphs for Offensive Cybersecurity / Användning av Semantisk Teknologi för Sårbarhetstestning : En Studie för att Applicera Kunskapsgrafer för Offensiv Cybersäkerhet

Wei, Björn January 2022 (has links)
Cybersecurity is an expanding and prominent field in the IT industry. As the number of vulnerabilities and breaches continues to increase, there is a need to properly test these systems for internal weaknesses in order to prevent intruders proactively. Penetration testing is the act of emulating an adversary in order to test a system’s behaviour. However, due to the number of possible vulnerabilities and attack methods that exist, the prospect of efficiently choosing a viable weakness to test or selecting a fairly adequate attack method becomes a cumbersome task for the penetration tester. The main objective of this thesis is to explore and show how the semantic data concept of Knowledge Graphs can assist a penetration tester during decision-making and vulnerability analysis, such as providing insight into attacks a system could experience based on a set of discovered vulnerabilities, and emulating these attacks in order to test the system. Additionally, design aspects for developing a Knowledge Graph based penetration testing system are made, and challenges and complications for the combined fields are also discussed. In this work, three design proposals are made based on inspiration from Knowledge Graph standards and related work. A prototype is also created, based on a penetration testing tool for web applications, OWASP ZAP, which is then connected to a vulnerability database in order to gain access to various cybersecurity related data, such as attack descriptions for specific types of vulnerabilities. The analysis of the implemented prototype illustrates that Knowledge Graphs display potential for improving data extracted from a vulnerability scan. By connecting a Knowledge Graph to a vulnerability database, penetration testers can extract information and receive suggestions of attacks, reducing their cognitive burden.
The drawbacks of this work’s prototype indicate that in order for a Knowledge Graph penetration testing system to work, the method of extracting information needs to be interfaced in a more user-friendly manner. Additionally, the reliance on specific standardizations creates the need to develop several integration modules.