11 |
Android Environment Security
Andersson, Gustaf, Andersson, Fredrik January 2012
In modern times mobile devices are an increasing technology and malicious users are increasing as well. On a mobile device there often exists valuable private information that a malicious user is interested in, and it often has lower security features implemented compared to computers. It is therefore important to be aware of the security risks that exist when using a mobile device in order to stay protected. In this thesis, information about what security risks and attacks are possible to execute towards a mobile device running Android will be presented. Possible attack scenarios are attacking the device itself, the communication between the device and a server and finally the server.
|
12 |
Statistické metody detekce anomálií datové komunikace / Statistical anomaly detection methods of data communication
Woidig, Eduard January 2015
This thesis serves as a theoretical basis for a practical solution to the issue of using statistical methods for detecting anomalies in data traffic. The basic focus of anomaly detection in data traffic is on data attacks. Therefore, the main focus is the analysis of data attacks. Within the thesis, data attacks are sorted by the protocols that attackers exploit for their own activities. Each section describes the protocol itself, its usage and behavior. For each protocol, the attacks are described in turn, including the methodology leading to the attack and the penalties on an already compromised system or station. For the most serious attacks, procedures for detection and potential defenses against them are outlined. These findings are summarized in the theoretical analysis, which should serve as a starting point for the practical part, which will be the analysis of real data traffic. The practical part is divided into several sections. The first of these describes the procedures for obtaining and preparing the samples to allow further analysis to be carried out. Further described are the scripts created to obtain the needed data from the recorded samples. These data were analyzed in detail, using statistical methods such as time series and descriptive statistics. Subsequently, the acquired properties and monitored behavior are verified using artificial and real attacks, with which the original clean operation is modified. A new analysis of the modified traffic is compared with the original samples, and it is evaluated whether any kind of anomaly has been detected. The results and tracking are collectively summarized and evaluated in a separate chapter with a description of possible further attacks, which were not directly part of the test analysis.
|
13 |
The effect of stress on the explore-exploit dilemma
Ferguson, Thomas 05 April 2022
When humans are faced with multiple options, they must decide whether to choose a novel or less certain option (explore) or stick with what they know (exploit). Exploration is a fundamental cognitive process. Importantly, when humans attempt to solve the explore-exploit dilemma, they must effectively incorporate both feedback and uncertainty to guide their actions. While prior work has shown that both acute (short-term) and chronic (long-term) stress can disrupt how humans solve the explore-exploit dilemma, the mechanisms of how this occurs are unclear. For example, does stress disrupt how people integrate feedback to guide their decisions to explore or exploit, or does stress disrupt computations of uncertainty regarding their choices? Importantly, the use of electroencephalography as a tool can help reveal the impact of stress on explore-exploit decision making by measuring neural signals sensitive to feedback learning and uncertainty. In the present dissertation, I provide evidence from a series of experiments where I examined the impact of both acute and chronic stress on the explore-exploit dilemma while electroencephalographic data was collected. In experiment 1, I exposed participants to an acute stressor and then examined their decisions to switch or stay – as a proxy for explore and exploit decisions – in a multi-arm bandit paradigm. I found tentative evidence that the acute stress response disrupted both the feedback learning signal (the reward positivity) and the uncertainty signal (the switch P300). In experiment 2, I adopted a computational neuroscience approach and directly classified participants' decisions as explorations or exploitations using reinforcement learning models. There was only an effect of the acute stress response on feedback signals, in this case, the feedback P300.
In experiments 1 and 2, I used contextual bandit tasks where the reward probabilities of the options shifted throughout, and there was no behavioural effect of acute stress on task performance or exploration rate. However, in experiment 3, I examined a learnable bandit where one option was preferred. Again, using computational modelling and electroencephalography, I found tentative evidence that the acute stress response disrupted the feedback learning signals (the feedback P300) and stronger evidence that acute stress disrupted the uncertainty signal (the exploration P300). As well, I observed that the acute stress response reduced task performance and increased exploration rate. Lastly, in experiment 4, I examined the impact of chronic stress exposure on explore-exploit decision making and electrophysiology – while I found no effects of chronic stress, I believe future research is necessary. Taken together, these findings provide novel evidence for the neural mechanisms of how the acute stress response impacts the explore-exploit dilemma through disruptions to feedback learning and assessments of uncertainty. These findings also highlight how theories of the P300 signal may not be properly capturing the varied role of the P300 in cognition. / Graduate
|
14 |
Graybox-baserade säkerhetstest : Att kostnadseffektivt simulera illasinnade angrepp
Linnér, Samuel January 2008
A network architecture penetration test is complicated, full of risks and extensive. This report explores how a consultant carries it out in the most time-effective way, without overlooking important parts. In an internal penetration test the consultant is often allowed to view the system documentation of the network architecture, which saves a lot of time since no total host discovery is needed. This is also good for discovering anomalies in the system documentation. Communication with system administrators during the test minimizes the risk of misunderstanding and system crashes. If serious vulnerabilities are discovered, the system administrators have to be informed immediately. Another way to make the test more effective is to skip time-consuming tasks which will succeed sooner or later, e.g. password cracking, and instead point out that the reason for the vulnerability is the ability to brute force the password. It is also appropriate to simulate attacks which otherwise could infect the production of the organization.
The result of the report is a checklist by means of a general methodology of how internal penetration tests could be implemented. The purpose of the checklist is to make it easier to do internal penetration tests. The process is divided into seven steps: Planning, information gathering, vulnerability detection and analysis, privilege escalation, penetration test and final reporting.
|
16 |
The analysis of the State autonomy after democratization of Taiwan - case study of “Bin-nan industrial exploit”
Tsai, Long-yue 16 December 2005
Abstract
“The economic miracle of Taiwan” is the result of heavy interference of the State into economic development. After democratization, the State is not as convenient as it was with the authoritative period, as far as the economic sector is concerned. The case for Bin-nan industrial exploit should be able to increase national income by 1%, but stalled for 11 years, it stays at the origin. It means that the State has lost the autonomy in forming and setting up policies that are closely related to the welfare of the public.
Utilizing the Model of The theory of Claus Offe’s system analysis for exploring the changes in autonomy of state after democratization, aided with the case for Bin-nan industrial exploit, we discussed the economic, legitimate, and political sub-systems and made a thorough interpretation. It is clear that in the highly controversial case for Bin-nan industrial exploit, the State slowed down the pace of development approval in exchange for support of the administration from the public and left the capitalists to communicate and negotiate with the local and social groups. The State expressed its support of the project orally on the one hand and assisted in administration operations to avoid capital flight on the other hand, which avoids the non-support of the current administration from the public due to full support of capitalists, which may lead to the legitimacy crisis of the administration.
During the economic development process after democratization of Taiwan, the State is still holding the dominating position in the implementation of mercantilism and is still playing the initiative role in economic development and continues in promoting capital accumulation and in pushing industrial technology. The will in developing economy has indicated that the State has its preoccupies position, so the State inevitably has dual consideration in the selection of autonomy policy, which is expecting continuous capital accumulation and securing the consent from the people for its legitimate ruling base.
|
17 |
Software Security Analysis : Managing source code audit
Persson, Daniel, Baca, Dejan January 2004
Software users have become more conscious of security. More people have access to the Internet and huge databases of security exploits. To make secure products, software developers must acknowledge this threat and take action. A first step is to perform a software security analysis. The software security analysis was performed using automatic auditing tools. An experimental environment was constructed to check if the findings were exploitable or not. Open source projects were used as reference to learn what patterns to search for. The results of the investigation show the differences in the automatic auditing tools used. Common types of security threats found in the product have been presented. Four different types of software security exploits have also been presented. The discussion presents the effectiveness of the automatic tools for auditing software. A comparison between the security in the examined product and the open source project Apache is presented. Furthermore, the incorporation of the software security analysis into the development process, and the results and cost of the security analysis are discussed. Finally, some conclusions were drawn.
|
18 |
Penetration Testing in a Web Application Environment
Vernersson, Susanne January 2010
As the use of web applications is increasing among a number of different industries, many companies turn to online applications to promote their services. Companies see the great advantages with web applications such as convenience, low costs and little need of additional hardware or software configuration. Meanwhile, the threats against web applications are scaling up where the attacker is not in need of much experience or knowledge to hack a poorly secured web application as the service easily can be accessed over the Internet. While common attacks such as cross-site scripting and SQL injection are still around and very much in use since a number of years, the hacker community constantly discovers new exploits making businesses in need of higher security. Penetration testing is a method used to estimate the security of a computer system, network or web application. The aim is to reveal possible vulnerabilities that could be exploited by a malicious attacker and suggest solutions to the given problem at hand. With the right security fixes, a business system can go from being a threat to its users’ sensitive data to a secure and functional platform with just a few adjustments. This thesis aims to help the IT security consultants at Combitech AB with detecting and securing the most common web application exploits that companies suffer from today. By providing Combitech with safe and easy methods to discover and fix the top security deficiencies, the restricted time spent at a client due to budget concerns can be made more efficient thanks to improvements in the internal testing methodology. The project can additionally be of interest to teachers, students and developers who want to know more about web application testing and security as well as common exploit scenarios.
|
19 |
Threat Analysis of Smart Home Assistants Involving Novel Acoustic Based Attack-Vectors
Björkman, Adam, Kardos, Max January 2019
Background. Smart home assistants are becoming more common in our homes. Often taking the form of a speaker, these devices enable communication via voice commands. Through this communication channel, users can for example order a pizza, check the weather, or call a taxi. When a voice command is given to the assistant, the command is sent to cloud services over the Internet, enabling a multitude of functions associated with risks regarding security and privacy. Furthermore, with an always active Internet connection, smart home assistants are a part of the Internet of Things, a type of historically not secure devices. Therefore, it is crucial to understand the security situation and the risks that a smart home assistant brings with it. Objectives. This thesis aims to investigate and compile threats towards smart home assistants in a home environment. Such a compilation could be used as a foundation during the creation of a formal model for securing smart home assistants and other devices with similar properties. Methods. Through literature studies and threat modelling, current vulnerabilities towards smart home assistants and systems with similar properties were found and compiled. A few vulnerabilities were tested against two smart home assistants through experiments to verify which vulnerabilities are present in a home environment. Finally, methods for the prevention and protection of the vulnerabilities were found and compiled. Results. Overall, 27 vulnerabilities towards smart home assistants and 12 towards similar systems were found and identified. The majority of the found vulnerabilities focus on exploiting the voice interface. In total, 27 methods to prevent vulnerabilities in smart home assistants or similar systems were found and compiled. Eleven of the found vulnerabilities did not have any reported protection methods. 
Finally, we performed one experiment consisting of four attacks against two smart home assistants with mixed results; one attack was not successful, while the others were either completely or partially successful in exploiting the target vulnerabilities. Conclusions. We conclude that vulnerabilities exist for smart home assistants and similar systems. The vulnerabilities differ in execution difficulty and impact. However, we consider smart home assistants safe enough to use with the accompanying protection methods activated.
|
20 |
Near Field Communication Security concerns & applicable security in Android
Bengtsson, Filip, Madrusan, Matteo January 2020
Near Field Communication (NFC) is being used more frequently in smart devices; this raises security concerns whether the users' information is secure from attackers. The thesis examines the threats that NFC on Android smartphones is exposed to, its countermeasures, as well as existing protocols that ensure the integrity and confidentiality of the users' data. The results were achieved by a literature study, a questionnaire sent to companies that create products related to the subject as well as an experiment that was divided into two parts. The first part examined what information can be extracted from a debit card stored on an Android smartphone. The second part included a relay attack in which a purchase would be made with a victim’s debit card by using Android smartphones. The results show that it is difficult to conduct any attack on the smart devices because of the limited range of NFC as well as the fact that the protocols available for making purchases with debit cards stored on smart devices disallow unauthorized applications and hardware from attacking cards stored in smart devices.
|