
    Assessing the vulnerabilities and securing MongoDB and Cassandra databases

    Due to the increasing amounts and the different kinds of data that need to be stored in databases, companies and organizations are rapidly adopting NoSQL databases to stay competitive. These databases were not designed with security as a priority: NoSQL open-source software was primarily developed to handle unstructured data for business intelligence and decision support. Over the years, security features have been added to these databases, but they are not as robust as they should be, and there is scope for improvement as the sophistication of attackers keeps increasing. Moreover, the schema-less design of these databases makes it more difficult to implement traditional RDBMS-like security features in them. Two popular NoSQL databases are MongoDB and Apache Cassandra. Although there is a lot of research on security vulnerabilities and suggestions for improving the security of NoSQL databases in general, this research focuses specifically on MongoDB and Cassandra. This study aims to identify and analyze the security vulnerabilities that are specific to MongoDB and Cassandra and to produce a step-by-step guide that can help organizations secure the data stored in these databases. This is important because the design and vulnerabilities of each NoSQL database differ from one another and hence require security recommendations that are specific to them.

    Development of traceability solution for furniture components

    Dual-degree master's thesis with UTFPR - Universidade Tecnológica Federal do Paraná.
    In the contemporary context, characterized by intensified global competition and the constant evolution of the globalization landscape, it becomes imperative for industries, including Small and Medium Enterprises (SMEs), to undertake efforts to enhance their operational processes, often through digital technological adaptation. The present study falls within the scope of the project named “Wood Work 4.0,” which aims to infuse innovation into the wood furniture manufacturing industry through process optimization and the adoption of digital technologies. This project received funding from the European Union Development Fund, in collaboration with the North 2020 Regional Program, and was carried out at the Carpintaria Mofreita company, located in Macedo de Cavaleiros, Portugal. In this regard, this study introduces a software architecture that supports the traceability of projects in the wood furniture industry and simultaneously employs a system to identify and manage material leftovers, aiming for more efficient waste management. For the development of this software architecture, an approach was adopted that integrates the Fiware platform, specialized in systems for the Internet of Things (IoT), with an Application Programming Interface (API) specifically created to manage information about users, projects, and associated media files. The material leftovers identification system employs image processing techniques to extract geometric characteristics of the materials. Additionally, these data are integrated into the company’s database. In this way, it was possible to develop an architecture that allows not only the capturing of project information but also its effective management. In the case of material leftovers identification, the system was able to establish, with a satisfactory degree of accuracy, the dimensions of the materials, enabling the insertion of these data into the company’s database for resource management and optimization.

    Dependable IPTV Hosting

    This research focuses on the challenges of hosting third-party RESTful applications that have to meet specific dependability standards. To provide a proof of concept, I have implemented an architecture and framework for the use case of internet protocol television. Delivering TV services via internet protocols over high-speed connections is commonly referred to as IPTV (internet protocol television). Similar to the app stores of smartphones, IPTV platforms enable the emergence of IPTV services in which third-party developers provide services to consumers that add value to the IPTV experience. A key issue in the IPTV ecosystem is that telecommunications IPTV providers currently do not have a system that allows third-party developers to create applications that meet their standards. The main challenges are that the third-party applications must be dependable, scalable, and adhere to service level agreements. This research provides an architecture and framework to overcome these challenges.

    Security, privacy, and legislation adherence assessment of a whistleblowing web application

    In recent years, web applications have become increasingly complex as they are required to have more features than ever before. The need for more features comes from both the service providers and the end users, since competition on the Software as a Service (SaaS) market can be fierce. The ever-growing complexity and feature richness of web applications have in turn also increased their attack surface, predisposing them to new threats and vulnerabilities. Evolving web applications have also developed new methods of gathering personal data from their users. User information privacy has become a hot topic of discussion in the past decade, which has led to privacy legislation being enacted in different regions of the world. In 2019, the European Parliament enacted Directive (EU) 2019/1937 into European law; it is also known as the Whistleblower Directive. The Directive's goal is to establish rules and procedures to protect individuals who report information they have acquired in a work-related context on breaches of EU law in key policy areas. The Directive requires qualifying organizations and municipalities to set up reporting channels that whistleblowers can use to anonymously report these breaches. The commissioner of this thesis, BeanBakers Ltd, has developed a web application called Vihjaa that is meant to be used by organizations and municipalities as an internal reporting channel that complies with the requirements set for the application by the Directive. The main objectives of this thesis were to identify the requirements set for Vihjaa by EU law and then to conduct security, privacy, and legislation adherence assessments on Vihjaa to gain a deeper understanding of its current status. Furthermore, the procedures and methodology used during the assessments can be used as a framework for future work assessing the state of other web applications. 
    Our assessment found that Vihjaa's state of security, privacy, and legislation adherence is mostly in good standing, but multiple issues were identified that should be addressed. Most of the identified issues were of low severity, for instance, the lack of a privacy policy document, a missing incident response plan, and outdated dependencies. In this thesis, we present the developed framework that can be used to assess web applications of this nature, the results of our assessments, and a ranking of data items collected by a web application based on how critical they are for the process of identifying a specific user.

    Security evaluation of the NoSQL database management systems MongoDB, Redis, and Cassandra

    Research project. This project seeks to carry out a security evaluation of the NoSQL database management systems MongoDB, Redis, and Cassandra. The project proceeds by gathering information, mainly on attacks and vulnerabilities, designing a test plan to be implemented on the prototypes, and finally analyzing the results obtained and, where possible, proposing countermeasures. This makes it possible to select which tool is most suitable for a person or organization to use in a particular case. The results showed that MongoDB is more vulnerable to NoSQL injection attacks, Redis is more vulnerable to attacks registered in the CVE, and Cassandra is more complex to use but less vulnerable.
    Contents: Abstract; 1. Introduction; 2. Objectives; 3. Problem statement; 4. Justification; 5. Reference framework; 6. State of the art; 7. Methodology; 8. Project development; Conclusions; Recommendations; Bibliography; Appendices. Undergraduate degree: Systems Engineer.

    An effective and efficient web platform for monitoring, control, and management of drones supported by a new microservices approach

    In recent years there has been great growth in the use of drones, which are used in several areas such as security, agriculture, and research. Some systems that allow the remote control of drones already exist; however, these systems are quite simple and directed at specific functionality. This dissertation proposes the development of a web platform built with Vue.js and Node.js to control, manage, and monitor drones in real time. Using a microservice architecture, the proposed project will be able to integrate algorithms that allow the optimization of processes. Communication with remote devices is proposed via HTTP over 3G, 4G, and 5G networks, and can be done in real time or by scheduling routes. This dissertation addresses the case of forest fires as one of the services that could be included in a system similar to the one presented. The results obtained in this project were a success. The communication between the web platform and the drones allowed their remote control and monitoring. The incorporation of the fire detection algorithm in the platform showed that real-time analysis of the images captured by the drone is possible without human intervention. The proposed system has proved to be an asset to the use of drones in fire detection. The architecture of the application developed allows other algorithms to be implemented, yielding a more complex application with clear room for expansion.

    The Prom Problem: Fair and Privacy-Enhanced Matchmaking with Identity Linked Wishes

    In the Prom Problem (TPP), Alice wishes to attend a school dance with Bob and needs a risk-free, privacy-preserving way to find out whether Bob shares that same wish. If not, no one should know that she inquired about it, not even Bob. TPP represents a special class of matchmaking challenges, augmenting the properties of privacy-enhanced matchmaking by further requiring fairness and support for identity linked wishes (ILW), that is, wishes involving specific identities that are only valid if all involved parties have those same wishes. The Horne-Nair (HN) protocol was proposed as a solution to TPP along with a sample pseudo-code embodiment leveraging an untrusted matchmaker. Neither identities nor pseudo-identities are included in any messages or stored in the matchmaker’s database. Privacy-relevant data stay within user control. A security analysis and proof-of-concept implementation validated the approach, fairness was quantified, and a feasibility analysis demonstrated practicality in real-world networks and systems, thereby bounding risk prior to incurring the full costs of development. The SecretMatch™ Prom app leverages one embodiment of the patented HN protocol to achieve privacy-enhanced and fair matchmaking with ILW. The endeavor led to practical lessons learned and recommendations for privacy engineering in an era of rapidly evolving privacy legislation. Next steps include the design of SecretMatch™ apps for contexts like voting negotiations in legislative bodies and executive recruiting. The roadmap toward a quantum-resistant SecretMatch™ began with the design of a Hybrid Post-Quantum Horne-Nair (HPQHN) protocol. Future directions include enhancements to HPQHN, a fully post-quantum HN protocol, and more.

    A Situational Awareness Dashboard for a Security Operations Center

    As a result of this dissertation, a solution was developed that provides visibility into an institution’s security posture and its exposure to risk. Achieving this required the development of a Situational Awareness Dashboard in a cybersecurity context. This Dashboard provides a unified point of view where workers ranging from analysts to members of the executive board can consult and interact with a visual interface that aggregates a set of strategically chosen metrics. These metrics provide insight into two main topics: the performance and the risk of the organization’s Security Operations Center (SOC). The development of the dashboard was performed while working with the multinational enterprise EY. During this time frame, two dashboards were developed, one for each of two EY clients in the financial sector. Even though the first solution did not enter production and never left testing, the dashboard developed for the second client was successfully delivered, fulfilling the set of objectives proposed initially. One of those objectives was to make the solution as autonomous and self-sustaining as possible through its system architecture. Despite having different architectural components, both solutions were based on the same three-layer model. The first component runs all data ingestion, parsing, and transformation operations; the second is in charge of storing that information in a database; and the last component, possibly the most important one, is the visualization software tasked with turning the stored information into actionable intelligence through data visualization. 
    All in all, the key points listed above converged into the development of a Situational Awareness Dashboard which ultimately allows organizations to have visibility into the SOC’s activities, as well as a perception of its performance and the risks it faces.

    A Study On API Security Pentesting

    Application Programming Interfaces (APIs) are essential in the digital realm as the bridge enabling seamless communication and collaboration between diverse software applications. Their significance lies in simplifying the integration of different systems, allowing them to work together effortlessly and share data. APIs are used in various applications, for example, healthcare, banking, authentication, etc. Ensuring the security of APIs is critical to data security, privacy, and more. Therefore, pentesting APIs at every stage of development, to catch vulnerabilities early, is not only urgent but mandatory. The primary purpose of this research is to provide guidelines to help apply existing tools for reconnaissance and authentication pentesting. To achieve this goal, we first introduce the basics of APIs and OWASP's Top 10 API security vulnerabilities. Secondly, we propose deployable scripts developed for Ubuntu/Debian systems to install pentesting tools automatically. These scripts allow future students to participate in API security courses and conduct API security pentesting. API security pentesting, regarding reconnaissance and authentication, is discussed based on the configured system. For reconnaissance, passive and active approaches are introduced; for authentication, different tools are introduced, including password-based authentication brute-forcing, one-time password (OTP) brute-forcing, and JSON Web Token brute-forcing.

    An Investigation into Possible Attacks on HTML5 IndexedDB and their Prevention

    This thesis presents an analysis of, and an enhanced security model for, IndexedDB, the persistent HTML5 browser-based data store. In versions of HTML prior to HTML5, web sites used cookies to track user preferences locally. Cookies are, however, limited both in size and number, and must also be added to every HTTP request, which increases web traffic unnecessarily. Web functionality has increased significantly since cookies were introduced by Netscape in 1994. Consequently, web developers require additional capabilities to keep up with the evolution of the World Wide Web and growth in eCommerce. The response to this requirement was the IndexedDB API, which became an official W3C recommendation in January 2015. The IndexedDB API includes an Object Store, indices, and cursors, and so gives HTML5-compliant browsers a transactional database capability. Furthermore, once downloaded, IndexedDB data stores do not require network connectivity. This permits mobile web-based applications to work without a data connection. Since such IndexedDB data stores will be used to store customer data, they will inevitably become targets for attackers. This thesis firstly argues that the design of IndexedDB makes it unavoidably insecure. That is, every implementation is vulnerable to attacks such as Cross Site Scripting, and even data that has been deleted from databases may be stolen using appropriate software tools. This is demonstrated experimentally on both mobile and desktop browsers. IndexedDB is, however, capable of high performance even when compared to servers running optimized local databases. This is demonstrated through the development of a formal performance model. The performance predictions for IndexedDB were tested experimentally, and the results showed high conformance over a range of usage scenarios. This implies that IndexedDB is potentially a useful HTML5 API if the security issues can be addressed. 
    In the final component of this thesis, we propose and implement enhancements that correct the security weaknesses identified in IndexedDB. The enhancements use multifactor authentication, and so are resistant to Cross Site Scripting attacks. This enhancement is then demonstrated experimentally, showing that HTML5 IndexedDB may be used securely both online and offline. This implies that secure, standards-compliant, browser-based applications with persistent local data stores may be both feasible and efficient.