7 research outputs found

    Implementation of Open Web Application Security Project for Penetration Testing on Educational Institution Websites

    The development of information technology cannot be separated from the development of website applications, nor from the security threats that target them. Educational Institution X uses a website application as an important medium in learning activities. Therefore, penetration testing is needed to find security holes in the website application. In this study, penetration testing is carried out against the student-access website at Educational Institution X, chosen because it holds sensitive student data that needs to be secured. The method used in this study is an experimental method based on the OWASP Top 10 2021 standard (Open Web Application Security Project). The penetration test of the website application at Educational Institution X found 11 testable vulnerabilities. Of the 11 vulnerabilities, one is at the medium risk level, 7 are at the low risk level, and 3 are at the informational risk level. The vulnerabilities found relate to token authentication, policy delivery, cookie attributes, cross-site script inclusion, authorization, clickjacking, and weak transport layer security. Based on the penetration testing activities, it can be concluded that the vulnerabilities found need to be repaired by the website application's developer, in this case Educational Institution X. The final result of this study is therefore a report document containing a list of vulnerabilities, recommendations for vulnerability repairs, and vulnerability mitigation strategies as solutions for improving the security of the website application.

    Benchmarking Applicability of Cryptographic Wireless Communication over Arduino Platforms

    The spaces around us are becoming equipped with devices and appliances that collect data from their surroundings and react accordingly to provide smarter networks, where they are interconnected and able to communicate with one another. These smart networks of devices and appliances, along with the applications that utilize them, build smart spaces known as the Internet of Things (IoT). With the growing popularity of such smart devices (e.g., smart cars, watches, home-security systems) and IoT, the need for securing these environments increases. The smart devices around us can collect private and personal information, and the challenge lies in maintaining the confidentiality of the collected data and preventing unsecured actions, from tapping into surveillance cameras to tracking someone's daily schedule. For example, in digital health, devices that record personal data from blood pressure, heart rate, weight and daily-activity sensors store the personal data of users for processing and monitoring and may give future recommendations. If such personal information reaches unwanted third parties who distribute or use the data without user consent or knowledge, they are attacking the user's confidentiality. Therefore, selecting the appropriate security protocols and procedures is critical. The limited processing, storage and power capabilities. In this thesis, the focus is to provide an experimental benchmark study that shows the cost (e.g., processing time of encryption and decryption algorithms) of applying different security protocols on restricted devices equipped with lightweight Bluetooth or Wi-Fi communication modules over the Arduino Uno sensor platform.

    Storing IOT Data Securely in a Private Ethereum Blockchain

    The Internet of Things (IoT) is a set of technologies that enable network-connected devices to perform an action or share data among several connected devices or with a shared database. The actions can be anything from switching on an air conditioning unit remotely, to turning on the ignition of a car through a command issued from a remote location, to asking Alexa or Google Assistant for the weather conditions in an area. IoT has proved to be game-changing for many industries such as supply chain, shipping and transportation, providing real-time updates on the status of shipments. This has resulted in a huge amount of data created by these devices, all of which needs to be processed in real time. In this thesis, we propose a method to collect sensor data from IoT devices and use a blockchain to store and retrieve the collected data in a secure and decentralized fashion within a closed system, suitable for a single enterprise or a group of companies in industries like shipping where sharing data with each other is required. Much like blockchain, we envision a future where IoT devices can connect to and disconnect from distributed systems without causing downtime for data collection or storage, and without relying on a cloud-based storage system for synchronizing data between devices. We also look at how the performance of some of these distributed systems, such as the Inter Planetary File System (IPFS) and Ethereum Swarm, compares on low-powered devices like the Raspberry Pi.

    Mirai Bot Scanner Summation Prototype

    The Mirai botnet deploys a distributed mechanism in which each Bot continually scans for a potential new Bot Victim. A Bot continually generates a random IP address to scan the network for a potential new Bot Victim, then establishes a connection with the potential new Bot Victim with a Transmission Control Protocol (TCP) handshake. The Mirai botnet has recruited hundreds of thousands of Bots. With 100,000 Bots, the Mirai Distributed Denial of Service (DDoS) attack on service provider Dyn in October 2016 made hundreds of websites in Europe and North America inaccessible (Sinanović & Mrdovic, 2017). A month before the Dyn attack, the source code was released publicly on the Internet and Mirai spread to half a million bots. Hackers offered Mirai botnets of 400,000 Bots for rent. Recent research has suggested network signatures for Mirai detection. These signatures detect a Bot brute-forcing a new Bot Victim with a factory-default user ID and password. Research has not focused on the Bot scanning mechanism. The focus of this research is experimentation to analyze the Bot scanning mechanism at the point where a Bot attempts to establish a connection to a potential new Bot Victim with a TCP handshake. The thesis presented is that it is possible to develop a solution that can analyze network traffic to identify a Bot scanning for a potential new Bot Victim. The three research questions are: (a) Can the Bots be identified for summation? (b) Can the potential new Bot Victims be identified for summation? (c) Is it possible to monitor the Bot scanning mechanism over time? The research questions support the thesis. The Design Science Research (DSR) methodology is followed for designing and evaluating the solution presented in this study. The original Mirai Bot code is used as a research data source to perform a Bot scanner code review.
    A dataset containing Bot scanning network activity, recorded by the University of Southern California (USC), is utilized as the research data source for experimentation performed with the Mirai Bot Scanner Summation Prototype solution. The Bot scanner code review is performed to identify the Bot scanning functionality and the network communications with a potential new Bot Victim. A sample from the Bot scanning dataset is confirmed against the analysis performed in the code review. The solution created in this study, the Mirai Bot Scanner Summation Prototype, evaluates a Bot scanning dataset. Researchers can use the prototype to tabulate the number of Mirai Bots, the number of potential new Bot Victims, and the number of network packet types associated with a Bot attempting to connect to a potential new Bot Victim. A database provides permanent storage for the counts of Bots, potential new Bot Victims, and network packet types. Reporting and line graphs are provided for assessing the Bot scanning mechanism over a time period. Single-case experimentation performed with the Mirai Bot Scanner Summation Prototype answers the research questions: (a) Bots are identified for summation; (b) potential new Bot Victims are identified for summation; (c) the Bot scanner is monitored over time. A comparison to a NIDS solution highlights the advantages of the prototype for summating and assessing the Bot scanning dataset. Experimentation with the Mirai Bot Scanner Summation Prototype and the NIDS verifies that it is possible to develop a solution that can analyze network traffic to identify a Bot scanning for a potential new Bot Victim. Future research could add functionality to the Bot Scanner Summation Prototype for evaluating a Bot scanner dataset for non-potential Bot Victims.

    Secure Computation over Lattices and Elliptic Curves

    Traditional threshold cryptosystems have decentralized core cryptographic primitives like key generation, decryption and signatures. Most threshold cryptosystems, however, rely on special-purpose protocols that cannot easily be integrated into more complex multiparty protocols. In this work, we design and implement decentralized versions of lattice-based and elliptic-curve-based public-key cryptosystems using generic secure multiparty computation (MPC) protocols. These are standard cryptosystems, so we introduce no additional work for encrypting devices and no new assumptions beyond those of the generic MPC framework. Both cryptosystems are also additively homomorphic, which allows for secure additions directly on ciphertexts. By using generic MPC techniques, our multiparty decryption protocols compute secret shares of the plaintext, whereas most special-purpose cryptosystems either do not support decryption or must reveal the decryptions in the clear. Our method allows complex functions to be securely evaluated after decryption, revealing only the results of the functions and not the plaintexts themselves. To improve performance, we present a novel oblivious elliptic curve multiplication protocol and a new noise-masking technique which may be of independent interest. We implemented our protocols using the SCALE-MAMBA secure multiparty computation platform, which provides security against malicious adversaries and supports arbitrary numbers of participants.

    Formal Representation of IoT Best Practices Based on the Elements of the SEMAT Essence Kernel

    The Internet of Things (IoT) is a technology that consists of a series of interconnected entities (intelligent physical objects, services and software systems) that work in a coordinated manner. They seek to simplify and improve the efficiency of processes in pursuit of a better quality of life for people. In the specialized literature, it was found that there are practices for developing IoT systems that use monolithic Software Engineering models and that are not easy to implement. It is necessary to establish a common base through an explicit representation that covers all the problems that may arise when trying to implement these practices. The objective of this project is to formalize some of the best practices of IoT using terminological extraction, taking the SEMAT (Software Engineering Method and Theory) Essence kernel as the basis of representation; the kernel allows a common base to be described, freeing the practices from the limitations of monolithic methods. This will allow IoT system implementation teams to visualize the progress of activities regardless of their work methods; it will also allow practices to be shared, adapted, connected and reproduced to create new ways of working that help developers reuse their knowledge systematically and help executives direct IoT programs and projects with better quality and reduced costs.
    Master's thesis (Magíster en Ingeniería de Sistemas y Computación).