Render 2016 Photo of Security
Security
Photo of Vulnerability Scanning of E-Payment Gateways
Vulnerability Scanning of E-Payment Gateways
  • Slider Image
    Chan Kok Jing, Daryl
  • Slider Image
    Cheong Jie Ning, Jacqueline
  • Slider Image
    Preshant Achuthan
  • Slider Image
    Xin Zhiyuan

Vulnerability Scanning of E-Payment Gateways

Categories

Course & option
Diploma in Infocomm Security Management

Project Title
Vulnerability Scanning of E-Payment Gateways

Team Members:
Preshant Achuthan, Chan Kok Jing, Daryl, Cheong Jie Ning, Jacqueline, Xin Zhiyuan

Internal Supervisor
Liew Chin Chuan (ccliew@sp.edu.sg)

Technology Used
Ruby, JavaScript, Ruby on Rails, PostgreSQL, Redis, Resque, PhantomJS, nmap, w3af

Background
The trend of online shopping has become an increasing phenomenon in today’s world, driven by the connectivity and convenience that came along with rapid technology advancement. Payment gateways play a crucial and central role in e-commerce. In the event that the payment gateway is compromised, banks are held accountable to the merchant for failure to receive the correct payment funds. Security of payment gateways is a major factor in ensuring that transactions made are genuine. However, banks are in no control of payment gateways employed by online shopping sites. Banks are concerned with the fact that payment gateways, or even the shopping site, may be vulnerable and susceptible to cyber-attacks. The problem to be discussed and further explored in this project – What can be done to help banks minimize payment processing risks stemming from vulnerabilities found in e- commerce sites & payment gateways?

Description
The solution developed, SANTA, automates the whole processing of navigating to the checkout page of an e-commerce site and detecting the various payment gateways employed by the site. SANTA would then proceed on to scan these payment gateways to identify any potential vulnerabilities which may be present.

Potential Opportunities
SANTA can be used by banks to automate this whole processing of identifying payment gateways used by an e-merchant and proceed on to check for any vulnerabilities present. This will greatly reduce the operating costs for banks as compared to running penetration tests on a regular basis.
 


Photo of Singtel Enterprise Security Risk Management Portal (ESRMP)
Singtel Enterprise Security Risk Management Portal (ESRMP)
  • Slider Image
    BoQiang
  • Slider Image
    Randall
  • Slider Image
    YiJing

Singtel Enterprise Security Risk Management Portal (ESRMP)

Categories

Course & option:
Diploma in Infocomm Security Management

Project Title:
Singtel Enterprise Security Risk Management Portal (ESRMP)

Team Members:
Lee Bo Qiang, Lim Jia Jin Randall, Wong Yi Jing, Loh Xueliang

Internal Supervisor:
Calvin Siak Chia Bin (calvin_siak@sp.edu.sg)

External Supervisor:
Basarudin Bin Ahmad and Zeng XianBo, Joseph (NCS)

Technology Used:
Apache Tomcat, MySQL, Eclipse IDE, BitSight, Highcharts, Bootstrap

Background:
The senior management of a company require meaningful information from the security assessment reports for decision making. Within a limited time period, understanding the technical reports fully may seem like an impossible task. They face challenges in identifying, obtaining, processing and aggregating key information that enables them to steer towards defined targets effectively, and ultimately be in better control of their company’s cyber security.

Description:
Singtel Enterprise Security Risk Management Portal (ESRMP) is a web based portal that is mainly targeted at the senior management of a company. This does not necessarily mean that it is restricted to only the senior management as it is also for other employees of the company, such as security consultants, to utilize it.

It aims to provide a consolidated single pane of glass that displays meaningful information from the detailed and technical security assessment reports and also third party solution in the form of graphical representation that is easy to understand and also can be processed within a short amount of time.

Potential Opportunities:
Currently in the team’s project scope, only 3 components were involved. However, Singtel plans to have a few more components in the near future. They are Incident Response and Forensics Investigation, Security Briefing and Cyber Threat Intelligence.

 

 

Photo of Security Intelligence Map
Security Intelligence Map
  • Slider Image
    Wynona Kaan Syn Yarn
  • Slider Image
    Lee Tze Ting
  • Slider Image
    Darren Wong Jia Wei
  • Slider Image
    Marcus Tay Kai Yan

Security Intelligence Map

Security

Course & option:
Diploma in Infocomm Security Management

Project Title:
Security Intelligence Map

Team Members:
Wynona Kaan Syn Yarn, Lee Tze Ting, Darren Wong Jia Wei, Marcus Tay Kai Yan

Internal Supervisor:
Liew Chin Chuan (ccliew@sp.edu.sg)

Technology Used:
Google Javascript API, Android, Google Analytics

Background:
As of now, it is nearly impossible to tell the difference when an alarm sounds. One may mistake this alarm for a drill and remain in the classroom, without a concern with regards to the dangers of their actions. One such case would be the recent fire outbreak in Singapore Polytechnic’s hilltop. As there was no P.A. system, it was impossible to know whether the sound represented a drill or an actual emergency situation. Many students still remained in class even with the constant sounding of the alarm, treating it as a drill or alarm maintenance, until after more than 5 minutes, when teachers stormed into classrooms to evacuate students. This brought upon immediate chaos, many students were caught off guard and had no idea what was actually going on. As such, there needs to be a monitor of the movement of connections in Singapore Polytechnic, so that students are capable of understanding and differentiating a drill from a real fire outbreak, by looking at the movement of connections within the various access points.

Also, it is hard for students to know which food courts are crowded or have no seats, given that they are in class and are planning on where to go for lunch. As such, there needs such a monitor which is capable of monitoring the population at various areas, so that they are able to plan their route, to have a satisfying lunch in peace.

Description:
Security Intelligence Map provides both staff and students of Singapore Polytechnic a visible indication on the locations of the various areas in the school, through a map. This map further allows its users to view the concentration of people at a particular area, and thus of which creates a “heatmap”. Using this derived information, students are capable of avoiding crowds during peak periods. Staffs are capable of monitoring the internet traffic and/or human traffic, based on their needs.

Potential Opportunities:
Possibility to expand this technology out to more areas, not only limited to one school.

Photo of Secure Cloud Storage
Secure Cloud Storage
  • Slider Image
    Dex
  • Slider Image
    Nathaniel
  • Slider Image
    Jian Yiee
  • Slider Image
    Wei Theen

Secure Cloud Storage

Categories

Course

Course & option:
Diploma in Infocomm Security Management

Project Title:
Secure Cloud Storage

Team Members:
Jian Yiee , Wei Theen, Dex, Nathaniel

Internal Supervisor:
Lu Liming (LU_LIMING@sp.edu.sg)

Technology Used:
JAVA, C#, Android SDK

Background:
Storing data in a cloud storage, for example Amazon Cloud Drive, Microsoft SkyDrive, or Dropbox, is gaining popularity recently. While cloud services offer flexibility and scalability, there have been commensurate concerns about security. As more data moves from centrally located storage server to the Cloud, the potential for personal and private data to be compromised will increase. Confidentiality, availability and integrity of data area at risk if appropriate measures are not in put in place prior to selecting a Cloud vendor or implementing your own cloud and migrating to cloud services. Scenarios where users have concerns of the integrity of their data stored in the cloud storage are our main concern, as the cloud storage server may not fulfil its promise of maintaining the data integrity and adhering to the service level agreement.

Description:
Proofs of Retrievability (POR) is a cryptographic formulation for remotely auditing the integrity of files stored in the cloud, without keeping a copy of the original files in local storage. In a POR scheme, a user Alice stores her files on a potentially dishonest cloud storage server Bob along with some authentication data. When needed, Alice can remotely and efficiently verify the integrity of her file using the authentication data, without needing to retrieve the file back.

Potential Opportunities:
Secure Cloud Storage has the potential to help existing cloud service providers to enhance their security without loss of efficiency in their systems

 

 

Photo of Safe PDF documents – Project Lapis
Safe PDF documents – Project Lapis
  • Slider Image
    Daniel Ho Jing Yang
  • Slider Image
    Lindon Ng Kah Wer
  • Slider Image
    Muhammad Mikail Bin Jamil
  • Slider Image
    Yew Jing Hui

Safe PDF documents – Project Lapis

Categories

Course & option:
Diploma in Infocomm Security Management

Project Title:
Safe PDF documents – Project Lapis

Team Members:
Daniel Ho Jing Yang, Lindon Ng Kah Wer, Muhammad Mikail Bin Jamil, Yew Jing Hui

Internal Supervisor:
Ho Chee Meng (cheemeng@sp.edu.sg)

External Supervisor (DSO):
Yap Chun Beng (ychunben@dso.org.sg)
Koh Ming Yang (kmingyan@dso.org.sg)

Technology Used:
Python 2.7, Adobe PDF format

Background:
The Adobe Portable Document Format has passed the test of time, to be the world’s de facto standard format when an electronic “hard copy” document is required. A programming language in its own rights, the format is committed to document handling and control, garnering a wealth of powerful features with every new version.

In protected networks where documents with complex formats such as PDF are used, they can be used as a medium for malware or for data leakage. For example, in 2014, Adobe Reader had 67 vulnerabilities, and 31% of them still remain unpatched today. Sensitive information can also be hidden in PDF files as a means to leak them out through sensitive networks.

Description:
The purpose of project Lapis is to develop a competent backend application to analyse and sanitise PDF files, for use as a first line of defence in a series of anti-virus solutions, to increase productivity and optimise the flow of documents.

The tool chain application, Lapis, was created with the intention to improve the process of handling PDF files by acting as the first respondent. Commercial Anti-virus solutions, though effective, tend to impede the flow of processing documents.

Lapis, if part of a chain of solutions, aims to reduce the overhead of documents being parsed through by filtering out suspicious or malicious files. Dynamic analysis software can then be employed to analyse the flagged suspicious files.

Lapis as a single entity, is a comprehensive stand-alone tool for the static analysis of PDF documents, which provides two levels of sanitisation options to users.

Potential Opportunities:
Lapis can function as a modular attachment to an existing chain of security measures with the specific role of parsing any PDF documents that are being imported into the system or exported out.

To cater to the general public, Lapis is able to be used as a stand-alone tool. By deploying it as a web application, Lapis is able to function as an online scanning tool.

Photo of Lokton
Lokton
  • Slider Image
    Poh Emran Bin Elias
  • Slider Image
    Tan Yong Jian Samuel
  • Slider Image
    Jared Quek Jie Ren
  • Slider Image
    Lim Hwee Chye

Lokton

Categories

Course & option
Diploma in Infocomm Security Management

Project Title
Lokton : An automated security evaluation of a network of machines

Team Members
Poh Emran Bin Elias, Jared Quek Jie Ren, Lim Hwee Chye, Tan Yong Jian Samuel

Internal Supervisor
Eileen Yeo (Eileen_Yeo@sp.edu.sg)

Supervisor
Dinil Mon Divakaran

Technology Used
ESXi Server 6.0, Nexpose, Nessus, MBSA, VMWare vCenter Converter

Background:
Network vulnerability scans are executed periodically to ensure that the network is free of any known vulnerabilities. These scans are conducted using network vulnerability tools to scan the physical network of systems. More often than not, these scans are intrusive and can cause the system to malfunction. Examples include but are not limited to: modification of data and service disruption.

Vulnerability assessments conducted by IT professionals are relatively expensive. Small companies that wish to secure their network may not have the financial capabilities nor the IT security expertise to execute such scans. In the event that they do proceed with the scans, they run a higher risk of a service disruption or complete system failure.

Description
The Lokton project requires the creation of a tool for an automated security evaluation of a network of machines. It consists of 2 phases; Emulation and Evaluation.

Emulation seeks to copy the volumes of the source computer/machine to be converted into a virtual machine. All system configurations and applications currently installed in the source computer would be included inside its virtual machine counterpart. It would emulate the network of virtual machines in a separate environment in an attempt to recreate the original conditions

Evaluation of the network of virtual machines aims to provide the user with a comprehensive report on the security status and vulnerabilities that exists within the network through the use of third party vulnerability analysis tools.

With the seamless integration of the 2 phases, the tool would produce an evaluation of a network of emulated machines in an automated fashion.

Potential Opportunities
Lokton has the potential with further development to include more improvement in the near future. Application of a more diverse choice of vulnerability analysers and a unified report is simply just a start.

 

 

Photo of Logs Interactive Visualisation Engine (LIVE)
Logs Interactive Visualisation Engine (LIVE)
  • Slider Image
    Chua Yi Zhen
  • Slider Image
    Muhammad Farid
  • Slider Image
    Soh Jia Wei Anders
  • Slider Image
    Chin Yi Bing

Logs Interactive Visualisation Engine (LIVE)

Categories

Course & option:
Diploma in Infocomm Security Management

Project Title:
Logs Interactive Visualisation Engine (LIVE)

Team Members:
Chua Yi Zhen, Muhammad Farid, Soh Jia Wei Anders, Chin Yi Bing

Internal Supervisor:
Mr. Calvin Siak Chia Bin (calvin_siak@sp.edu.sg)

External Supervisor:
Dr. S. P. T. Krishnan (Institute for Infocomm Research)

Technology Used:
Google App Engine, OAuth 2.0 Protocol, Google BigQuery, Google Charts, Python Programming Language, Log watcher, Apache Log files

Background:
The internet has become part of the daily life of most people. This, combined with frequent usage of the internet, web servers will have more logs in their systems as compared to a decade ago. With all these big data of logs, it will be difficult for middle-level and high-level managements such as the system administrator to keep track of their log files in real time to check for essential information about possible attacks as there will be new lines of log data appended almost every minute.

Description:
LIVE represents Logs Interactive Visualisation Engine. LIVE aims to build an automated method to update Google BigQuery with apache log files as close to real time as possible, display log files as intelligent dashboard using data obtained from Google BigQuery and inputting into Google Charts on Google App Engine, and also to detect possible cyber-attacks such as SQL injection and DOS (Denial of Service) attacks. It would also alerts the user via email if there is any sign of anomalies.

Potential Opportunities:
LIVE can be a useful tool for middle-level and high-level managements such as system administrators to be able to keep track of their web traffic more efficiently and finding out the characteristics of their web visitors in order for them to optimise their reach.
 

 

Photo of Kinect Gait Based Authentication
Kinect Gait Based Authentication
  • Slider Image
    Muhammad Sholihin Bin Kamarudin
  • Slider Image
    Zahir Ahmad
  • Slider Image
    Bai Qing Rong
  • Slider Image
    Kenneth Kan

Kinect Gait Based Authentication

Categories

Course

Course & option:
Diploma in Infocomm Security Management

Project Title:
Kinect Gait Based Authentication

Team Members:
(left to right according to the photo)
Muhammad Sholihin Bin Kamarudin, Kenneth Kan, Bai Qing Rong, Zahir Ahmad

Internal Supervisor:
Dr Lu Li Ming (LU_LIMING@SP.EDU.SG)

Technology Used:
Kinect, Kinect SDK 1.8, Processing2.0 ( Programming)

Background:
The ability to produce an automated detection system to identify users based on their unique gaits using a Kinect is one of a good security implementation the world can have. Gait patterns are always made unique due to the fact that different subjects always having a different walking behaviour. Research from the past have proven and shown that Gaits are hard to hide and imitate. One of the greatest advantage enables Gait recognition to not require the subject’s attention during the implementation phase as the system would run behind the scenes and detect any possible unauthorized users, alerting the management for further action. These are potential advantages that should be heavily considered.

Description:
The project aspires to identify subjects without intrusion into the subject’s daily life. Gait is an important part of every human life. An algorithm is set in place to calculate length of joints together with an angle to form an identification method. It aims to research if an algorithm can be calculated based on the diverse findings. This solution is designed to work as a background process. Research has shown that it is indeed possible to make a security program with a Microsoft Kinect. The Kinect has been equipped with Depth cameras which will enhance the results of the data to make the program more accurate.

In attempt to evaluate if the program is suitable to be used as a security implementation, various testing and experimentations will be carried out. This is targeted at economical organisations, such as schools, where a Kinect may prove useful and cost effective. Most importantly, this program is targeted and proposed for its ability to be non-intrusive. Through experimentations, proper documentation are anticipated to achieve results. Profiling is a critical phase in this project. It helps to gather distinctive data to be used for research.

The team made use of Microsoft Kinect sensor to research and explore more possibilities. The Microsoft Kinect has already been programmed to be able to detect and calculate XYZ. The proposed areas include just the left portion of the human body. Data will be extracted. In this program, the team will be using Processing, a language that is similar to Java. Data for comparisons will be stored in MySQL database.

So imagine, when a person were to enter a class, they would have to walk pass the Kinect at a normal walking speed. The Kinect will do the following, for each millisecond after a person is detected, it will record the X&Y Axis of the persons limbs. For each millisecond it will continue to record and once the user has pass the Kinect fully is where the magic happens. The Kinect will do many types of calculation such as calculating average speed of the user walk, length of limbs, unique gait movements, and angles between the arm during hand swing movement and also save a recording of the user walk.

All this will then be compared against the database and ensuring that the matching has a 92% similarity rate from the obtained calculation to the stored calculation which is obtain during the profiling phase.

This project has a success rate of 87% of identifying the user.

Potential Opportunities:
This program can be used in replacement of the Attendance taking system. Precautionary warning letters have been sent from the school to inform students that sharing of attendance code is strictly prohibited and yet these actions still persist. With the widespread of social media and communication platforms which the school has no jurisdiction against; should they decide to take disciplinary measures something which most students are aware of.

With our program in place and gait being unique to each individual, it can’t be shared among students thereby tackling the issue: sharing of codes.

Photo of IoT Honeypot
IoT Honeypot
  • Slider Image
    Low Shien Kiat
  • Slider Image
    Bijjala Naga Krishna Suteja
  • Slider Image
    Cheong Zun Jie
  • Slider Image
    Darren Neo

IoT Honeypot

Categories

Course & option:
Diploma in Infocomm Security Management

Project Title
IoT Honeypot

Team Members
Low Shien Kiat, Darren Neo, Bijjala Naga Krishna Suteja, Cheong Zun Jie

Internal Supervisor
Dr. Lu Liming (lu_liming@sp.edu.sg)

External Supervisor
Mr. Christopher Lek (The Honeynet project- Singapore Chapter)

Technology Used
HTTP, SSH, XMPP, Raspberry Pi, Python

Background:
A study released by Hewlett-Packard found that 70% of devices connected to the Internet are vulnerable to some form of attack. With the exponential growth of “Internet of Things”, there is a rising concern on the increasing attack vectors for attackers into user devices. In order to study attacker methods and to facilitate the collection of the statistics of such attacks, we have made a honeypot that can emulate IoT services. This will allow us to understand the new threat landscape of IoT.

Description:
The project aims to deliver an Internet of Things Honeypot, where an internet of thing will be simulated. For the project, a webcam interface will be simulated and hosted on a server which is open to the outside world, so that it will attract attackers to the interface, where their activities will be logged down. Anything attackers try to do, be it uploading malicious files, trying to redirect to another page, will be recorded down and analyzed. The webcam interface will be simulated via HTTP, where it will display a live footage of a webcam stream, such that it will be the main attraction of attackers. Not only HTTP, protocols such as SSH and XMPP will also be tested on. The data these protocols have collected will be analyzed to derive the pattern and forms of attacks that are currently being used. Not only the project aims to deliver a product, it will also spread awareness to the public that Internet of Things are not completely secure, attacks are commonly performed under the cloud. Therefore, honeypot can be used to derive the commonly used attacks and their methods, where countermeasures can be implemented to prevent them from happening.

Potential Opportunities:
These honeypots can be a useful tool for determining the weaknesses of an IoT protocol and for the testing of these protocols. They can help us map out the threat landscape for IoT devices, allowing for increased awareness in the Industry.

 



 

Photo of ClouderExt
ClouderExt
  • Slider Image
    Chua Ian
  • Slider Image
    Jarrold Tan Yu Hng
  • Slider Image
    Ang Chin Guan Melvin
  • Slider Image
    Yap Rong En

ClouderExt

Categories

Course & option:
Diploma in Infocomm Security Management

Project Title:
ClouderExt

Team Members:
(left to right according to the photo)
Chua Ian, Jarrold Tan Yu Hng, Ang Chin Guan Melvin, Yap Rong En

Internal Supervisor:
Ho Chee Meng (CheeMeng@sp.edu.sg)

External Supervisor:
Mr Daniel Blomberg (Cantera)

Technology Used:
HTML5, CSS3, Javascript, JQuery, Google Chrome Extension Framework, Java Servlet Pages, www.clouder.cf

Background:
In modern times, most companies are connected to the web. Whether the company is accessing a database in the cloud or advertising online, they will need the Internet connection. There are employees that misuse this Internet connection to surf the website for their personal needs. Using the company’s bandwidth to visit social media website may not really pose a serious problem, however, there are serious issues such as employees, intentionally or unintentionally, downloading malicious software onto the company’s network.

Having viruses, worms or Trojans on the company’s network will cause major issues such as leaks of confidential information that the company is in charge of and the company will be held responsible for such losses.

Description:
Project ClouderExt™ aims to develop a cloud-based system that enables organizations to reduce insider theft, protect their intellectual property and confidential data as well as enable employers to better optimize employee productivity while monitoring for compliance requirements.

The proposed solution that the our team came up with is that of a Chrome Browser Extension that collects usage data, with the gathered data presented to the end user via a simple and neat web interface. Motivated by the popularity of the Google Chrome browser, the team decided to leverage on this and develop on the Chrome platform.

Potential Opportunities:
Distractions from entertainment sites and social media is detrimental to the productiveness of employees, meaning that business opportunities could be lost. A browser has the potential to provide communication channels through emails and social media, it is through these channels that business secrets could be leaked; access to these communication channels possibly cannot be blocked due to conflict with business interest. Businesses, especially those that specialise in consumer sales, are getting savvier at using the different online media to expand their business.

There is also a rise in the popularity of using a web interface for accessing a company’s work system. Furthermore, the digitalisation of 1st world countries has led to more frequent use of remote access to allow employees to work anywhere. An example being Singapore’s Smart Nation Home Office. As such, the importance of the web browser in an organisation cannot be undermined, and our project aims to secure this aspect.

 

Photo of Biometrics-based Anonymous Entity Authentication Techniques
Biometrics-based Anonymous Entity Authentication Techniques
  • Slider Image
    Bay Wan Ting
  • Slider Image
    Joseph Fung King Yiu
  • Slider Image
    Teo Jun Hong
  • Slider Image
    Qwek Zhi Hui

Biometrics-based Anonymous Entity Authentication Techniques

Categories

Course & option:
Diploma in Infocomm Security Management

Project Title:
Singtel Enterprise Security Risk Management Portal (ESRMP)

Team Members:
Bay Wan Ting, Joseph Fung King Yiu, Teo Jun Hong, Qwek Zhi Hui

Internal Supervisor:
Lu Liming (lu_liming@sp.edu.sg)

Technology Used:
SecuGen Hamster Plus, MS Windows 7, Java JDK, Java SE, Netbeans IDE, Eclipse IDE, MySQL

Background:
Multi-factor entity authentication techniques have garnered increasing attention and found its footing in recent years. Undoubtedly, biometrics main advantage over other authentication techniques are in its high portability and security. However, at the same time, concerns over possible leakage of individual privacy in the use of biometrics for authentication, are not unfounded.

Description:
This project aims to solve the issue by developing the basis for biometrics-based entity authentication techniques that serves to protect an individual’s privacy. With little to none existing consumer-ready product or algorithm out in the market, the implementation demonstrated in this report covers new ground, and revolves around the concept of anonymous entity authentication, through the use of biometrics without the actual imagery through the use of fuzzy hashing. This project will also be released to the open-source community for feedback and possible further improvements.

Potential Opportunities:
The working implementation developed can be a useful tool to build upon, and can be easily modified to suit the needs of any individual or corporation.