College project based on IT security - Help needed :(

woppers

Hi lads and ladies!

Brief question:
I was looking for help with coming up with an idea for a college project based on IT security.

Full question:
I am currently in my 4th year of software development in IT Carlow and I have been told to come up with an idea for a project for my Computer Science subject.

We have 2 projects to do this year. One of them is our main project so we will be working on this all year. The 2nd one is the one I mentioned above, it is a smaller project than our main one. To give you an idea of the size - our main project is worth 100% of the subject and the second project is worth 30% of the subject. So this project is worth less than 1/3 of the main project.

Now, because this project is for Computer Science it has to be pretty general. I will explain what I mean by that.

I suggested that I develop some sort of responsive website - I was told that this was too specific to websites. Fair enough.

I suggested that I develop a golf handicap system - I was told that this was too specific to golf clubs. Fair enough.

I suggested that I develop a responsive website that handles a golf handicap system- I was told that this was too specific to websites for golf clubs. Fair enough.

I then suggested that I do a project based on IT Security. (I would just like to clarify that I do not have the first clue about It Security but it interests me so I am willing to learn) My lecturer liked this idea and told me to have a think about it. I suggested that I develop a system that would check through an apache log file for excessive numbers of hits originating from the one IP address, check where if this IP address is from and block the IP address if it is considered to be a threat - I was told that this was probably already done so there is no point doing it and what would would I have liked to achieve from the project. Thats fair enough also but I am running out of ideas and I have to have made a start on this project by next week.

Here's where I need your help! My lecturer suggested that I pick a couple of IT Security concepts, analyse what they do, implement a program to test the 2 different Security concepts and show where each of them is strong and where each of them is weak and come up with some sort of a conclusion as to where one concept is better than the other is a certain situation and vice versa.

Like I said earlier on in this post, I haven't got a clue about IT security so I would really appreciate it if someone could help me out with a couple of ideas to get me started or to point me in the right direction.

Thank you for your time

srsly78

Biometrics is back in fashion thanks to the new iphone, do an analysis on how the fingerprint thingy was broken. Talk about how it might be a bad idea to rely on this for so much.

Graham

srsly78 wrote: »

Biometrics is back in fashion thanks to the new iphone, do an analysis on how the fingerprint thingy was broken. Talk about how it might be a bad idea to rely on this for so much.

It would be rather odd to base an entire project on the foundation of a pre-decided conclusion of dubious validity.

Creamy Goodness

woppers wrote: »

I suggested that I develop a system that would check through an apache log file for excessive numbers of hits originating from the one IP address, check where if this IP address is from and block the IP address if it is considered to be a threat - I was told that this was probably already done so there is no point doing it and what would would I have liked to achieve from the project.

Anyone find it depressing that lecturers think that fail2ban has 'probably been done before'.

ChRoMe

Creamy Goodness wrote: »

Anyone find it depressing that lecturers think that fail2ban has 'probably been done before'.

I find it far more depressing and completely ****ing hilarious that they have disabled account creation on their wiki due to spammers LOL.

OP, why IT security if its a field that you have such little experience in and is so broad. Do you like games, looking at something like the different pathing approaches for navigating a world might be good, doing comparisons of the standard A* search to others perhaps?

jester77

ChRoMe wrote: »

I find it far more depressing and completely ****ing hilarious that they have disabled account creation on their wiki due to spammers LOL.

Looks like they failed2ban them

IT Security is such a huge topic OP, you would need to narrow it down. Have a look at burp to get ideas of what security issues you can test against with web apps, there is a free version to use. The developer is very friendly and open to questions and suggestions and his app is extensible, maybe you could pick up some ideas there.

woppers

Thanks for all the replies guys! Its much appreciated.

ChRoMe wrote: »

I find it far more depressing and completely ****ing hilarious that they have disabled account creation on their wiki due to spammers LOL.

OP, why IT security if its a field that you have such little experience in and is so broad. Do you like games, looking at something like the different pathing approaches for navigating a world might be good, doing comparisons of the standard A* search to others perhaps?

I was hoping to learn something from this area and I would like to try and find work in IT security when I finish college. The thing is I have absolutely no experience in it and I thought it would be a good project to work on. It turns out now that I am stumped and don't even know where to start. I don't mean for this next sentence to sound naive or cheesy but I think it is amazing the likes of Anonymous have the skills to take down websites and stuff like that. I would like to eventually become a white hat hacker or get into some form of computer forensics.

I have a big interest in games and I am open to suggestions over any form of computer science. Thats not a bad idea at all. Maybe I write a program to test various different algorithms and print out results.

jester77 wrote: »

Looks like they failed2ban them

IT Security is such a huge topic OP, you would need to narrow it down. Have a look at burp to get ideas of what security issues you can test against with web apps, there is a free version to use. The developer is very friendly and open to questions and suggestions and his app is extensible, maybe you could pick up some ideas there.

Thanks for the info. I never heard of Burp, it looks pretty impressive. I could be opening up a can of worms by working on something security related while using the college network. They have it pretty well locked down so I dont know if my security project will get off the ground at all.

RealistSpy

Write a sophisticated trojan horse that is very adaptive or something to do with breaking encryption using gpu.

ChRoMe

woppers wrote: »

I think it is amazing the likes of Anonymous have the skills to take down websites and stuff like that. I would like to eventually become a white hat hacker or get into some form of computer forensics.

About 90% of those attacks are done using a technique known as "SQL injection", have fun

ChRoMe

RealistSpy wrote: »

Write a sophisticated trojan horse that is very adaptive or something to do with breaking encryption using gpu.

I'd imagine that's just a tad beyond the scope! lol

Deliverance XXV

ChRoMe wrote: »

About 90% of those attacks are done using a technique known as "SQL injection", have fun

I had to give a presentation (hate presentations) in my last year for a security subject that was worth a lot of marks.

I created two web apps (one unprotected and one protected) with XAMPP/PHP and gave demonstrations on both in how SQL injections work with both apps. I talked a little about XSS and parameterised queries. It went down well and a lot of people complimented on actually seeing it being done, opposed to reading about it from lecture notes.

The most important thing is that I learned an awful lot from it too.

woppers

RealistSpy wrote: »

Write a sophisticated trojan horse that is very adaptive or something to do with breaking encryption using gpu.

As cool as this sounds, I wouldn't have the first idea where to start on something like this. Also, this isn't a main project. Its only a side project so I don't want to end up in a situation where I might not get the project complete.

ChRoMe wrote: »

About 90% of those attacks are done using a technique known as "SQL injection", have fun

I didn't know this, thanks! I'll look into it.

Deliverance XXV wrote: »

I had to give a presentation (hate presentations) in my last year for a security subject that was worth a lot of marks.

I created two web apps (one unprotected and one protected) with XAMPP/PHP and gave demonstrations on both in how SQL injections work with both apps. I talked a little about XSS and parameterised queries. It went down well and a lot of people complimented on actually seeing it being done, opposed to reading about it from lecture notes.

The most important thing is that I learned an awful lot from it too.

This sounds really cool. This is definitely something I would be interested in. As I said earlier on though, this is a much smaller project than my main project so I don't want to get overwhelmed trying to do something that I cannot finish.

There are some good suggestions here though and I really appreciate the help!

stevenmu

It sounds like your lecturer doesn't want you to just write some code to do X. They want you to come up with a project that involves you either learning something or possibly discovering something. And then maybe backing that up with some code.

Your lecturer has given you a pretty strong hint of what to do here:

Here's where I need your help! My lecturer suggested that I pick a couple of IT Security concepts, analyse what they do, implement a program to test the 2 different Security concepts and show where each of them is strong and where each of them is weak and come up with some sort of a conclusion as to where one concept is better than the other is a certain situation and vice versa.

So really what you need to do is:
1) Take a look at some common security concepts.
2) Select 2 or more to analyse. To make things easy on yourself you could rig the selection by picking a known "bad" concept like "security through obscurity" and a known good one like "defense in depth"
3) Write a report, give a blurb about security in general, about security concepts in general, then explain the two concepts you picked in detail, explain their pros and cons
4) Do a practical example to demonstrate. For e.g. you could write two simple web apps to search a database, one using each security concept, and show how one may be vulnerable to SQL Injection and the other is not.
5) Write the conclusion for your report.
6) Go to pub to celebrate

edit: you would probably get extra marks for not rigging the selection in the first place, and in particular if you can come up with some novel weaknesses. and obviously run whatever you are going to do past your lecturer first.

woppers

stevenmu wrote: »

It sounds like your lecturer doesn't want you to just write some code to do X. They want you to come up with a project that involves you either learning something or possibly discovering something. And then maybe backing that up with some code.

Your lecturer has given you a pretty strong hint of what to do here:


So really what you need to do is:
1) Take a look at some common security concepts.
2) Select 2 or more to analyse. To make things easy on yourself you could rig the selection by picking a known "bad" concept like "security through obscurity" and a known good one like "defense in depth"
3) Write a report, give a blurb about security in general, about security concepts in general, then explain the two concepts you picked in detail, explain their pros and cons
4) Do a practical example to demonstrate. For e.g. you could write two simple web apps to search a database, one using each security concept, and show how one may be vulnerable to SQL Injection and the other is not.
5) Write the conclusion for your report.
6) Go to pub to celebrate

Ha ha! I like step 6!

That is excellent advice mate, thanks a million. That sounds more like what my lecturer is looking for alright. I was struggling to come up with a plan like that but this should help me out massively. You're a gentleman! Thanks a million!

jester77

stevenmu wrote: »

It sounds like your lecturer doesn't want you to just write some code to do X. They want you to come up with a project that involves you either learning something or possibly discovering something. And then maybe backing that up with some code.

Your lecturer has given you a pretty strong hint of what to do here:


So really what you need to do is:
1) Take a look at some common security concepts.
2) Select 2 or more to analyse. To make things easy on yourself you could rig the selection by picking a known "bad" concept like "security through obscurity" and a known good one like "defense in depth"
3) Write a report, give a blurb about security in general, about security concepts in general, then explain the two concepts you picked in detail, explain their pros and cons
4) Do a practical example to demonstrate. For e.g. you could write two simple web apps to search a database, one using each security concept, and show how one may be vulnerable to SQL Injection and the other is not.
5) Write the conclusion for your report.
6) Go to pub to celebrate

edit: you would probably get extra marks for not rigging the selection in the first place, and in particular if you can come up with some novel weaknesses. and obviously run whatever you are going to do past your lecturer first.

This a good idea. Also, instead of creating your own examples, you could use an external website or some internal sites running on your colleges intranet to find security holes. I can guarantee you, it would not be too hard to find some

We've had college students in the past find security holes in the site where I work, even though our site would be considered one of the most secure in Germany, and we've given these students jobs afterwards.

chrislad

Can always have a look at the OWASP Top 10. I think there's some projects on there that may give you an idea.

https://www.owasp.org/index.php/Top_10_2013-Top_10

woppers

stevenmu wrote: »

It sounds like your lecturer doesn't want you to just write some code to do X. They want you to come up with a project that involves you either learning something or possibly discovering something. And then maybe backing that up with some code.

Your lecturer has given you a pretty strong hint of what to do here:


So really what you need to do is:
1) Take a look at some common security concepts.
2) Select 2 or more to analyse. To make things easy on yourself you could rig the selection by picking a known "bad" concept like "security through obscurity" and a known good one like "defense in depth"
3) Write a report, give a blurb about security in general, about security concepts in general, then explain the two concepts you picked in detail, explain their pros and cons
4) Do a practical example to demonstrate. For e.g. you could write two simple web apps to search a database, one using each security concept, and show how one may be vulnerable to SQL Injection and the other is not.
5) Write the conclusion for your report.
6) Go to pub to celebrate

edit: you would probably get extra marks for not rigging the selection in the first place, and in particular if you can come up with some novel weaknesses. and obviously run whatever you are going to do past your lecturer first.

jester77 wrote: »

This a good idea. Also, instead of creating your own examples, you could use an external website or some internal sites running on your colleges intranet to find security holes. I can guarantee you, it would not be too hard to find some

We've had college students in the past find security holes in the site where I work, even though our site would be considered one of the most secure in Germany, and we've given these students jobs afterwards.

chrislad wrote: »

Can always have a look at the OWASP Top 10. I think there's some projects on there that may give you an idea.

https://www.owasp.org/index.php/Top_10_2013-Top_10

All of this is great info guys, thanks very much. I have a much clearer idea now of how to proceed with my project. Hopefully I can put all of the pieces together now!