
Orbital (a.k.a., CP2106: Independent Software Development Project) is the School of Computing’s 1st year summer self-directed, independent work course. This programme gives students the opportunity to pick up software development skills on their own, using sources on the web, all while receiving course credit in the form of 4 modular credits of Unrestricted Electives (UE). SoC provides the Orbital framework for helping students stay motivated and driven to complete a project of their own design, by structuring peer evaluation, critique and presentation milestones over the summer period.

Summary of the Level of Achievements

Vostok

Features

  • Basic features
  • Use of database (workload must be justified otherwise if there is no database)

Planning / Version Control (via Git + GitHub)

  • GitHub repo + Basic version control (e.g., add / commit / push / pull)

Design

  • Use cases and features
  • Flow and architecture

Implementation

  • Organization of files into folders
  • Code level comments

Testing

  • System testing by the developers

Documentation

  • Proper description of the system in project README, project poster and project video

Quality of peer evaluation given

  • Average feedback rating >= 2

Gemini

Features

  • Basic / Intermediate features
  • Use of database (workload must be justified otherwise if there is no database)

Planning / Version Control (via Git + GitHub)

  • GitHub repo + Basic version control (e.g., add / commit / push / pull)

Design

  • Use cases and features
  • Flow and architecture

Implementation

  • Organization of files into folders
  • Code level comments

Testing

  • System testing by the developers

Documentation

  • Proper description of the system in project README, project poster and project video

Quality of peer evaluation given

  • Average feedback rating >= 3

Apollo 11

Features

  • Basic / Intermediate / advanced features with complexity
  • Use of database (workload must be justified otherwise if there is no database)

Planning / Version Control (via Git + GitHub)

  • GitHub repo + Basic version control (e.g., add / commit / push / pull)
  • GitHub issues with (monthly) milestones / labels / tags / assignee + Intermediate version control (branching, pull request)

Design

  • Use cases and features
  • Flow and architecture
  • Design diagrams (drawn with tools): Sequence diagram, activity diagram, class diagram, ER diagram, etc.
  • Design principles + pattern
  • Design decisions (alternatives, criteria, comparison and justification)

Implementation

  • Organization of files into folders
  • Code level comments
  • Coding Standard

Testing

  • System testing by the developers
  • Multi-level (unit / integration / system) testing with automation + User testing
  • Proper test strategy (planning / test case design)

Documentation

  • Proper description of the system in project README, project poster and project video
  • SE evidence in every stage of the development process in project README, project poster and project video

Quality of peer evaluation given

  • Average feedback rating >= 4

Artemis

Features

  • Basic / Intermediate / advanced features with complexity
  • Use of database (workload must be justified otherwise if there is no database)

Planning / Version Control (via Git + GitHub)

  • GitHub repo + Basic version control (e.g., add / commit / push / pull)
  • GitHub issues with (monthly) milestones / labels / tags / assignee + Intermediate version control (branching, pull request)
  • 2-week sprint with objectives / allocation / tracking.
  • GitHub Projects + Code Review + CI/CD

Design

  • Use cases and features
  • Flow and architecture
  • Design diagrams (drawn with tools): Sequence diagram, activity diagram, class diagram, ER diagram, etc.
  • Design principles + pattern
  • Design decisions (alternatives, criteria, comparison and justification)

Implementation

  • Organization of files into folders
  • Code level comments
  • Code Review

Testing

  • System testing by the developers
  • Multi-level (unit / integration / system) testing with automation + User testing
  • Proper test strategy (planning / test case design)

Documentation

  • Proper description of the system in project README, project poster and project video
  • SE evidence in every stage of the development process in project README, project poster and project video

Quality of peer evaluation given

  • Average feedback rating >= 4

General suggestions for the last phase of Orbital

  1. Design
    • I know that design by itself is a skill and a broad area to master; however, I think it is an important aspect because whatever you have built has an interface for users to interact with. The interface should be user-friendly and easily understandable. If you need inspiration, you may want to look at designs on websites like https://dribbble.com/ ... I don't mean to say that your design should be fancy, but it should follow some of the basic design principles and be comfortable for anyone to use. You may want to explore things like https://coolors.co/ which gives you a good combination to start with. For mobile design, you can look at existing applications on https://mobbin.com/browse/ios/apps
  2. Testing
    • It's an area that's lacking in most groups
      • User testing: things like usability testing https://www.nngroup.com/articles/usability-testing-101/ and your typical surveys, interviews etc
      • Software testing: this can be specific to your tech stack, but in general it is of the form of unit, integration and end-to-end testing
  3. Deployment
    • It is important for your project to be "available" and "usable" for anyone to use and test. Please do not just leave everything deployment related to the end, thinking that you should only deploy when the entire software is built. This can be dangerous because the deployment process may require you to change the code somehow, or even make you realize later that some stuff doesn't work on certain platforms. So PLEASE start early if you have not done so, try it out, and ensure that you are able to deploy way before the deadline.

Resources


My submission for IE4758 Information Security 2022 Assignment

"It has been reported that the number of ransomware attacks have significantly increased as many people are still working from home and the number of online users has significantly increased. Thus, the purpose of this assignment is to research and highlight how cyber criminals are launching ransomware attacks and how businesses, governments and individuals are developing policies and are using technology for protection."

Ransomware attacks have been on the rise amid the global pandemic, partly because more people are online for both work and leisure. The demand for internet services has increased to reflect this change in lifestyle. While the convenience of online services benefits us in carrying out our daily activities, malicious actors are seizing this opportunity to target governments, businesses and individuals, profiting from the lack of information security. It has been reported that in Singapore, about 1.16 million US dollars was paid out on average to ransomware attackers in 2021.[1] This puts Singapore in 6th place among countries with the highest average ransom payments. Across the globe, companies have also fallen prey to ransomware attacks. JBS, the world's largest meat packer, halted its operations in North America and Australia due to the suspension of cyber systems that were attacked.[2] The ramifications of ransomware attacks highlight the importance of prevention and protection against cyber criminals through effective security policies and best practices.

Elements of ransomware attacks

Overview

Ransomware is short for ransom malware, a type of malware that prevents users from accessing their system or personal files. The attackers then demand a ransom payment in exchange for the data. The ransom is typically paid in Bitcoin or other cryptocurrencies to reduce traceability. Even after payment, there is no guarantee that the attackers will return or decrypt the data.

Types of ransomware

In general, there are three types of ransomware: Crypto ransomware, Locker ransomware, and Scareware.

Fig 1. Types of ransomware[3]

How cyber criminals are launching ransomware attacks

To launch ransomware attacks, cyber criminals typically perform the following:

Creating ransomware

Besides developing custom and novel ransomware, novice cyber criminals are also able to launch attacks with easily obtainable ransomware toolkits and via RaaS (ransomware as a service). RaaS allows ransomware developers to generate variations of an existing ransomware and sell it for a profit.

Distributing ransomware

Most ransomware is distributed through phishing, via emails or deceptive links on vulnerable websites. The target unknowingly opens an attachment or clicks on a hyperlink that results in the download of malicious software. Such software then requests execution permission (or exploits existing vulnerabilities) and proceeds with harmful activities on the computing device.

Setting up command and control servers

Some ransomware requires external servers, which it uses to store encryption/decryption keys and to look up dynamic pricing according to the IP address of the infected machine.

Receiving payment and the decryption process

After ransomware has encrypted files or blocked system functionality, it typically displays instructions that notify the user of the attack and explain how payment is expected. Such instructions include steps to purchase Bitcoin and describe how decryption can be done.

Fig 2. Hybrid approach to encrypt and decrypt a user's data[4]

Defence against ransomware attacks

How are governments, businesses, and individuals affected by ransomware

While all parties that are hit by ransomware encounter destruction to their digital information and private data, ransomware criminals have differentiated approaches to deal with different groups of victims. While the criminals demand payment to recover data, businesses and governments are generally required to pay a larger sum due to their ability to pay and the urgency to continue operation. Businesses also have a huge interest in protecting their reputation should the cyber criminals threaten to release the encrypted data online. As for governments, they typically hold more sensitive personal data which may have a wide impact if breached.

Defence against ransomware attacks generally involves a combination of policy and technology. While technical advances in anti-virus and ransomware research can help make machines less vulnerable to ransomware attacks, human actions are often the weak point of the system. In addition to prevention, policies are also important should a ransomware attack happen. A response checklist is effective when dealing with and recovering from a ransomware attack.

Prevention

Preventing ransomware attacks requires both hardware protections and human intervention.

Secure data and devices

Since files are typically under attack by ransomware, it is important to maintain offline, encrypted backups of data. For cloud infrastructures, it may also be useful to maintain an image of critical systems for rebuilding them in the event of compromise. A periodic schedule should be created to patch bugs and known vulnerabilities.[5] In addition, anti-virus and network firewalls should be installed and updated to filter out potentially harmful network requests.

Education

By providing training and workshops to share best practices, we will be less likely to fall for phishing attacks and naively bring ransomware into the system. Education about cyber security can also highlight high risk activities such as downloading unverified email attachments and executing malicious macros hidden in Excel spreadsheets. Other measures such as improving password security and understanding configurations and system settings may also go a long way to help keep attackers out of the system.

Drills and insurance

Safety drills may be helpful for governments and businesses to detect potential loopholes in the current defence system, by simulating an attack and analysing the response. In addition, cyber insurance can provide coverage against ransomware. In The State of Ransomware 2022 report,[6] 89% of those hit by ransomware have cyber insurance.

Response

As it is difficult to prevent ransomware attacks due to resource constraints and human errors, a proper response plan is required to actively react to the attacks. This involves setting up cybersecurity budgets and an incident response plan. The plan may include details such as immediate response by investigating and isolating affected servers and machines to reduce further damage, engaging in negotiation with the cyber criminals, recovering lost assets from backups and setting up temporary alternatives that are required to maintain business operations.

Recovery

Recovery from ransomware attacks is a continued effort from the active response to prevent future attacks. This means engaging law enforcement and cyber security firms to evaluate, analyse, and rebuild the system to mitigate security risks.[7] While paying the cyber criminals could be cost-effective, it is largely an undesirable solution as it funds the cyber criminals further and may not always guarantee the return of the digital assets.

Challenges and advancements

With more information online and the recent advances in blockchain-based technology, we may need to guard against blockchain-based ransomware[8] schemes that could use smart contracts to automate attacks, with a more irreversible effect.

While ransomware has grown into a billion-dollar business, research on how to identify and protect against it has also improved over the years. Besides signature-based detection, which may be inadequate, machine learning approaches[9] have been applied, training models to spot ransomware accurately.
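To make the limits of signature-based detection concrete, the following added example (not part of the original essay or its cited papers) contrasts a hash signature check with a simple behavioural heuristic that flags a process overwriting many readable files with high-entropy content in a short window. It is a rule-based sketch rather than a machine learning model, and the event format, thresholds, sample bytes and process ids are all constructed assumptions.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Assumed thresholds, chosen for illustration only.
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted data approaches 8.0
MIN_FILES = 3            # distinct files overwritten within the window
WINDOW_SECONDS = 10

# Constructed signature list: the digest of one "known" sample.
KNOWN_BAD_HASHES = {hashlib.sha256(b"constructed-sample-v1").hexdigest()}


def signature_match(binary: bytes) -> bool:
    """Signature check: matches only binaries whose digest is already listed."""
    return hashlib.sha256(binary).hexdigest() in KNOWN_BAD_HASHES


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def behavioural_alerts(events):
    """Return pids that overwrote >= MIN_FILES distinct files with
    high-entropy content inside any WINDOW_SECONDS span.

    Each event: {"ts": seconds, "pid": int, "path": str,
                 "before": bytes, "after": bytes}.
    """
    hits = defaultdict(list)  # pid -> [(ts, path)]
    for ev in events:
        was_random = shannon_entropy(ev["before"]) >= ENTROPY_THRESHOLD
        is_random = shannon_entropy(ev["after"]) >= ENTROPY_THRESHOLD
        # Readable content replaced by near-random bytes is the signal.
        # Files that were already compressed or encrypted are skipped to
        # avoid flagging archivers and media tools.
        if is_random and not was_random:
            hits[ev["pid"]].append((ev["ts"], ev["path"]))

    flagged = set()
    for pid, writes in hits.items():
        writes.sort()
        start = 0
        for end in range(len(writes)):
            # Slide the window start forward until it spans <= WINDOW_SECONDS.
            while writes[end][0] - writes[start][0] > WINDOW_SECONDS:
                start += 1
            if len({path for _, path in writes[start:end + 1]}) >= MIN_FILES:
                flagged.add(pid)
                break
    return flagged


def sample_events():
    """Constructed file-write events (not real telemetry)."""
    doc = b"Quarterly report: revenue up 4 percent.\n" * 50
    random_like = bytes(range(256)) * 16  # stand-in for ciphertext, entropy 8.0
    events = [{"ts": 0, "pid": 100, "path": "/home/a/notes.txt",
               "before": doc, "after": doc + b"one more line\n"}]  # editor save
    for i in range(4):  # pid 200 overwrites four documents in four seconds
        events.append({"ts": 1 + i, "pid": 200, "path": f"/home/a/doc{i}.txt",
                       "before": doc, "after": random_like})
    # pid 300 rewrites an archive that was already high-entropy.
    events.append({"ts": 2, "pid": 300, "path": "/home/a/backup.zip",
                   "before": random_like, "after": random_like[::-1]})
    return events


if __name__ == "__main__":
    known = b"constructed-sample-v1"
    print("known sample matches signature:", signature_match(known))
    print("one-byte variant matches signature:", signature_match(known + b"\x00"))
    print("pids flagged by behaviour:", behavioural_alerts(sample_events()))
```

The one-byte variant slips past the signature list, while the behavioural check flags only the process that replaced readable documents with near-random bytes, regardless of which binary did it.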

Conclusion

The battle against ransomware attacks is an arduous and relentless one. As humans further integrate their lives into the digital world, the attack vectors continue to increase over the years. Hence, education about information security and vigilance in carrying out measures to safeguard ourselves against attacks will continue to be necessary and important in keeping our information safe and secure.

Citations

  • Andronio, N., Zanero, S., & Maggi, F. (2015, November). Heldroid: Dissecting and detecting mobile ransomware. In international symposium on recent advances in intrusion detection (pp. 382-404). Springer, Cham.

  • Al-rimy, B. A. S., Maarof, M. A., Prasetyo, Y. A., Shaid, S. Z. M., & Ariffin, A. F. M. (2018). Zero-day aware decision fusion-based model for crypto-ransomware early detection. International Journal of Integrated Engineering, 10(6).

  • Alshaikh, H., Ramadan, N., & Hefny, H. A. (2020). Ransomware prevention and mitigation techniques. Int J Comput Appl, 117, 31-39.

  • Aurangzeb, S., Aleem, M., Iqbal, M. A., & Islam, M. A. (2017). Ransomware: a survey and trends. Journal of Information Assurance & Security, 6(2), 48-58.

  • Delgado-Mohatar, O., Sierra-Cámara, J. M., & Anguiano, E. (2020). Blockchain-based semi-autonomous ransomware. Future Generation Computer Systems, 112, 589-603.

  • Low, D. (2022, August 30). Ransomware attacks threaten nations, 137 s'pore firms fell prey in 2021: CSA. The Straits Times. Retrieved September 19, 2022, from https://str.sg/wD9K

  • Mohurle, S., & Patil, M. (2017). A brief study of wannacry threat: Ransomware attack 2017. International Journal of Advanced Research in Computer Science, 8(5), 1938-1940.

  • Ransomware guide. CISA. (n.d.). Retrieved September 27, 2022, from https://www.cisa.gov/stopransomware/ransomware-guide

  • Richardson, R., & North, M. M. (2017). Ransomware: Evolution, mitigation and prevention. International Management Review, 13(1), 10.

  • Rosenberg, J. M. (2015, April 8). A Q&A about the malicious software known as ransomware. Retrieved April 8, 2015, from http://www.salon.com/2015/04/08/a_qa_about_the_malicious_software_known_as_ransomware/

  • The state of ransomware 2022 - sophos. (n.d.). Retrieved September 27, 2022, from https://assets.sophos.com/X24WTUEQ/at/4zpw59pnkpxxnhfhgj9bxgj9/sophos-state-of-ransomware-2022-wp.pdf

  • US says ransomware attack on Meatpacker JBS likely from Russia; Cattle Slaughter resuming. The Straits Times. (2021, June 3). Retrieved September 19, 2022, from https://str.sg/3krC

  • Zetter, K. (2015, September 17). Hacker lexicon: A guide to Ransomware, the scary hack that's on the rise. Retrieved from Security, https://www.wired.com/2015/09/hacker-lexicon-guideransomware-scary-hack-thats-rise/

End

Footnotes

  1. Low, D. (2022, August 30). Ransomware attacks threaten nations, 137 s'pore firms fell prey in 2021: CSA. The Straits Times. Retrieved September 19, 2022, from https://str.sg/wD9K

  2. US says ransomware attack on Meatpacker JBS likely from Russia; Cattle Slaughter resuming. The Straits Times. (2021, June 3). Retrieved September 19, 2022, from https://str.sg/3krC

  3. Andronio, N., Zanero, S., & Maggi, F. (2015, November). Heldroid: Dissecting and detecting mobile ransomware. In international symposium on recent advances in intrusion detection (pp. 382-404). Springer, Cham.

  4. Beaman, C., Barkworth, A., Akande, T. D., Hakak, S., & Khan, M. K. (2021). Ransomware: Recent advances, analysis, challenges and future research directions. Computers & Security, 111, 102490. https://doi.org/10.1016/j.cose.2021.102490

  5. Mohurle, S., & Patil, M. (2017). A brief study of wannacry threat: Ransomware attack 2017. International Journal of Advanced Research in Computer Science, 8(5), 1938-1940.

  6. The state of ransomware 2022 - sophos. (n.d.). Retrieved September 27, 2022, from https://assets.sophos.com/X24WTUEQ/at/4zpw59pnkpxxnhfhgj9bxgj9/sophos-state-of-ransomware-2022-wp.pdf

  7. Richardson, R., & North, M. M. (2017). Ransomware: Evolution, mitigation and prevention. International Management Review, 13(1), 10.

  8. Delgado-Mohatar, O., Sierra-Cámara, J. M., & Anguiano, E. (2020). Blockchain-based semi-autonomous ransomware. Future Generation Computer Systems, 112, 589-603.

  9. Alshaikh, H., Ramadan, N., & Hefny, H. A. (2020). Ransomware prevention and mitigation techniques. Int J Comput Appl, 117, 31-39.


Thoughts

For a variety of reasons, I decided to do a partial local exchange from the NUS school of computing (Computer Science) to NTU. Overall, I think the experience was good and refreshing to study in a (slightly) different environment. I ended up taking 1 module at NUS, and 5 modules at NTU. I will be writing a review of the modules below, and more importantly, I want to note down some of the gotchas that I encountered during the process of applying for the exchange. I hope that this will be useful to anyone who is considering doing a partial local exchange. Note that some of the information might be outdated, so please still do your own research.

Application

Singapore Universities Student Exchange Programme (SUSEP) is a program that allows students to take modules at another local university. The exchange is usually for a semester, and it is possible to do a partial exchange (meaning you can still do some modules at your home university). If you are interested, you should look out for the announcement email that will be sent out by the school nearer to the application period, which should be in the semester before the exchange. E.g. for my semester starting in August, the application period was in February. As they mentioned in the email, the quota is limited for NUS SOC so the application could be selective.

Application materials

Things required:

  • submit an application form
  • might require transcript
  • will need a personal statement stating why you want to do the exchange
  • an exchange plan indicating module mappings and the modules you want to take at the other university

I think a good personal statement could be important for the selection as there are only a few slots.

Module mapping

I would say that module mapping is a really troublesome part of the process. You need to do your own research to find out the modules offered and whether they could possibly be mapped back.

Some things to do include:

  • going into Edurec and checking the past module mapping records, which could be found under academics -> global education -> search module mapping
  • search online to see if the modules are still available and offered in the coming semester

Below is a list of approved modules that I requested, so you can use it as a reference. (open the image in a new tab if blurry)

[Image: mapping]

Gotchas

Here's what I painfully learned during the process of module mapping:

  • some modules might not be offered to exchange students.
    • some modules may claim that they don't offer to exchange students but somehow you can bid and get the module ...
  • some modules may be phased out.
  • some modules have separate module codes for a particular faculty, e.g. CZ XXXX for computer science students.
  • module code and content could change from year to year, which means the module mapping may become invalid if it differs from what you requested
  • when filling up the individual module request, you will need to provide module information as well as your pre-requisite module grades. Sometimes it's impossible to find a URL for module details; in those cases you can try to print out the NTU official module search webpage and upload it to Dropbox, and then link it. If you can't find the module details, e.g. the module components, you can just leave it blank (which was what I did).
  • if you are doing a partial exchange, do take note that you may need to submit appeals to NUS to adjust your min workload. This is to prevent the system from disallowing you to drop the extra modules you applied to at your home university. I applied for additional modules at NUS just in case I could not secure the modules that I wanted at NTU, and I had a hard time dropping them after I got the modules I wanted at NTU.
  • Some modules will be preallocated to you before the exchange period, and for the rest, you will have to go through the module bidding process.
  • If you are doing a partial exchange, you will need to be careful about schedule conflicts. Even if the modules don't directly conflict, you may need to take into account the time you need to travel between the two universities. I would say for some of the modules in NTU, it was fine that I did not attend the tutorials and lectures as I could just watch the recordings or read the slides. However, for some modules, there are compulsory labs or you need to be careful with the quiz timings that happen during lecture time.

Below is a sample module mapping request that you will need to fill up. (open the image in a new tab if blurry)

[Image: request]

CS3219 Software Engineering Principles and Patterns (NUS)

This is an over-subscribed software engineering module that many students want to do. It was worth doing because I got to try and understand not just some of the software principles, but also technologies that support them. A large part of what I learned came from working on individual assignments, which got me into Docker, Kubernetes, Redis, AWS hosting and deployment, Kafka, and more. Those experiences were really valuable as I wanted to learn about these technologies for a long time and finally had the chance to do so. The group assignment was also a good way to practice building an application powered by micro-services. Overall, I would say that the practical aspects of the module were really good. Of course, what you learn out of it depends on how much effort you put in, but I would say that the assignments were well structured for you to learn.

One thing that I remembered: my first time implementing a complete authentication system via JWT... pretty cool experience as I discovered some intricacies of JWT and how to use it properly. (I will probably write about it in the future)

SC2005 Operating Systems (NTU)

I took this module to map it back to our NUS core OS module, and surprisingly the quality of this module in NTU was pretty decent. I think that the two profs delivered the course well (lectures were great) and the tutorial was conducted in a way that was very helpful for students to understand the concepts (again, the prof for my tutorial was great). The labs were a little less challenging and the workload overall was very manageable.

CZ4003 Computer Vision (NTU)

This module is an overview of the computer vision space, talking about how digital images can be enhanced, and how computers "see" them (so edge detection, object detection, 3D reconstruction etc). I think it gave me some ideas about what computer vision means and the mechanisms behind things like object detection. My personal opinion is that the module materials were not very easy to understand and perhaps some background knowledge was required in order to understand the concepts better. When going into the technical details such as deriving Fourier transforms, some mathematical maturity certainly helps for topics on linear algebra, calculus, trigonometry, and matrix manipulation. Overall, I think I would not recommend this module.

IE4483 Artificial Intelligence and Data Mining (NTU)

This module is split into 3 parts:

  • Traditional AI methods (e.g. search, logic, planning, etc)
  • Machine learning (convolutional neural networks, decision trees, etc)
  • Data mining and more ML (clustering, optimization, PCA etc)

The last two parts were well taught and the topics covered gave me a good introduction to machine learning. The first part was a little less interesting, probably because I already learned those in the introduction to AI in NUS. The assignments were doable. Overall I would say that this module is worth doing if you want to learn more about machine learning.

IE4758 Information Security (NTU)

I think this module is super light and the workload is almost non-existent. The module is about the basics of information security, and the topics covered are pretty much common sense. It's like a general knowledge class where you just come in and listen to the prof talk about the topics. The only technical parts are some calculations that you need to do for cryptography (e.g. RSA and Diffie-Hellman key exchange), which is not difficult. Overall this module is pretty simple and recommended if you want to do a near-zero workload module.

CX4153 Blockchain Technology (NTU)

The lectures in this module are all recorded and every week you will need to watch a series of videos. After doing this module, I finally understood some of the concepts in the blockchain world. I think the topics are interesting and I got the fundamental ideas of blockchain after doing this module. And I appreciate why blockchain is so popular because it solves some of the existing problems with such an elegant computational and distributed solution. The assignment also gave me a good idea of how to write a smart contract and connect it to a frontend. Overall, I would say that this module is highly recommended if you are interested in blockchain.