Security analysis of Aspiro Music Platform, a digital music streaming service
Master thesis
Permanent link
http://hdl.handle.net/11250/2400527
Publication date
2010
Abstract
The report is mainly based on recommendations given by the National Institute of Standards and Technology in Special Publication 800-30, "Risk Management Guide for Information Technology Systems". The risk analysis presented in this report emphasizes a qualitative approach.
First, the security requirements for Aspiro Music Platform were identified and classified by level of importance. Second, potential threats to the system were discussed. Next, the potential system vulnerabilities were identified and presented in the form of an attack tree. Afterwards, penetration testing of the potentially vulnerable parts of the Aspiro Music Platform was performed. This step resulted in the discovery of a few major and minor flaws, as well as in the creation of WiMP Number Dump, an experimental hacker tool that exploited weaknesses of the getwimp.com webpage to create a list of WiMP subscribers, their telephone numbers and addresses. The results were used to assess the level of risk to Aspiro Music Platform by multiplying the ratings assigned for threat likelihood and threat impact. Lastly, mitigation methods for the identified risks were suggested.
The thesis does not focus on the security of WiMP and music files in offline mode. Also, a few attacks, such as SQL injection, cross-site scripting and a Denial-of-Service stress test, were left out of the penetration testing part of the analysis for legal and technical reasons. This gives the groundwork for further testing.