What I did this week (April 30)

I helped Marco finish the Android app for the final presentation. These changes were UI changes, and there are push notifications; that was something more elaborate than I thought. I needed to obtain some keys in our Firebase database to let our server communicate with the GCM service (now it’s called FCM, Firebase Cloud Messaging). Then, when the user signs up or updates their profile, the Android device sends a token that FCM generated for the device and we store it in neo4j. Then, when someone invites that user to a pool or asks them to pay their debt, we send a push notification to their phone. Now, to receive push notifications, we needed to register a service in the Android app that would listen for the messages; then, depending on the messages, we would create a different behaviour when the user clicks the notification or one of its buttons. It was a pain in the ass.

This is the app. https://play.google.com/store/apps/details?id=com.cooper.cooper

I think it does not have the most recent code.


What I did this week (April 23)

This last week I tested a lot from the users and pools, I found a lot of bugs while I was doing so and fixed them. I managed to solve the travis-ci problem with neo4j (turns out it was trying to connect to another port). So now when someone pushes, the tests are run.

Francisco helped us edit the final video.

What I’ll do this week (April 23)

This week I plan to finish the tests and have at least 70% of the API code covered. We already have all signup, login, profile and delete account functionality tested and passing. I tried to include the tests in the travis-ci build but it seems to have problems with the neo4j service; neo4j is throwing this error:

Uncaught error when processing result: Neo4jError: 140223444313984:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:../deps/openssl/openssl/ssl/s23_clnt.c:827

And I just don’t know why. Should I just remove the https code when the code is being executed in travis? Maybe it’s because it does not find the key and certificate, but I don’t see why that would be the case. I’ll try again anyway.

What I did this week (April 16)

This week I started helping with the testing. I solved the issues that they were facing with the cookie. Marco is creating the web application and, when he was developing, found some bugs in the API; these are already fixed. Marco (and someone else that I’m not aware of, I guess) integrated the Firebase chat into the app. That’s nice, although it’s kind of ugly, but hey, it works.

We know we may have some security issues, in the chat and some parts of the api, but no can do, we are aware of that and will not fix it, we have to finish the things that we need to present in the demo.

Vehicle cybersecurity


Today’s vehicles feature driver assistance, like collision warning, automatic emergency braking and safety vehicle communications. The NHTSA (National Highway Traffic Security Administration) is exploring the full spectrum of its tools to ensure these technologies are deployed safely and effectively. It encourages the implementation of the NIST Cybersecurity Framework. NHTSA promotes a multi-layered approach to cybersecurity by focusing on a vehicle’s entry points, both wireless and wired.

Malicious exploitation of security vulnerabilities in connected cars is a major problem, with news stories of hacking interfering with consumer acceptance of the current and future capabilities of vehicles.

In the first well-known security compromise of a smart vehicle, a 2014 Jeep Cherokee was hacked by security researchers Charlie Miller and Chris Valasek in 2015. They were able to turn the steering wheel, disable the brakes and shut the engine down, all remotely. They also discovered that they could access thousands of other vehicles that were using the Uconnect entertainment and navigation system, common in Dodge, Jeep and Chrysler vehicles.

It is good to know that automotive manufacturers and transportation companies are well informed about these problems and are taking them very seriously, hiring cybersecurity experts as part of a concerted auto industry effort to greatly increase the strength of security features in cars.




Cybersecurity in healthcare

One of the most terrifying things in cybersecurity is not our private data being leaked. Imagine that our own health is compromised: our healthcare data from a hospital is leaked, or some critical devices in our bodies could even be manipulated remotely by others.


A Bayer MedRad device used to assist in MRI scans, infected with the WannaCry ransomware (image from Forbes).

Last year, when the WannaCry ransomware was a thing, some hospital networks were infected, causing hospitals to close their doors to new patients and halting treatments for other patients because they were not able to access the patients’ data records. A lot of healthcare data is being stored in the cloud, and this has an expected growth rate of 20.5% by 2020. This is a real risk because data in the cloud must be correctly protected: it requires robust encryption measures and appropriate authentication. 90% of hospitals run legacy applications to preserve patients’ data. These kinds of applications can have serious security holes that a cybercriminal could take advantage of, and they run on old and unpatched operating systems (which is what caused the WannaCry infection).


Last year, St Jude Medical’s pacemakers had a security scandal. It turns out that half a million patients’ pacemakers could be hacked to run the batteries out or even alter the patient’s heartbeat. The manufacturer issued a firmware update (ha! an update for your heart, isn’t that cool?). They are all radio-controlled implantable cardiac pacemakers. The FDA (Food and Drug Administration agency) says that the vulnerability allows an unauthorised user to access a device using commercially available equipment and reprogram it, which could lead to the death of the patient. The security weakness was discovered by MedSec, a cybersecurity firm that specialises in researching vulnerabilities in the medical devices and healthcare industries, and it had previously been the target of a lawsuit from SJM for disclosing such vulnerabilities. It turns out that St Jude Medical knew about this vulnerability since 2014, but did not take action until the weakness was made public. You can read more about it here; the story is great, with lots of plot twists.


Another device that might be a source of security scandals in the future is the artificial pancreas system. This thing is an IoT glucose monitor that communicates with an insulin pump and a computer (like a Raspberry Pi) via radio waves. There is even an open source project, called OpenAPS, that lets you create your own system.





What I’ll do this week (April 9)

I have some things left to work on in the API before helping Marco or Francisco with the mobile app and the tests.

  • Pool owners can specify custom amounts for each user, but they cannot make it automatic. I have to put a flag in the pool creation to set whether the users will be charged the same amount, and also update everyone’s debt if a new user joins (this will only be updated if the pool has not started yet, because then users can start paying).
  • I need to notify users if they have a debt that they have not paid (when the pool end date arrives).
  • With cash, owners should confirm the amount the users claim to have paid.
  • Store profile pics somewhere.

That’s what I’ll work on this week. Even if I don’t finish all of this, I’ll start working on the Android app with Marco.