What I’ll do this week (April 23)

This week I plan to finish the tests and have at least 70% of the API code covered. We already have all signup, login, profile and delete-account functionality tested and passing. I tried to include the tests in the Travis CI build, but it seems to have problems with the Neo4j service; Neo4j is throwing this error:

Uncaught error when processing result: Neo4jError: 140223444313984:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:../deps/openssl/openssl/ssl/s23_clnt.c:827

And I just don’t know why. Should I just remove the HTTPS code when the code is being executed in Travis? Maybe it’s because it does not find the key and certificate, but I don’t see why that would be the case. I’ll try again anyway.


What I did this week (April 16)

This week I started helping with the testing. I solved the issues they were facing with the cookie. Marco is creating the web application and, while developing, found some bugs in the API; these are already fixed. Marco (and someone else I’m not aware of, I guess) integrated the Firebase chat into the app. That’s nice, although it’s kind of ugly, but hey, it works.

We know we may have some security issues in the chat and in some parts of the API, but no can do: we are aware of that and will not fix it, we have to finish the things we need to present in the demo.

Vehicle cybersecurity


Today’s vehicles feature driver assistance such as collision warning, automatic emergency braking and vehicle-to-vehicle safety communications. The NHTSA (National Highway Traffic Safety Administration) is exploring the full spectrum of its tools to ensure these technologies are deployed safely and effectively. It encourages the adoption of the NIST Cybersecurity Framework, and it promotes a multi-layered approach to cybersecurity that focuses on a vehicle’s entry points, both wireless and wired.

Malicious exploitation of security vulnerabilities in connected cars is a major problem, and news stories about car hacking interfere with consumer acceptance of current and future vehicle capabilities.

The first widely known security compromise of a connected vehicle came in 2015, when security researchers Charlie Miller and Chris Valasek hacked a 2014 Jeep Cherokee: they were able to turn the steering wheel, disable the brakes and shut the engine down, all remotely. They also discovered that they could reach thousands of other vehicles that used the Uconnect entertainment and navigation system, common in Dodge, Jeep and Chrysler vehicles.

It is good to know that automotive manufacturers and transportation companies are well informed about these problems and are taking them very seriously, hiring cybersecurity experts as part of a concerted auto-industry effort to greatly strengthen the security features in cars.

Sources:

https://www.nhtsa.gov/technology-innovation/vehicle-cybersecurity

https://hackernoon.com/smart-car-hacking-a-major-problem-for-iot-a66c14562419

Cybersecurity in healthcare

One of the most terrifying things in cybersecurity is not our private data being leaked. Imagine our own health being compromised: healthcare data from a hospital leaked, or critical devices in our bodies manipulated remotely by others.

A Bayer MedRad device used to assist in MRI scans infected with the WannaCry ransomware (image from Forbes).

Last year, when the WannaCry ransomware hit, some hospital networks were infected, causing hospitals to close their doors to new patients and halt treatments for others because staff could not access patient records. A lot of healthcare data is being stored in the cloud, with an expected growth rate of 20.5% by 2020; this is a risk because data in the cloud must be correctly protected, which requires robust encryption and appropriate authentication. 90% of hospitals run legacy applications to preserve patient data; such applications can have serious security holes that a cybercriminal could take advantage of, and they run on old, unpatched operating systems (which is what let WannaCry in).


Last year, St Jude Medical’s pacemakers had a security scandal. It turns out that half a million patients’ pacemakers could be hacked to run the batteries down or even alter the patient’s heartbeat. The manufacturer issued a firmware update (ha! an update for your heart, isn’t that cool?). They are all radio-controlled implantable cardiac pacemakers. The FDA (Food and Drug Administration) says that the vulnerability allows an unauthorised user to access a device using commercially available equipment and reprogram it, which could lead to the death of the patient. The weakness was discovered by MedSec, a cybersecurity firm that specialises in researching vulnerabilities in the medical device and healthcare industries, and which had previously been the target of a lawsuit from SJM for disclosing such vulnerabilities. It turns out that St Jude Medical had known about this vulnerability since 2014, but did not take action until the weakness was made public. You can read more about it here; the story is great, with lots of plot twists.


Another device that might be a source of security scandals in the future is the artificial pancreas system: an IoT glucose monitor that communicates with an insulin pump and a small computer (like a Raspberry Pi) over radio. There is even an open-source project, OpenAPS, that lets you build your own system.

Sources

http://resources.infosecinstitute.com/top-10-threats-healthcare-security/

https://www.theguardian.com/technology/2017/aug/31/hacking-risk-recall-pacemakers-patient-death-fears-fda-firmware-update

https://www.meddeviceonline.com/doc/artificial-pancreas-systems-rife-with-security-issues-say-experts-0001

What I’ll do this week (April 9)

I have some things left to work on in the API before helping Marco or Francisco with the mobile app and the tests.

  • Pool owners can specify custom amounts for each user, but they cannot make it automatic. I have to put a flag in the pool creation to set whether the users will be charged the same amount, and also update everyone’s debt if a new user joins (this will only be updated if the pool has not started yet, because after that users can start paying).
  • I need to notify users if they have a debt they have not paid (when the pool end date arrives).
  • With cash, owners should confirm the amount the users claim to have paid.
  • Store profile pictures somewhere.

That’s what I’ll work on this week; even if I don’t finish all of it, I’ll start working on the Android app with Marco.

What I did this week (April 1)

This week I worked on the flow logic for cash payments: a user can only pay a pool if he or she has a debt, but he or she can overpay, and then the pool owner has a debt with them. Pool owners can edit the debts and amounts of the users, but only if the debt is high enough to surpass the pool’s total. I was working on implementing Stripe; in fact, we were able to receive payments from users that registered in Stripe (we were missing the frontend that would communicate with Stripe for the registration). Anyway, we decided that we don’t have the time to finish this; there are other, more urgent things to do before the final delivery, so we will drop the credit card functionality from the app and focus on making what we already have better.

What I’ll do this week (April 1)

This week I’ll be working on the payment flow.

When a pool is marked as cash, users should say how much they paid, and then the administrator should confirm the amount.

When a pool is marked as credit, we will have to request the payment from the users and then send the same amount to the admin (we need to check whether this is possible with Stripe).

If the admin wants to update the amounts that the users owe, we need to make sure that everything is kept within the limits of the initial costs (right now you can update a user’s debt to whatever amount). And maybe we should not be able to update the already-paid amount (at least for credit); what’s already paid should not change.
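The debt rules from the April 9 list and from this plan, as an added example that is not the project’s own code: a small ledger class in JavaScript that enforces them (owner-only edits, shares bounded by the pool total, paid amounts never edited, cash claims that only count once the owner confirms them, overpayment becoming a debt of the owner, and a list of who to notify once the end date arrives). The `Pool` class, its method names and the member and claim shapes are assumptions for illustration, not the real API’s data model.

```javascript
// Added example, not the project's code: a pool ledger that enforces the
// debt rules from the plans above. All names and shapes are assumptions.
class Pool {
  constructor({ ownerId, total, splitEqually = true, endDate }) {
    if (!(total > 0)) throw new Error('pool total must be positive');
    Object.assign(this, { ownerId, total, splitEqually, endDate, started: false });
    this.members = new Map(); // userId -> { owed, paid }
    this.claims = [];         // cash claims; applied to the ledger only once the owner confirms
  }

  member(userId) {
    const m = this.members.get(userId);
    if (!m) throw new Error(`${userId} is not in this pool`);
    return m;
  }

  // Authorization check shared by every owner-only operation.
  requireOwner(actorId) {
    if (actorId !== this.ownerId) throw new Error('only the pool owner may do this');
  }

  // Sum of assigned shares may never exceed the pool's cost (the "within the limits" rule).
  assertSharesWithinTotal() {
    let sum = 0;
    for (const m of this.members.values()) sum += m.owed;
    if (sum > this.total + 1e-9) throw new Error('shares exceed the pool total');
  }

  // Joining is only possible before the pool starts; afterwards members may already be paying.
  addMember(userId, owed = 0) {
    if (this.started) throw new Error('pool already started');
    if (this.members.has(userId)) throw new Error('already a member');
    this.members.set(userId, { owed, paid: 0 });
    if (this.splitEqually) {                        // the "same amount for everyone" flag
      const share = this.total / this.members.size; // recomputed for everybody on each join
      for (const m of this.members.values()) m.owed = share;
    }
    this.assertSharesWithinTotal();
  }

  start() { this.started = true; }

  // Owner edits one member's share; the amount already paid is never touched.
  setShare(actorId, userId, owed) {
    this.requireOwner(actorId);
    if (this.splitEqually) throw new Error('pool splits equally; custom shares are disabled');
    if (!(owed >= 0)) throw new Error('share must be non-negative');
    const m = this.member(userId);
    const previous = m.owed;
    m.owed = owed;
    try { this.assertSharesWithinTotal(); } catch (e) { m.owed = previous; throw e; }
  }

  remaining(userId) { const m = this.member(userId); return Math.max(0, m.owed - m.paid); }
  ownerOwes(userId) { const m = this.member(userId); return Math.max(0, m.paid - m.owed); }

  // A member may only claim a cash payment while they still owe something; overpaying is allowed.
  claimCash(userId, amount) {
    if (!(amount > 0)) throw new Error('amount must be positive');
    if (this.remaining(userId) === 0) throw new Error('nothing to pay');
    const claim = { id: this.claims.length + 1, userId, amount, confirmed: false };
    this.claims.push(claim);
    return claim.id;
  }

  // Only the owner can turn a claim into a recorded payment; each claim counts once.
  confirmCash(actorId, claimId) {
    this.requireOwner(actorId);
    const claim = this.claims.find((c) => c.id === claimId);
    if (!claim) throw new Error('unknown claim');
    if (claim.confirmed) throw new Error('claim already confirmed');
    claim.confirmed = true;
    this.member(claim.userId).paid += claim.amount;
    return this.ownerOwes(claim.userId); // > 0 means the owner now owes the member the excess
  }

  // Who still owes money once the end date has arrived: the users to notify.
  debtorsAt(date) {
    if (date < this.endDate) return [];
    return [...this.members.keys()].filter((id) => this.remaining(id) > 0);
  }
}

module.exports = { Pool };
```

The rejection paths are the point: a non-owner calling `setShare` or `confirmCash`, a share edit that pushes the sum above `total`, a join after `start()`, and a cash claim from someone with nothing left to pay all throw, which is exactly the check the plan says the API currently lacks when it says a debt can be set to whatever amount.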

Another nice-to-have would be finding friends on Facebook instead of searching for them by name or email.

That’s it.