What I did this week (April 30)

--Originally published at Hermes's Blog

I helped Marco finish the Android app for the final presentation. These changes were UI changes, plus push notifications, which turned out to be more elaborate than I thought. I needed to obtain some keys from our Firebase database to let our server communicate with the GCM service (now called FCM, Firebase Cloud Messaging). Then, when the user signs up or updates their profile, the Android device sends a token that FCM generated for the device and we store it in Neo4j; when someone invites that user to a pool or asks them to pay their debt, we send a push notification to their phone. Now, to receive push notifications, we needed to register a service in the Android app that listens for the messages; then, depending on the message, we create a different behaviour when the user clicks the notification or one of its buttons. It was a pain in the ass.

This is the app. https://play.google.com/store/apps/details?id=com.cooper.cooper

I think it does not have the most recent code.

What I’ll do this week (April 23)

--Originally published at Hermes's Blog

This week I plan to finish the tests and have at least 70% of the API code covered. We already have all the signup, login, profile and delete-account functionality tested and passing. I tried to include the tests in the Travis CI build, but it seems to have problems with the Neo4j service; Neo4j is throwing this error:

Uncaught error when processing result: Neo4jError: 140223444313984:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:../deps/openssl/openssl/ssl/s23_clnt.c:827

And I just don’t know why. Should I just remove the HTTPS code when the code is being executed in Travis? Maybe it’s because it does not find the key and certificate, but I don’t see why that would be the case. I’ll try again anyway.

What I did this week (April 16)

--Originally published at Hermes's Blog

This week I started helping with the testing. I solved the issues they were facing with the cookie. Marco is creating the web application and, while developing, found some bugs in the API; these are already fixed. Marco (and someone else I’m not aware of, I guess) integrated the Firebase chat into the app. That’s nice; although it’s kind of ugly, hey, it works.

We know we may have some security issues in the chat and in some parts of the API, but no can do: we are aware of them and will not fix them, since we have to finish the things we need to present in the demo.

Vehicle cybersecurity

--Originally published at Hermes's Blog

Today’s vehicles feature driver assistance, like collision warning, automatic emergency braking and vehicle safety communications. The NHTSA (National Highway Traffic Safety Administration) is exploring the full spectrum of its tools to ensure these technologies are deployed safely and effectively. It encourages the implementation of the NIST Cybersecurity Framework. NHTSA promotes a multi-layered approach to cybersecurity by focusing on a vehicle’s entry points, both wireless and wired.

Malicious exploitation of security vulnerabilities in connected cars is a major problem, with news stories of hacking interfering with consumer acceptance of the current and future capabilities of vehicles.

The first well-known security compromise of a smart vehicle: a 2014 Jeep Cherokee was hacked by security researchers Charlie Miller and Chris Valasek in 2015. They were able to turn the steering wheel, disable the brakes and shut the engine down, all remotely. They also discovered that they could reach thousands of other vehicles that were using the Uconnect entertainment and navigation system, common in Dodge, Jeep and Chrysler vehicles.

It is good to know that automotive manufacturers and transportation companies are well informed about these problems and are taking them very seriously, hiring cybersecurity experts as part of a concerted auto industry effort to greatly increase the strength of security features in cars.

Sources:

https://www.nhtsa.gov/technology-innovation/vehicle-cybersecurity

https://hackernoon.com/smart-car-hacking-a-major-problem-for-iot-a66c14562419

Cybersecurity in healthcare

--Originally published at Hermes's Blog

One of the most terrifying things in cybersecurity is not our private data being leaked. Imagine our own health being compromised: our healthcare data from a hospital being leaked, or even some critical devices in our bodies being manipulated remotely by others.

Image caption: A Bayer MedRad device used to assist in MRI scans, infected with the WannaCry ransomware (photo from Forbes).

Last year, when the WannaCry ransomware was a thing, some hospital networks were infected, causing hospitals to close their doors to new patients and to halt treatments for other patients because they were not able to access the patients’ data records. A lot of healthcare data is being stored in the cloud, with an expected growth rate of 20.5% by 2020. This is a risk because data in the cloud must be correctly protected, which requires robust encryption and appropriate authentication. 90% of hospitals run legacy applications to preserve patient data; these kinds of applications can have serious security holes that a cybercriminal could take advantage of, as they run old and unpatched operating systems (which is what made the WannaCry infections possible).

Last year, St Jude Medical’s pacemakers had a security scandal. It turns out that half a million patients’ pacemakers could be hacked to run the batteries down or even alter the patient’s heartbeat. The manufacturer issued a firmware update (ha! an update for your heart, isn’t that cool?). They are all radio-controlled implantable cardiac pacemakers. The FDA (Food and Drug Administration) says that the vulnerability allows an unauthorised user to access a device using commercially available equipment and reprogram it, which could lead to the death of the patient. The security weakness was discovered by MedSec, a cybersecurity firm that specialises in researching vulnerabilities in the medical device and healthcare industries, and which had previously been the target of a lawsuit from SJM for disclosing such vulnerabilities. It turns out that St Jude Medical had known about this vulnerability since 2014, but did not take action until the weakness was made public. You can read more about it here; the story is great, with lots of plot twists.

Another device that might be a source of security scandals in the future is the artificial pancreas system: an IoT glucose monitor that communicates with an insulin pump and a computer (like a Raspberry Pi) via radio waves. There is even an open source project, OpenAPS, that lets you build your own system.

Sources

http://resources.infosecinstitute.com/top-10-threats-healthcare-security/

https://www.theguardian.com/technology/2017/aug/31/hacking-risk-recall-pacemakers-patient-death-fears-fda-firmware-update

What I’ll do this week (April 9)

--Originally published at Hermes's Blog

I have some things left to work on in the API before helping Marco or Francisco with the mobile app and the tests.

  • Pool owners can specify custom amounts for each user, but they cannot make it automatic. I have to put a flag in the pool creation to set whether the users will all be charged the same amount, and also update everyone’s debt if a new user joins (this will only be updated if the pool has not started yet, because after that users can start paying).
  • I need to notify users if they have a debt they have not paid (when the pool end date arrives).
  • With cash, owners should confirm the amount the users claim to have paid.
  • Store profile pictures somewhere.

That’s what I’ll work on this week; even if I don’t finish all of this, I’ll start working on the Android app with Marco.

What I did this week (April 1)

--Originally published at Hermes's Blog

This week I worked on the flow logic for cash payments: a user can only pay a pool if they have a debt, but they can overpay, and then the pool owner has a debt with them. Pool owners can edit the debts and amounts of the users, but only if the debt is high enough to surpass the pool’s total. I was working on implementing Stripe; in fact, we were able to receive payments from users that registered in Stripe (we were missing the frontend that would communicate with Stripe for the registration). Anyway, we decided that we don’t have the time to finish this; there are other, more urgent things to do before the final delivery, so we will drop the credit card functionality from the app and focus on making what we already have better.

What I’ll do this week (April 1)

--Originally published at Hermes's Blog

This week I’ll be working on the payment flow.

When a pool is marked as cash, users should say how much they paid and then the administrator should confirm the amount.

When a pool is marked as credit, we will have to request the payment from the users and then send the same amount to the admin (we need to check if this is possible with Stripe).

If the admin wants to update the amounts that the users owe, we need to make sure that everything is kept within the limits of the initial costs (right now you can update a user’s debt to whatever amount). And maybe we should not be able to update the already paid amount (at least for credit): what’s already paid should not change.
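The rules in this post and in the April 1 report (a member may pay only while they owe something, overpayment becomes a debt the owner has with that member, owner edits must stay within the pool total, confirmed cash is never edited again, and only the owner may edit or confirm) fit in a small in-memory ledger. This is an added example, not code from the Cooper API; the names createPool, updateDebt, claimCashPayment and confirmCashPayment and the record layout are assumptions.

```javascript
// Added example, not code from the Cooper project: an in-memory pool ledger
// enforcing the payment-flow rules described in the post. Function and field
// names are assumptions.

class PoolError extends Error {}

// Sum of what every member (optionally excluding one) currently owes.
function sumOwed(members, except) {
  return Object.entries(members)
    .filter(([id]) => id !== except)
    .reduce((sum, [, m]) => sum + m.owed, 0);
}

// `amounts` maps userId -> amount owed; assigned debts may not exceed the total.
function createPool({ ownerId, total, amounts }) {
  const members = {};
  for (const [userId, owed] of Object.entries(amounts)) {
    members[userId] = { owed, paid: 0, pendingClaim: 0 };
  }
  if (sumOwed(members) > total) throw new PoolError('assigned debts exceed the pool total');
  return { ownerId, total, members, ownerOwes: {} };
}

// Authorization check: edits and confirmations are owner-only actions.
function requireOwner(pool, actorId) {
  if (actorId !== pool.ownerId) throw new PoolError('only the pool owner may do this');
}

function requireMember(pool, userId) {
  const m = pool.members[userId];
  if (!m) throw new PoolError('unknown member');
  return m;
}

// Owner edits a member's debt: the sum of all debts must stay within the pool
// total, and a debt can never be set below what that member has already paid.
function updateDebt(pool, actorId, userId, newOwed) {
  requireOwner(pool, actorId);
  const m = requireMember(pool, userId);
  if (!(newOwed >= 0)) throw new PoolError('debt must be a non-negative number');
  if (newOwed < m.paid) throw new PoolError('cannot set a debt below the amount already paid');
  if (sumOwed(pool.members, userId) + newOwed > pool.total) {
    throw new PoolError('debts would exceed the pool total');
  }
  m.owed = newOwed;
}

// A member claims a cash payment. Only members with an outstanding debt may
// pay, but the claimed amount may exceed the debt (overpayment).
function claimCashPayment(pool, userId, amount) {
  const m = requireMember(pool, userId);
  if (!(amount > 0)) throw new PoolError('amount must be positive');
  if (m.owed - m.paid <= 0) throw new PoolError('this member has no outstanding debt');
  m.pendingClaim += amount;
}

// The owner confirms a pending claim. Confirmed money is never edited again;
// any excess becomes a debt the owner has with that member.
function confirmCashPayment(pool, actorId, userId) {
  requireOwner(pool, actorId);
  const m = requireMember(pool, userId);
  if (m.pendingClaim === 0) throw new PoolError('no pending claim to confirm');
  const applied = Math.min(m.pendingClaim, m.owed - m.paid);
  const excess = m.pendingClaim - applied;
  m.paid += applied;
  m.pendingClaim = 0;
  if (excess > 0) pool.ownerOwes[userId] = (pool.ownerOwes[userId] || 0) + excess;
  return { applied, excess };
}

function remainingDebt(pool, userId) {
  const m = requireMember(pool, userId);
  return m.owed - m.paid;
}

// Constructed walkthrough: a pool of 300 split 100/100/100.
const demo = createPool({ ownerId: 'ana', total: 300, amounts: { bob: 100, cat: 100, dan: 100 } });
claimCashPayment(demo, 'bob', 120);
console.log(confirmCashPayment(demo, 'ana', 'bob')); // { applied: 100, excess: 20 }
console.log(demo.ownerOwes); // { bob: 20 }
```

The point of keeping `paid` separate from `owed` is that the "already paid" figure is only ever increased by a confirmation, never written by an edit endpoint, so the limit check in updateDebt and the immutability of confirmed payments are enforced in one place rather than in every route handler.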

Another nice-to-have would be finding friends on Facebook, instead of searching for them by name or email.

That’s it.

What I did this week (May 25)

--Originally published at Hermes's Blog

Even though we were on vacation, I made a lot of progress. From the Cooper API we can now:

  • Use another invitation flow: there is an endpoint where we can find the pools we are invited to, an endpoint to accept invitations, and another one to decline them. This way we can make sure that only those who are invited join, and that you can also decline invitations.
  • Disabled SendGrid; we will delete the code that sends emails, everything will be done in the app.
  • Friend requests: now we can have friends, and send, accept and decline friend requests.
  • Login with Facebook.
  • I put a server on DigitalOcean and started using Travis for continuous integration: every time we push to the server repository, the app is built and the tests are run; if they pass we can merge, and when we create a pull request to master and merge it, the code is deployed automatically to the DigitalOcean server and restarted.
  • Now there is an HTTPS version of the server on port 3443, although the HTTP server is still running on 3000; this was because Facebook only allows login from an HTTPS server. We may need to get a real certificate (I created and signed one myself and the browser shows a warning).
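The invitation flow in the first item (list the pools you are invited to, accept, decline, and nobody joins without an invitation), together with the "recompute everyone's share when a new user joins, but only before the pool starts" rule from the April 9 report, can be modelled as a small state machine. This is an added example, not the Cooper API's code; the store layout and the names newPool, invite, pendingInvitations, acceptInvitation and declineInvitation are assumptions.

```javascript
// Added example, not code from the Cooper project: an in-memory invitation
// store. Only the pool owner can invite, only the invited user can accept or
// decline, an invitation is consumed once answered, and the equal split is
// recomputed on join only while the pool has not started. Names are assumptions.

class InviteError extends Error {}

function createStore() {
  return { pools: new Map(), invitations: new Map() };
}

// Invitations are keyed by (pool, invitee) so lookups are always scoped to a user.
function inviteKey(poolId, userId) {
  return `${poolId}:${userId}`;
}

function newPool(store, { id, ownerId, total, splitEqually = true, started = false }) {
  const pool = { id, ownerId, total, splitEqually, started, members: new Map() };
  store.pools.set(id, pool);
  return pool;
}

// Equal split recomputed over current members; frozen once the pool has
// started, because members may already be paying against their amounts.
function recomputeShares(pool) {
  if (!pool.splitEqually || pool.started || pool.members.size === 0) return;
  const share = Math.round((pool.total / pool.members.size) * 100) / 100;
  for (const m of pool.members.values()) m.owed = share;
}

function invite(store, actorId, poolId, inviteeId) {
  const pool = store.pools.get(poolId);
  if (!pool) throw new InviteError('unknown pool');
  if (actorId !== pool.ownerId) throw new InviteError('only the pool owner can invite');
  if (pool.members.has(inviteeId)) throw new InviteError('user is already a member');
  store.invitations.set(inviteKey(poolId, inviteeId), { poolId, inviteeId, status: 'pending' });
}

// What the "pools I am invited to" endpoint would return for one user.
function pendingInvitations(store, userId) {
  return [...store.invitations.values()]
    .filter((inv) => inv.inviteeId === userId && inv.status === 'pending')
    .map((inv) => inv.poolId);
}

// Look up the invitation under the *acting* user's id, so nobody can answer an
// invitation addressed to someone else, nor answer the same one twice.
function takePending(store, actorId, poolId) {
  const inv = store.invitations.get(inviteKey(poolId, actorId));
  if (!inv || inv.status !== 'pending') throw new InviteError('no pending invitation for this user');
  return inv;
}

// Joining happens only here: there is no way to add a member without an invitation.
function acceptInvitation(store, actorId, poolId) {
  const inv = takePending(store, actorId, poolId);
  inv.status = 'accepted';
  const pool = store.pools.get(poolId);
  pool.members.set(actorId, { owed: 0 });
  recomputeShares(pool);
  return pool;
}

function declineInvitation(store, actorId, poolId) {
  takePending(store, actorId, poolId).status = 'declined';
}

// Constructed walkthrough.
const demoStore = createStore();
newPool(demoStore, { id: 'trip', ownerId: 'ana', total: 300 });
invite(demoStore, 'ana', 'trip', 'bob');
invite(demoStore, 'ana', 'trip', 'cat');
acceptInvitation(demoStore, 'bob', 'trip');
acceptInvitation(demoStore, 'cat', 'trip');
console.log([...demoStore.pools.get('trip').members]); // bob and cat each owe 150
```

Because the accept and decline endpoints derive the invitation key from the authenticated actor rather than from a client-supplied user id, the authorization check is the lookup itself; a request for another user's invitation simply finds nothing.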