63 research outputs found

    Car Hacking: Accessing and Exploiting the CAN Bus Protocol

    With the rapid adoption of internet-connected and driver-assist technologies, and the spread of semi-autonomous to self-driving cars on roads worldwide, cybersecurity for smart cars is a timely concern and one worth exploring both in the classroom and in the real world. Highly publicized hacks against production cars, and a relatively small number of crashes involving autonomous vehicles, have brought the issue of securing smart cars to the forefront as a matter of public and individual safety, and the cybersecurity of these “data centers on wheels” is of greater concern than ever. However, up to this point there has been a steep learning curve involved in applying cybersecurity research to car hacking. The purpose of this paper is to present a clear, step-by-step process for creating a car-hacking research workstation and to give faculty, students, and researchers the ability to implement car hacking in their own courses and lab environments. This article describes the integration of a module on car hacking into a semester-long ethical hacking cybersecurity course, including full installation and setup of all the open-source tools necessary to implement the hands-on labs in similar courses. This work demonstrates how to test an automobile for vulnerabilities involving replay attacks, and how to reverse-engineer CAN bus messages, using a combination of open-source tools and a commodity CAN-to-USB cable or wireless connector for under $100 (USD). Also provided are an introduction to the CAN (controller area network) bus in modern automobiles and a brief history of car hacking

    Health IT Security: An Examination of Modern Challenges in Maintaining HIPAA and HITECH Compliance

    This work describes an undergraduate honors research project into some of the challenges modern healthcare providers face in maintaining compliance with the Health Insurance Portability and Accountability Act (HIPAA) and HITECH (Health Information Technology for Economic and Clinical Health) Act. An overview of the pertinent sections of both the HIPAA and HITECH Acts regarding health information security is provided, along with a discussion of traditionally weak points in information security, including: people susceptible to social engineering, software that is not or cannot be regularly updated, and targeted attacks (including advanced persistent threats, or APTs). Further, the paper examines potential violations of HIPAA involving vulnerabilities in commonly-used enterprise health records systems. Finally, we compare these challenges to the challenges of the United States healthcare system prior to 1995, specifically looking at information handling procedures, how procedures have changed, and how effective those changes have been

    Planning and Implementing a Successful NSA-NSF GenCyber Summer Cyber Academy

    The GenCyber program is jointly sponsored by the National Security Agency (NSA) and the National Science Foundation (NSF) to help faculty and cybersecurity experts provide summer cybersecurity camp experiences for K-12 students and teachers. The main objective of the program is to attract, educate, and motivate a new generation of young men and women to help address the nationwide shortage of trained cybersecurity professionals. The curriculum is flexible and centers on ten cybersecurity first principles. Currently, GenCyber provides cyber camp options for three types of audiences: students, teachers, and a combination of both teachers and students. In 2016, over 120 GenCyber camps were funded, serving 5,000+ students and teachers, and the NSA hopes to double the program in 2017. GenCyber camps can be offered at colleges, universities, public or private school systems, or non-profit institutions. The purpose of this paper is to describe the GenCyber program, provide lessons learned from a successful program implementation, and encourage PI’s to plan and implement a GenCyber summer cyber academy

    Voice Hacking: Using Smartphones to Spread Ransomware to Traditional PCs

    This paper presents a voice hacking proof of concept that demonstrates the ability to deploy a sequence of hacks, triggered by speaking a smartphone command, to launch ransomware and other destructive attacks against vulnerable Windows computers on any wireless network the phone connects to after the voice command is issued. Specifically, a spoken, broadcast, or pre-recorded voice command directs vulnerable Android smartphones or tablets to a malicious download page that compromises the Android device and uses it as a proxy to run software designed to scan the Android device’s local area network for Windows computers vulnerable to the EternalBlue exploit, spreading a ransomware-like application to those PCs, and executing it remotely. The demonstrated proof of concept, with relevant source code included in the appendix, can be extended and adapted to allow other voice-enabled, mobile, and IoT devices to perform multi-platform attacks against traditional PCs, as well as other mobile and IoT devices, and even critical infrastructure systems. In addition to describing the proof-of-concept attack in detail, the authors propose several remedies individuals and organizations can employ to prevent such attacks

    What You See Is Not What You Know: Studying Deception in Deepfake Video Manipulation

    Research indicates that deceitful videos tend to spread rapidly online and influence people’s opinions and ideas. Because of this, video misinformation via deepfake video manipulation poses a significant online threat. This study aims to discover what factors can influence viewers’ capability to distinguish deepfake videos from genuine video footage. This work focuses on exploring deepfake videos’ potential use for deception and misinformation by exploring people’s ability to determine whether videos are deepfakes in a survey consisting of deepfake videos and original unedited videos. The participants viewed a set of four videos and were asked to judge whether the videos shown were deepfakes or originals. The survey varied the familiarity that the viewers had with the subjects of the videos. Also, the number of videos shown at one time was manipulated. This survey showed that familiarity with subjects has a statistically significant impact on how well people can determine a deepfake. Notably, however, almost two-thirds of study participants (102 out of 154, or 66.23%) were unable to correctly identify a sequence of just four videos as either genuine or deepfake. This study provides insights into possible considerations for countering disinformation and deception resulting from the misuse of deepfakes

    Voice Hacking Proof of Concept: Using Smartphones to Spread Ransomware to Traditional PCs

    This paper presents a working proof of concept that demonstrates the ability to deploy a sequence of hacks, triggered by speaking a smartphone command, to launch ransomware and other destructive attacks against vulnerable Windows computers on any wireless network the phone connects to after the voice command is issued. Specifically, a spoken, broadcast, or pre-recorded voice command directs vulnerable Android smartphones or tablets to a malicious download page that compromises the Android device and uses it as a proxy to run software designed to scan the Android device’s local area network for Windows computers vulnerable to the EternalBlue exploit, spreading a ransomware-like application to those PCs, and executing it remotely. In addition to describing the proof-of-concept attack in detail, the authors propose several remedies individuals and organizations can use to prevent such attacks

    Survey Responses: Mail Versus Email Solicitations

    Surveys, particularly electronic surveys, are becoming popular methods of eliciting consumer responses. For example, many businesses now have survey sites printed on the bottom of receipts with some future discount as an enticement to participate. Clearly, the intent of such incentives is to stimulate participation. Surveys have also become popular in academia, but rarely are incentives offered. Clearly, those in academia also prefer a high participation rate, but without financial incentives what can be done to encourage participation? This research attempts to address that question

    Hijacking Wireless Communications using WiFi Pineapple NANO as a Rogue Access Point

    Wireless access points are an effective solution for building scalable, flexible, mobile networks. The problem with these access points is often the lack of security. Users regularly connect to wireless access points without thinking about whether they are genuine or malicious. Moreover, users are not aware of the types of attacks that can come from “rogue” access points set up by attackers and what information can be captured by them. Attackers use this advantage to gain access to users’ confidential information. The objective of this study is to examine the effectiveness of the WiFi Pineapple NANO used as a rogue access point (RAP) in tricking users to connect to it. As part of the preliminary study, a brief survey was provided to users who connected to the Pineapple to evaluate the reasons why users connect to RAPs. The result of the cybersecurity pilot study indicated that lack of awareness played an important role. Specifically, users unknowingly connect to rogue wireless access points that put at risk not only their devices, but the whole network. The information collected in this research could be used to better educate users on identifying possible RAPs and the dangers of connecting to them

    Artificial intelligence within the interplay between natural and artificial computation: Advances in data science, trends and applications

    Artificial intelligence and all its supporting tools, e.g. machine and deep learning in computational intelligence-based systems, are rebuilding our society (economy, education, life-style, etc.) and promising a new era for the social welfare state. In this paper we summarize recent advances in data science and artificial intelligence within the interplay between natural and artificial computation. A review of recent works published in the latter field and the state of the art are summarized in a comprehensive and self-contained way to provide a baseline framework for the international community in artificial intelligence. Moreover, this paper aims to provide a complete analysis and some relevant discussions of the current trends and insights within several theoretical and application fields covered in the essay, from theoretical models in artificial intelligence and machine learning to the most prospective applications in robotics, neuroscience, brain computer interfaces, medicine and society, in general. BMS - Pfizer (U01 AG024904). Spanish Ministry of Science, projects: TIN2017-85827-P, RTI2018-098913-B-I00, PSI2015-65848-R, PGC2018-098813-B-C31, PGC2018-098813-B-C32, RTI2018-101114-B-I, TIN2017-90135-R, RTI2018-098743-B-I00 and RTI2018-094645-B-I00; the FPU program (FPU15/06512, FPU17/04154) and Juan de la Cierva (FJCI-2017–33022). Autonomous Government of Andalusia (Spain) projects: UMA18-FEDERJA-084. Consellería de Cultura, Educación e Ordenación Universitaria of Galicia: ED431C2017/12, accreditation 2016–2019, ED431G/08, ED431C2018/29, Comunidad de Madrid, Y2018/EMT-5062 and grant ED431F2018/02. PPMI – a public – private partnership – is funded by The Michael J. Fox Foundation for Parkinson’s Research and funding partners, including Abbott, Biogen Idec, F. Hoffman-La Roche Ltd., GE Healthcare, Genentech and Pfizer Inc