Best Paper Award at NDSS to Team featuring THaW Researchers


A team featuring THaW PI Carl Gunter and led by his student Guliz Seray Tuncay recently won “Best Paper” at NDSS. “Resolving the Predicament of Android Custom Permissions” was so well received at the conference that it took home highest honors. To check out the full text, and what the team discovered about conflicting trust levels in regard to Android permissions, click through on the link below.

PDF: Resolving the Predicament of Android Custom Permissions

Kevin Fu Researches Mystery Embassy Ailment

THaW researcher Kevin Fu, along with colleagues Chen Yan and Wenyuan Xu, recently released a technical report on a mysterious ailment at the United States embassy in Cuba. After exploring a wide variety of options, the trio concluded that the ailment may in fact have inadvertently been caused by interfering ultrasonic waves in the environment. Click through below to see some press coverage their discoveries have received, in addition to the full technical report.

The Conversation – Can Sound Be Used As A Weapon?

IEEE Spectrum – Finally, A Likely Explanation for the “Sonic Weapon” Used At The US Embassy In Cuba

PDF: On Cuba, Diplomats, Ultrasound, and Intermodulation Distortion

THaW Releases Technical Report On STEM Outreach Program


As part of THaW’s efforts towards community outreach and education, we have developed a curriculum based on the FitBit technology platform. This curriculum has been successfully deployed in two pilot groups led by THaW associates over the past two years.

Now, THaW researcher Joseph Carrigan, along with PIs David Kotz and Avi Rubin, has formalized the curriculum into a technical report to allow others to use our implementation. Said Carrigan, “We developed an outreach activity that is engaging, informative, and repeatable. We are interested to see how it will be used at other locations.” To peruse the technical report and access the curriculum guidelines, please click below.

STEM Outreach Activity with Fitbit Wearable Devices

Eric Johnson Explores Hospital Care Quality

THaW member Eric Johnson (along with co-author Sung Choi) recently published at the 14th Workshop on The Economics of Information Security. In the paper, the two explore the ramifications of hospital data breaches and whether these breaches have an effect on quality of care. To learn more, click through to the paper below.

PDF: Do Hospital Data Breaches Reduce Patient Care Quality?

Kevin Fu Discusses The Challenges of Ransomware

THaW researcher Kevin Fu recently joined his colleague Harold Thimbleby to discuss the challenges and obstacles created by ransomware. Read their comprehensive assessment of the problem, as well as possible solutions, at the link below.

HealthcareITNews — Ransomware: How we can climb out of this mess

Eric Johnson Talks with Charles Lebo: Healthcare Data Security


THaW contributor Eric Johnson’s conversations from the CISO conference continued with VP and CISO of Kindred Healthcare, Charles Lebo. The two had a conversation to discuss some of the emerging challenges of healthcare security. The topics ranged from the scope of large healthcare datasets, to the emergence of ransomware and maintaining data security.

Click here, or play the embedded video above, to hear the discussion in full.

Interactive Map Of US Healthcare Breaches

The Health Information Technology for Economic and Clinical Health (HITECH) Act requires health care providers and health plans that experienced a data breach of unsecured protected health information affecting more than 500 persons to notify the U.S. Department of Health and Human Services (HHS). HHS maintains a public database of the reported breaches submitted from October 2009 to the present. THaW researchers recently constructed an interactive map to visualize the HHS database of health data breaches.

When it Comes to Medical Device Security, the Dos Outweigh the Don’ts

THaW researchers A.J. Burns, Eric Johnson and Peter Honeyman have compiled a compelling chronology of medical device security in their recently published article in Communications of the ACM, “A Brief Chronology of Medical Device Security” (see the THaW blog’s publication page for complete reference information and a link to the article).

The authors identify three key points relating to medical devices:

  1. Frightening language and misinformation often characterize discussions of cybersecurity and medical devices.
  2. There are always security trade-offs when designing, deploying, and maintaining medical devices.
  3. Medical devices are often not that different than other network-enabled digital devices, in terms of their vulnerability to network-based cyberattack.

The authors further identify four major periods that span the evolution of medical devices:

  1. Complex systems and accidental disasters
  2. Implantable medical devices
  3. The threat of unauthorized access
  4. Cyber threats to medical device security

The article offers a comprehensive examination of the legislative timeline and the evolving threats to information security in healthcare. They argue that “the steps we take today will largely define the future of medical device security,” and while there is a temptation to publicly wring our hands in despair over medical-device insecurity, “we must resist the temptation to sensationalize the issues…and instead apply sober, rational, systematic approaches to understanding and mitigating security risks.”

The authors conclude by challenging the medical-device community to better secure these devices:

“…it is safe to say that patients’ reluctance to accept medically indicated devices due to concerns about security poses a greater threat to their health than any threat stemming from medical device security…it is incumbent on our field to continue to prioritize the security of medical devices as a part of our fiduciary responsibility to act in the interests of those who rely on these life-saving devices.”

For complete reference information and a link to the article, please visit the THaW publication page.

THaW researcher, Kevin Fu, Questions Recent MedSec Findings

“For decades, there’s been an unofficial truce between cybersecurity researchers and companies: When good guy hackers find a problem, they give companies a chance to fix it before going public.

But a cybersecurity firm called MedSec just upended that truce.”

(https://www.washingtonpost.com/news/the-switch/wp/2016/09/01/a-new-hacker-money-making-strategy-betting-against-insecure-companies-on-wall-street/)

“While medical device manufacturers must improve the security of their products, claiming the sky is falling is counterproductive.” – THaW researcher, Kevin Fu

(http://www.engin.umich.edu/college/about/news/stories/2016/august/holes-found-in-report)

MedSec, a medical security firm, has formed an unusual partnership with investment firm Muddy Waters to generate revenue based on MedSec infosec research. When MedSec recently found alleged faults in St. Jude’s implantable heart equipment, it alerted Muddy Waters rather than St. Jude’s as tradition normally dictates. Muddy Waters promptly issued a research report highlighting the alleged faults and shorted St. Jude’s stock, giving MedSec a portion of the proceeds from the short sale.

However, THaW researcher Kevin Fu and University of Michigan colleagues attempted to replicate the MedSec research and determined that MedSec’s findings were “inconclusive”. For more information on the Michigan investigation, see:

(http://www.engin.umich.edu/college/about/news/stories/2016/august/holes-found-in-report)

This saga is far from complete, as Fu’s team continues to look into the MedSec findings.

For more information:

http://engin.umich.edu/college/about/news/stories/2016/august/holes-found-in-report

https://www.washingtonpost.com/news/the-switch/wp/2016/09/01/a-new-hacker-money-making-strategy-betting-against-insecure-companies-on-wall-street/

http://www.startribune.com/so-far-st-jude-medical-weathering-cybersecurity-scrutiny/392212661/