Seguridad y Privacidad en Carpetas Personales de Salud para Android e iOS

For my PhD I write scientific articles that are submitted to scientific journals or conferences. The objective is to get them accepted and published. Currently we have 3 papers accepted. One of them has recently been published, the only article written in Spanish. The journal is Iberian Journal of Information and Technologies.

The RISTI (Iberian Journal of Information Systems and Technologies) is a peer-reviewed scientific journal, published by Academy Publisher in association with AISTI (Iberian Association of Systems and Information Technology), which focuses the research and the innovative practical application in the field of information systems and technologies. It is a biannual journal that publishes original and innovative articles accepted in an evaluation process by, at least, three members of the Scientific Council.

The journal is published in electronic and print version. The electronic version is free access and here is the reference (APA style) and the link to my article:

Zapata, B., Niñirola, A., Fernández-Alemán, J., & Toval, A. (2014). Seguridad y Privacidad en Carpetas Personales de Salud para Android e iOS. Iberian Journal Of Information Systems And Technologies, 0(13), 35-50. doi:10.4304/risti.13.35-50

RISTI nº 13

The abstract of the article:

Durante los últimos años, el uso de dispositivos móviles como teléfonos inteligentes y tabletas ha suscitado gran interés entre los proveedores de servicios de salud en el mundo de la mSalud. Las Carpetas Personales de Salud (en inglés Personal Health Record o PHR) móviles proporcionan numerosas ventajas y aunque hay estudios que indican que los pacientes están dispuestos a utilizarlos, los índices de uso son aún bajos. La seguridad y la privacidad han sido identificadas como una importante barrera para lograr su amplia adopción. Haciendo uso de un método adaptado de la revisión sistemática de literatura se identificaron 24 PHRs móviles para Android e iOS. La seguridad y privacidad de estos PHRs móviles fueron evaluadas usando un cuestionario de 12 preguntas. Nuestra investigación muestra que los desarrolladores de PHRs móviles han de mejorar sustancialmente sus políticas de privacidad.

 

Read More

Vulnerability, exposure, threat and risk terms

A threat is a potential cause of an unwanted impact to a system or organization (ISO 13335-1). Threats fall into two categories: vulnerabilities and exposures.

A vulnerability, according to MITRE’s CVE Terminology, is a mistake in software that can be used by a hacker to gain access to a system. A vulnerability:

  • Allows an attacker to execute commands as another user.
  • Allows an attacker to access data that is contrary to the specified access restrictions for that data.
  • Allows an attacker to pose as another entity.
  • Allows an attacker to conduct a denial of service

An exposure is defined by MITRE’s CVE Terminology as a system configuration issue or a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping-stone into a system or network. An exposure:

  • Allows an attacker to conduct information gathering activities.
  • Allows an attacker to hide activities.
  • Includes a capability that behaves as expected, but can be easily compromised.
  • Is a primary point of entry that an attacker may attempt to use to gain access to the system or data.
  • Is considered a problem according to some reasonable security policy.

A risk according to the ISO 31000 definition is the effect of uncertainty upon objectives where an effect is a deviation from the expected, positive or negative. ISO 31000 notes that risk can be regarded in terms of:

  • Likelihood of an event occurring.
  • Impact of the event if it occurs.

Read More

Introduction to software vulnerabilites

According to MITRE’s CVE Terminology, a vulnerability is a mistake in software that can be directly used by a hacker to gain access to a system or network, a state in a computing system which either:

  • Allows an attacker to execute commands as another user.
  • Allows an attacker to access data that is contrary to the specified access restrictions for that data.
  • Allows an attacker to pose as another entity.
  • Allows an attacker to conduct a denial of service.

Life cycle

The vulnerability life cycle consists of four events:

  • Discovery date. Somebody discovers that the vulnerability exists.
  • Disclosure date. A trusted security organization or the vulnerable software producer discloses the vulnerability existence.
  • Exploit date. Somebody creates an attack which exploits the vulnerability.
  • Patch date. Vulnerable software producer provides a solution or patch to protect the system.

It is not necessary that these four events occur in the vulnerability life cycle. A vulnerability can be exploited with no previous disclosure or can be patched with no previous exploit.

Vulnerability databases

Several databases store relevant data about vulnerabilities. Some examples are:

Read More