New Hacking Threat Could Impact Traffic Systems

Motorists drive by traffic lights every day and trust they will work. But NBC 5 Investigates found that as more cities turn to wireless traffic systems, some of those systems are unprotected and open to a cyber-attack.

“We implicitly trust these devices,” said Branden Ghena, a University of Michigan PhD student who studies how easy it is to manipulate electronics. “We drive through the intersection knowing that red means we should stop and green means we should go and there’s not going to be any trouble. The light will work as intended.”

“We could actually make the lights all red,” said Ghena. “We could change the light to be green in our direction. These are clearly not the intended behavior of these systems.”

Ghena and a research team at the University of Michigan discovered that with a basic laptop and a wireless radio it could hack into the software system of a company called Econolite. The research team worked with a road crew to make this happen. And In their experiment, Ghena says they were able to manipulate more than 1,000 traffic lights in one town alone – turning red lights green, and green lights red.

“It was surprisingly easy,” said Ghena.

The reason is simple.

“It doesn’t have passwords on it or encryption on the wireless communications,” said Ghena. “They’re basic things, but they’re not enabled by default because the vendor wasn’t thinking about that and assumed the road agency would do something. And the road agency assumed they were good enough the way they came.”

NBC5 Investigates discovered similar vulnerabilities with another company called Sensys Networks, which controls wireless traffic systems in major hubs including Washington DC, Los Angeles, New York City, San Francisco and Chicago.

Just two months ago the U.S. Department of Homeland Security issued this advisory, warning of these “vulnerabilities” after learning about the research of Argentinian security expert Cesar Cerrudo. Cerrudo used a cheap drone flying hundreds of feet above to show how he could hack into Sensys’s traffic signals below.

“The problem is that it’s not protected information,” said Cesar Cerrudo, Chief Technology Officer for IOActive Labs. “I just programmed it to send fake data to the traffic control system so I can make them do things they are not supposed to do.”

Here’s how a traffic control system works: There are sensors buried in the road that detect cars. That information is then sent to the access point which is connected to the traffic control system and controls the lights. And all of this is done wirelessly.

These Sensys Networks systems are used in 10 countries, 45 states, and throughout Illinois.

“(Cerrudo) did identify an area where we had not encrypted the data stream,” said a Sensys Networks spokesman, during a phone conversation with NBC 5 Investigates. He also explained that the company recently issued a software fix, but that it is up to each city, whether to use the fix - and that some cities across the us could still be vulnerable.

NBC 5 Investigates had a lengthy phone conversation with the spokesman from Sensys Networks. We offered the company the opportunity to answer our questions in an on-camera interview. It declined and instead provided us with this two-page statement.

A spokesman from the Chicago Department of Transportation tells us of the 3,100 intersections in Chicago, only 12 of them utilize Sensys Networks wireless technology. But he could not say whether the city has upgraded the software to make Chicago’s traffic lights more secure.

“They are as vulnerable as any cellphone system,” said Transportation Engineer Erick Rivera, who has worked with both Sensys Networks and Econolite traffic systems

Without passwords or encryption, these systems are only as secure as your basic cell phone.

“If the person is able to hack into one intersection, it could mess up an entire corridor,” said Rivera.

Security researchers say simply using passwords and encrypting the systems could prevent future attacks.

“The real attacks here are where you clog up congestion in a city so you can turn all the lights to red and people will be stuck in traffic jams for hours,” said Ghena.

Facebook Now Accessible Via Tor Network Using Official .Onion Address

If you are fan of the largest social networking site Facebook, but also want to remain anonymous while using your Facebook account, then there is really a Good news for you.

Facebook on Friday began offering a way for security and Privacy conscious users to connect to its social networking service using the anonymizing service running on the Tor network, by launching a .onion address. This is really a historic move of the social network.

Tor Browser is an open source project, launched in 2002, designed to increase the anonymity of your activities on the Internet by not sharing your identifying information such as your IP address and physical location with websites and your service providers. Browsing and data exchange over a network is made through encrypted connections between computers.

The social network just created a special URL – https://facebookcorewwwi.onion – that will allow users running Tor-enabled browsers to connect Facebook’s Core WWW Infrastructure. Hidden services accessed through the Tor network allow both the Web user and website to remain anonymous. Do note that the Tor link will only work on Tor-enabled browsers.

"Facebook’s onion address provides a way to access Facebook through Tor without losing the cryptographic protections provided by the Tor cloud," Alec Muffett, a software engineer with Facebook’s security infrastructure group, said in a blog post. "It provides end-to-end communication, from your browser directly into a Facebook datacenter."

Facebook has previously been criticised by Tor users as the company’s security features treated Tor as a botnet — a collection of computers designed to attack the site. Users were able to access their Facebook account before today, but it often loaded irregularly with incorrectly displayed fonts and sometimes didn't load at all.

Back in 2013, the social network assured Tor users that the company would work with Tor service on a possible solution. Now, after a year, we can see a great move from Facebook’s side with the launch of a dedicated Tor access address. However, the company said that the Tor network may poses some risks as the .onion address is described as an "experiment" by the social network.

"Tor challenges some assumptions of Facebook's security mechanisms – for example its design means that from the perspective of our systems a person who appears to be connecting from Australia at one moment may the next appear to be in Sweden or Canada," Alec Muffett said.

"In other contexts such behaviour might suggest that a hacked account is being accessed through a "botnet", but for Tor this is normal. Considerations like these have not always been reflected in Facebook’s security infrastructure, which has sometimes led to unnecessary hurdles for people who connect to Facebook using Tor."

Furthermore, the company also offers encryption using SSL over Tor with a certificate that cites the unique Tor address, so that users won’t have to deal with SSL certificate warnings and can therefore be assured they are connecting to a secure and real Facebook, preventing users from being redirected to fake sites.

Runa Sandvik, a security researcher who was consulted by Facebook on the project and previously worked at the Tor Project, tweeted, "The launch of the Facebook Tor hidden service also marks the first time a CA has issued a legitimate SSL cert for a .onion address."

Millions of websites hit by Drupal hack attack

 

 

 

Up to 12 million websites may have been compromised by attackers who took advantage of a bug in the widely used Drupal software.

The sites use Drupal to manage web content and images, text and video.
Drupal has issued a security warning saying users who did not apply a patch for a recently discovered bug should "assume" they have been hacked.

It said automated attacks took advantage of the bug and can let attackers take control of a site.

'Shocking' statement
 
In its "highly critical" announcement, Drupal's security team said anyone who did not take action within seven hours of the bug being discovered on 15 October should "should proceed under the assumption" that their site was compromised.

Anyone who had not yet updated should do so immediately, it warned.
However, the team added, simply applying this update might not remove any back doors that attackers have managed to insert after they got access. Sites should begin investigations to see if attackers had got away with data, said the warning.

"Attackers may have copied all data out of your site and could use it maliciously," said the notice. "There may be no trace of the attack." It also provided a link to advice that would help sites recover from being compromised.
Mark Stockley, an analyst at security firm Sophos, said the warning was "shocking".

The bug in version 7 of the Drupal software put attackers in a privileged position, he wrote. Their access could be used to take control of a server or seed a site with malware to trap visitors, he said.

He estimated that up to 5.1% of the billion or so sites on the web use Drupal 7 to manage their content, meaning the number of sites needing patching could be as high as 12 million.

Drupal should no longer rely on users to apply patches, said Mr Stockley.
"Many site owners will never have received the announcement and many that did will have been asleep," he said. "What Drupal badly needs but doesn't have is an automatic updater that rolls out security updates by default."