New Hacking Threat Could Impact Traffic Systems

Motorists drive by traffic lights every day and trust they will work. But NBC 5 Investigates found that as more cities turn to wireless traffic systems, some of those systems are unprotected and open to a cyber-attack.

“We implicitly trust these devices,” said Branden Ghena, a University of Michigan PhD student who studies how easy it is to manipulate electronics. “We drive through the intersection knowing that red means we should stop and green means we should go and there’s not going to be any trouble. The light will work as intended.”

“We could actually make the lights all red,” said Ghena. “We could change the light to be green in our direction. These are clearly not the intended behavior of these systems.”

Ghena and a research team at the University of Michigan discovered that with a basic laptop and a wireless radio it could hack into the software system of a company called Econolite. The research team worked with a road crew to make this happen. And In their experiment, Ghena says they were able to manipulate more than 1,000 traffic lights in one town alone – turning red lights green, and green lights red.

“It was surprisingly easy,” said Ghena.

The reason is simple.

“It doesn’t have passwords on it or encryption on the wireless communications,” said Ghena. “They’re basic things, but they’re not enabled by default because the vendor wasn’t thinking about that and assumed the road agency would do something. And the road agency assumed they were good enough the way they came.”

NBC5 Investigates discovered similar vulnerabilities with another company called Sensys Networks, which controls wireless traffic systems in major hubs including Washington DC, Los Angeles, New York City, San Francisco and Chicago.

Just two months ago the U.S. Department of Homeland Security issued this advisory, warning of these “vulnerabilities” after learning about the research of Argentinian security expert Cesar Cerrudo. Cerrudo used a cheap drone flying hundreds of feet above to show how he could hack into Sensys’s traffic signals below.

“The problem is that it’s not protected information,” said Cesar Cerrudo, Chief Technology Officer for IOActive Labs. “I just programmed it to send fake data to the traffic control system so I can make them do things they are not supposed to do.”

Here’s how a traffic control system works: There are sensors buried in the road that detect cars. That information is then sent to the access point which is connected to the traffic control system and controls the lights. And all of this is done wirelessly.

These Sensys Networks systems are used in 10 countries, 45 states, and throughout Illinois.

“(Cerrudo) did identify an area where we had not encrypted the data stream,” said a Sensys Networks spokesman, during a phone conversation with NBC 5 Investigates. He also explained that the company recently issued a software fix, but that it is up to each city, whether to use the fix - and that some cities across the us could still be vulnerable.

NBC 5 Investigates had a lengthy phone conversation with the spokesman from Sensys Networks. We offered the company the opportunity to answer our questions in an on-camera interview. It declined and instead provided us with this two-page statement.

A spokesman from the Chicago Department of Transportation tells us of the 3,100 intersections in Chicago, only 12 of them utilize Sensys Networks wireless technology. But he could not say whether the city has upgraded the software to make Chicago’s traffic lights more secure.

“They are as vulnerable as any cellphone system,” said Transportation Engineer Erick Rivera, who has worked with both Sensys Networks and Econolite traffic systems

Without passwords or encryption, these systems are only as secure as your basic cell phone.

“If the person is able to hack into one intersection, it could mess up an entire corridor,” said Rivera.

Security researchers say simply using passwords and encrypting the systems could prevent future attacks.

“The real attacks here are where you clog up congestion in a city so you can turn all the lights to red and people will be stuck in traffic jams for hours,” said Ghena.

Facebook Now Accessible Via Tor Network Using Official .Onion Address

If you are fan of the largest social networking site Facebook, but also want to remain anonymous while using your Facebook account, then there is really a Good news for you.

Facebook on Friday began offering a way for security and Privacy conscious users to connect to its social networking service using the anonymizing service running on the Tor network, by launching a .onion address. This is really a historic move of the social network.

Tor Browser is an open source project, launched in 2002, designed to increase the anonymity of your activities on the Internet by not sharing your identifying information such as your IP address and physical location with websites and your service providers. Browsing and data exchange over a network is made through encrypted connections between computers.

The social network just created a special URL – https://facebookcorewwwi.onion – that will allow users running Tor-enabled browsers to connect Facebook’s Core WWW Infrastructure. Hidden services accessed through the Tor network allow both the Web user and website to remain anonymous. Do note that the Tor link will only work on Tor-enabled browsers.

"Facebook’s onion address provides a way to access Facebook through Tor without losing the cryptographic protections provided by the Tor cloud," Alec Muffett, a software engineer with Facebook’s security infrastructure group, said in a blog post. "It provides end-to-end communication, from your browser directly into a Facebook datacenter."

Facebook has previously been criticised by Tor users as the company’s security features treated Tor as a botnet — a collection of computers designed to attack the site. Users were able to access their Facebook account before today, but it often loaded irregularly with incorrectly displayed fonts and sometimes didn't load at all.

Back in 2013, the social network assured Tor users that the company would work with Tor service on a possible solution. Now, after a year, we can see a great move from Facebook’s side with the launch of a dedicated Tor access address. However, the company said that the Tor network may poses some risks as the .onion address is described as an "experiment" by the social network.

"Tor challenges some assumptions of Facebook's security mechanisms – for example its design means that from the perspective of our systems a person who appears to be connecting from Australia at one moment may the next appear to be in Sweden or Canada," Alec Muffett said.

"In other contexts such behaviour might suggest that a hacked account is being accessed through a "botnet", but for Tor this is normal. Considerations like these have not always been reflected in Facebook’s security infrastructure, which has sometimes led to unnecessary hurdles for people who connect to Facebook using Tor."

Furthermore, the company also offers encryption using SSL over Tor with a certificate that cites the unique Tor address, so that users won’t have to deal with SSL certificate warnings and can therefore be assured they are connecting to a secure and real Facebook, preventing users from being redirected to fake sites.

Runa Sandvik, a security researcher who was consulted by Facebook on the project and previously worked at the Tor Project, tweeted, "The launch of the Facebook Tor hidden service also marks the first time a CA has issued a legitimate SSL cert for a .onion address."

Millions of websites hit by Drupal hack attack

 

 

 

Up to 12 million websites may have been compromised by attackers who took advantage of a bug in the widely used Drupal software.

The sites use Drupal to manage web content and images, text and video.
Drupal has issued a security warning saying users who did not apply a patch for a recently discovered bug should "assume" they have been hacked.

It said automated attacks took advantage of the bug and can let attackers take control of a site.

'Shocking' statement
 
In its "highly critical" announcement, Drupal's security team said anyone who did not take action within seven hours of the bug being discovered on 15 October should "should proceed under the assumption" that their site was compromised.

Anyone who had not yet updated should do so immediately, it warned.
However, the team added, simply applying this update might not remove any back doors that attackers have managed to insert after they got access. Sites should begin investigations to see if attackers had got away with data, said the warning.

"Attackers may have copied all data out of your site and could use it maliciously," said the notice. "There may be no trace of the attack." It also provided a link to advice that would help sites recover from being compromised.
Mark Stockley, an analyst at security firm Sophos, said the warning was "shocking".

The bug in version 7 of the Drupal software put attackers in a privileged position, he wrote. Their access could be used to take control of a server or seed a site with malware to trap visitors, he said.

He estimated that up to 5.1% of the billion or so sites on the web use Drupal 7 to manage their content, meaning the number of sites needing patching could be as high as 12 million.

Drupal should no longer rely on users to apply patches, said Mr Stockley.
"Many site owners will never have received the announcement and many that did will have been asleep," he said. "What Drupal badly needs but doesn't have is an automatic updater that rolls out security updates by default."

Aaron Swartz, internet hero, hounded to death by powers that be

Aaron Swartz was a young internet prodigy facing computer fraud charges when he took his own life. Source: ABC

TV editor Lyndall Crisp selects The Internet’s Own Boy as her pick of the week on free-to-air television.

The Internet’s Own Boy
Sunday, 8.30pm, ABC2
Aaron Swartz was a precocious child with extraordinary learning abilities. As a teenager he was a computer programming prodigy and as an adult he was a political activist hellbent on making the world a better place. Described as “the brightest light on the internet … an astonishing intellect”, he was — like his hero Tim Berners-Lee who invented the world wide web and gave it away for nothing — not interested in money. We’ll never know what he might have achieved because last year, aged 26, he committed suicide in his Brooklyn apartment. Using family home movies, clips from old interviews and conversations with the people closest to him, this fascinating documentary profiles the young genius. Swartz was facing 13 charges of wire fraud, computer fraud and unauthorised access to a computer according to antiquated legislation that carried a 35-year prison term. He devised a brilliant system that allowed him to access general information and make it commonly available. The company he targeted didn’t want to pursue the charges, but the US government insisted the case go on as a deterrent to others. There were also political reputations at stake. Swartz’s lawyer was sure he could win the case, but fear of what might lie ahead terrified Swartz. An outpouring of grief and anger flooded the internet following his death. A tragic story well told.
ALSO RECOMMENDED
Gardening Australia
Saturday, 6.30pm, ABC
It’s that gorgeous time of year when all those plants you thought were dead turn out to have been sleeping. A spot of warmer weather and they burst into bud. A trip to the nursery and a ramble through open gardens are among the many joys of spring. For 25 years this show has been sharing advice on how to make it all happen in your garden, and tonight, to celebrate the milestone, the first of four specials on the building blocks of gardening looks at healthy soil. Sophie Thomson visits a cherry orchard in South Australia where an experiment using bees to deliver antifungal spore is proving a success.
The Graham Norton Show
Sunday, 9.30pm, Ten
It’s fair to mention this show again because I haven’t for a while (at least two weeks). It’s so jolly good. A laugh a minute. In this episode Norton’s guests include Hugh Grant, Emma Thompson, Luke Evans and Lenny Kravitz. Grant tells the story of his first audition in Hollywood in front of a famous director who projectile-vomited halfway through the first page of the script. And Thompson tells how she made two co-stars in Mr Banks laugh by taking off her bra and putting two Mickey Mouse stickers on her nipples. Love her!
Gough Whitlam — In His Own Words
Sunday, 8.30pm, SBS One
Much has been written and said about this giant of Australian politics since he died, aged 98, in Sydney on October 21. Most of it was good, but many people still harbour doubts, even bitterness, about the former Labor prime minister’s legacy. No one, surely, can deny that in so many ways he was a shining light on a sea of mediocrity. This documentary, commissioned by SBS, was filmed 12 years ago. It was the last television interview Gough Whitlam did. In it, he talks about his remarkable 50 years in public life. It charts his earliest days in parliament, his rise as deputy leader, then leader, of the ALP and finally his success in ending 23 years of Liberal government. A chance to hear it from him.
Michael Mosley: Should I Eat Meat?
Monday, 7.30pm, SBS One
As the BBC’s medical correspondent, Michael Mosley has put himself through some of the weirdest tests to get the facts for a good story. Here he ups his daily intake of red meat to 130g to see what impact it will or won’t have on his health. As the man behind the phenomenally successful (commercially) 5:2 diet, Mosley knows all about sensible eating. But he has always wondered about how much red meat is too much. Apart from the ethical argument that we should all be vegetarians, there’s at least one good reason we should stand back from the barbie: cardiovascular disease is the biggest killer in the Western world. Yet, despite speaking to experts in Britain and US, Mosley doesn’t find the answer. I say pass the lamb chops and don’t think too much about it.
Salamander
Monday, 11pm, SBS One
Sorry to see this fine Belgian drama moved to such an ungodly hour on a school night, but thank heavens for the record button. Paul Gerardi (Filip Peeters) is a detective with Brussels police suspended for insisting on pursuing a private-bank robbery. The embarrassing contents of 66 safety deposit boxes were stolen but the robbery was not reported because they belonged to VIPs who have a lot to lose. Although his wife and daughter have been threatened and he’s a wanted man, Gerardi refuses to back off after three people connected to the robbery are murdered. Here, in the fourth of 12 episodes, the mastermind behind the robbery is revealed to be millionaire Gil Wolfs (Vic de Wachter), who wants each of the 66 owners — who belong to a secret group called Salamander — eliminated.
The Melbourne Cup Carnival
Tuesday, 10am, Seven
It’s that time of year again. Although Melbourne Cup Day has become something of a social event, serious horse people say the $3 million Cox Plate is the more important race. That aside, the first Tuesday in November has gained traction as the event, particularly among fashionistas who wouldn’t know one end of a horse from another. But hey, it’s fun to dress up and knock back a few champers. And it’s not just locals watching the 24 thoroughbreds compete; it’s estimated that about 650 million people across the world tune in at 3pm. The $6 million prize money may have something to do with that; the past four winners — Fiorente (Irish), Green Moon (Irish), Dunaden (French) and Americain (American) — were imports. The whole day is covered live.
At the Movies
Tuesday, 9.30pm, ABC
When David Stratton, 75, and Margaret Pomeranz, 70, call it quits next month after 28 years sharing their thoughts on the latest films, they will leave big shoes to fill. Incisive, quirky, knowledgeable — what they have to say is worth hearing, especially when they disagree. Here they review five films: John Wick starring Keanu Reeves; Interstellar starring Matthew McConaughey (True Detective); Two Days, One Night starring Marion Cotillard; My Mistress with Emmanuelle Beart; and Rise with Jessica Green.
Madam Secretary
Thursday, 8.30pm, Ten
College professor and former CIA analyst Elizabeth McCord (Tea Leoni) hesitated when President Conrad Dalton (Keith Carradine) wanted to appoint her secretary of state after the incumbent was killed in a suspicious plane crash. But once behind the desk she established herself as a tough negotiator and no-nonsense leader. In five episodes so far, she has helped two American teenagers facing execution in Syria, brokered a peace treaty between China and Japan, and managed sensitive negotiations with Iran over its nuclear program. Here in The Call, McCord asks the president to help with a tricky situation in West Africa.
Classical Destinations — Salzburg
Friday, 6pm, SBS One
Remember Aled Jones, the young Welsh boy with a voice like an angel until it broke? His rendition of Walking In the Air was goose-bump material. By the time he was 16 he’d sold six million albums and sung for pope John Paul II and the Queen (presumably not at the same time). He then took up acting, appearing in theatre and on radio and television. In this gorgeous series combining fabulous scenery and music, Jones, now 43, visits the cities that influenced the great composers, beginning with Salzburg, home of Mozart.
Better Homes and Gardens
Friday, 7pm, Seven
No matter how realistic your renovation budget it will always end up costing you more. In Small Budget, Big Makeover, Rob Palmer and the team show how to stretch the dollar. I love this show: it’s full of interesting stuff told in short, sharp takes. A fish recipe, Versailles’ gardens and a new hi-tech dog tag ... something for everyone.

xss vulnrability in wordpress

Hey guys i wanted to share with u a vulnerability in a WordPress plugin i found.

# WordPress WP-Password Plugin XSS Vulnerability

###########################

[+] Exploit Title: WordPress WP-Password Plugin XSS Vulnerability
[+] Find: 2014
[+] Category: WebApp
[+] Google Dork: inurl:"/wp-content/plugins/wp-password/login.php"
[+] Tested On: Windows - Linux
[+] Site:

###########################################
###########################################

# Type: XSS Vulnerability

# Exploit: http://Site.com/{Path}/wp-content/plugins/wp-password/login.php?err={Your Text}

# Explaination: Copy The Dork In Google - Open A Site - Delete All Texts After login.php

Copy This Code At The End Of The Url: ?err={Your Text} - And End

###########################################
###########################################
Greets to: to alll hacker and newbi and lammer ;p
###########################################
###########################################

this exploit works exceptionally well.
if any of you have any ideas to add to this or want to share your own exploits please drop them down in the comments. would love to hear back from you guys.