March 8, 2018
Smart traffic lights cause jams when fed spoofed data
by Lisa Vaas
We’ve got smart cars (that would be connected vehicles, or CVs, in smart-transportation lingo). We’ve got a US Department of Transportation (USDOT) pilot program that, since 2016, has been testing traffic lights that rely on data sent wirelessly from those cars.
If it all were to play nicely together, eventually, a smart car helped out by smart traffic lights could encounter a smooth sequence of green lights, driving through intersections without getting stuck in traffic jams or wasting fuel as drivers idle, waiting for the light to change.
But no, we can’t have nice things like smooth, smart, algorithmically timed sailing through intersections – at least, not with the current state of traffic technology. A team of five researchers from the University of Michigan has found that the DOT’s I-SIG (Intelligent Traffic Signal System) is way too easy to spoof with bad data.
In fact, the researchers said in a paper recently published by the Internet Society that the current signal control algorithm has been designed and implemented to be “highly vulnerable” to data spoofing attacks from even one, single, solitary attack vehicle.
By constructing practical exploits and evaluating them in real-world intersection settings, the researchers found that data-spoofing attacks can even cause a blocking effect to jam an entire approach to an intersection.
I-SIG, the CV-based traffic control system they were attacking, was developed in the DOT’s Dynamic Mobility Applications (DMA) research program and takes in real-time vehicle trajectory data to best control traffic lights.
I-SIG has been tested in real intersections in Anthem, Arizona and Palo Alto, California, where it’s managed to cut vehicle delays by 26.6%. Well, kiss those time savings goodbye: the research team’s spoofed-data attack was so severe, they found that 22% of vehicles would need to spend over seven minutes for what would normally be a half-minute trip – a jam-up that makes the trip 14 times longer.
In other words, the vulnerabilities in I-SIG can be exploited to completely erase any benefit it attains, by slowing down traffic to make it 23.4% worse than if no such system had been adopted in the first place.
Read more at https://nakedsecurity.sophos.com/2018/03/08/smart-traffic-lights-cause-jams-when-fed-spoofed-data/
Spyware maker shuts down surveillance services after hacks
by Lisa Vaas
Here’s one of the many problems with spyware: if hackers decide to gang up on the company behind it, both the spyware users and their targets are vulnerable to having their personal data – private photos, messages, GPS locations and more – compromised.
That includes the data of whomever users are legally surveilling – children or employees – or illegally surveilling, including ex-lovers, victims of domestic abuse or stalking victims.
That’s what happened with Retina-X Studios, the company behind PhoneSheriff, TeenShield, SniperSpy and Mobile Spy. It’s been repeatedly hacked, first in April 2017 and again last month.
Retina-X has had it with the hacking. On Monday, it threw in the towel on all of the aforementioned tools. The company put an announcement at the top of its site saying that while no personal data was accessed during the year of attacks, some “photographic material” of TeenShield and PhoneSheriff customers had been exposed.
That’s it, the company said, we’re out of here:
As a result, [of the hacks], and to protect our valued customers, Retina-X Studios is immediately and indefinitely halting its PhoneSheriff, TeenShield, SniperSpy and Mobile Spy products.
The company’s going to offer pro-rated refunds to customers with a current contract for the services. Emails with instructions on how to get the refund and how to get at data during the shutdown are on the way to customers.
Read more at https://nakedsecurity.sophos.com/2018/03/08/spyware-maker-shuts-down-surveillance-services-after-hacks/
How women are helping to fight cybercrime
by Charlotte Williams
Today is International Women’s Day. And, in celebration of just some of the women working to fight cybercrime, we asked a number of professionals at Sophos about their roles in cybersecurity and what this day means to them.
1. A new problem to solve
Software Engineer, Daphne Allamenou
I work on the Virtualization team which is responsible for the development and testing of our Sophos for Virtual Environments product. While that may sound like a repetitive cycle, each piece of work is a new problem to solve which challenges me in different ways. The love for my job comes from the satisfaction I get when I overcome these tasks, particularly the more difficult ones.
International Women’s Day for me is about recognizing the merits of women, past and present, and emphasizing them as role models for younger and future generations. With this exposure, young girls may be inspired enough to venture down paths they would perhaps not have considered.
This day may not be enough to solve the gender balance problem we are facing in the tech sector but I think celebrating and highlighting the strength and ability of women in all areas is a step in the right direction for forging a better world where gender does not define your place or treatment in the world.
2. Technical decisions and strategies
Senior Development Manager, Chloe Acebes
I run a team of 13 software developers and quality assurance engineers to deliver security software for Windows Servers. There are three main aspects to my job: making technical decisions and strategizing about the products that the team owns, developing the people in the team, and managing the team projects. Each one of these is challenging and rewarding in its own way, and finding a balance between the three can be particularly difficult – there is no point ensuring we deliver a new project on time if the new feature doesn’t work as expected and the team are unhappy!
I joined Sophos directly from university and decided that a career in cybersecurity was for me when I interviewed for a graduate engineer role. The overriding message I took from that day was how working in cybersecurity allows you to help people. That feeling hasn’t changed in the 16 years I’ve been working at Sophos. I still get a great sense of satisfaction from doing a job that gives me interesting technical challenges whilst delivering software that genuinely benefits people.
For me, International Women’s Day is a great opportunity to try to encourage more females into STEM career paths. I am definitely in the minority in terms of male/female balance in the Engineering team, and in cybersecurity, or even software development, in general. However, this is a great industry to get into – there are loads of opportunities for anyone who likes solving problems. Gone are the days of coders sitting in a corner bashing away at their keyboards and speaking to no one. Being a software engineer nowadays requires a good analytical mind, plenty of collaboration and a thirst to continually learn new things.
Read more at https://nakedsecurity.sophos.com/2018/03/08/how-women-are-helping-to-fight-cybercrime/
Patch now! Half a million Exim mail servers need an urgent update
by John E Dunn
About half a million email systems running the hugely popular Exim Mail Transfer Agent (MTA) have yet to be patched for a potentially dangerous security flaw made public earlier this week.
Disclosed to the software’s maintainers in early February by Meh Chang, from security firm Devcore Security Consulting, the Exim vulnerability is a one-byte buffer overflow in the software’s Base64 decoding.
Notes Chang:
Base64 decoding is such a fundamental function and therefore this bug can be triggered easily, causing remote code execution.
The researcher’s proof-of-concept exploit targeted this through the preamble to the SMTP daemon’s authentication process, before any emails are sent or received.
Generally, this bug is harmless because the memory overwritten is usually unused. However, this byte overwrites some critical data when the string fits some specific length.
This prompted Exim’s developers to respond:
Currently we’re unsure about the severity, we *believe* an exploit is difficult. A mitigation isn’t known.
By which they mean that defending against the flaw requires an update rather than a configuration tweak. The flaw is referenced as CVE-2018-6789, and the updated version, 4.90.1, was first made available on 10 February.
The main takeaway is that this flaw affects all Exim versions going back to its first appearance in 1995 as a University of Cambridge Computing Service project to build a sophisticated alternative to the older Sendmail.
Read more at https://nakedsecurity.sophos.com/2018/03/07/patch-now-half-a-million-exim-mail-servers-need-an-urgent-update/
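To make the Exim item concrete: the sketch below is an added example, not Exim's code or the researcher's proof of concept. It shows how a Base64 decoder can end up exactly one byte short only at "some specific length", and how a per-write bounds check plus rounded-up sizing closes the gap. The sizing formulas, function names and sample string are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed risky sizing: counts only whole 4-character groups. */
size_t naive_capacity(size_t len) { return 3 * (len / 4) + 1; }

/* Hardened sizing: rounds a partial trailing group up to a full one. */
size_t safe_capacity(size_t len) { return 3 * ((len + 3) / 4) + 1; }

/* Map one Base64 character to its 6-bit value, or -1 if outside the alphabet. */
static int b64_value(char c) {
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *p = (c != '\0') ? strchr(tbl, c) : NULL;
    return p ? (int)(p - tbl) : -1;
}

/* Lenient decoder: accepts an unpadded tail, stops at '=' or a bad character.
 * Every write is bounds-checked; returns bytes written, or -1 if cap is too small. */
long b64_decode_bounded(const char *in, unsigned char *out, size_t cap) {
    unsigned int acc = 0;
    int bits = 0;
    size_t n = 0;
    for (; *in; in++) {
        int v = b64_value(*in);
        if (v < 0) break;
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= cap) return -1;  /* refuse instead of writing past the end */
            out[n++] = (unsigned char)((acc >> bits) & 0xFF);
        }
    }
    return (long)n;
}

/* Constructed sample: 7 characters (length 4n+3, padding omitted) -> "ABCDE". */
const char SAMPLE[] = "QUJDREU";

int main(void) {
    unsigned char buf[8];
    size_t len = strlen(SAMPLE);
    printf("naive cap %zu -> %ld\n", naive_capacity(len),
           b64_decode_bounded(SAMPLE, buf, naive_capacity(len)));
    printf("safe cap %zu -> %ld\n", safe_capacity(len),
           b64_decode_bounded(SAMPLE, buf, safe_capacity(len)));
    return 0;
}
```

With inputs of length 4n, 4n+1 or 4n+2 the two sizings both suffice, which is why a flaw of this shape can go unnoticed for a long time.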