bennyboy64 writes “An IT security company has discovered a serious exploit in Apache’s HTTP web server, which could allow a remote attacker to gain complete control of a database. ZDNet reports the vulnerability exists in Apache’s core mod_isapi module. By exploiting the module, an attacker could remotely gain system privileges that would compromise data security. Users of Apache 2.2.14 and earlier are advised to upgrade to Apache 2.2.15, which fixes the exploit.”
Source: Serious Apache Exploit Discovered
northernboy and many other readers sent news of the beheading of the Mariposa botnet with three arrests in Spain. “Defense Intelligence of Ottawa working with ISPs and Spanish authorities have taken down yet another > 12M PC botnet, called Mariposa. The three top-level operators are in custody, but remain anonymous under Spanish law (how quaint: apparently in Spain, the accused have some right to privacy). AP is claiming that the botnet included systems in roughly half of the Fortune 1000 companies, scattered over 190 countries. Interesting details: none of the three principals has a prior criminal record. Although apparently hardworking, they are not uber-hackers, but rather had connections to the Spanish mafia, which apparently helped to equip them. At the time of arrest, they were not showing signs of their significant new income level. From the article: ‘Chris Davis, CEO of Ottawa-based Defence Intelligence, said he noticed the infections when they appeared on networks of some of his firm’s clients, including pharmaceutical companies and banks. It wasn’t until several months later that he realized the infections were part of something much bigger. After seeing that some of the servers used to control computers in the botnet were located in Spain, Davis and researchers from the Georgia Tech Information Security Center joined with software firm Panda Security, which is headquartered in Bilbao, Spain. The investigators caught a few lucky breaks. For one, the suspects used Internet services that wound up cooperating with investigators. That isn’t always the case.’”
Source: Mariposa Botnet Beheaded
Ian Lamont writes “Microsoft has issued a security advisory warning users not to press the F1 key in Windows XP, owing to an unpatched bug in VBScript discovered by Polish researcher Maurycy Prodeus. The security advisory says that the vulnerability relates to the way VBScript interacts with Windows Help files when using Internet Explorer, and could be triggered by a user pressing the F1 key after visiting a malicious Web site using a specially crafted dialog box.”
Source: Microsoft Says, Don’t Press the F1 Key In XP
An anonymous reader writes “Even with all of the emphasis on writing software with security in mind, most software applications remain riddled with security holes, according to a new report released today about the actual security quality of all types of software. Close to 60 percent of the applications tested by application security company Veracode in the past year-and-a-half failed to achieve a successful rating in their first round of testing. And this data is based on software developers who took the time and effort to have their code tested — who knows about the others.”
Reader sgtrock pointed out another interesting snippet from the article: “‘The conventional wisdom is that open source is risky. But open source was no worse than commercial software upon first submission. That’s encouraging,’ Oberg says. And it was the quickest to remediate any flaws: ‘It took about 30 days to remediate open-source software, and much longer for commercial and internal projects,’ he says.”
Source: Over Half of Software Fails First Security Tests
February 24th, 2010
admin
Johnny Fusion writes “The writer of the Securi Security Blog had an alarming awakening when a honeypot on port 22 on a GoDaddy hosted VPS recorded login attempts using his GoDaddy username and password and even an attempt to login as root. It turns out the attempt was actually from within GoDaddy’s network. Before he could “alert” GoDaddy about the security breach, he got an email from GoDaddy demanding his root login credentials.
There is an update where GoDaddy explains itself and says they will change policy.”
Source: GoDaddy Wants Your Root Password
February 23rd, 2010
admin
thelamecamel writes “According to the New South Wales state government, the Sydney Morning Herald, a local newspaper, attacked the government’s ‘website firewall security’ for two days to research a recent story. The affected government minister said that the website was accessed 3,727 times, and that this is ‘akin to 3,727 attempts to pick the lock of a secure office and take highly confidential documents.’ The matter has been referred to the police, who are now investigating. But how did the paper ‘hack’ the website? They entered the unannounced URL. Security by obscurity at its finest.”
Source: Newspaper “Hacks Into” Aussie Gov’t Website By Guessing URL
February 22nd, 2010
admin
Trailrunner7 writes to tell us that US Cyber-Security Czar Howard Schmidt recently gave an interview where he discusses his career and what he sees as the priorities of the position. “Howard Schmidt has been involved in just about every aspect of the security industry during his career. After stints in the Air Force and at Microsoft, he served as a cyber-security adviser to George W. Bush. Now, after heading back to the private sector for several years, he’s been appointed to serve as President Obama’s security adviser.”
Source: An Interview With Cyber-Security Czar Howard Schmidt
February 21st, 2010
admin
tekgoblin writes “The Lower Merion School District of Pennsylvania was recently accused of privacy invasion. Now the school has released an official response to the allegations. According to the school, the security feature was installed in the laptops as an anti-theft device and was not intended to invade privacy. The software that was installed would take a photo of the person using the laptop after it was stolen to give to the authorities. Now this may be what it was intended for, but it seems that someone didn’t get the memo.”
The district’s claim that it “has not used the tracking feature or web cam for any other purpose or in any other manner whatsoever” doesn’t square with the allegations which set off this whole storm. And if there was nothing wrong with it, why does the school say it won’t start using the snooping feature again without “express written notification to all students and families”?
Source: PA School Defends Web-Cam Spying As Security Measure, Denies Misuse
February 19th, 2010
admin
In a screw-up so big it could only be brought to you by the government of a famous athlete, 243 guns were lost by Homeland Security agencies between 2006 and 2008. 179 guns were lost “because officers did not properly secure them,” an inspector general report said. One of the worst examples of carelessness cites a customs officer who left a firearm in an idling vehicle in the parking lot of a convenience store. The vehicle was stolen while the officer was inside. “A local law enforcement officer later recovered the firearm from a suspected gang member and drug smuggler,” the report said.
Source: Officers Lose 243 Homeland Security Guns