OWASP Website Running Outdated and Insecure Version of MediaWiki

The Open Web Application Security Project (OWASP) promotes itself as being “focused on improving the security of software”, but unfortunately they don’t even bother to keep the software running their website up to date. If you visit their website with our Meta Generator Version Check extension installed in your web browser (available for Chrome and Firefox) you will see that they are running an outdated version of MediaWiki:

OWASP Website is Running MediaWiki 1.18.0

OWASP has failed to update their MediaWiki installation for over a year, the next version, 1.18.1, was released in January of 2012. They failed to apply any of the five security updates that were released for version 1.18.x. Support for version 1.18.x of MediaWiki ended back in November, so they also should have moved to a supported version some time ago.

Keeping software up to date is one the basic steps and easier steps to keep software running a website secure. The fact that a project dedicated to security is failing to do that highlights how bad the state of security is and raises the questions if the security community is in fact actually interested in security.

Former Hostgator employee arrested, charged with rooting 2,700 servers

Aurich Lawson

A former employee of Hostgator has been arrested and charged with installing a backdoor that gave him almost unfettered control over more than 2,700 servers belonging to the widely used Web hosting provider.

Eric Gunnar Gisse, 29, of San Antonio, Texas, was charged with felony breach of computer security by the district attorney's office of Harris County in Texas, according to court documents. He worked as a medium-level administrator from September 2011 until he was terminated on February 15, 2012, according to prosecutors and a company executive. A day after his dismissal, Hostgator officials discovered a backdoor application that allowed Gisse to log in to servers from remote locations, including a computer located at the Hetzner Data Center in Nuremberg, Germany. He took pains to disguise his malware as a widely used Unix administration tool to prevent his superiors from discovering the backdoor process, prosecutors said.

"The process was named 'pcre', a common system file, in order to disguise the true purpose of the process which would grant an attacker unauthorized access into Hostgator's computer network," a Houston Police Department investigator and the document's "affiant," Gordon M. Garrett, wrote in an affidavit. "Complainant told affiant he searched Hostgator's computer network and found the unauthorized 'pcre' process installed on 2723 different Hostgator servers within the computer network."

Read 7 remaining paragraphs | Comments

Apple remembers where you wanted to get drunk for up to 2 years

Apple probably still has this query of mine from 2011 saved somewhere in the cloud.

Remember that time when you asked Siri about the nearest place to find hookers? Or perhaps the time you wanted to know where to find the best burritos at 3am? Whatever you've been asking Siri since its launch in late 2011 is likely still on record with Apple, as revealed by a report by our friends at Wired on Friday. Apple spokesperson Trudy Muller told Wired that Apple stores Siri queries on its servers for "up to two years," though the company says it makes efforts to anonymize the data.

"Apple may keep anonymized Siri data for up to two years," Muller said. "Our customers’ privacy is very important to us."

Why does Apple have your Siri queries on record in the first place? Remember, Siri doesn't just operate locally on your iPhone or iPad—when you ask it a question, your voice query is sent to Apple's servers for processing before the answer—a Google search, an answer from Wolfram alpha, a Yelp result, etc.—is sent back. That's why an Internet connection is required in order to use Siri; if you have no Wi-Fi or cellular signal, you can't use Siri to perform any actions.

Read 4 remaining paragraphs | Comments

Oracle takes a leaf out of Microsoft’s book, prioritizes Java security

The release of Java 8, originally due in September this year, has been pushed back. The new version's headline feature—Project Lambda, which brings anonymous functions to Java—isn't yet finished.

The reason for this delay is, in part, security. Over the past eight months, a large number of critical security flaws have been found and patched. This has damaged Java's reputation, with Apple, for example, reacting by removing the Java plugin from its Safari browser.

In response, Mark Reinhold, chief architect of the Java Platform Group at Oracle, has announced a "renewed focus on security" that will tie up engineering efforts. As a result, Java 8 has now been pushed back until the first quarter of 2014.

Read 3 remaining paragraphs | Comments