The Apache Software Foundation has announced the availability of Apache 2.4, a major update of the popular open source HTTP server. The arrival of the new version, which is the first major release of Apache in six years, coincides with the software’s 17th anniversary.

The Apache project emerged in 1995 around a fork of a Web server that was originally developed at the National Center for Supercomputing Applications (NCSA). Apache became the Web’s number one HTTP server is currently used by 400 million websites around the world, powering roughly 60 percent of all active domains.

The new version of Apache introduces a number of new features and technical improvements that will help it retain its standing. The developers say that version 2.4 is significantly more efficient than its predecessor, offering better performance and lower resource consumption.

“This release delivers a host of evolutionary enhancements throughout the server that our users, administrators, and developers will welcome,” Apache server vice president Eric Covener wrote in a statement. “We’ve added many new modules in this release, as well as broadened the capability and flexibility of existing features”.

One improvement that is particularly worth noting is that the multiprocessing module system (MPM) has been improved so that the desired module can be selected at runtime. Various MPMs implement different behaviors for how the HTTP server spreads its workload across threads and processes.

Previously, the desired module had to be selected during the configuration step of the build process. In version 2.4, it’s now possible to select multiple MPMs during configuration and specify the one that should be used at runtime. This will offer more flexibility in Apache deployments.

Although Apache is highly popular and deeply entrenched, it is facing some fresh competition from nginx, an open source Web server that has seen dramatic growth in adoption over the past year. The latest statistics show that nginx has become the second most popular server, surpassing Microsoft’s IIS.

Adopters generally cite superior performance as the reason why they replace Apache with nginx. According to some benchmarks (PDF) demonstrated by Apache Software Foundation president Jim Jagielski, Apache 2.4 offers competitive performance.

For more details about the release, you can refer to the official launch announcement. An overview of the new features can be found in the Apache 2.4 documentation.

Read the comments on this post

An attacker can determine the location of a GSM cell phone user just from the information that “leaks” out of GSM network communications protocols, according to a team from the University of Minnesota. The paper (PDF) was presented at the Internet Society’s Network and Distributed System Security Symposium on February 6 in San Diego by researchers Denis Foo Kune, John Koelndorfer, Nicholas Hopper, and Yongdae Kim, who demonstrated that it was possible to use a GMS network’s “paging request” to let transceivers know where a mobile device is located within the network.

The paging signals make use of a phone’s International Mobile Station Identity (IMSI) or a Temporary Mobile Subscriber Identity (TMSI). GSM phones listen in, or “camp” on a frequency broadcast by transceiver stations to listen to pages for their identity. By sending either a call or an SMS message to a target phone and listening passively to the paging requests, an attacker could locate the phone within a small geographic area. 

Because GSM networks broadcast a page to just the towers in the last Location Area Code (LAC) they were seen in, a page can be used to quickly determine if a phone is still in that LAC. Using open source software and off-the-shelf GSM hardware, the researchers were able to map AT&T and T-Mobile networks’ LACs and the transceiver cells within them. They then showed how they could quickly determine if a GSM device was present in a 100-square kilometer area—and if it was, narrow that location down to within a square kilometer or less.

There are some limitations to the attack, though. For example, it requires the targeted phone to be within a kilometer of a given tower for several minutes, so moving targets are harder to nail down. To prevent the leaking of identity and location data, the researchers recommended that wireless carriers broadcast pages more widely, change TMSIs more frequently, and vary the timing of outgoing paging request messages from cellular base stations to prevent eavesdroppers from doing traffic analysis to link pages to calls.

Read the comments on this post

ViaSat’s newest satellite broadband hardware is capable of speeds of up to 40 Mbps down.

Read More:
Engadget

Read the comments on this post

Google’s Chrome development team is working on a system to automatically generate passwords, which would help users secure their online identities with passwords that would be diversified across different sites, and are randomized and thus harder to guess. Detailed in developer documentation on the Chromium Project site, the system would detect account sign-up pages and “add a small UI element to the password field” giving the user the option of letting Chrome manage the password for them.

Initial versions of the system would create passwords on an individual basis, at the user’s request. But Google’s development team states that “At some point in the future it might also be possible for us to automatically change all of a user’s passwords when we realize that their account is hijacked.” The developer documentation notes that the feature would make Google “a higher value hijacking target,” than it already is, although “Google is already a high value target so this shouldn’t change much.”

Read the comments on this post

Update: Fleishman-Hilliard is disputing the facts of the hack as presented by hosting provider Media Temple. Bill Pendergast, general manager of the Fleishman-Hillard DC office, told Ars Technica, “”For Media Temple to claim ignorance of hosting the FTC — or other government — sites is completely false. In their own words, Media Temple is deep in this area, with what they claim to be the appropriate level of compliance. It’s hard to see how their fiction helps anyone get to a constructive outcome.” A fully-updated story with the latest information from FTC, Fleishman-Hilliard and Media Temple will be posted shortly.

If you were looking for a recipe for creating government websites that attract defacement attacks, the acquisition process that led to the creation of a set of recently hacked Federal Trade Commission sites would be a good place to start. Despite a raft of federal security regulations and guidelines for using cloud services, smaller projects often fall through the cracks of security oversight—just as they often do with outsourced marketing projects for large corporations.

The initial language of the FTC’s solicitation for the $1.49 million contract that created the sites that were hacked on January 24 and February 17 set out very specific language about the security requirements for the site. But by the time the contract for a set of consumer and business education websites and social media was awarded to public relations firm Fleishman-Hilliard in August of 2011, those requirements were dropped from the statement of work.

Read the comments on this post

The seeds of LightSquared’s failure to win government clearance to build a 4G-LTE network can, ironically, be found in the “approval” the company received just 13 months ago.

In January 2011, the Federal Communications Commission (FCC) was clearly getting a positive vibe from LightSquared’s plan to build an open-access network using both satellites and cell towers. The conditional approval issued by the agency stressed the positives of LightSquared’s plan, noting that “if LightSquared successfully deploys its integrated satellite/terrestrial 4G network, it will be able to provide mobile broadband communications in areas where it is difficult or impossible to provide coverage by terrestrial base stations (such as in remote or rural areas and non-coastal maritime regions), as well as at times when coverage may be unavailable from terrestrial-based networks (such as during natural disasters).”

Read the comments on this post

The hacking of the websites of the Federal Trade Commission’s Bureau of Consumer Protection on February 17 was the second attack on the agency’s Web presence in less than a month. Both of the attacked servers were set up for the FTC by the public relations firm Fleishman-Hilliard under a $1.5 million communications support contract held by the company awarded last August, and ran on servers the firm provisioned from Web hosting and cloud services provider Media Temple. But even after the server for the FTC’s OnGuardOnline.gov site (ironically, a site intended to share tips from the government on computer security and privacy for consumers) was hacked on January 24 using an exploit of security weaknesses in the applications running on it, Fleishman declined to update the software running its other sites, an executive of Media Temple told Ars.

Media Temple chief marketing officer Kim Brubeck told Ars, “we have actually asked Fleishman-Hilliard to remove any [remaining] .gov sites” from Media Temple’s servers. In an email to Fleishman-Hilliard on February 18, Brubeck requested that the company complete the transfer of its remaining government websites to other hosting providers within 48 hours.

Referring to the government’s security regulations, Brubeck explained, “We aren’t a FISMA-certified hosting service,” and added that Media Temple was unaware that Fleishman-Hilliard had intended to use the servers for government accounts. Under the terms of the provisioning service that the servers were provided under, Fleishman-Hilliard was responsible for the administration and security of the servers, including operating system updates, software installations and backups, and had set up the servers—but “had chosen not to update their applications,” Brubeck said.

Update: a Fleishman-Hilliard spokesperson contacted Ars on February 19, and said the company could not comment on the attack due to a strict non-disclosure agreement with the FTC, and referred further questions to the agency .

Read the comments on this post

From encryption to darknets: As governments snoop, activists fight back: Governments around the world routinely track and monitor cell phones and Internet use. Activists—some funded by the US government—are fighting back with secure communications tools that can be had on the cheap.

High Orbits and Slowlorises: understanding the Anonymous attack tools : Putting the Low-Orbit Ion Cannon behind them to better protect themselves from being tracked down, members of Anonymous have put together a package of DDoS tools and security best practices that aims to make them more effective and less of a target for law enforcement.

Read the comments on this post

For almost three months, versions of three widely distributed open-source applications from Horde.org contained a backdoor that allowed attackers to remotely execute malicious PHP code on systems that ran the programs.

Members of the Horde Project warned of the tampering earlier this week, in a bulletin that advised users of the collaboration and messaging applications to immediately reinstall newer versions that didn’t contain the malicious code. Those affected included anyone who downloaded installation packages for Horde 3.3.12, Horde Groupware 1.2.10 or Horde Groupware Webmail Edition 1.2.10 between various dates in November and February 7. Horde 4 is not affected. A module that targets the vulnerability has already been added to the Metasploit framework for hackers and penetration testers.

Read the comments on this post

Members of Anonymous’ “Antisec” collective struck a Web server of the Federal Trade Commission’s Bureau of Consumer Protection early on February 17, hacking into and defacing the sites hosted on it. 

“The Bureau of Consumer Protection’s Business Center website and the partnership site NCPW run by the Federal Trade Commission were hacked earlier today,” FTC spokesperson Cecelia Prewett said in an official statement sent to Ars. “The FTC takes these malicious acts seriously. The sites have been taken down and will be brought back up when we’re satisfied that any vulnerability has been addressed.”

The log of the hack, a cut-and-paste from a shell session on the Red Hat Enterprise Linux server, shows the server’s directories, the user account names and encrypted passwords stored in its etc/shadow file, and the MySQL databases running on the server. The contents of two of the tables posted in the log dump include the contents of a table with the account names, e-mail addresses, and hashed passwords of what appears to be the users of the server’s installations of Drupal and WordPress.

While the websites belong to the FTC, they weren’t running in a government-owned data center. According to the IP address data for the server, it was hosted by Media Temple in Culver City, California, and it appears its sites were set up for the FTC by the public relations firm Fleishman-Hilliard. A spokesperson for Fleishman did not respond to requests for comment. Update: Media Temple CMO Kim Brubeck told Ars that her company was unaware Fleishman had intended to use the uservers in its data center for .gov sites, and that she has requested they remove any additional .gov sites.

Based on the claims of the Anon Antisec member who posted the log of the attack to Pastebin.com, the attack was motivated by the FTC’s failure to step in to stop Google’s changes in its privacy policy, and by the US government’s support of ACTA. In the statement, the Anon threatened that “If ACTA is signed by all participating negotiating countries…We will systematically knock all evil corporations and governments off of our internet.”

Read the comments on this post