(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Millions of mobile phones may be vulnerable to spying due to the use of outdated, 1970s-era cryptography, according to new research due to be presented at the Black Hat security conference.

Since Thursday, registered Apple developers trying to download OS X 10.9, iOS 7, or any other Apple software from the company's developer portal have been greeted with a notice that the site was down for "maintenance." Today, the company issued a brief statement (above) blaming the extended outage on an "intruder" and saying that Apple "[has] not been able to rule out the possibility that some developers' names, mailing addresses, and/or email addresses may have been accessed."

The notice says that "sensitive" information could not be accessed by the intruder because it was encrypted, and the company told MacWorld that the system in question is not used to store "customer information," application code, or data stored by applications. Anecdotal reports (including one from our own Jacqui Cheng) point to a sudden spike in password reset requests for some Apple IDs, suggesting that email addresses have in fact been accessed and distributed but that passwords were not. In any case, we generally recommend that users change their passwords when any breach (or suspected breach) like this one occurs.

"In order to prevent a security threat like this from happening again, we're completely overhauling our developer systems, updating our server software, and rebuilding our entire database," the statement said. Apple has also given week-long extensions to any developers whose program subscriptions were scheduled to lapse during the outage, which will keep those developers' applications from being delisted in Apple's various App Stores.



SAP co-CEO Jim Hagemann Snabe will leave his post in May 2014 to become a member of the enterprise software vendor's supervisory board, leaving Bill McDermott as sole CEO.
The defacement left on the Ubuntu Forums website.

E-mail addresses, user names, and password data for every registered user of the Ubuntu Forums—estimated to be 1.82 million accounts—were exposed in a security breach hitting the company responsible for maintaining the freely available, open-source operating system. There's no sign the compromised data has been published online.

The Ubuntu Forums were closed Saturday evening, following the discovery that the site's homepage was defaced by someone who managed to gain privileged access to its underlying servers. To their credit, administrators with Canonical, the for-profit company that markets Ubuntu, quickly issued an advisory that warned users who used their forum password to safeguard other accounts to change the credentials immediately. The forums remained inaccessible at time of writing on Sunday afternoon.

"While the passwords were not stored in plain text, good practice dictates that users should assume the passwords have been accessed and change them," Ubuntu CEO Jane Silber wrote in an updated advisory. "If users used the same password on other services, they should immediately change that password."




As an IT professional you may already know some regular expressions (regex) and have experimented with tools such as grep to search your log files for a pattern, for example an attacker's IP address. Parsing a huge amount of data by hand takes time, but regex is powerful: with a few tools (Perl, grep, sed or awk) a complex task can be turned into an automated one that is easy to solve. Working in security also means being challenged to parse or sift through large amounts of data to find an answer that is not always obvious.

However, you might ask yourself how to tackle this problem without resorting to something heavier, such as loading the data into a database and writing a frontend to produce the answer you are looking for. The answer is to script, or to chain together, well-known Unix tools (most of them are also available as Windows binaries [2]) to produce usable output. A regex in a pipeline can automate a task that would otherwise take minutes or hours to complete.

It is quite likely that some of the security tools or devices deployed in your network already use some form of regex to parse the data they inspect: Snort rules are one example, as are the parsers a SIEM applies to the logs it collects.

Here are a few examples. I need to retrieve every IP address from the 192.168.25.0/24 subnet in a logfile. To ease this task, I can use grep (the two forms below are equivalent; the dots are escaped so they match a literal dot rather than any character, and the last octet must be one to three digits):

grep "192\.168\.25\.[[:digit:]]\{1,3\}" query.log
grep -e "192\.168\.25\.[0-9]\{1,3\}" query.log

Another simple yet powerful search is to completely ignore that subnet and show everything else. The -v (--invert-match) option in grep selects the non-matching lines:

grep -v -e "192\.168\.25\.[0-9]\{1,3\}" query.log
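As an added example, not part of this diary, here is the same subnet search run over a constructed firewall-style log (the entries, hosts and field layout are made up for the demonstration), together with the inverted match and a pitfall you hit when grepping for one specific host rather than a whole subnet:

```shell
# Added example (not from the diary): grep against a constructed firewall-style
# log to show subnet matching, inverted matching and an exact-host pitfall.
# The log lines, hosts and format below are made up for this demonstration.

sample_log() {
    cat <<'EOF'
2013-07-21T10:00:01 src=192.168.25.1 dst=10.0.0.5 action=allow
2013-07-21T10:00:02 src=192.168.25.10 dst=10.0.0.5 action=allow
2013-07-21T10:00:03 src=192.168.250.7 dst=10.0.0.5 action=deny
2013-07-21T10:00:04 src=172.16.4.9 dst=192.168.25.200 action=allow
2013-07-21T10:00:05 src=10.1.1.1 dst=10.0.0.5 action=deny
2013-07-21T10:00:06 src=192.168.25.1 dst=8.8.8.8 action=allow
EOF
}

# Lines that mention any host in 192.168.25.0/24. The dots are escaped so they
# match a literal dot, and the last octet must be 1-3 digits. Writing
# "192\.168\.25\.\{1,3\}" instead would quantify the dot, not the digits.
# 192.168.250.7 is not matched because "25" is not followed by a dot.
count_subnet_hits() {
    sample_log | grep -c '192\.168\.25\.[0-9]\{1,3\}'
}

# -v inverts the match and -c counts the selected lines: traffic with no
# 192.168.25.x address on either side.
count_outside_subnet() {
    sample_log | grep -v -c '192\.168\.25\.[0-9]\{1,3\}'
}

# Pitfall: the pattern for one host is also a prefix of other hosts, so this
# counts 192.168.25.10 together with 192.168.25.1.
count_host_loose() {
    sample_log | grep -c '192\.168\.25\.1'
}

# -w (GNU and BSD grep) requires the match to be bounded by non-word
# characters, so the trailing "0" in 192.168.25.10 disqualifies that line.
count_host_exact() {
    sample_log | grep -w -c '192\.168\.25\.1'
}

printf 'subnet=%s outside=%s host_loose=%s host_exact=%s\n' \
    "$(count_subnet_hits)" "$(count_outside_subnet)" \
    "$(count_host_loose)" "$(count_host_exact)"
```

The loose and exact host counts differ by the one line carrying 192.168.25.10, which is the kind of false positive that quietly inflates a count when the pattern is pasted from a subnet search into a single-host search.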

When you need to replace a string of text in one or more documents, one Unix application well suited for the task is sed. This example searches for http: and deletes every occurrence of it in the file. The s command is substitute (a search pattern followed by a replacement, here empty) and the g flag means global: replace every match on a line, not only the first. Because / is the delimiter in this command, the pattern stops at http: and cannot include the two slashes; to remove http:// as a whole you would escape the slashes or choose another delimiter character such as |.

sed 's/http://g' file.txt > newfile.txt

sed can also be used to delete all empty lines in a file:

sed '/^$/d' file.txt > newfile.txt     (The result is written to newfile.txt and the original is preserved)
sed -i '/^$/d' file.txt                (Warning: this edits in place and overwrites the original; -i is a GNU sed extension, BSD sed requires -i '')

This last example takes the output of one tool and pipes it into another. Reusing the example above, we can confirm how many lines were removed:

wc -l file.txt                  (Counts the number of lines in the file before processing)
sed '/^$/d' file.txt | wc -l    (Counts the number of lines in the file after processing)
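As an added example, not part of this diary, the following pipeline applies the blank-line deletion and the substitution above to a constructed proxy-style log (the entries are made up), then pipes the result through sort and uniq to turn a raw log into a per-host hit count. It also shows the delimiter point: with | as the sed delimiter the whole scheme, slashes included, can be removed.

```shell
# Added example (not from the diary): sed and a short pipeline over a
# constructed proxy-style log that contains blank lines. Entries are made up.

proxy_log() {
    cat <<'EOF'
2013-07-21 10:00:01 GET http://example.com/index.html 200

2013-07-21 10:00:02 GET https://login.example.net/auth 302
2013-07-21 10:00:03 GET http://example.com/logo.png 200

2013-07-21 10:00:04 GET http://cdn.example.org/a.js 200
2013-07-21 10:00:05 GET http://example.com/track.gif 404
EOF
}

# wc -l prints a leading space on some systems; tr makes the count plain.
count_lines()    { proxy_log | wc -l | tr -d ' '; }
count_nonblank() { proxy_log | sed '/^$/d' | wc -l | tr -d ' '; }

# With / as the sed delimiter, s/http://g means "delete http:". To remove the
# whole scheme including its slashes, pick another delimiter such as |.
# \{0,1\} makes the "s" optional so https is handled too.
strip_scheme() {
    proxy_log | sed '/^$/d' | sed 's|https\{0,1\}://||g'
}

# Pull out only the host part: -n suppresses default output, p prints lines
# where the substitution succeeded, \1 is the first capture group.
hosts() {
    proxy_log | sed -n 's|^.* https\{0,1\}://\([^/ ]*\).*$|\1|p'
}

# Pipe the hosts into sort/uniq to produce a hit count per host, busiest first.
host_counts() {
    hosts | sort | uniq -c | sort -rn
}

# The single busiest host (second column of the first line of host_counts).
top_host() {
    host_counts | head -n 1 | awk '{print $2}'
}

count_distinct_hosts() { hosts | sort -u | wc -l | tr -d ' '; }

echo "lines before: $(count_lines), after removing blanks: $(count_nonblank)"
host_counts
```

Each stage is a small, testable transformation, which is what makes a pipeline like this easy to adapt: swap the sed expression and the same sort | uniq -c tail gives you a count of user agents, status codes or anything else with a recognisable pattern.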

The Regex Coach [1] is a tool that can help those who are new to regex. In the Regular Expression window you build your pattern step by step and watch the result, while the Target String window highlights whether your regex is parsing the data correctly. Here is an example of DNS data where each field is separated by two pipe characters (the tool highlights the matched IP address in both windows):

String: 1374432453.842653||||||IN||s0-2mdn-net.l.google.com.||A||||228||1

Regex: (\d*)\.(\d*)\|\|(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\|\|(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\|\|(\w*)\|\|(.*\.)\|\|(\w{1,3})\|\|(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\|\|(\d*)\|\|(.*)

(The dot between the two timestamp groups is escaped here; unescaped it would match any single character. Note also that in the sample string as reproduced above the two address fields after the timestamp and the answer field are empty, so this pattern, which requires a dotted quad in each of them, only matches records where those fields are populated.)

The regex characters used above have the following meaning:

\d       Match a digit character
\w       Match a "word" character (letter, digit or underscore)
\|       Match a literal pipe (an unescaped | means alternation)
{1,3}    Repeat the preceding item one to three times
.*       Match any run of characters, including none
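As an added example, not part of this diary, the same ||-separated DNS layout can be parsed with awk, which ships everywhere grep and sed do. The records below are constructed (addresses and names are made up) and deliberately include two bad ones: a client address with an out-of-range octet, which \d{1,3} happily accepts, and a record with empty address fields like the sample string above. The record type test uses [A-Z]+ because \w{1,3} would reject AAAA.

```shell
# Added example (not from the diary): parse the "||"-separated DNS log layout
# from the Regex Coach example with awk, validating the address fields instead
# of trusting \d{1,3}. The records below are constructed; the addresses and
# names are made up for this demonstration.

dns_sample() {
    cat <<'EOF'
1374432453.842653||192.168.25.14||192.168.25.2||IN||s0-2mdn-net.l.google.com.||A||74.125.226.110||228||1
1374432460.102938||192.168.25.31||192.168.25.2||IN||ipv6.example.org.||AAAA||||3600||1
1374432461.555000||192.168.25.999||192.168.25.2||IN||bad.example.org.||A||10.0.0.1||60||1
1374432462.000000||||||IN||redacted.example.net.||A||||300||1
EOF
}

# Field layout (1-based, following the capture groups of the regex above):
# 1 timestamp  2 client IP  3 resolver IP  4 class  5 query name
# 6 record type  7 answer (may be empty)  8 TTL  9 answer count
valid_dns_records() {
    dns_sample | awk -F'[|][|]' '
    # \d{1,3} accepts 999; a real octet check needs a range test per octet.
    function is_ipv4(s,   o, n, i) {
        if (s !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) return 0
        n = split(s, o, ".")
        for (i = 1; i <= n; i++) if (o[i] + 0 > 255) return 0
        return 1
    }
    NF != 9                  { next }   # wrong number of fields
    !is_ipv4($2)             { next }   # client address missing or malformed
    !is_ipv4($3)             { next }   # resolver address missing or malformed
    $6 !~ /^[A-Z]+$/         { next }   # record type; admits AAAA, unlike \w{1,3}
    $7 != "" && !is_ipv4($7) { next }   # answer, when present, must be IPv4
    { print $1, $2, $3, $5, $6, ($7 == "" ? "-" : $7) }
    '
}

count_valid()    { valid_dns_records | wc -l | tr -d ' '; }
count_rejected() {
    total=$(dns_sample | wc -l | tr -d ' ')
    echo $(( total - $(count_valid) ))
}

valid_dns_records
echo "valid=$(count_valid) rejected=$(count_rejected)"
```

Splitting on the delimiter and validating each field separately is more robust than one long regex: a record with a wrong field count is rejected outright instead of being partially matched, and the per-octet range check catches values a digit-count pattern cannot.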

Regex is a powerful way to search for almost anything in text-based files, as long as the data has an identifiable pattern.

[1] http://www.weitz.de/regex-coach/
[2] http://gnuwin32.sourceforge.net/
[3] http://en.wikipedia.org/wiki/Regular_expression


Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu


The Ubuntu Forums are currently down because they have been breached. According to their post, "the attackers have gotten every user's local username, password, and email address from the Ubuntu Forums database." [1] They have advised users who use the same password on other services to change that password immediately. Other services such as Ubuntu One, Launchpad and other Ubuntu/Canonical services are not affected. Their current announcement can be read here [1].

[1] http://ubuntuforums.org/announce.html


Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
