Security News #0x33

• Chinese hackers appear to have attacked a number of American newspapers, including the New York Times, the Wall Street Journal and the Washington Post. For a different perspective on the Washington Post attack, see the blog of Brian Krebs a former security writer for the Post.
• Chris Truncer has a great piece on what it looks like to be on the red team at a CCDC practice. His piece, and his commentary afterwards are all spot-on! The Reddit for this piece has some valuable commentary as well, and Raphael Mudge (author of Armitage) has some comments of his own on both the original piece and the reddit on his blog.
• There is another vulnerability in Ruby on Rails, (CVE 2013-3033) affecting versions up to 2.3.15, 3.0.19, 3.1.10, 3.2.11. This is similar to a previous parsing vulnerability from just a short while ago. Metasploit already has a module, called Ruby on Rails JSON Processor YAML Deserialization Code Execution.
• It looks like rubygems.org was compromised by attackers using this YAML vulnerability.
• It turns out that UPnP, a protocol that probably should not be internet accessible is responding on 80 million different IPs. This protocol exposes a number of potentially vulnerable services, and now Metasploit has a scanner to detect them. Right now, the big problem is that a common library for implementing this protocol, libupnp, is vulnerable to multiple attacks; worse yet this library was used is a wide range of consumer devices. Because of the ubiquity of this library, the folks at Rapid7 have a tool to scan your network to determine if you might be vulnerable.
• The date for BSidesDC has been announced. Mark your calendar for October 19-20, 2013!
• Zeknox has a piece on how he performs email phishing attacks over on pentestgeek.
• I just found out about VulnHub, a collection of links to vulnerable virtual machines for hacking practice.
• Last week we mentioned the problem with a class or DVRs; the folks at Metasploit have gone and built a scanner to detect vulnerable devices.