Mandatory 2FA for the PyPI registry, beware of fake Google software updates and a poor password leads to huge data hack.
Welcome to Cyber Security Today. It’s Monday, July 11th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Mandatory two-factor login authentication will be imposed on maintainers of critical projects in the open source PyPI registry. That’s the website for projects written in the Python language. The new policy was announced Friday by the registry as a way to improve security and reduce the odds a hacker can tamper with a project in the registry. It will be implemented in the coming months. As an incentive a limited number of Google Titan USB security keys are being given away to developers. However, project maintainers or owners can use any approved USB security key or app-based 2FA like Google Authenticator, Microsoft Authenticator, Duo, Authy or a password manager that generates authentication codes. Any project in the top one per cent of downloads in a six-month period is considered critical. At the moment 3,500 projects would qualify.
A new ransomware strain is being distributed that pretends to be a Google software update. Researchers at Trend Micro call this strain HavanaCrypt. Before executing the ransomware it deletes Windows shadow copies of data and system restore instances. Listeners must ignore any email or text message that claims to be a Google update. Remember applications like Gmail, Workspace, Google Docs and others automatically update. The only safe way to get a browser update is to have your Chrome browser set to automatically download updates, or you can just go into the control menu. You get that from clicking on the three dots in the upper right corner of the browser. From there click on Help and then About Google Chrome.
A poorly protected Elasticsearch database allegedly led to the theft in May of data on 23 million users of the Mangatoon comic reading platform. The Bleeping Computer news service said a well-known hacker who uses the name pompompurin claims they were able to copy that database because the password was the word …. password. Who created that database isn’t known. It had the usernames — which may not be the real names — of subscribers, plus their email addresses, auth tokens for social media accounts and hashed passwords. Those tokens might allow an attacker to take over a social media account. So Mangatoon subscribers should consider changing their social media passwords as well as their Mangatoon passwords.
Finally, in a news story earlier this year on ITWorldCanada.com I reported that Microsoft planned to make an important change to boost security in its Office suite. That change would be to make it harder for users to get around protection against malicious macros from running. Macros are pieces of automated code. Hackers can include malicious macros in compromised documents in email attachments. Microsoft disables external macros from running automatically unless the user clicks on an approval button. Microsoft planned to remove that button because too many people just click on it. However, British security reporter Graham Cluley notes that last week Microsoft has paused the change because of criticism. It promises to make improvements to the user experience and still lower the odds of bad macros running.
Remember links to details about podcast stories are in the text version at ITWorldCanada.com. That’s where you’ll also find other stories of mine.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.