Mandatory 2FA for the PyPI registry, beware of fake Google software updates, and a weak password leads to a huge data breach.
Welcome to Cyber Security Today. Today is Monday, July 11, 2022. I’m Howard Solomon, contributing cybersecurity reporter for ITWorldCanada.com.
Mandatory two-factor login authentication will be imposed on maintainers of critical projects in the PyPI open source registry, the website for projects written in the Python language. The new policy was announced on Friday through the registry as a way to improve security and reduce the chance that a hacker could tamper with a project in the registry. It will be implemented in the coming months. As an incentive, a limited number of Google Titan USB security keys are being offered to developers. However, maintainers or project owners can use any approved USB security key or a 2FA-based app such as Google Authenticator, Microsoft Authenticator, Duo, Authy, or a password manager that generates passcodes. Any project in the top 1% of downloads over a six-month period is considered critical. Currently, 3,500 projects would be eligible.
A new strain of ransomware is being distributed while claiming to be a software update from Google. Trend Micro researchers call this variety HavanaCrypt. Before it runs, the ransomware deletes Windows Shadow Copies of data and System Restore points, which removes the easiest way to recover files. Listeners should ignore any email or text message claiming to be an update from Google. Remember that apps like Gmail, Workspace, Google Docs and others update automatically. The only sure way to get a browser update is to set your Chrome browser to download updates automatically, or to go to the control menu yourself: click the three dots in the upper right corner of the browser, then click Help, then click About Google Chrome.
A poorly protected Elasticsearch database reportedly led to the theft in May of data on 23 million users of the Mangatoon comic book platform. The Bleeping Computer news service said a well-known hacker who goes by the name pompompurin claims he was able to copy the database because the password was the word … "password". Who created this database is not known. It contained the usernames of subscribers, which may not be their real names, as well as their email addresses, authentication tokens for social media accounts and hashed passwords. These tokens could allow an attacker to take control of a social media account. Mangatoon subscribers should therefore consider changing their social media passwords as well as their Mangatoon passwords.
To finish, in a report earlier this year on ITWorldCanada.com, I reported that Microsoft was planning a significant change to tighten the security of its Office suite. The change would make it more difficult for users to circumvent protection against the execution of malicious macros. Macros are pieces of automated code, and hackers can include malicious macros in compromised documents sent as attachments. Microsoft disables the automatic execution of macros in documents from external sources unless the user clicks an approval button. Microsoft planned to remove this button because too many people simply click on it. However, British security journalist Graham Cluley notes that last week Microsoft put the change on hold because of criticism. It promises to improve the user experience and further reduce the chances of running bad macros.
Remember that links to podcast story details are in the text version on ITWorldCanada.com. This is where you will also find other stories of mine.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.