Cyber Security Today, July 11, 2022 – Mandatory 2FA For The PyPI Registry, Beware Of Fake Google Software Updates And A Poor Password Leads To Huge Data Hack

Share post:

Mandatory 2FA for the PyPI registry, beware of fake Google software updates and a poor password leads to huge data hack.

Welcome to Cyber Security Today. It’s Monday, July 11th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.

Cyb er Security Today on Amazon Alexa Cyber Security Today on Google Podcasts Subscribe to Cyber Security Today on Apple Podcasts

Mandatory two-factor login authentication will be imposed on maintainers of critical projects in the open source PyPI registry. That’s the website for projects written in the Python language. The new policy was announced Friday by the registry as a way to improve security and reduce the odds a hacker can tamper with a project in the registry. It will be implemented in the coming months. As an incentive a limited number of Google Titan USB security keys are being given away to developers. However, project maintainers or owners can use any approved USB security key or app-based 2FA like Google Authenticator, Microsoft Authenticator, Duo, Authy or a password manager that generates authentication codes. Any project in the top one per cent of downloads in a six-month period is considered critical. At the moment 3,500 projects would qualify.

A new ransomware strain is being distributed that pretends to be a Google software update. Researchers at Trend Micro call this strain HavanaCrypt. Before executing the ransomware it deletes Windows shadow copies of data and system restore instances. Listeners must ignore any email or text message that claims to be a Google update. Remember applications like Gmail, Workspace, Google Docs and others automatically update. The only safe way to get a browser update is to have your Chrome browser set to automatically download updates, or you can just go into the control menu. You get that from clicking on the three dots in the upper right corner of the browser. From there click on Help and then About Google Chrome.

A poorly protected Elasticsearch database allegedly led to the theft in May of data on 23 million users of the Mangatoon comic reading platform. The Bleeping Computer news service said a well-known hacker who uses the name pompompurin claims they were able to copy that database because the password was the word …. password. Who created that database isn’t known. It had the usernames — which may not be the real names — of subscribers, plus their email addresses, auth tokens for social media accounts and hashed passwords. Those tokens might allow an attacker to take over a social media account. So Mangatoon subscribers should consider changing their social media passwords as well as their Mangatoon passwords.

Finally, in a news story earlier this year on ITWorldCanada.com I reported that Microsoft planned to make an important change to boost security in its Office suite. That change would be to make it harder for users to get around protection against malicious macros from running. Macros are pieces of automated code. Hackers can include malicious macros in compromised documents in email attachments. Microsoft disables external macros from running automatically unless the user clicks on an approval button. Microsoft planned to remove that button because too many people just click on it. However, British security reporter Graham Cluley notes that last week Microsoft has paused the change because of criticism. It promises to make improvements to the user experience and still lower the odds of bad macros running.

Remember links to details about podcast stories are in the text version at ITWorldCanada.com. That’s where you’ll also find other stories of mine.

Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.

The post Cyber Security Today, July 11, 2022 – Mandatory 2FA for the PyPI registry, beware of fake Google software updates and a poor password leads to huge data hack first appeared on IT World Canada.

Howard Solomon
Howard Solomonhttps://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

SUBSCRIBE NOW

Related articles

North Korean Job Scam Targeting IT Job Seekers

North Korea’s Lazarus advanced persistent threat (APT) group has launched a sophisticated campaign, “Operation 99,” targeting freelance software...

Hackers Exploit FastHTTP in High-Speed Microsoft 365 Attacks

Threat actors are employing the FastHTTP Go library to launch high-speed brute-force password attacks on Microsoft 365 accounts...

Open AI and Google Both Have Major AI Announcements: Hashtag Trending for Thursday, January 16, 2025

OpenAI’s new Tasks feature hints at autonomous AI, Google unveils Titans AI with long-term memory, and where are...

WordPress Co-Founder Warns Lawsuits Could End WordPress.org: Hashtag Trending for Wednesday, January 15, 2025

WordPress Co-Founder Warns Lawsuits Could Mean The End Of  WordPress.org. Tech Leaders Launch $30M Campaign to Protect Bluesky...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways