More stories

    Android security: How this new malware has become a top smartphone threat

    A recently discovered form of powerful banking malware has quickly become one of the most prolific threats to Android users. First uncovered in June, MaliBot steals passwords, bank details and the contents of cryptocurrency wallets from users, and it does so by bypassing multi-factor authentication protections. The malware can also access text […]

    Microsoft warning: This phishing attack can skip your defenses and has hit 10,000 firms already

    Microsoft has warned that a large-scale phishing campaign using “adversary-in-the-middle” (AiTM) websites has hit more than 10,000 organizations since September 2021. AiTM is bad news because the phishing site sits between the victim and the real login page, so the attacker can skip authentication on the target site even when the user has enabled multi-factor authentication (MFA). The attack involves hijacking a user’s […]

    Microsoft Patch Tuesday: 86 flaws, four critical, one being used in attacks

    Microsoft has released its July 2022 Patch Tuesday update to address 84 flaws affecting Windows and two affecting its Chromium-based Edge browser. It’s the first Patch Tuesday since Microsoft this week officially launched its Autopatch service for enterprise customers with Windows Enterprise E3/E5 or Microsoft 365 E3/E5 licenses. While Autopatch […]

    Fraud protection efforts target fake corporate identities online and offline

    According to the Federal Trade Commission, U.S. consumers reported losing more than $5.8 billion to fraud in 2021, an increase of 70% from the previous year. As anyone who’s gotten a fraud alert from their credit card company knows, tech has long played a role in stopping fraudulent transactions. Now, though, […]

    Ransomware is hitting one sector particularly hard, and the impact is felt by everyone

    The number of ransomware attacks against schools and universities is on the rise, and victims are struggling to recover after their networks have been hit. According to analysis by cybersecurity researchers at Sophos, education is facing an increased challenge from the threat of […]

    Python programming: PyPI is rolling out 2FA for critical projects, giving away 4,000 security keys

    PyPI, the Python Package Index, is giving away 4,000 Google Titan security keys as part of its move to mandatory two-factor authentication (2FA) for critical projects built in the Python programming language.

    Python is one of the world’s most popular programming languages, loved for its breadth of packages, or add-on libraries, that make it useful for data science. Developers update these packages frequently, and attackers have exploited that habit to backdoor Windows, Linux and Apple machines with bogus packages whose names closely resemble legitimate ones (typosquatting), one form of software supply chain attack. PyPI, which is managed by the Python Software Foundation (PSF), is the main repository from which Python developers fetch third-party open-source packages for their projects. PyPI and npm, its JavaScript counterpart, act like an App Store or Play Store for developers, but they are open to anyone, and as free services they don’t have the resources to vet every submission for malware.

    Google, through the Linux Foundation’s Open Source Security Foundation (OpenSSF), is tackling malicious language packages and open source software supply chain attacks. It found over 200 malicious JavaScript and Python packages in one month and noted “devastating consequences” for developers, and the organizations they write code for, when they install them.

    Two-factor authentication protects a maintainer’s account even when the password has been stolen, and the PSF is now making it mandatory for the developers behind “critical projects” over the coming months, although PyPI hasn’t declared a specific date for the requirement. “We’ve begun rolling out a 2FA requirement: soon, maintainers of critical projects must have 2FA enabled to publish, update, or modify them,” the PSF said on its PyPI Twitter account. As part of the security drive, it is giving away 4,000 Google Titan hardware security keys to project maintainers, donated by Google’s open source security team.

    “In order to improve the general security of the Python ecosystem, PyPI has begun implementing a two-factor authentication (2FA) requirement for critical projects. This requirement will go into effect in the coming months,” PSF said in a statement. “To ensure that maintainers of critical projects have the ability to implement strong 2FA with security keys, the Google Open Source Security Team, a sponsor of the Python Software Foundation, has provided a limited number of security keys to distribute to critical project maintainers.”

    PSF deems any project in the top 1% of downloads over the prior six months to be critical. With more than 350,000 projects on PyPI, that means more than 3,500 projects are rated critical. PyPI recalculates the set daily, so the Titan giveaway will cover a large share of the affected maintainers, but not all of them.

    In the name of transparency, PyPI is also publishing 2FA account metrics. There are currently 28,336 users with 2FA enabled, nearly 27,000 of them using an authenticator app such as Microsoft Authenticator. Over 3,800 projects are currently rated “critical”, with 8,241 PyPI users behind them. The critical group is also likely to grow, since projects designated critical remain so indefinitely while new projects are added to the mandatory-2FA set over time. The 2FA rule applies to both project maintainers and owners.

    Titan keys are only approved for sale in certain regions, so only developers in Austria, Belgium, Canada, France, Germany, Italy, Japan, Spain, Switzerland, the United Kingdom and the United States are eligible for a free one, according to PyPI. Maintainers elsewhere who fall under the requirement can buy a FIDO U2F security key, such as a YubiKey, or enable 2FA through a mobile app like Google Authenticator, Microsoft Authenticator, Duo Mobile, Authy, FreeOTP+ or FreeOTP, or a password manager like 1Password.

    Eligible maintainers can redeem, from the PyPI website, a promo code for two free Titan Security Keys (USB-C or USB-A) with free shipping. The code expires on October 1.

    While most developers will be familiar with 2FA, the requirement could create login problems, say if a user loses the 2FA key and has set up the account with only one 2FA method. “Without multiple 2FA options, the effect of losing a 2FA method results in the need to fully recover an account, which is burdensome and time-consuming both for maintainers and PyPI administrators. Enabling multiple 2FA methods reduces the potential disruption if one is lost,” PyPI warns.

    How to opt out of T-Mobile's creepy ad tracking campaign

    Last month, T-Mobile fully launched its App Insights program after it spent over a year in beta. The program collects information about the apps you have installed on your phone, how often you use them, which Wi-Fi networks you connect to and your web browsing habits, and then sells that valuable information to marketers. Scary, right? To […]