More stories

  • Python programming: PyPI is rolling out 2FA for critical projects, giving away 4,000 security keys

    PyPI, the Python Package Index, is giving away 4,000 Google Titan security keys as part of its move to mandatory two-factor authentication (2FA) for critical projects built in the Python programming language.

    Python is one of the world’s most popular programming languages, loved for its breadth of packages, or add-on libraries, that make it useful for data science. Developers need to update these packages frequently, and attackers have exploited this behavior to backdoor Windows, Linux and Apple machines through bogus packages named to resemble legitimate ones, a form of software supply chain attack. PyPI, which is managed by the Python Software Foundation (PSF), is the main repository where Python developers get third-party open-source packages for their projects. PyPI and JavaScript’s equivalent, the npm repository, act like an App Store or Play Store for developers, but they aren’t closed, and as free services they don’t have the resources to vet package submissions for malware.

    Google, through the Linux Foundation’s Open Source Security Foundation (OpenSSF), is tackling the threat of malicious language packages and open-source software supply chain attacks. It found over 200 malicious JavaScript and Python packages in one month and noted “devastating consequences” for developers, and the organizations they write code for, when they install them.

    One way developers can protect their accounts against stolen credentials is two-factor authentication, and the PSF is now making it mandatory for developers behind “critical projects” to use 2FA in the coming months. PyPI hasn’t declared a specific date for the requirement. “We’ve begun rolling out a 2FA requirement: soon, maintainers of critical projects must have 2FA enabled to publish, update, or modify them,” the PSF said on its PyPI Twitter account. As part of the security drive, it is giving away 4,000 Google Titan hardware security keys to project maintainers, gifted by Google’s open source security team.

    “In order to improve the general security of the Python ecosystem, PyPI has begun implementing a two-factor authentication (2FA) requirement for critical projects. This requirement will go into effect in the coming months,” PSF said in a statement. “To ensure that maintainers of critical projects have the ability to implement strong 2FA with security keys, the Google Open Source Security Team, a sponsor of the Python Software Foundation, has provided a limited number of security keys to distribute to critical project maintainers.”

    PSF says it deems any project in the top 1% of downloads over the prior six months as critical. Presently, there are more than 350,000 projects on PyPI, meaning that more than 3,500 projects are rated as critical. PyPI recalculates this daily, so the Titan giveaway should cover a sizeable chunk of key maintainers, but not all of them. In the name of transparency, PyPI is also publishing 2FA account metrics. There are currently 28,336 users with 2FA enabled, with nearly 27,000 of them using a 2FA app like Microsoft Authenticator. There are over 3,800 projects rated as “critical” and 8,241 PyPI users in this group. The critical group is also likely to grow, since projects that have been designated as critical remain so indefinitely while new projects are added to mandatory 2FA over time. The 2FA rule applies to both project maintainers and owners.

    Titan keys are only approved for sale in certain geographic regions, so only developers from Austria, Belgium, Canada, France, Germany, Italy, Japan, Spain, Switzerland, the United Kingdom and the United States are eligible to receive a free one, according to PyPI. Maintainers in other regions who will be required to use 2FA need to buy a FIDO U2F security key from vendors like YubiKey, or they can enable 2FA through a mobile app like Google Authenticator, Microsoft Authenticator, Duo Mobile, Authy, FreeOTP+ or FreeOTP, or a password manager like 1Password.

    Eligible maintainers can redeem a promo code for two free Titan Security Keys (USB-C or USB-A), including free shipping, from the PyPI website. The code expires on October 1. While most developers will be familiar with 2FA, the requirement could create log-in challenges, say if a user loses the 2FA key and has set up their account with only one 2FA option. “Without multiple 2FA options, the effect of losing a 2FA method results in the need to fully recover an account, which is burdensome and time-consuming both for maintainers and PyPI administrators. Enabling multiple 2FA methods reduces the potential disruption if one is lost,” PyPI warns.

  • How to opt out of T-Mobile's creepy ad tracking campaign

    Last month, T-Mobile fully launched its App Insights program after it spent over a year in beta. The program collects information about the apps you have installed on your phone, how often you use them, which Wi-Fi networks you connect to and your web browsing habits, and then sells that valuable information to marketers. Scary, right? To […]

  • Brazen crooks are now posing as cybersecurity companies to trick you into installing malware

    Brazen cyber criminals are now posing as cybersecurity companies in phishing messages which claim that the recipient has been hit by a cyber attack and that they should urgently respond in order to protect their […]

  • Google Cloud: When it comes to cyber risks, we're all in it together

    For Jeanette Manfra, director of risk and compliance at Google Cloud, overseeing cybersecurity of a vast array of technical infrastructure and services is nothing new. She previously served as assistant director for the Cybersecurity and Infrastructure Security Agency (CISA), where she led the Department […]

  • Ransomware attacks are rising, but paying up won't keep your data safe, says NCSC

    The number of businesses paying a ransom following a ransomware attack is going up, and the National Cyber Security Centre (NCSC) and Information Commissioner’s Office (ICO) are asking solicitors to remind their clients that paying up won’t keep their data safe. In a joint letter sent to The Law Society, the NCSC and ICO say […]

  • This 'evasive' new Linux malware creates a backdoor to steal passwords and more

    A newly uncovered form of Linux malware creates a backdoor into infected machines and servers, allowing cyber criminals to secretly steal sensitive information while also maintaining persistence on the network. Detailed by cybersecurity researchers at Intezer, the previously undetected malware has been […]

  • Singapore still working on rules to tighten social media enforcement

    Singapore is still mulling over new rules that will, among other things, instruct social media platforms to disable access to content it deems harmful. It will not, however, bar the use of hyperlinks in SMS or other messaging apps, as doing so would not eliminate the risk of someone falling prey to phishing attacks.

    The Ministry of Communications and Information (MCI) last month said it was working on two proposed Codes of Practice aimed at improving the safety of social media users in the country. The first would require social media service providers to adopt upstream, “system-wide” processes to bolster online safety for their users, particularly the young. The second Code of Practice would empower industry regulator Infocomm Media Development Authority (IMDA) to instruct social media platforms to cut access to specific “egregious harmful content” that remained available in spite of these operators’ content moderation systems. The government deemed such content to encompass sexual harm, self-harm, public security, and racial or religious intolerance.

    The new enforcement framework would give IMDA the power to direct any social media service accessible from Singapore to block access to specific types of harmful content, or to disallow specific online accounts from communicating such content or engaging users in the country. The ministry noted that while such services had made efforts to address the issue, it was concerned that online harms continued to prevail and were compounded when amplified on social media.

    MCI said in a written parliamentary response this week that governments worldwide were also looking at ways to effectively regulate social media services. “As with all forms of regulations, non-compliance must result in enforcement actions. MCI has studied relevant international regulatory models and provisions under existing local laws. We will provide details of the enforcement framework in due course,” the ministry said.

    Various measures needed to mitigate phishing threats

    While it mulls over new regulations for social media, Singapore has taken more concrete steps to mitigate risks stemming from embedded hyperlinks in SMS and other messaging platforms. The government in January said it was reviewing the public sector’s use of SMS and clickable links in interacting with the public, as part of efforts to combat phishing scams. The move came after SMS-phishing scams involving OCBC Bank customers, in which scammers manipulated SMS Sender ID details to direct victims to phishing websites, resulted in losses of more than SG$8.5 million. Banks were then instructed to remove hyperlinks from email or SMS messages sent to consumers.

    In its parliamentary response this week, the Smart Nation Digital Government Group (SNDGG) said it had assessed the use of links by government agencies and determined that removing them from SMS, email or other messaging platforms would not eliminate the risk of users falling prey to phishing attempts. To better mitigate such threats, it would instead implement detection and prevention measures at the backend, and drive user awareness of how to guard against scams that spread through hyperlinks.

    Elaborating on the backend measures, SNDGG said the government would use only domains ending with “.gov.sg” when sending SMS messages with links. There were exceptions, however, where government agencies collaborated with other organisations and other websites could be used; such sites would be listed online so users could check unfamiliar websites before interacting with them. SNDGG added that the Singapore SMS Sender ID Registry was established in March 2022 to block SMS messages that spoofed the sender IDs of targeted entities, including government agencies and banks. To date, more than 50 organisations have signed up for the registry, with all government agencies “progressively onboarding” as well. The government was still evaluating whether it would be necessary to require all users of alphanumeric sender IDs to participate in the registry.

    Telcos were also implementing capabilities in their networks to block scam messages and calls, including robocalls and anyone spoofing the numbers of local government agencies and emergency services, said SNDGG. It added that the government had also implemented multi-factor authentication, including the use of biometrics, on SingPass, which residents need in order to access e-government services. In addition, plans were underway to launch a WhatsApp channel for the National Crime Prevention Council in the third quarter. This would enable citizens to report suspected scams more quickly and enable the government to “crowdsource information” and respond to scam websites and messages, SNDGG said. It added that IMDA was also collaborating with the Singapore Police Force to identify and block suspected scam websites; some 12,000 suspected scam websites were blocked last year.

    Misconfigurations main cause of digital bank service disruptions

    Scams aside, errors were the main cause of disruptions to online banking services over the past year. Four retail banks, Citibank Singapore, DBS Bank, OCBC, and United Overseas Bank (UOB), reported eight interruptions to their digital banking services since July 2021. Mostly resolved within three hours, the incidents affected an average of 12,000 customers, said Tharman Shanmugaratnam, Singapore’s Senior Minister and Minister in Charge of the Monetary Authority of Singapore (MAS), in his parliamentary response this week. The longest disruption, lasting 39 hours, involved DBS in November last year and was later attributed to a malfunction of the bank’s access control servers. While one disruption was related to an outage at a third-party cloud service provider, Tharman said the banks themselves were mainly the root causes of these incidents.

    The minister pointed to software misconfigurations, system malfunctions, and errors introduced when the banks were making system changes. MAS requires all banks to be able to recover systems supporting critical banking services, such as fund transfers and payments, within four hours of any disruption. The total unscheduled downtime for each critical system also must not exceed four hours within any 12-month period. Tharman said MAS would take supervisory action when banks breached these requirements. DBS, for instance, was instructed to engage an independent expert to review the bank’s service disruption, including its controls, recovery actions and preventive measures for similar incidents in future. DBS also had to rectify all shortcomings identified by the review and implement measures to ensure any future disruption to its digital banking services was resolved quickly and adequately, Tharman said.

    “The recent incidents highlight the need for banks to continually review their IT resilience strategy and ensure that there is sufficient redundancy and fault tolerance built into their digital banking IT infrastructure,” the minister wrote. “Swift diagnosis and recovery of systems, coupled with robust business continuity management, are critical in minimising the impact of an IT disruption.” He added that MAS had introduced business continuity management (BCM) guidelines outlining measures financial institutions should employ to sustain critical business services and minimise service disruption. With cloud adoption increasing the sector’s exposure to third-party risks, MAS had also highlighted such risks as a key area for financial institutions to focus on, in both the BCM guidelines and its technology risk management guidelines.

  • Akamai Linode now offers Kali Linux instances

    Kali Linux is a Linux distribution designed for penetration testing or — yes — hacking. This Debian-based Linux is a security worker’s favorite distribution. And now Linode, which recently became part of Akamai, is offering Kali as a supported distribution. With Kali on Akamai, you can test and secure your production systems. […]