{"id":25171,"date":"2022-07-11T08:25:17","date_gmt":"2022-07-11T12:25:17","guid":{"rendered":"https:\/\/www.itworldcanada.com?p=492039"},"modified":"2022-07-18T10:49:10","modified_gmt":"2022-07-18T14:49:10","slug":"cyber-security-today-july-11-2022-mandatory-2fa-for-the-pypi-registry-beware-of-fake-google-software-updates-and-a-poor-password-leads-to-huge-data-hack","status":"publish","type":"post","link":"https:\/\/technewsday.com\/staging\/cyber-security-today-july-11-2022-mandatory-2fa-for-the-pypi-registry-beware-of-fake-google-software-updates-and-a-poor-password-leads-to-huge-data-hack\/","title":{"rendered":"Cyber Security Today, July 11, 2022 \u2013 Mandatory 2FA For The PyPI Registry, Beware Of Fake Google Software Updates And A Poor Password Leads To Huge Data Hack"},"content":{"rendered":"<p data-ar-index=\"0\">Mandatory 2FA for the PyPI registry, beware of fake Google software updates and a poor password leads to huge data hack.<\/p>\n<p data-ar-index=\"1\">Welcome to Cyber Security Today. It\u2019s Monday, July 11th, 2022. 
I\u2019m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.<\/p>\n<p data-ar-index=\"3\">\n<p data-ar-index=\"4\"><strong>Mandatory two-factor login authentication<\/strong> will be imposed on maintainers of critical projects in the open source PyPI registry. 
That\u2019s the website for projects written in the Python language. <a href=\"https:\/\/pypi.org\/security-key-giveaway\/\" rel=\"noopener\">The new policy was announced Friday<\/a> by the registry as a way to improve security and reduce the odds a hacker can tamper with a project in the registry. It will be implemented in the coming months. As an incentive a limited number of Google Titan USB security keys are being given away to developers. However, project maintainers or owners can use any approved USB security key or app-based 2FA like Google Authenticator, Microsoft Authenticator, Duo, Authy or a password manager that generates authentication codes. Any project in the top one per cent of downloads in a six-month period is considered critical. At the moment 3,500 projects would qualify.<\/p>\n<p data-ar-index=\"5\"><strong>A new ransomware strain<\/strong> is being distributed that pretends to be a Google software update.<a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/g\/brand-new-havanacrypt-ransomware-poses-as-google-software-update.html\" rel=\"noopener\"> Researchers at Trend Micro call this strain<\/a> HavanaCrypt. Before executing the ransomware it deletes Windows shadow copies of data and system restore instances. Listeners must ignore any email or text message that claims to be a Google update. Remember applications like Gmail, Workspace, Google Docs and others automatically update. The only safe way to get a browser update is to have your Chrome browser set to automatically download updates, or you can just go into the control menu. You get that from clicking on the three dots in the upper right corner of the browser. From there click on Help and then About Google Chrome.<\/p>\n<p data-ar-index=\"6\"><strong>A poorly protected Elasticsearch database<\/strong> allegedly led to the theft in May of data on 23 million users of the Mangatoon comic reading platform. 
<a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/mangatoon-data-breach-exposes-data-from-23-million-accounts\/\" rel=\"noopener\">The Bleeping Computer news service said<\/a> a well-known hacker who uses the name pompompurin claims they were able to copy that database because the password was the word \u2026. password. Who created that database isn\u2019t known. It had the usernames \u2014 which may not be the real names \u2014 of subscribers, plus their email addresses, auth tokens for social media accounts and hashed passwords. Those tokens might allow an attacker to take over a social media account. So Mangatoon subscribers should consider changing their social media passwords as well as their Mangatoon passwords.<\/p>\n<p data-ar-index=\"7\"><strong>Finally,<\/strong> in a news story earlier this year on ITWorldCanada.com I reported that Microsoft planned to make an important change to boost security in its Office suite. That change would make it harder for users to get around the protection that stops malicious macros from running. Macros are pieces of automated code. Hackers can include malicious macros in compromised documents in email attachments. Microsoft blocks external macros from running automatically unless the user clicks on an approval button. Microsoft planned to remove that button because too many people just click on it. However, <a href=\"https:\/\/grahamcluley.com\/microsoft-rolls-back-plan-to-block-macros-by-default\/\" rel=\"noopener\">British security reporter Graham Cluley notes<\/a> that last week Microsoft paused the change because of criticism. It promises to make improvements to the user experience and still lower the odds of bad macros running.<\/p>\n<p data-ar-index=\"8\">Remember, links to details about podcast stories are in the text version at ITWorldCanada.com. 
That\u2019s where you\u2019ll also find other stories of mine.<\/p>\n<p data-ar-index=\"9\">Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.<\/p>\n<p data-ar-index=\"10\">The post <a href=\"https:\/\/www.itworldcanada.com\/article\/cyber-security-today-july-11-2022-mandatory-2fa-for-the-pypi-registry-beware-of-fake-google-software-updates-and-a-poor-password-leads-to-huge-data-hack\/492039\">Cyber Security Today, July 11, 2022 \u2013 Mandatory 2FA for the PyPI registry, beware of fake Google software updates and a poor password leads to huge data hack<\/a> first appeared on <a href=\"https:\/\/www.itworldcanada.com\/\">IT World Canada<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This episode reports on mandatory two-factor authentication coming for critical projects in the PyPI registry, fake Google software updates spreading and another hack blamed on the use of &#8216;password&#8217; as a<\/p>\n","protected":false},"author":17,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[360,16],"tags":[389],"class_list":["post-25171","post","type-post","status-publish","format-standard","hentry","category-podcasts","category-security","tag-cyber-security-today"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/25171","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/comments?post=25171"}],"version-history":[{"count":4,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/po
sts\/25171\/revisions"}],"predecessor-version":[{"id":25587,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/25171\/revisions\/25587"}],"wp:attachment":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media?parent=25171"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/categories?post=25171"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/tags?post=25171"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}