As the news of two malicious Python packages in PyPI spread across the Internet, I started revisiting all the hours our team at Freedom of the Press Foundation spent to think about these exact kind of attacks the ways of mitigation. In this particular case, the attackers used typosquatting to get similar project names and sent in malware-ridden code via the same.
I gave a talk Building reproducible Python applications for secured environments at PyCon US this year on the mitigation processes we follow. In simple words, we verify every source code update by reading the changes manually (with human eyes+tools) and then build and store wheel files on our index. Everything also gets verified via GPG signatures and known sha256sums.
Links for the week
- How Russian intelligence officers interfered in the 2016 election
- Tiny startup in the exploit market
- SMS Replacement is Exposing Users to Text
- Massoud Molavi, the Iranian activist, and journalist was assassinated in Istanbul
- Hacking Team is still selling spyware with a new company name
- USA charges Russian 'Evil Corp' hackers with $100m banking scheme
Video for the week