Weekly in Security is a summary of the cybersecurity news from the past week. This post covers 2023-05-22 to 2023-05-29.
This article provides insights into a quite interesting type of typosquatting attack on NPM: capitalization! Someone could upload a package with the name of a popular package, but with all lowercase letters. By comparison, PyPI and NuGet restrict anyone else from uploading a package with the same name, regardless of the capitalization of its letters. The NPM security team promptly acknowledged and effectively addressed the security issue. Newly uploaded packages whose names conflict now receive the error message “Package name too similar to existing package”.
Google Registry actually announced eight new top-level domains (TLDs) that day: .dad, .phd, .prof, .esq, .foo, .zip, .mov, and .nexus. Users have a clear idea what .zip means. In his article, Bobby Rauch points out the dangers of the .zip TLD. Abusing this ambiguity, adversaries can mislead or misdirect users. Citizen Lab’s John Scott-Railton recommends blocking the newly introduced TLD.
Evil:
https://github.com∕kubernetes∕kubernetes∕archive∕refs∕tags∕@v1271.zip
Legitimate:
https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip
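As an added example (not part of the original post), a small Python check that parses the two URLs above with the standard library and reports which host a browser would actually contact; the set of slash look-alike characters it flags is an assumption of this example, not something from the article:

```python
from urllib.parse import urlsplit

# The two URLs quoted above. The "evil" one uses U+2215 DIVISION SLASH instead of
# "/" so the whole "path" becomes userinfo, and the real host is what follows "@".
EVIL = ("https://github.com\u2215kubernetes\u2215kubernetes\u2215archive"
        "\u2215refs\u2215tags\u2215@v1271.zip")
LEGIT = "https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip"

# Assumed (illustrative) set of characters that render like "/" but are not "/".
SLASH_LOOKALIKES = {"\u2215", "\u2044", "\uff0f"}
# TLDs that collide with common file extensions, per the article.
FILE_EXTENSION_TLDS = (".zip", ".mov")


def analyze_url(url):
    """Return the effective host plus the reasons (if any) the URL looks deceptive."""
    reasons = []
    if any(ch in SLASH_LOOKALIKES for ch in url):
        reasons.append("contains a slash look-alike character")
    try:
        parts = urlsplit(url)
    except ValueError:
        # urlsplit rejects netlocs whose NFKC form contains delimiters; treat as suspect.
        reasons.append("netloc rejected by urlsplit")
        return {"host": None, "suspicious": True, "reasons": reasons}
    host = parts.hostname or ""
    if parts.username is not None or parts.password is not None:
        reasons.append("userinfo before '@' hides the real host")
    if host.endswith(FILE_EXTENSION_TLDS):
        reasons.append("host is in a file-extension TLD")
    return {"host": host, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for label, url in (("Evil", EVIL), ("Legitimate", LEGIT)):
        result = analyze_url(url)
        print(f"{label}: host={result['host']!r} suspicious={result['suspicious']}")
        for reason in result["reasons"]:
            print(f"  - {reason}")
```

For the evil URL the effective host is v1271.zip, not github.com, which is exactly what a defender's URL filter or mail gateway needs to look at.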
German prosecutors have indicted four former CEOs of FinFisher. They are accused of having sold surveillance technology to the Turkish secret service without permission. The investigation is based on the complaint of Netzpolitik.org, Gesellschaft für Freiheitsrechte, Reporter ohne Grenzen and the European Center for Constitutional and Human Rights.
PyPI seems to be having a hard time recently. A lot of malicious packages have been uploaded (1, 2). The GPG signing seems to be more cosmetic than security relevant (1). Still, the PSF is also doing some things really well, judging by this blog article.
The United States Department of Justice subpoenaed the PSF and requested information on five PyPI users. The subpoenas were not associated with a non-disclosure order, and the PSF published the post as a matter of transparency. In the article they describe what information PyPI stores and what was handed over. The article also implies that the PSF received more subpoenas than are explicitly discussed in it.