Cyber Security Headlines: W4SP stings PyPI, password hubris, Dropbox breached – CISO Series

The software supply chain security firm Phylum published a report detailing 29 packages in the PyPI registry used to push the W4SP info-stealing malware. The packages all appear to be set up as typosquats, with names similar to popular packages. The attackers copied the original codebase and then injected the malware through the “import” statement. This includes copying the package's setup and README files, so the malicious packages generate legitimate-looking landing pages with mostly working links. W4SP seems focused on stealing Discord tokens, cookies and saved passwords. The malicious packages had received over 5,700 downloads at the time of the report. 
(Bleeping Computer)
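Since the W4SP packages traded on names close to popular ones, a cheap defensive check is to compare each dependency name against a list of well-known packages and flag near-misses. The script below is an added example, not code from Phylum or the article; the package list and the requirements text are constructed for illustration.

```python
import re

# Constructed allow-list of well-known package names. In practice, build it from
# the top-downloaded PyPI packages or from your own approved dependency list.
KNOWN_PACKAGES = {
    "requests", "urllib3", "numpy", "pandas", "colorama", "pyyaml", "six",
    "setuptools", "cryptography", "flask", "django", "boto3", "pillow",
}

# Constructed requirements file: two entries are one character off a real name.
SAMPLE_REQUIREMENTS = """\
requests==2.28.1
reqests>=2.0        # missing 'u'
numpy
colorma             # missing 'a'
PyYAML>=6.0
"""

def normalize(name):
    # PEP 503 normalization: case-insensitive, runs of "-", "_" and "." become "-"
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a, b):
    # Levenshtein distance with a rolling single-row DP table
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_typosquat_candidate(name, known=KNOWN_PACKAGES, max_distance=2):
    """Return (known_name, distance) if name is a near-miss of a known package, else None."""
    n = normalize(name)
    if n in {normalize(k) for k in known}:
        return None                      # exact (normalized) match is not a typosquat
    limit = max_distance if len(n) >= 6 else 1   # short names: only one edit allowed
    best = None
    for k in known:
        d = edit_distance(n, normalize(k))
        if 0 < d <= limit and (best is None or d < best[1]):
            best = (k, d)
    return best

def scan_requirements(text):
    """Parse requirements.txt-style text; return (name, lookalike, distance) findings."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        name = re.split(r"[\[<>=!~; ]", line, 1)[0]   # strip extras and version specifiers
        hit = is_typosquat_candidate(name)
        if hit:
            findings.append((name, hit[0], hit[1]))
    return findings
```

A hit only means "looks like a well-known name"; confirm by comparing the package's real metadata, maintainer and upload history before blocking it.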
The password manager released its fifth annual Psychology of Passwords report, which looked at password behaviors among professionals across age ranges. It found a disconnect between confidence in secure behavior and actual practice in Gen Z. They were the most confident in their password management techniques, but were the most likely to use a variation of the same password across sites, and relied the most on memorization. 65% of all respondents said they received some cybersecurity education, but of those, only 31% stopped reusing passwords as a result. Almost all respondents, 89%, recognized reusing passwords as a risk, but only 12% used different passwords on different accounts. 
(Dark Reading)
The cloud storage provider disclosed the breach, in which threat actors gained access to one of its GitHub accounts through a phishing attack. This led to the theft of 130 code repositories. GitHub notified Dropbox of suspicious behavior on October 14th. Dropbox said the repositories contained credentials such as API keys used by its developers. The attackers also obtained names and emails from a few thousand “Dropbox employees, current and past customers, sales leads, and vendors.” The stolen code did not include any code for its core apps or infrastructure. Attackers never accessed customer accounts, passwords or payment info. 
(Bleeping Computer)
One of the big questions since Elon Musk acquired Twitter has been how the self-described “free speech absolutist” would handle previously banned accounts, specifically that of former President Donald Trump. Musk addressed these concerns, saying that the platform will not reinstate banned accounts before there is a clear process to do so. Musk said it will “take at least a few more weeks” to build that process, and that he has begun talks with civil rights leaders about joining a content moderation council.
Up until this year, the release of text-to-image engines to the general public caused some concern about how they would be used. With the release of Stability AI’s Stable Diffusion and OpenAI’s DALL-E 2, that theoretical cat is now largely out of the bag. Tortured metaphors aside, Google remains a big name when it comes to AI image generation, but one that so far has kept its tech away from public hands.
Now it’s making its Imagen text-to-image model available in its AI Test Kitchen. It previously used the space to provide limited access to its LaMDA model. Users won’t have full access to Imagen, but can interact with demos called “City Dreamer” and “Wobble.” The former uses the model to generate elements of a city around a user’s prompt; the latter does the same to create a little monster. Google wants feedback from users on how they try to break the system, as well as on how well it works overall. 
(The Verge)
The popular social network updated its privacy policy, outlining that European user data can be accessed by its employees outside of the bloc, including in Brazil, Canada, Israel, the US, and China. TikTok claims that employees use the data to make the platform “consistent, enjoyable and safe”. According to its head of privacy in Europe, Elaine Fox, the data will be “subject to a series of robust security controls and approval protocols” using methods recognized under the GDPR. This comes as the US government continues to wrangle with TikTok over storing US user data in China. The new policy goes into effect December 2nd. 
(The Guardian)
The recently acquired social network released data on the covert operation to researchers and the Washington Post. Twitter removed three distinct networks operating out of Japan, taking down 2,000 user accounts that posed as US-based. Two targeted a right-leaning audience, one a left-leaning one, all of them hitting on hot-button issues including election-rigging in an effort to stoke hyper-partisan discord. The takedowns occurred between April and October, with one network tweeting over 250,000 times. Some of these accounts also attracted not insignificant followings: one account had over 26,000 followers and received 180,000 retweets of various conspiracy theories. 
The US Department of Justice partially unsealed charges against eight individuals involved in a cybercrime organization operating a Racketeer Influenced and Corrupt Organizations (RICO) conspiracy. The accused allegedly purchased server credentials of CPAs and tax prep firms on the dark web. They used this access to steal thousands of tax returns, file false returns, and then open bank accounts under a fraudulent tax business to receive “tax preparer fees.” The group claimed over $36 million in false refunds, but the actual loss amount appears to be around $4 million. The operators face up to 44 years in prison. 
(InfoSecurity Magazine)
© 2021 CISO Series


