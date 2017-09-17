Python's Official Repository Included 10 'Malicious' Typo-Squatting Modules (bleepingcomputer.com) 31
An anonymous reader quotes BleepingComputer: The Slovak National Security Office (NBU) has identified ten malicious Python libraries uploaded on PyPI -- Python Package Index -- the official third-party software repository for the Python programming language. NBU experts say attackers used a technique known as typosquatting to upload Python libraries with names similar to legitimate packages -- e.g.: "urlib" instead of "urllib." The PyPI repository does not perform any types of security checks or audits when developers upload new libraries to its index, so attackers had no difficulty in uploading the modules online.
Developers who mistyped the package name loaded the malicious libraries in their software's setup scripts. "These packages contain the exact same code as their upstream package thus their functionality is the same, but the installation script, setup.py, is modified to include a malicious (but relatively benign) code," NBU explained. Experts say the malicious code only collected information on infected hosts, such as name and version of the fake package, the username of the user who installed the package, and the user's computer hostname. Collected data, which looked like "Y:urllib-1.21.1 admin testmachine", was uploaded to a Chinese IP address. NBU officials contacted PyPI administrators last week who removed the packages before officials published a security advisory on Saturday."
The advisory lays some of the blame on Python's 'pip' tool, which executes arbitrary code during installations without requiring a cryptographic signature.
Ars Technica also reports that another team of researchers "was able to seed PyPI with more than 20 libraries that are part of the Python standard library," and that group now reports they've already received more than 7,400 pingbacks.
I use pip install all the time...well pip3 install
pypl is great but they could increase their security at bit and still keep the same level of functionality. This malware is kind of obvious, or at least it seems like it should be obvious to security people.
I remember thinking on more than a few occasions that pypl could be easily misused by beginners.
What the hell would that change?
The vector here is people asking for a module that is named similar to the one they want, pip in installing exactly the module they are mistakenly asking for - there is no reason that any cryptographic signature would be failed.
The only marginal finger-pointing possible here is at PyPl for allowing typo squating, however even that is marginal.
Basically, if you are installing modules from 'dah internetz', you should take just a little care, perhaps?
The thing is, typos happen.
Sometimes it's not even that. Beautiful Soup is the module for parsing HTML and XML files. However, beautifulsoup (bs) is the legacy version and beautifulsoup4 (bs4) is the version that everyone should be using. It's very easy to install the former when you need the latter.
https://www.crummy.com/software/BeautifulSoup/bs4/doc/#installing-beautiful-soup [crummy.com]
And how exactly would a cryptographic signature help that?
It would just certify that you had actually installed the right cones typo squatter correctly....
Unless there was a central controller of who was allowed to publish python extensions.
Is that what you want? It's called a walled garden...
And how would cryptographically signed even help?
Anyone letting a package into a library site need to verify it before it can be downloaded.
If you download stuff from an unofficial library then you are on your own. But most of the unofficial sites are friendly though, so don't be too scared.
And how would cryptographically signed even help?
That way you can be sure that if you download malware, it's not tampered with.
And how would cryptographically signed even help?
That way you can be sure that if you download malware, it's not tampered with.
all it tells you is, the signature was valid. whilst it links the file *to* the signature, it doesn't tell you anything about the trustworthiness of the PERSON. for that, you need much much more than just a legitimate signature: you need a full web-of-trust and for the package uploaders to be involved in key-signing parties, where they've basically (collectively) staked their reputation on trusting the ACTUAL identity. this becomes incredibly hard to compromise when there are multiple people involved. n
I use pip install all the time...well pip3 install
pypl is great but they could increase their security at bit and still keep the same level of functionality.
it's actually incredibly comprehensive and extremely involved. for a completely separate team, i'm just in the process of writing up the requirements (following software engineering practices) which cover exactly this scenario: you can read them here if you like (note: they're in development and undergoing review): http://lkcl.net/reports/wot/ [lkcl.net]
Pip is the markings on dominoes and dice.
https://en.wikipedia.org/wiki/Pip_(counting) [wikipedia.org]
How does one quarantine an operating system?
The most secured version of Windows is installed on a PC with no cables attached inside a locked room.