Jan 16, 2023

                            January 16, 2023

                Jan 16, 2023

                        Supply Chain Attack Using Identical PyPI Packages, “colorslib”, “httpslib”, and “libhttps”

            Supply Chain Attack Using Identical PyPI Packages, “colorslib”, “httpslib”, and “libhttps” | FortiGuard Labs
            The FortiGuard Labs team discovered an attack embedded in three PyPI packages called ‘colorslib’, ‘httpslib’, and “libhttps”. Read our blog to learn more.…

-
The Info Op is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

-
Electrospaces @electrospaces
Right behind German defense minister Lambrecht we can see the brand new secure telephone SINA Communicator H: 
Verteidigungsministerium @BMVg_Bundeswehr
Gemeinsam sind wir stärker. Ministerin Lambrecht stimmte sich heute mit 🇺🇸 @SecDef Austin zu Schützenpanzern #Marder und dem Flugabwehrsystem #Patriot für die 🇺🇦 ab. Das nächste Ramstein-Treffen findet am 20. Januar statt. Details finden Sie in der heutigen Pressemitteilung👇 https://t.co/bVjlYYZefb10:43 AM ∙ Jan 15, 2023
9Likes2Retweets
-
Matt Suiche @msuiche
This is an attack vector that @lordx64, @Cryptilt and I have been talking about since 2021. 🤷‍♂️ https://t.co/FbY7238tQf
whalechart.org @WhaleChart
BREAKING: Google Chrome security vulnerability detected could lead to crypto wallet stealing3:55 PM ∙ Jan 15, 2023
21Likes6Retweets
-
Given that the invention of attack trees is commonly attributed to Schneier's 1999 article, I was surprised to see the idea described in a 1991 paper by J.D. Weiss of Bell Labs [1].
Even more surprising is that I found it because it was cited in another paper co-authored by Schneier in 1998 [2].
[1]J.D. Weiss, "A System Security Engineering Process," Proceedings of the 14th National
Computer Security Conference, 1991.

https://csrc.nist.gov/CSRC/media/Publications/conference-paper/1991/10/01/proceedings-14th-national-computer-security-conference-1991/documents/1991-14th-NCSC-proceedings-vol-2.pdf

[2] Chris Salter, O. Sami Saydjari, Bruce Schneier, Jim Wallner, "Toward a secure system engineering methodology," NSPW '98: Proceedings of the 1998 workshop on New security paradigms

https://dl.acm.org/doi/10.1145/310889.310900

            Alex Gantman: "Given that the invention of attack trees is commo…" - IOC.exchange
            Attached: 1 image

Given that the invention of attack trees is commonly attributed to Schneier's 1999 article, I was surprised to see the idea described in a 1991 paper by J.D. Weiss of Bell Labs [1].
Even more surprising is that I found it because it was cited in another paper co-authored by Schneier in 1998 [2].

[1]J.D. Weiss, "A System Security Engineering Process," Proceedings of the 14th National
Computer Security Conference, 1991.
https://csrc.nist.gov/CSRC/media/Publications/conference-paper/1991/10/01/proceedings-14th-national-computer-security-conference-1991/documents/1991-14th-NCSC-proceedings-vol-2.pdf

[2] Chris Salter, O. Sami Saydjari, Bruce Schneier, Jim Wallner, "Toward a secure system engineering methodology," NSPW '98: Proceedings of the 1998 workshop on New security paradigms
https://dl.acm.org/doi/10.1145/310889.310900

-
Time Travelling Italian Midwife @DrFurfagMDhol up 
the chinese are running cobalt strike on iphones
gloxec.github.io/CrossC2/zh_cn/… 
10:56 PM ∙ Jan 14, 2023
489Likes127Retweets
-
Zhuowei Zhang @zhuowei(apologies to xkcd.com/1420/) 
<img class="tweet-photo" src="https://pbs.substack.com/media/FmiyyZLXEAgbTN_.png" alt="Timeline from 1990 to 2030 with two regions highlighted:
"API key max user limit" (ending in 2010)
(empty area between 2010 and just past 2020)
"API key revoked"

An arrow points to the empty area, with caption:
"Brief, glorious period in which Tweetbot was usable"" loading="lazy">
9:31 PM ∙ Jan 15, 2023
159Likes33Retweets
-
Guccifer is out of prison and giving interviews. I wouldn’t wish American prison on my worst enemy. 

            Hacker Guccifer Launched Clinton Email Scandal Out of Prison
            Before Russian intelligence cribbed his handle, Marcel Lehel Lazar hacked celebrities and Sidney Blumenthal. Now he’s back home in Transylvania.

-
Claudio Tennie @CTennieLet’s assume two neighbouring ape groups, 1 fishes for termites, while 2 dips for ants. This is ape culture. 
In the graphic you see six ape groups’ cultures. 
You might NOT have actually seen this graphic before. The graphic is from our recent paper: nature.com/articles/s4159… 1/n 
1:33 PM ∙ Jan 15, 2023
52Likes22Retweets
-
Xeno Kovah @XenoKovah🧵1 @glitchnsec and I wanted to say thanks to the people whose CVE discoveries, vulnerability write-ups, and PoCs we used to create the material for #OST2 ost2.fyi/Vulns1001. So thanks go out to the following contributors…
ost2.fyiVulnerabilities 1001 Short URL Redirect3:38 AM ∙ Jan 16, 2023
30Likes11Retweets
-
Daniel Cuthbert @dcuthbert
A threat intel firm hacking a .ru drug market to divert cash to Ukrainian efforts. 

holdsecurity.com/news/2023/01/s…
Motive aside, this is still a very dodgy approach to take.
holdsecurity.comSolaris – Russian Drug Platform Exposed | Hold Security8:23 AM ∙ Jan 16, 2023
15Likes8Retweets

Jan 16, 2023

Supply Chain Attack Using Identical PyPI Packages, “colorslib”, “httpslib”, and “libhttps”

Supply Chain Attack Using Identical PyPI Packages, “colorslib”, “httpslib”, and “libhttps” | FortiGuard Labs

The FortiGuard Labs team discovered an attack embedded in three PyPI packages called ‘colorslib’, ‘httpslib’, and “libhttps”. Read our blog to learn more.…

Alex Gantman: "Given that the invention of attack trees is commo…" - IOC.exchange

Guccifer is out of prison and giving interviews. I wouldn’t wish American prison on my worst enemy.

Hacker Guccifer Launched Clinton Email Scandal Out of Prison

Before Russian intelligence cribbed his handle, Marcel Lehel Lazar hacked celebrities and Sidney Blumenthal. Now he’s back home in Transylvania.

Stargirl: "So You Want to Solve Python Packaging: A Practica…" - Hachyderm.io

So You Want to Solve Python Packaging: A Practical Guide First, the technical: Python is used by vastly different groups of people, some that don't identify as "developers". Those groups often have disparate expectations about how packaging should work. Some don't even know what a package is.