#1273292: NCSC warns devs to shed Python 2 over fears of WannaCry-style incident

Description: CYBER COPS at the UK's National Cyber Security Centre have sounded the alarms over the impending end of life (EOL) of Python 2, warning companies that continue to use unsupported software that they could face a WannaCry-alike incident.

Python 2 reaches EOL on 1 January 2020, after which there will be no more bug fixes or security updates from Python's core developers.

Given that's a little over four months away, the NCSC is urging devs to port their code to Python 3, warning that if they don't, they are "risking the security of your organisation and data, as vulnerabilities will sooner or later appear which nobody is fixing.

"The WannaCry ransomware provides a classic example of what can happen if you run unsupported software. It infected more than 230,000 computers, causing major disruption around the globe. More recently, the Equifax breach has resulted in a settlement of up to $700m."

The risk of a WannaCry or Equifax-style incident isn't the agency's only concern. It notes that many popular projects such as NumPy, Requests, and TensorFlow have pledged to drop support for 2.x by 2020 and some already have.

"This means that if you want to use the latest features of your favourite modules, you'll need to be using Python 3," the agency said. "The longer you wait to update, the more the Python 3 versions of your dependencies will have changed, and the more difficult updating will become."

It is also urging devs who maintain a library that others rely on to take heed of its warning, noting: "By holding other developers back, you are indirectly and likely unintentionally increasing the security risks of others.

"You may not publish any code outside of your organisation but consider your colleagues who may also be using your code internally."

Naturally, the NCSC's blog also outlines the benefits of Python 3, and lists a number of tools and resources available to make porting code easier, such as Can I Use Python 3 and 2to3.
More info: https://www.theinquirer.net/inquirer/news/3080802/ncsc-python-2-eol-warning-wannacry

Date added: Aug. 24, 2019, 11:16 a.m.
Source: The Inquirer
  • GCHQ / NCSC UK / Joint Threat Research Intelligence Group / JTRIG
  • Latest Global Security News
  • Python - Various
  • UK Active Cyber Defence (ACD) - UK NCSC (GCHQ) Programme