
Detecting Security Vulnerabilities in R Packages

One of our main roles at Jumping Rivers is to set up and provide ongoing maintenance for R, Python and RStudio infrastructure. This typically involves ensuring software is up to date and making sure everything is running smoothly. The OSS Index developed by Sonatype is a free catalogue of open source components and scanning tools that helps developers identify vulnerabilities, understand risk, and keep their software safe. The {oysteR} package is an R interface to the OSS Index that allows users to scan their installed R packages.

R Packages: Are we too trusting?

One of the great things about R is the myriad of packages. Packages are typically installed via CRAN, Bioconductor or GitHub. But how often do we think about what we are installing? Do we pay attention, or just install when something looks neat? Do we think about security, or just take it that everything is secure? In this post, we conducted a little nefarious experiment to see if people pay attention to what they install.

Hacking Bioconductor

Introduction

Domain squatting or URL hijacking is a straightforward attack that requires little skill. An attacker registers a domain that is similar to the target domain and hopes that a user accidentally visits the site. For example, if the domain is example.com, then a typo-squatter would register similar domains such as:

common misspellings: examples.com
misspellings based on omitted letters: exampl.com
misspellings based on typos: ezample.com
a different top-level domain: example.