How digital forensics helps bring criminals to justice – Beef up your Facebook privacy – Take a quiz to test your phish-spotting prowess

The post Week in security with Tony Anscombe appeared first on WeLiveSecurity

Google releases a fix for the security hole that, if left unplugged, could allow attackers to run malicious code with no user interaction

The post Critical Bluetooth bug leaves Android users open to attack appeared first on WeLiveSecurity

The feature is part of expanded parental controls on the Messenger Kids app aimed at children under 13

The post Facebook now lets parents monitor their children’s chats appeared first on WeLiveSecurity


Today we’re announcing that Chrome will gradually ensure that secure (HTTPS) pages only download secure files. In a series of steps outlined below, we’ll start blocking “mixed content downloads” (non-HTTPS downloads started on secure pages). This move follows a plan we announced last year to start blocking all insecure subresources on secure pages.
Insecurely-downloaded files are a risk to users’ security and privacy. For instance, insecurely-downloaded programs can be swapped out for malware by attackers, and eavesdroppers can read users’ insecurely-downloaded bank statements. To address these risks, we plan to eventually remove support for insecure downloads in Chrome.
As a first step, we are focusing on insecure downloads started on secure pages. These cases are especially concerning because Chrome currently gives no indication to the user that their privacy and security are at risk.
Starting in Chrome 82 (to be released April 2020), Chrome will gradually start warning on, and later blocking, these mixed content downloads. File types that pose the most risk to users (e.g., executables) will be impacted first, with subsequent releases covering more file types. This gradual rollout is designed to mitigate the worst risks quickly, provide developers an opportunity to update sites, and minimize how many warnings Chrome users have to see.
We plan to roll out restrictions on mixed content downloads on desktop platforms (Windows, macOS, Chrome OS and Linux) first. Our plan for desktop platforms is as follows:

  • In Chrome 81 (released March 2020) and later:
    • Chrome will print a console message warning about all mixed content downloads.
  • In Chrome 82 (released April 2020):
    • Chrome will warn on mixed content downloads of executables (e.g. .exe).
  • In Chrome 83 (released June 2020):
    • Chrome will block mixed content executables
    • Chrome will warn on mixed content archives (.zip) and disk images (.iso).
  • In Chrome 84 (released August 2020):
    • Chrome will block mixed content executables, archives and disk images
    • Chrome will warn on all other mixed content downloads except image, audio, video and text formats.
  • In Chrome 85 (released September 2020):
    • Chrome will warn on mixed content downloads of images, audio, video, and text
    • Chrome will block all other mixed content downloads
  • In Chrome 86 (released October 2020) and beyond, Chrome will block all mixed content downloads.
Example of a potential warning
Chrome will delay the rollout for Android and iOS users by one release, starting warnings in Chrome 83. Mobile platforms have better native protection against malicious files, and this delay will give developers a head-start towards updating their sites before impacting mobile users.
Developers can prevent users from ever seeing a download warning by ensuring that downloads only use HTTPS. In the current version of Chrome Canary, or in Chrome 81 once released, developers can activate a warning on all mixed content downloads for testing by enabling the “Treat risky downloads over insecure connections as active mixed content” flag at chrome://flags/#treat-unsafe-downloads-as-active-content.
Enterprise and education customers can disable blocking on a per-site basis via the existing InsecureContentAllowedForUrls policy by adding a pattern matching the page requesting the download.
In the future, we expect to further restrict insecure downloads in Chrome. We encourage developers to fully migrate to HTTPS to avoid future restrictions and fully protect their users. Developers with questions are welcome to email us at security-dev@chromium.org.

What is it like to defeat cybercrime? A peek into how computer forensics professionals help bring cybercriminals to justice.

The post How to catch a cybercriminal: Tales from the digital forensics lab appeared first on WeLiveSecurity

A helmet may not be enough to keep you safe(r) while riding an e-scooter

The post Electric scooters vulnerable to remote hacks appeared first on WeLiveSecurity

As Facebook turns 16, we look at how to keep your personal information safe from prying eyes

The post Facebook privacy settings: Protect your data with these tips appeared first on WeLiveSecurity

As the tide of phishing attacks rises, improving your scam-spotting skills is never a bad idea

The post Would you get hooked by a phishing scam? Test yourself appeared first on WeLiveSecurity

ESET research into a campaign of the Winnti Group – The FBI warns of a job scam – What IoT legislation means for device makers and users

The post Week in security with Tony Anscombe appeared first on WeLiveSecurity

ESET research into a campaign of the Winnti Group – The FBI warns of a job scam – What IoT legislation means for device makers and users

The post Week in security with Tony Anscombe appeared first on WeLiveSecurity