5 tips for businesses on Safer Internet Day

By Paul Ducklin

Safer Internet Day is here!

Note that it’s more than just One Safe Internet Day, where you spend 24 hours taking security seriously, only to fall back on bad habits the day after.

As the old saying goes, “Cybersecurity is a journey, not a destination,” and that’s why we have SAFER internet day – it’s all about getting BETTER at cybersecurity, no matter how safe you think you are already.

So here are five things you can do in your business, regardless of its size, to help you and your colleagues keep ahead of the cybercrooks.

1. PATCH EARLY, PATCH OFTEN

We’ve won part of this battle already, because most businesses these days do install security patches.

At least, they install updates eventually. But there are still many organization’s out there that take their time about it, putting off updates for weeks or even months “in case something goes wrong”.

The problem is that once crooks know about new security holes, they don’t put off using them – so the longer you lag behind, the more vulnerable your business becomes. Learn how to test updates quickly – you can start with one computer and make notes from there – and have a plan for rolling back in the rare event that something does go wrong.

Read more at https://nakedsecurity.sophos.com/2020/02/11/5-tips-for-businesses-on-safer-internet-day/

Google Chrome to start blocking downloads served via HTTP

By John E Dunn

Google has announced a timetable for phasing out insecure file downloads in the Chrome browser, starting with desktop version 81 due out next month.

Known in jargon as ‘mixed content downloads’, these are files such as software executables, documents and media files offered from secure HTTPS websites over insecure HTTP connections.

This is a worry because a user seeing the HTTPS padlock on a site visited using Chrome might assume that any downloads it offers are also secure (HTTP sites offering downloads are already marked ‘not secure’).

That, of course, is a risky assumption, as Google’s announcement points out:

Insecurely-downloaded files are a risk to users’ security and privacy. For instance, insecurely downloaded programs can be swapped out for malware by attackers, and eavesdroppers can read users’ insecurely-downloaded bank statements.

Google will introduce this change gradually rather than all at once, at first offering warnings about executable downloads via HTTP in versions 81 and 82 of the desktop browser.

From version 83, due in June, these will be blocked outright and Chrome will start offering warnings for archives files such as .zip.

In subsequent versions, the same warn-and-block process will start to apply for downloads such as .doc and PDFs, images, videos and music files until, by Chrome version 86 in October, all downloads via HTTP will be blocked.

Mobile versions of Chrome will use the same timetable except that each milestone will apply one version later than for the desktop version.

Enterprise and education customers will be able to disable the policy on a per-site basis using the InsecureContentAllowedForUrls policy, Google said.

Read more at https://nakedsecurity.sophos.com/2020/02/10/google-chrome-to-start-blocking-downloads-served-via-http/

Facebook encrypted messaging will ‘create hiding places for child abuse’

By Lisa Vaas

Last year, Facebook announced that it would stitch the technical infrastructure of all of its chat apps – Messenger, WhatsApp and Instagram – together so that users of each app can talk to each other more easily.

The plan includes slathering the end-to-end encryption of WhatsApp – which keeps anyone, including law enforcement and even Facebook itself, from reading the content of messages – onto Messenger and Instagram. At this point, Facebook Messenger supports end-to-end encryption in “secure connections” mode: a mode that’s off by default and has to be enabled for every chat. Instagram has no end-to-end encryption on its chats at all.

“As you would expect, there is a lot of discussion and debate as we begin the long process of figuring out all the details of how this will work,” Facebook has said – including, of course, the fact that law enforcement would be shut out of viewing messages on yet more chat apps.

That discussion now includes an open letter, signed by 129 child protection organizations around the world and sent to CEO Mark Zuckerberg on Thursday. The groups, led by the UK’s National Society for the Prevention of Cruelty to Children (NSPCC), are urging the company to stop its plans until “sufficient safeguards” are in place.

According to news outlets that have seen the letter, it says that Facebook could be building on “years of sophisticated efforts” to protect children online, but is instead “inclined to blindfold itself.”

More from the letter:

We urge you to recognize and accept that an increased risk of child abuse being facilitated on or by Facebook is not a reasonable trade-off to make. Children should not be put in harm’s way either as a result of commercial decisions or design choices.

The NSPCC said in December 2019 that police in the UK recorded over 4,000 instances – an average of 11 per day – where Facebook apps were used in child abuse image and online child sexual offenses during the prior year.

Read more at https://nakedsecurity.sophos.com/2020/02/10/facebook-encrypted-messaging-will-create-hiding-places-for-child-abuse/