Naked Security: Chrome to brand FTP as “not secure”. “On 14 September, it was announced in a Chrome developers group that Chrome will mark FTP (File Transfer Protocol) resources in the address bar as ‘not secure.’ The change is expected to be made by the release of Chrome 63 in December 2017.” Good. It’s 2017, don’t use FTP. GoAnywhere’s got an overview on the differences between SFTP and FTPS.
Chrome
CNET: Google Chrome to block autoplay videos from January
CNET: Google Chrome to block autoplay videos from January. “Google is being the ultimate pal: In an upcoming update to its Chrome web browser, it will block any autoplay video that has sound. ‘Starting in Chrome 64,’ an official blog post explained, “‘autoplay will be allowed when either the media won’t play sound, or the user has indicated an interest in the media.'” YAY!
Bleeping Computer: Apple and Google Fix Browser Bug. Microsoft Does Not.
Bleeping Computer: Apple and Google Fix Browser Bug. Microsoft Does Not.. “Microsoft has declined to patch a security bug Cisco Talos researchers discovered in the Edge browser, claiming the reported issue is by design. Apple and Google patched a similar flaw in Safari (CVE-2017-2419) and Chrome (CVE-2017-5033), respectively. According to Cisco Talos researcher Nicolai Grødum, the vulnerability can be classified as a bypass of the Content Security Policy (CSP), a mechanism that allows website developers to configure HTTP headers and instruct the browsers of people visiting their site what resources (JavaScript, CSS) they can load and from where.”
Lifehacker: Snapmail Allows You to Send Self-Destructing Gmail Messages
Lifehacker: Snapmail Allows You to Send Self-Destructing Gmail Messages. “There are a lot of options out there to send secure and self-destructing messages to others. But what if you really just want to send them a message using Gmail? Snapmail is a Chrome extension that allows you to send messages just like you might otherwise to recipients that will destruct in 60 seconds.”
The Register: Google to kill Symantec certs in Chrome 66, due in early 2018
The Register: Google to kill Symantec certs in Chrome 66, due in early 2018 . “Google has detailed its plan to deprecate Symantec-issued certificates in Chrome. The decision to end-of-life its trust for Symantec certificates was the outcome of a long tussle over dodgy certificates, which came to a head when certs for example.com and various permutations of test.com escaped into the wild.”
TechCrunch: Google says its Safe Browsing tool now protects over 3 billion devices
TechCrunch: Google says its Safe Browsing tool now protects over 3 billion devices. “Google today announced that its Safe Browsing service, which keeps Chrome, Safari and Firefox users on the desktop and on mobile from visiting potentially dangerous sites, now protects more than 3 billion devices. That’s up from 1 billion in 2013 and 2 billion the company starting citing in May 2016.”
SANS Infosec: Second Google Chrome Extension Banker Malware in Two Weeks
SANS Infosec: Second Google Chrome Extension Banker Malware in Two Weeks. “It seems that Google Chrome extensions have become quite the tool for banking malware fraudsters. Two weeks ago, an offender phoned a victim and asked him to install a supposedly new bank security module that, instead, was a malicious extension hosted at the Google Chrome app store aimed to steal victim’s banking credentials [1]. This week I received a report about a targeted email phishing campaign against another company with a suspicious attachment. The attachments, after the analysis detailed in today’s diary, revealed itself to be another Google Chrome extension prepared to steal banking credentials, credit card, CVV numbers and fraud ‘compensation tickets’ (a popular and particular Brazilian payment method; we call it ‘boleto’) to divert payments.”
