IT News

Security: iPhone gyroscopes, of all things, can uniquely ID handsets on anything earlier than iOS 12.2

QUOTE

Your iPhone can be uniquely fingerprinted by apps and websites in a way that you can never clear. Not by deleting cookies, not by clearing your cache, not even by reinstalling iOS.

Cambridge University researchers will present a paper to the IEEE Symposium on Security and Privacy 2019 today explaining how their fingerprinting technique uses a fiendishly clever method of inferring device-unique accelerometer calibration data.

“iOS has historically provided access to the accelerometer, gyroscope and the magnetometer,” Dr Alastair Beresford told The Register this morning. “These types of devices don’t seem like they’re troublesome from a privacy perspective, right? Which way up the phone is doesn’t seem that bad.

“In reality,” added the researcher, “it turns out that you can work out a globally unique identifier for the device by looking at these streams.”

Your orientation reveals an awful lot about you

“MEMS” – microelectromechanical systems – is the catchall term for things like your phone’s accelerometer, gyroscope and magnetometer. These sensors tell your handset which way up it is, whether it’s turning and, if so, how fast, and how strong a nearby magnetic field is. They are vital for mobile games that rely on the user tilting or turning the handset.

These, said Beresford, are mass produced. Like all mass-produced items, especially sensors, they have the normal distribution of inherent but minuscule errors and flaws, so high-quality manufacturers (like Apple) ensure each one is calibrated.

“That calibration step allows the device to produce a more accurate parameter,” explained Beresford. “But it turns out the values being put into the device are very likely to be globally unique.”

Beresford and co-researchers Jiexin Zhang, also from Cambridge’s Department of Computer Science and Technology, and Ian Sheret of Polymath Insight Ltd, devised a way of not only accessing data from MEMS sensors – that wasn’t the hard part – but of inferring the calibration data based on what the sensors were broadcasting in real time, during actual use by a real-world user. Even better (or worse, depending on your point of view), the data can be captured and reverse-engineered through any old website or app.

“It doesn’t require any specific confirmation from a user,” said Beresford. “This fingerprint never changes, even if you factory reset the handset or reinstall the OS. This is buried deep inside the firmware of the device so the fingerprint data doesn’t change. This provides a way to track users around the web.”

How they did it

“You need to record some samples,” said Beresford. “There’s an API in JavaScript or inside Swift that allows you to get samples from the hardware. Because you get many samples per second, we need around 100 samples to get the attack. Around half a second on many of the devices. So it’s quite quick to collect the data.”

Each device generates a stream of analogue data. By converting that into digital values and applying algorithms they developed in the lab using stationary or slow-moving devices, Beresford said, the researchers could then infer what a real-world user device was doing at a given time (say, being bounced around in a bag) and apply a known offset.

“We can guess what the input is going to be given the output that we observe,” he said. “If we guess correctly, we can then use that guess to estimate what the value of the scale factor and the orthogonality are.”

From there it is a small step to bake those algorithms into a website or an app. Although the actual technique does not necessarily have to be malicious in practice (for example, a bank might use it to uniquely fingerprint your phone as an anti-fraud measure), it does raise a number of questions.

Good news, fandroids: you’re not affected

Oddly enough, the attack doesn’t work on most Android devices because they’re cheaper than Apple’s, in all senses of the word, and generally aren’t calibrated, though the researchers did find that some Google Pixel handsets did feature calibrated MEMS.

Beresford joked: “There’s a certain sense of irony that because Apple has put more effort in to provide more accuracy, it has this unfortunate side effect!”

Apple has patched the flaws in iOS 12.2 by blocking “access to these sensors in Mobile Safari just by default” as well as adding “some noise to make the attack much more difficult”.

The researchers have set up a website which includes both the full research paper and their layman’s explanation, along with a proof-of-concept video.

Get patching, Apple fanbois.

Boeing 737 Max Simulators Are in High Demand. They Are Flawed.

QUOTE

Since the two fatal crashes of the Boeing 737 Max, airlines around the world have moved to buy flight simulators to train their pilots.

They don’t always work.

Boeing recently discovered that the simulators could not accurately replicate the difficult conditions created by a malfunctioning anti-stall system, which played a role in both disasters. The simulators did not reflect the immense force that it would take for pilots to regain control of the aircraft once the system activated on a plane traveling at a high speed.

The mistake is likely to intensify concerns about Boeing, as it tries to regain credibility following the crashes of Lion Air and Ethiopian Airlines flights. In the months since the disasters, Boeing has faced criticism for serious oversights in the Max’s design. The anti-stall system was designed with a single point of failure. A warning light that Boeing thought was standard turned out to be part of a premium add-on.

“Every day, there is new news about something not being disclosed or something was done in error or was not complete,” said Dennis Tajer, a spokesman for the American Airlines pilots union and a 737 pilot.

The training procedures have been a source of contention. Boeing has maintained that simulator training is not necessary for the 737 Max and regulators do not require it, but many airlines bought the multimillion-dollar machines to give their pilots more practice. Some pilots want continuing simulator training.

The flight simulators, on-the-ground versions of cockpits that mimic the flying experience, are not made by Boeing. But Boeing provides the underlying information on which they are designed and built.

“Boeing has made corrections to the 737 Max simulator software and has provided additional information to device operators to ensure that the simulator experience is representative across different flight conditions,” said Gordon Johndroe, a Boeing spokesman. “Boeing is working closely with the device manufacturers and regulators on these changes and improvements, and to ensure that customer training is not disrupted.”

In recent weeks, Boeing has been developing a fix to the system, known as MCAS. As part of that work, the company tried to test on a simulator how the updated system would perform, including by replicating the problems with the doomed Ethiopian Airlines flight.

It recreated the actions of the pilots on that flight, including taking manual control of the plane as outlined by Boeing’s recommended procedures. When MCAS activates erroneously, pilots are supposed to turn off the electricity to a motor that allows the system to push the plane toward the ground. Then, pilots need to crank a wheel to right the plane. They have limited time to act.

On the Ethiopian flight, the pilots struggled to turn the wheel while the plane was moving at a high speed, when there is immense pressure on the tail. The simulators did not properly match those conditions, and Boeing pilots found that the wheel was far easier to turn than it should have been.

Regulators are now trying to determine what training will be required.

When the Max was introduced, Boeing believed that pilots did not need experience on the flight simulators, and the Federal Aviation Administration agreed. Many pilots learned about the plane on iPads. And they were not informed about the anti-stall system.

The limited training was a selling point of the plane. It can cost airlines tens of millions of dollars to maintain and operate flight simulators over the life of an aircraft.

After the first crash, Boeing gave airlines and pilots a full rundown of MCAS. But the company and regulators said that additional training was not necessary. Simply knowing about the system would be sufficient.

In a tense meeting with the American Airlines pilots union after the crash, a Boeing vice president, Mike Sinnett, said he was confident that pilots were equipped to deal with problems, according to an audio recording reviewed by The New York Times. A top Boeing test pilot, Craig Bomben, agreed, saying, “I don’t know that understanding the system would have changed the outcome of this.”

Since the Ethiopian Airlines disaster in March, lawmakers and regulators are taking a closer look at the training procedures for the 737 Max, and whether they should be more robust. At a congressional hearing this week, the acting head of the F.A.A., Daniel Elwell, testified that MCAS should “have been more adequately explained.”

Boeing said on Thursday that it had completed its fix to the 737 Max. Along with changes to the anti-stall system, the fix will include additional education for pilots.

The company still has to submit the changes to regulators, who will need to approve them before the plane can start flying again. The updates are not expected to include training on simulators, but the F.A.A. and other global regulators could push to require it.

“The F.A.A. is aware that Boeing Company is working with the manufacturers of Boeing 737 Max flight simulators,” a spokesman for the agency said in an emailed statement. “The F.A.A. will review any proposed adjustments as part of its ongoing oversight of the company’s efforts to address safety concerns.”

Airlines have already been pushing to get more simulators and develop their own training.

Pilots at American Airlines, which began asking for simulators when they started flying the planes, ratcheted up their requests after the Lion Air crash. Regardless of what the F.A.A. requires, the union believes pilots should get the experience. A spokesman for the airline said it had ordered a simulator that would be up and running by December.

“We value simulators in this situation,” said Mr. Tajer. “It’s not a condition of the Max flying again, but it is something we want.”

Bug-hunter reveals another ‘make me admin’ Windows 10 zero-day – and vows: ‘There’s more where that came from’

Quote

Vulnerability can be exploited to turn users into system stars, no patch available yet

A bug-hunter who previously disclosed Windows security flaws has publicly revealed another zero-day vulnerability in Microsoft’s latest operating systems.

The discovered hole can be exploited by malware and rogue logged-in users to gain system-level privileges on Windows 10 and recent Server releases, allowing them to gain full control of the machine. No patch exists for this bug, details and exploit code for which were shared online on Tuesday for anyone to use and abuse.

The flaw was uncovered, and revealed on Microsoft-owned GitHub, funnily enough, by a pseudonymous netizen going by the handle SandboxEscaper. She has previously dropped Windows zero-days that can be exploited to delete or tamper with operating system components, elevate local privileges, and so on.

This latest one works by abusing Windows’ schtasks tool, designed to run programs at scheduled times, along with quirks in the operating system.

Meanwhile… If you haven’t yet patched the wormable RDP security flaw in Windows (CVE-2019-0708), please do so ASAP – exploit code that can crash vulnerable systems is doing the rounds, and McAfee eggheads have developed and described a proof-of-concept attack that executes arbitrary software on remote machines, with no authentication required. Eek.

It appears the exploit code imports a legacy job file into the Windows Task Scheduler using schtasks, creating a new task, and then deletes that new task’s file from the Windows folder. Next, it creates a hard filesystem link pointing from where the new task’s file was created to pci.sys, one of Windows’ kernel-level driver files, and then runs the same schtasks command again. This clobbers pci.sys’s access permissions so that it can be modified and overwritten by the user, thus opening the door to privileged code execution.

The exploit, as implemented, needs to know a valid username and password combo on the machine to proceed, it seems. It can be tweaked and rebuilt from its source code to target other system files, other than pci.sys. …….

Rampant Android bloatware a privacy and security hellscape

I spent the past week examining an AT&T Android. The bloatware was off the scale, as was the spyware. Removing these via ADB broke the system. Even installing a firewall broke the system, as it appeared that the firewall was detected and it simply blocked calls even when the firewall was disabled (but installed). I will next look at an Android One device to see if it is any better, as they claim to be pure Android with no bloatware. I am not just picking on AT&T, but as the article and the PDF study that generated it point out, the practice is rampant.

Quote

The apps bundled with many Android phones are presenting threats to security and privacy greater than most users think.

This according to a paper (PDF) from university researchers in the US and Spain who studied the pre-installed software that 214 different vendors included in their Android devices. They found that everyone from the hardware builders to mobile carriers and third-party advertisers were loading products up with risky code.

“Our results reveal that a significant part of the pre-installed software exhibit potentially harmful or unwanted behavior,” the team from Universidad Carlos III de Madrid, Stony Brook University and UC Berkeley ICSI said.

The study, An Analysis of Pre-installed Android Software, was written by Julien Gamba, Mohammed Rashed, Abbas Razaghpanah, Juan Tapiador, and Narseo Vallina-Rodriguez. It is being presented later this month at the 41st IEEE Symposium on Security and Privacy.

“While it is known that personal data collection and user tracking is pervasive in the Android app ecosystem as a whole we find that it is also quite prevalent in pre-installed apps.”

To study bundled software, the team crowdsourced firmware and traffic information from a field of 2,748 volunteers running 1,742 different models of devices from 130 different countries.

Across all those different vendors, carriers, and locales, one theme was found: Android devices are lousy with bloatware that not only takes up storage, but also harvests personal information and in some cases even introduces malware.

“We have identified instances of user tracking activities by preinstalled Android software – and embedded third-party libraries – which range from collecting the usual set of PII and geolocation data to more invasive practices that include personal email and phone call metadata, contacts, and a variety of behavioral and usage statistics in some cases,” the team wrote.

“We also found a few isolated malware samples belonging to known families, according to VirusTotal, with prevalence in the last few years (e.g., Xynyin, SnowFox, Rootnik, Triada and Ztorg), and generic trojans displaying a standard set of malicious behaviors (e.g., silent app promotion, SMS fraud, ad fraud, and URL click fraud).”

Beware the bloat

The device vendors themselves were not the only culprits. While the bundled apps can be installed by the vendors, bloatware can also be introduced by the carriers who add their own software to devices as well as third parties that may slip in additional advertising or tracking tools into otherwise harmless and useful software.

Addressing this issue could prove particularly difficult, the researchers note. With vendors and carriers alike looking to eke a few extra bucks out of every device sold, bundled apps and bolted on advertising and tracking tools are highly attractive to companies, and absent pressure from a higher-up body, the bottom line will almost always win out.

To that end, they recommend someone steps in to offer audits of the supply chain and catch potential security and privacy threats in bundled software.

“Google might be a prime candidate for it given its capacity for licensing vendors and its certification programs,” the researchers note.

“Alternatively, in absence of self-regulation, governments and regulatory bodies could step in and enact regulations and execute enforcement actions that wrest back some of the control from the various actors in the supply chain.”

Security: Panic as panic alarms meant to keep granny and little Timmy safe prove a privacy fiasco

QUOTE

Simple hack turns them into super secret spying tool

A GPS tracker used by elderly people and young kids has a security hole that could allow others to track and secretly record their wearers.

The white-label product is manufactured in China and then rebadged and rebranded by a range of companies in the UK, US, Australia and elsewhere including Pebbell 2, OwnFone and SureSafeGo. Over 10,000 people in the UK use the devices.

It has an in-built SIM card that is used to pinpoint the location of the user, as well as provide hands-free communications through a speaker and mic. As such it is most commonly used by elderly people in case of a fall and on children whose parents want to be able to know where they are and contact them if necessary.

But researchers at Fidus Information Security discovered, and revealed on Friday, that the system has a dangerous flaw: you can send a text message to the SIM and force it to reset. From there, a remote attacker can cause the device to reveal its location, in real time, as well as secretly turn on the microphone.

The flaw also enables a third party to turn on and off all the key features of the products such as emergency contacts, fall detection, motion detection and a user-assigned PIN. In other words, a critical safety device can be completely disabled by anybody in the world through a text message.

The flaw was introduced in an update to the product: originally the portable fob communicated with a base station that was plugged into a phone line: an approach that provided no clear attack route. But in order to expand its range and usefulness, the SIM card was added so it was not reliant on a base station and would work over the mobile network.

The problem arises from the fact that the Chinese manufacturer built in a PIN to the device so it would be locked to the telephone number programmed into the device. Which is fine, except the PIN was disabled by default and the PIN is currently not needed to reboot or reset the device.

And so it is possible to send a reset command to the device – if you know its SIM telephone number – and restore it to factory settings. At that point, the device is wide open and doesn’t need the PIN to make changes to the other functions. Which all amounts to remote access.

Random access memory

But how would you find out the device’s number? Well, the researchers got hold of one such device and its number and then ran a script where they sent messages to thousands of similar numbers to see if they hit anything.

They did. “Out of the 2,500 messages we sent, we got responses from 175 devices (7 per cent),” they wrote. “So this is 175 devices being used at the time of writing as an aid for vulnerable people; all identified at a minimal cost. The potential for harm is massive, and in less than a couple of hours, we could interact with 175 of these devices!”

The good news is that it is easy to fix: in new devices. You would simply add a unique code to each device and require it be used to reset the device. And you could limit the device to only receive calls or texts from a list of approved contacts.

But in the devices already on the market, the fix is not so easy: even by using the default PIN to lock it down, the ability to reset the device is still possible because it doesn’t require the PIN to be entered. The researchers say they have contacted the companies that use the device “to help them understand the risks posed by our findings” and say that they are “looking into and are actively recalling devices.” But it also notes that some have not responded.

In short, poor design and the lack of a decent security audit prior to putting the updated product on the market has turned what is supposed to provide peace of mind into a potential stalking and listening nightmare.

Hundreds of millions of Facebook records exposed on public servers – report

Wait Wait – I thought old Zuck said he was changing things. I guess his users (including Business users) are really the Zuckers.

Note to Businesses: DROP FACEBOOK, it will hurt you in the long run.
Note to Users: Time to seek addiction counseling because if you still use Facebook, in spite of all the news, you are either mentally challenged or have a serious addiction problem (or simply too apathetic to give a damn).

Editorial — actually my ire is not with the users, it is with the businesses that still patronize Facebook. Customers of these businesses really need to ask this: “why is this business still using Facebook?” The answer is clear — they also want your private data and prefer to track and monetize you as opposed to protecting your privacy. And yes, their bedfellows include media like the Washington Post, New York Times, The Guardian, Bloomberg, all of which we often quote here. Shame on them and all others. If companies left Facebook, then this menace (Facebook) would be history. Well, that will not happen as they see $$$$$$$$$$$.

What to do? Simple: 1) Delete your Facebook Account, 2) contact those businesses and urge them to drop Facebook.

Quote

Material discovered on Amazon cloud servers in latest example of Facebook letting third parties extract user data

More than 540m Facebook records were left exposed on public internet servers, cybersecurity researchers said on Wednesday, in just the latest security black eye for the company.

Researchers for the firm UpGuard discovered two separate sets of Facebook user data on public Amazon cloud servers, the company detailed in a blogpost.

One dataset, linked to the Mexican media company Cultura Colectiva, contained more than 540m records, including comments, likes, reactions, account names, Facebook IDs and more. The other set, linked to a defunct Facebook app called At the Pool, was significantly smaller, but contained plaintext passwords for 22,000 users.

The large dataset was secured on Wednesday after Bloomberg, which first reported the leak (see article here), contacted Facebook. The smaller dataset was taken offline during UpGuard’s investigation.

The data exposure is not the result of a breach of Facebook’s systems. Rather, it is another example, akin to the Cambridge Analytica case, of Facebook allowing third parties to extract large amounts of user data without controls on how that data is then used or secured.

“The data exposed in each of these sets would not exist without Facebook, yet these data sets are no longer under Facebook’s control,” the UpGuard researchers wrote in their blogpost. “In each case, the Facebook platform facilitated the collection of data about individuals and its transfer to third parties, who became responsible for its security.”

Facebook said that it was investigating the incident and did not yet know the nature of the data, how it was collected or why it was stored on public servers. The company said it will inform users if they find evidence that the data was misused.

“Facebook’s policies prohibit storing Facebook information in a public database,” a spokeswoman said in a statement. “Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people’s data.”

Cultura Colectiva did not immediately respond to a request for comment.

The data exposure is just the latest example of how Facebook’s efforts to be perceived as a “privacy-focused” platform are hampered by its own past practices and what UpGuard researchers called “the long tail” of user data. For years, Facebook allowed third-party app developers substantial access to users’ information.

“As these exposures show, the data genie cannot be put back in the bottle,” the UpGuard researchers wrote. “Data about Facebook users has been spread far beyond the bounds of what Facebook can control today.”

The Police State: Ex-Mozilla CTO: I was grilled for three hours at San Francisco airport by US border cops – and I’m an American citizen

The Land of the Free where we respect liberty and the constitution – NOT. Not much different in the U.S. as compared to Venezuela or Turkey or _fill in the blank. Despots rule the day. Note to youth. Put down your entertainment and become active in the political process before all rights are gone.

Quote

Techie raises alarm over ‘detention’ after he refused to unlock work laptop, phone

Former Mozilla CTO Andreas Gal says he was interrogated for three hours by America’s border cops after arriving at San Francisco airport – because he refused to unlock his work laptop and phone.

Gal, now employed by Apple, today claimed he was detained and grilled on November 29 after landing in California following a trip to Europe.

He had attempted to pass through US customs via a Global Entry electronic kiosk. He wasn’t expecting a problem, since the Hungarian-born techie is now an American citizen, but it was not to be.

“On this trip, the kiosk directed me to a Customs and Border Patrol agent who kept my passport and sent me to secondary inspection,” Gal said. “There I quickly found myself surrounded by three armed agents wearing bullet proof vests. They started to question me aggressively regarding my trip, my current employment, and my past work for Mozilla, a non-profit organization dedicated to open technology and online privacy.”

Gal said the g-men were rather interested in his time at Firefox-maker Mozilla, and of his recent trip to Canada. They also went through his wallet and luggage, and this led to a request by the agents for Gal to unlock his Apple-issued iPhone XS and MacBook Pro, it is claimed.

Gal believes the ordeal was not a random search gone awry, but rather a targeted attempt by the government to send a message. Certainly more and more security researchers report being grilled by US border patrol, if they can even get a visa to enter the country, that is.

“My past work on encryption and online privacy is well documented, and so is my disapproval of the Trump administration and my history of significant campaign contributions to Democratic candidates,” Gal noted. “I wonder whether these CBP [Customs and Border Patrol] programs led to me being targeted.”

Given the devices were emblazoned with big red stickers reading “PROPERTY OF APPLE. PROPRIETARY,” and he had signed confidentiality agreements with Cupertino, Gal said he asked for permission to call his bosses and/or a lawyer to see if he would get into trouble by handing over access. When this request was repeatedly refused, we’re told, he clammed up, taking the Fifth, and citing constitutional rights against unwarranted searches.

Irked by Gal’s refusal, it is claimed, the border agents told him he had no constitutional nor any legal protections, and threatened him with criminal charges should he not concede to the search. He said he was eventually allowed to leave with his belongings, the devices still locked, and no charges were pressed. Gal said the agents did take away his Global Entry pass, which allows express entry through customs, as punishment for not complying with their demands.

How random is random?

Now, Gal has enlisted the help of the ACLU to probe into the brouhaha, and determine whether his civil rights were violated. The civil-liberties watchdog has filed a complaint [PDF] with the Department of Homeland security to determine whether the search violated the US Constitution and demand an investigation of whether the CBP’s entry policies are illegal.

“CBP’s baseless detention and intrusive interrogation of Andreas Gal and the attempted search of his devices violated his Fourth Amendment rights,” ACLU Northern California senior counsel William Freeman said of the complaint.

“Furthermore, CBP’s policies lack protections for First Amendment rights by allowing interrogation and device searches that may be based on a traveler’s political beliefs, activism, nation of origin, or identity.”

CBP declined to comment. ®

Google Fined $1.7 Billion by E.U. for Unfair Advertising Rules

The Monopolists and Oligopolists party that keeps rolling on. The U.S. needs to get on board NOW with Europe. In fact even Europe is a bit weak. It is time to break up the monopolies and oligopolies and spur real competition across many sectors.

This article underlines just one example. It is not just Google, but several other tech companies including those in telecoms, shopping, and so on. The U.S. is now the land of oligopolies and monopolies. Vigorous anti-trust enforcement is needed now!

Quote

LONDON — European authorities on Wednesday fined Google 1.5 billion euros for antitrust violations in the online advertising market, continuing its efforts to rein in the world’s biggest technology companies.

The fine, worth about $1.7 billion, is the third against Google by the European Union since 2017, reinforcing the region’s position as the world’s most aggressive watchdog of an industry with an increasingly powerful role in society and the global economy. The regulators said Google had violated antitrust rules by imposing unfair terms on companies that used its search bar on their websites in Europe.

Europe’s regulatory approach was once criticized as unfairly focusing on technology companies from the United States, but is now viewed as a potential global model as governments question the influence of Silicon Valley. Europe is at the forefront of a broad debate about the role of tech platforms like Apple, Amazon, Facebook and Google, and whether their size and power hurt competition.

With the announcement on Wednesday, the European fines against Google total roughly 8.2 billion euros, or $9.3 billion. But the bloc has not received any of the money yet; Google is appealing the earlier decisions, and is mulling whether to appeal the most recent ruling.

“Google has cemented its dominance in online search adverts and shielded itself from competitive pressure by imposing anticompetitive contractual restrictions on third-party websites,” Margrethe Vestager, Europe’s top antitrust watchdog, said in a statement. “This is illegal under E.U. antitrust rules.”

The fine centers on contracts that license the use of Google’s search bar on websites run by newspapers, blogs, travel services and other companies. European regulators said the operators of the third-party websites using Google’s search bar had been required to display a disproportionate number of text ads from Google’s own advertising services over competing digital advertising companies.

The practice, regulators said, undercut competitors, such as Microsoft and Yahoo, that were trying to challenge Google in search.

“There was no reason for Google to include these restrictive clauses in its contracts, except to keep its rivals out of the market,” Ms. Vestager said at a news conference in Brussels. She said the ruling covered 2006 to 2016, when Google stopped the practices.

Europe’s actions against Silicon Valley are influencing policy debates around the world, but some critics question the overall effectiveness of the penalties.

The European Union spent a decade investigating Google, a slow and deliberate process, during which the company’s business and power continued to grow. Annual revenue at Google’s parent company, Alphabet, reached $137 billion last year, compared with $22 billion a decade earlier. On Wednesday, Google shares rose 2 percent.

The Google cases highlight a larger question policymakers face in overseeing the digital economy.

“As it becomes increasingly clear that antitrust fines or after-the-fact remedies are not enough to bring vibrant competition to the market, governments will need to move to deeper tech sector regulation to remedy problems,” said Gene Kimmelman, a former antitrust official in the Justice Department who is now president of Public Knowledge, a consumer advocacy group. He suggested rules preventing tech platforms like Google from favoring their own services.

In the United States, where there has been limited regulation of tech companies, Senator Elizabeth Warren, Democrat of Massachusetts, has made breaking up Google and other tech giants a priority in her presidential campaign. This week, Representative David Cicilline, Democrat of Rhode Island and chairman of the House Subcommittee on Antitrust, Commercial and Administrative Law, called for a federal antitrust investigation of Facebook.

In response to the ruling on Wednesday, Google said, “Healthy, thriving markets are in everyone’s interest.”

“We’ve already made a wide range of changes to our products to address the commission’s concerns,” Kent Walker, Google’s senior vice president for global affairs, said in a statement. “Over the next few months, we’ll be making further updates to give more visibility to rivals in Europe.”

The case is the last of three investigations the European Commission has pursued against Google, which has headquarters in Mountain View, Calif.

Last year, Ms. Vestager fined Google a record €4.34 billion for using its ownership of the Android mobile operating system to unfairly undercut rivals in the mobile phone market, a decision that also forced the company to change how it bundled its apps on smartphones. In 2017, the company was fined 2.4 billion euros for unfairly favoring its own shopping services over those of rivals.

The two previous rulings have not had a big impact on Google’s financial health, but they have forced the tech giant to adjust some business practices.

After the Android ruling last year, Google for the first time began charging handset makers to pre-install Gmail, Google Maps and other popular applications for Android devices in the European Union.

Perhaps in an attempt to head off additional inquiries, Google announced a number of further changes to services across Europe on Wednesday, after rivals complained that it continued to benefit from anticompetitive business practices.

For the first time, the company said, it will ask Android phone users in Europe if they want to switch to a web browser and search engine not owned by Google. To allow more competition when customers shop with Google, it will give other shopping sites more prominence in its search results, the company also said. Google said it would do the same with local search queries in Europe, such as when a person searches for a restaurant, a move that could help companies like TripAdvisor and OpenTable.

Outside of its review of practices by Google and others, the European Union has adopted tough new privacy rules that many countries outside Europe now view as a template. Regulators here have also investigated tech companies’ tax practices and called for more scrutiny of artificial intelligence.

The decision on Wednesday against Google will be one of the final major antitrust rulings in the five-year term of Ms. Vestager, whose crackdown on Silicon Valley while competition commissioner has made her a minor celebrity in the often-staid world of European politics.

Ms. Vestager has expressed openness to serving another term as the bloc’s top antitrust watchdog, but she is also considered a contender to become president of the European Commission, the most powerful executive position in the European Union. Her future will depend in part on the outcome of European parliamentary elections in May.

Even with her possible departure, pressure on the technology industry is not easing.

The European Union is expected to adopt new copyright regulations as early as next week that would impose restrictions to stop unlicensed content, like music and videos, from being shared on tech platforms like Google and Facebook. Another proposal tries to block the sharing of hate speech and extremist content, a policy that some critics say could lead to censorship.

At the same time, regulators across Europe are pursuing several lines of inquiry.

Ms. Vestager’s office announced last year that Amazon was under investigation for its treatment of independent sellers who use its website to reach customers.

Apple, which in 2016 was ordered to pay Ireland $14.5 billion in back taxes, is now under scrutiny for its App Store policies. Facebook is facing separate inquiries related to its business practices and handling of user data. Google’s advertising practices are also being monitored by privacy advocates who are urging regulators to begin a new investigation for violating privacy rights.

“Businesses and consumers, they depend on platforms to get the best out of digitization,” Ms. Vestager said. “Illegal behavior in these cases is a very serious affair.”

How to Stop Facebook’s Dangerous App Integration Ploy

Here is a great op-ed piece by Sally Hubbard, who is a former assistant attorney general in the New York State Attorney General’s Antitrust Bureau and an editor at The Capitol Forum, where she covers technology and monopolization. She makes two points: 1) Facebook is a monopolist and 2) the FTC is toothless. Both need to change.
Quote

In response to calls that Facebook be forced to divest itself of WhatsApp and Instagram, Mark Zuckerberg has instead made a strategic power grab: He intends to put Instagram, WhatsApp and Facebook Messenger onto a unified technical infrastructure. The integrated apps are to be encrypted to protect users from hackers. But who’s going to protect users from Facebook?

Ideally, that would be the Federal Trade Commission, the agency charged with enforcing the antitrust laws and protecting consumers from unfair business practices. But the F.T.C. has looked the other way for far too long, failing to enforce its own 2011 consent decree under which Facebook was ordered to stop deceiving users about its privacy claims. The F.T.C. has also allowed Facebook to gobble up any company that could possibly compete against it, including Instagram and WhatsApp.

Not that blocking these acquisitions would have been easy for the agency under the current state of antitrust law. Courts require antitrust enforcers to prove that a merger will raise prices or reduce production of a particular product or service. But proving that prices will increase is nearly impossible in a digital world where consumers pay not with money but with their personal data and by viewing ads.

The integration Mr. Zuckerberg plans would immunize Facebook’s monopoly power from attack. It would make breaking Instagram and WhatsApp off as independent and viable competitors much harder, and thus demands speedy action by the government before it’s too late to take the pieces apart. Mr. Zuckerberg might be betting that he can integrate these three applications faster than any antitrust case could proceed — and he would be right, because antitrust cases take years.

Luckily, the F.T.C. has a way to act quickly. Prompted by the Cambridge Analytica scandal, the agency has been investigating Facebook for violating that 2011 consent decree, which required it, among other things, to not misrepresent its handling of user information and to create a comprehensive privacy program. The F.T.C. can demand Facebook stop the integration as one of the conditions for settling any charges related to the consent decree, rather than just imposing an inconsequential fine.

If not stopped, the integration will cement Facebook’s monopoly power by enriching its data trove, allowing it to spy on users in new ways. Facebook might decide to sync data from one app to another so it can better track users. And Facebook needs user data: The reason it commands such a large share of digital advertising is that it tracks users — and even people without Facebook accounts — across millions of sites. It gathers data that allows it to target ads more precisely than many of its rivals for digital ad dollars, including news media sites and content creators.

After stopping Mr. Zuckerberg’s integration plan, the F.T.C. should reverse the WhatsApp and Instagram acquisitions as illegal under the Clayton Act, which prohibits mergers and acquisitions where the effect “may be substantially to lessen competition, or to tend to create a monopoly.” Undoing the mergers would give consumers an alternative to Facebook-owned apps and force Facebook to do better.

Without meaningful competition, Facebook has little incentive to protect users by making changes that could reduce profits. Users unhappy about data collection and algorithms that promote fake news and political polarization don’t have anywhere to go.

Any future Facebook acquisitions, no matter what the size, should be strictly reviewed because of the company’s history of deceiving users. Facebook uses technology, like its Onavo and Research apps, that monitor consumers’ app usage to identify potential rivals even before they are big enough to get on antitrust enforcers’ radars. Internal Facebook documents published by the British Parliament show Facebook used Onavo data to identify WhatsApp as a competitive threat, only to convince regulators otherwise.

Congress also should write legislation to overrule misguided cases that have neutered antitrust enforcement, and pass a strong privacy law with enough resources to enforce it. Only then, perhaps, will we be protected from Facebook.

Avast Highlights the Threat Landscape for 2019

Heads up, it will not get easier.

Quote
The Dawn of Adversarial AI

We foresee the emergence of a class of attacks known as ‘DeepAttacks’, which use AI-generated content to evade AI security controls. In 2018, the team observed many examples where researchers used adversarial AI algorithms to fool humans. Examples include the fake Obama video created by Buzzfeed where President Obama is seen delivering fake sentences, in a convincing fashion.

We have also seen examples of adversarial AI deliberately confounding the smartest object detection algorithms, such as fooling an algorithm into thinking that a stop sign was a 45-mph speed limit sign.

In 2019, we expect to see DeepAttacks deployed more commonly in an attempt to evade both human detection and smart defenses.

IoT Threats Will Become More Sophisticated

The trend toward smart devices will be so pronounced in the coming years that it will become difficult to buy appliances or home electronics that are not connected to the internet.

Avast research has shown that security is often an afterthought in the manufacturing of these devices. While the big name smart devices often do come with embedded security options, some producers skimp on security either to keep costs low for consumers or because they are not experts in security. Considering a smart home is only as secure as its weakest link, this is a mistake. History tends to repeat itself, so we can expect to see IoT malware evolve and become more sophisticated and dangerous, similar to how PC and mobile malware developed.

Router Attacks Will Advance

Routers have proven to be a simple and fertile target for a growing wave of attacks. Not only have we seen an increase in router-based malware in 2018, but also changes in the characteristics of those attacks.

In 2019, we expect to see the increased hijacking of routers used to steal banking credentials, for example, where an infected router injects a malicious HTML frame to specific web pages when displayed on mobile. This new element could ask mobile users to install a new banking app, for instance, and this malicious app will then capture authentication messages. Routers will continue to be used as targets of an attack, not just to run malicious scripts or spy on users, but also as an intermediate link in chain attacks.

The Evolution of Mobile Threats

In 2019, well known tactics such as advertising, phishing and fake apps will continue to dominate the mobile threat landscape. In 2018, we tracked and flagged countless fake apps using our apklab.io platform. Some were even found on the Google Play Store. Fake apps are the zombies in mobile security, becoming so ubiquitous that they barely even make the headlines as new fake apps pop up to take the place of the ones already flagged for removal. They will continue to persist as a trend in 2019, exacerbated by fake versions of popular app brands doing their rounds on the Google Play Store.

In 2018, the return of banking Trojans was also particularly pronounced on the mobile side, growing 150 percent year-on-year, from three percent to over seven percent of all detections we see worldwide. While perhaps not a big shift in terms of the overall volume, we believe that cybercriminals are finding banking to be a more reliable way to make money than cryptomining.

“This year, we celebrated the 30th anniversary of the World Wide Web. Fast forward thirty years and the threat landscape is exponentially more complex, and the available attack surface is growing faster than it has at any other point in the history of technology,” commented Ondrej Vlcek, President of Consumer at Avast.

“PC viruses, while still a global threat, have been joined by a multitude of malware categories that deliver more attacks. People are acquiring more and varied types of connected devices, meaning every aspect of our lives could be compromised by an attack. Looking ahead to 2019, these trends point to a magnification of threats through these expanding threat surfaces.”

These trends form part of Avast’s annual Threat Report. To download the full report please click here.
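The router scenario in the Avast excerpt above (a compromised router inserting a hidden frame into a page as it passes through) only works when the page travels in the clear, and it leaves a trace in the markup: a frame or script whose origin is not the site's own. The Python below is an added example written for this page, not Avast's code or part of the report; it parses a page with the standard library and reports embeds from foreign origins. The page URL, hostnames, the 203.0.113.7 address and the HTML are constructed sample values.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: a bank login page served over plain HTTP, into which an
# on-path device has inserted a hidden frame pointing at an outside host.
# The URL, hostnames and markup are invented for this example.
SAMPLE_PAGE_URL = "http://bank.example/login"
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.bank.example/lib.js"></script>
</head><body>
<form method="post" action="/login"><input name="user"><input name="pw" type="password"></form>
<iframe src="http://203.0.113.7/update.html" style="display:none" width="0" height="0"></iframe>
</body></html>"""


class _EmbedCollector(HTMLParser):
    """Collect the source of every tag that loads active or framed content."""

    WATCHED = ("iframe", "frame", "script", "embed", "object")

    def __init__(self):
        super().__init__()
        self.refs = []  # list of (tag, src) in document order

    def handle_starttag(self, tag, attrs):
        if tag in self.WATCHED:
            attr = dict(attrs)
            src = attr.get("src") or attr.get("data")  # <object> uses data=
            if src:
                self.refs.append((tag, src))


def origin(url):
    """Return (scheme, host, port) with the default port filled in."""
    p = urlparse(url)
    port = p.port or {"https": 443, "http": 80}.get(p.scheme)
    return (p.scheme, (p.hostname or "").lower(), port)


def transport_exposed(page_url):
    """True if the page is fetched in the clear, so an on-path device can rewrite it."""
    return urlparse(page_url).scheme == "http"


def find_foreign_embeds(page_url, html, allowed_hosts=()):
    """Return (tag, absolute_src) for embeds whose origin is neither the page's
    own origin nor one of the explicitly allowed hosts (e.g. the site's CDN)."""
    collector = _EmbedCollector()
    collector.feed(html)
    page_origin = origin(page_url)
    findings = []
    for tag, src in collector.refs:
        absolute = urljoin(page_url, src)  # resolve relative and protocol-relative refs
        src_origin = origin(absolute)
        if src_origin != page_origin and src_origin[1] not in allowed_hosts:
            findings.append((tag, absolute))
    return findings


if __name__ == "__main__":
    print("transport exposed:", transport_exposed(SAMPLE_PAGE_URL))
    hits = find_foreign_embeds(SAMPLE_PAGE_URL, SAMPLE_HTML,
                               allowed_hosts=("cdn.bank.example",))
    for tag, src in hits:
        print(f"foreign {tag}: {src}")
```

Run against the sample, the check reports the hidden iframe and nothing else once the site's own CDN is allowlisted. The same logic fits in a monitoring proxy or a synthetic check that fetches a site's login page from behind a consumer router and compares it with a known-good copy. The more important result is the first line it prints: an on-path device can only rewrite pages that are served over plain HTTP, so serving the site over HTTPS with HSTS removes the injection point rather than merely detecting it.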