STE WILLIAMS

Hackers cop a FILA thousands of UK card deets after slinking onto clothing brand’s servers

Updated: Sportswear brand FILA is the latest outfit to fall victim to card-stealing JavaScript of the kind that menaced British Airways and Ticketmaster last year.

Russian security house Group-IB said it discovered and reported to FILA UK malware known as GMO that was active on the fashion brand’s website for the past four months – and may have sniffed the payment card information of thousands of customers placing online orders through the tainted pages.

What’s worse, the researchers reported that, despite multiple attempts to reach FILA, they have been unable to get the card-data-stealing code removed.

FILA did not respond to our request for comment on the allegation.

According to Group-IB’s threat hunters, the GMO infection is very similar to the card-harvesting JavaScript nasty MageCart, in that an attacker covertly slips onto the server of the targeted company and installs code onto the business’s website to covertly collect card numbers as they are entered by customers. These details are later uploaded to a collection server at a set time. Such attacks can be particularly difficult to detect as they do not produce a steady stream of traffic out of the infected machine.

In short, don’t order anything from FILA online, and if you have, contact your bank and check your statements.

“One-line card stealing code downloads a JavaScript Sniffer once a customer lands on a checkout page, which intercepts credit card data and sends it to local storage. After, the payment cards’ details are sent to the JS Sniffer’s gate which is located on the same server as a JS Sniffer script itself,” said Group-IB CTO Dmitry Volkov.

“Cybercriminals might have injected a malicious code by either exploiting a vulnerability of Magento CMS [content management system], used by FILA.co.uk, or simply by compromising the credentials of the website administrator using special spyware or cracking password with brute force methods,” Volkov added.

Just how many customers could have fallen victim to the attack is difficult to say. Group-IB used a loose estimate based on monthly traffic figures and a one per cent conversion rate (i.e., 1 per cent of people who visit the site end up buying something) to arrive at an estimated figure of around 5,600 compromised cards.

Group-IB said that FILA is likely not alone in falling victim to this latest variation of JavaScript malware harvesters. The researchers found six other unnamed websites to be similarly infected with the card-stealing scripts, and will be reaching out to US and UK police to help further suss out and stop any active infections. ®

Updated to add

Within hours of this article being published, the GMO JavaScript card sniffer was removed from FILA’s website, Group-IB tells us.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/14/fila_uk_hacked/

Protip: If you’d rather cyber-scoundrels didn’t know the contents of your comp, don’t apply for a Pakistani passport

A Pakistani government website was compromised with a keylogger and other malware that hoovered up a whole host of information about people checking on their passport application status.

Researchers from Trustwave discovered that the Scanbox JavaScript framework was running on the site.

The keylogger scooped up users’ login details for the compromised site, while Scanbox fingerprinted the user’s browser and collected details of programs installed on the machine used to sign in. It also hunted for 77 common anti-malware packages, beaming back details of its findings to the attackers’ command-and-control servers.

The user’s IP address, the referring site, operating system, user-agent string and installed browser plugins were all collected. The compromised site is at hxxp://gdip.gov.pk (do NOT visit this link!).

Trustwave’s Ziv Mador told The Register his firm discovered the breach after noticing unusual things cropping up in telemetry data. He said: “Its appearance on the website is very minimal. Apart from the link [to the Scanbox payload server] there is no other sign of compromise.”

Scanbox previously cropped up in infosec firm FireEye’s research, dating back to at least 2015. That company described it as an APT tool.

Highlighting how this malware campaign differs from the usual get-rich-quick scams set up by lower-level cybercrooks, Mador said: “We can say that the most common purpose [of malware criminals] is fundamentally driven by … things that generate revenue. Here it’s different: they didn’t try to install any malware.”

Describing the miscreants as “probably a sophisticated team”, Mador speculated that their intent was to “infect with further malware”, using the information slurped by Scanbox to precisely craft nasties that worked around known anti-malware suites installed on target devices.

“We contacted the Pakistani government site regarding this infection, but as of the time of publishing this blog post have received no response and the site remains compromised,” shrugged Trustwave. While the command-and-control server went dormant shortly after the threat research firm started poking around, there is no guarantee that the operators will not reactivate it.

The timing of the attack is of interest in the wider political context. Trustwave first spotted the infection on 2 March, shortly after tensions between India and Pakistan flared up into military action. While Trustwave did not have any information to indicate who was behind the infection, Mador told El Reg: “Given it’s a passport website, it’s quite likely [the infection] was politically motivated. About one-third to one-quarter [of those Trustwave observed using the site after spotting the compromise] are people living outside Pakistan. Maybe they’re travelling into Pakistan. Someone has an interest in monitoring this.”

Last year the Pakistani Air Force was targeted by a state-sponsored group in a campaign dubbed Operation Shaheen, while previous researchers noticed that cyber-sniping between the two countries tends to peak around national holidays and sports fixtures between the two. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/14/pakistan_passport_site_compromise/

Don’t be a WordPress RCE-hole and patch up this XSS vuln, pronto

A newly revealed vuln in the open-source CMS WordPress allows an unauthenticated website attacker to remotely execute code – potentially letting naughty folk delete or edit blog posts.

The flaw, detailed by German code-checking company RIPS Technologies in a blog post, can be exploited “by tricking an administrator of a target blog to visit a website set up by the attacker” in order to activate a cross-site request forgery exploit.

The attack relies on a) the target site having comments enabled, and b) the site admin being oblivious enough to click a dodgy link, however the attacker presents it to them. Security-aware folk are unlikely to be affected by this.

With WordPress claiming to power a third of websites on the WWW, including a large number of news websites and corporate blogs, the vuln could have business-critical implications.

“WordPress performs no CSRF [Cross-Site Request Forgery] validation when a user posts a new comment. This is because some WordPress features such as trackbacks and pingbacks would break if there was any validation,” wrote RIPS’ Simon Scannell, explaining that WordPress site admins can include arbitrary code in comments they post on their own websites. “In theory, an attacker could simply abuse the CSRF vulnerability to create a comment containing malicious JavaScript code.”

While WordPress sanitises code snippets out of comments, it does so by running them past one of two internal lists (depending on whether the admin account passes nonce validation, something an attacker should not be able to achieve) and deleting tags that are not on the approved list. If an admin posts a comment but fails nonce validation, the comment is still sanitised, but less harshly than an ordinary user’s comment would be.

“An attacker can create a comment containing a crafted <a> tag and set for example the title attribute of the anchor to title='XSS " onmouseover=alert(1) id="'. This attribute is valid HTML and would pass the sanitization step. However, this only works because the crafted title tag uses single quotes,” wrote Scannell. He said that an attacker could add an additional double quote to insert extra attributes that would not be stripped out by the sanitising code.

For example: <a title='XSS " onmouseover=evilCode() id=" '> would turn into <a title="XSS " onmouseover="evilCode()" id=""> after processing.
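The defect described above is a re-serialisation bug: the sanitiser parses the attribute correctly (a single-quoted title is one attribute), but writes it back double-quoted without encoding the double quotes inside the value, so the browser re-parses it as several attributes. The toy sanitiser below is an added, constructed model of that bug class and its fix, not WordPress’s wp_kses code; the allow-list, function names and the `browser_view` parser are assumptions.

```python
import html
import re
from typing import Dict, List, Tuple

# Attribute allow-list for <a> in this toy sanitiser (a constructed example,
# not WordPress's own list).
ALLOWED_ATTRS = {"href", "title", "id"}

# One attribute: name = 'single-quoted' | "double-quoted" | unquoted token.
ATTR_RE = re.compile(r"""([A-Za-z][\w-]*)\s*=\s*(?:'([^']*)'|"([^"]*)"|([^\s>]+))""")


def parse_attrs(tag: str) -> List[Tuple[str, str]]:
    """Split an <a ...> tag into (name, value) pairs, the way a parser or browser would."""
    body = tag.strip()[2:-1]  # drop the leading "<a" and the trailing ">"
    pairs = []
    for m in ATTR_RE.finditer(body):
        value = next(g for g in m.groups()[1:] if g is not None)
        pairs.append((m.group(1).lower(), value))
    return pairs


def sanitise_anchor(tag: str, escape_values: bool) -> str:
    """Keep allow-listed attributes only and re-serialise them double-quoted.

    escape_values=False reproduces the defect: a value containing a double
    quote is written back verbatim, so the browser sees extra attributes.
    escape_values=True is the fix: encode the value before re-serialising.
    """
    kept = []
    for name, value in parse_attrs(tag):
        if name not in ALLOWED_ATTRS:
            continue  # drops onclick, onmouseover, ... when they arrive as real attributes
        if escape_values:
            value = html.escape(value, quote=True)  # " -> &quot;  ' -> &#x27;
        kept.append(f'{name}="{value}"')
    return "<a " + " ".join(kept) + ">"


def browser_view(tag: str) -> Dict[str, str]:
    """Model of what the browser ends up with: attribute names -> decoded values."""
    return {name: html.unescape(value) for name, value in parse_attrs(tag)}


# The comment payload quoted in the article, embedded here as a test input.
PAYLOAD = """<a title='XSS " onmouseover=evilCode() id=" '>"""

if __name__ == "__main__":
    for escape in (False, True):
        out = sanitise_anchor(PAYLOAD, escape_values=escape)
        print(f"escape_values={escape}: {out}")
        print("   browser sees:", browser_view(out))
```

With `escape_values=False` the browser view contains an `onmouseover` attribute even though the allow-list never admitted one; with `escape_values=True` the whole string survives only as the text of the title.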

Thanks to WordPress’s frontend not implementing x-frame-options protections, the payload-containing comment can be displayed as an iframe. Scannell suggested the “attacker can make the iframe follow the mouse of the victim to instantly trigger the XSS payload”. From there it is a relatively straightforward step to have the target admin executing arbitrary JavaScript. Scannell added that one route to complete pwnage would be to insert a PHP backdoor into a WordPress theme or plugin. Doing so in the default theme shipped with out-of-the-box WordPress installs could be one method of staying below the radar.

To avoid this rather convoluted vuln, WordPress admins should ensure their installs are patched to version 5.1.1, or, failing that, disable comments until the core site can be patched.

“Most importantly, make sure to logout of your administrator session before visiting other websites,” advised RIPS. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/03/14/wordpress_rce_vuln_v_5_1_0_previous/

4 Reasons to Take an ‘Inside Out’ View of Security

When you approach security from the inside out, you’re protecting your data by determining the most vital applications and using a risk-based strategy, which focuses on the most valuable and vulnerable assets.

Sun Tzu, the famous military strategist and philosopher, once said, “If you know the enemy and you know yourself, you need not fear the result of a hundred battles.”

This quote from two millennia ago could not be more pertinent to today’s cybersecurity landscape. Too often, security leaders — across the private and public sectors — neglect the essential questions regarding the cyber defenses and capabilities they already have. In the cybersecurity realm, this boils down to asking, “Do I know my inside controls are working like they’re supposed to be working? How is our cyber hygiene?”

Understanding inside weaknesses and vulnerabilities is more important than ever. During periods of company inactivity — like the most recent government shutdown for example — organizations are especially prone to data breaches. Security certificates can expire during those times, leaving agencies weaker and more vulnerable to a number of threats. Security teams also lose time for essential tasks because of loads of backlogs to sift through.

To truly prepare for the cyber threats, it’s crucial that organizations start operationalizing a view of security from the inside out while focusing on cyber hygiene right at the heart.

Cyber Hygiene at the Heart
Traditionally, companies tend to manage cybersecurity based on assumptions: assuming their vendors’ products are working correctly, then assuming those products have been deployed and configured correctly.

What’s missing is the validation that the information surrounding an organization’s cyber defense is accurate, with no gaps or points of misinformation. Agencies need to validate controls in a continuous manner rather than viewing measurement of security as one snapshot at a time.

This is what the Department of Homeland Security (DHS) promotes through its Continuous Diagnostics and Mitigation (CDM) program. CDM is aligned to give government agencies real-time visibility into their security systems with continuous monitoring. Instead of penetration tests or audits, which are static, continuous monitoring gives more holistic visibility into systems over a longer period of time. Agencies can then quantifiably validate whether their controls are protecting critical assets. At the same time, security leaders and teams can manage their cybersecurity programs with more meaningful metrics to drive decision-making, optimize operations, and, ultimately, improve their cyber posture over time.

Look “Inside Out”
Despite the progress being made through programs like CDM, continuous monitoring still needs validation of the implementation of solutions as well as surrounding data. That’s why it’s increasingly important for private companies and government agencies to approach cybersecurity with an “inside out” view by doing the following:

1. Identify exact points of vulnerability within the attack life cycle. The first point of vulnerability is your organization’s own people. Security leaders should focus on helping their teams understand an attacker’s behavior in a particular segment they’re trying to defend. Then test defenses by testing incident response process. Do personnel know who to call and how to quantify what they’re seeing in context? Do they forward a phishing email to the correct party? By understanding how teams currently respond to threats with practice scenarios, leaders can determine where to make defenses stronger.

2. Measure ROI on cybersecurity investments. Government must be extremely judicious about spending taxpayer dollars, while businesses must ensure trust with their partners and clients. This is why it’s especially important to verify that your organization is attaining the expected ROI out of cybersecurity investments — rather than assuming so. Security leaders need data that shows exactly where the security gaps are and where you need to invest more heavily.

3. Apply risk-based decision-making, not compliance-based. Traditional models of measuring cybersecurity effectiveness tend to be siloed and compliance based, where cybersecurity measures are managed across separate enterprise channels and important data is underutilized. This also tends to result in a “checklist” mentality, which can leave your company vulnerable. Instead, cybersecurity must be aligned with your organization’s biggest risks and mission-critical business needs with products that deliver holistic and actionable insights.

4. Determine which technologies can be improved and which can be removed from the stack. For cybersecurity personnel, there are many products they have to manage. But it’s important to verify which products in the environment are working and which are not. Solutions for one organization may not be the right match for yours. Determine what technology products can give you the most value and what fits best with your current architecture so that you’re not purchasing redundant products that you already own. Having security controls mapped in an automated fashion also makes it easier to tag and label identified threats.

Know Thyself
When you tackle security from the outside in, you’re simply trying to deny intrusion. When you approach from the inside out, you are protecting your mission-critical data by determining the most vital applications and using a risk-based strategy, which focuses on the most valuable and vulnerable assets. Tackling cybersecurity from the inside out will not be easy. But as budgets continue to spike — even as the data breaches keep happening — security leaders must tie security to accountability. Whether government or private sector, every organization at the end of the day is a business, and an inside-out approach makes the most business sense.


Major General Earl Matthews, USAF (Ret.), is an award-winning retired Major General of the U.S. Air Force with a successful career influencing the development and application of cybersecurity and information management technology. His strengths include his ability to lead …

Article source: https://www.darkreading.com/cloud/4-reasons-to-take-an-inside-out-view-of-security/a/d-id/1334117?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Join Your Peers at the Black Hat Asia Executive Summit

There’s still time to apply for Black Hat’s focused high-level networking and knowledge-sharing event in Singapore next week!

Head’s up, cybersecurity luminaries: There’s still time to apply for access to the new Executive Summit at Black Hat Asia, which kicks off in Singapore next week!

If you’re not familiar with the Executive Summit yet, know that it’s a focused one-day event, next Wednesday, March 20, to be specific, where CISOs and other cybersecurity executives have opportunities to hear from a variety of industry experts shaping the next generation of information security strategy.

In a concise session on “Future-Proofing Supply Chain Against Emerging Cyber-Physical Threats,” for example, PSA Corporation’s Steven Sim will show you how the latest round of industrialization has further blurred the line between physical and cyberthreats. These threats, especially the recent NotPetya attacks, are a rude warning that cyber resilience is even more critical to ensuring business continuity, which is why this session aims to share security and governance strategies that can be applied holistically against such threats.

Later in the day you’ll have an opportunity to hear from Barclays’ Theo Nassiokas on “How Exactly Can Security Executives Mitigate Cyber Risk?” Nassiokas will share real-world cyberthreat examples, explain how to quantify cyberthreats, and offer a glimpse of the biggest challenges executives are up against. This talk will also connect cybersecurity events to real actors and geopolitical events reported in the press, and identify alleged state-sponsored cyberthreat actors and the alleged crimes they committed.

Plus, those who apply for the Executive Summit and are selected to attend will receive a Black Hat Asia Business Pass, a ticket to the Black Hat Asia VIP party (where you can meet speakers, trainers, review board members, and fellow attendees), and access to great Black Hat Asia Features like the Arsenal open-source tool demo area, and the Business Hall.

If you haven’t yet, apply now to take part in high-level networking and knowledge-sharing at the Black Hat Asia Executive Summit!

Black Hat Asia returns to the Marina Bay Sands in Singapore March 26-29, 2019. For more information on what’s happening at the event and how to register, check out the Black Hat website.

Article source: https://www.darkreading.com/black-hat/join-your-peers-at-the-black-hat-asia-executive-summit/d/d-id/1334166?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Businesses Increase Investments in AI and Machine Learning

More than three-quarters of IT pros say they feel safer for having done so, according to a new report.

Artificial intelligence (AI) and machine learning (ML) are buzzwords in the cybersecurity industry as companies try to keep up with an expanding threat environment. That is reflected in a new study from Webroot, which found 73% of IT professionals across the US and Japan saying they plan to increase their use of AI and ML this year.

The report, “Knowledge Gaps: AI and Machine Learning in Cybersecurity,” found uptake of the technologies to be increasing, even though 58% of survey respondents say they’re not sure what it means when a tool claims to use AI or ML. The uncertainty seems OK, though, when 72% say that they don’t really care whether their tools are intelligent, as long as they do the job.

Leveraging AI/ML in security seems a reasonable tactic since 84% say they believe criminals are already employing machine intelligence in their infrastructures.

The report also shows that companies are spending more on AI/ML than they did two years ago; 76% of respondents say the investment has made their companies safer.

Read more here.


Article source: https://www.darkreading.com/threat-intelligence/businesses-increase-investments-in-ai-and-machine-learning/d/d-id/1334156?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

US Prosecutors Investigate Facebook’s Data-Sharing Deals

The news follows a long, tumultuous period of scandal around Facebook and its privacy practices.

Facebook is under criminal investigation by federal prosecutors, who are looking into the social giant’s data-sharing deals with major technology companies, The New York Times reports.

In December 2018, the NYT revealed how Facebook shared unknowing users’ data with Microsoft, Amazon, Netflix, and more than 150 other tech firms, retailers, entertainment sites, and media outlets. The companies participating in these data-sharing deals owned applications seeking information on hundreds of millions of people each month. As part of the deals, partnering companies have been allowed to view users’ friends, contact info, and other data, sometimes without consent. Most have been shut down in the past two years.

Now, a New York grand jury has subpoenaed records from “at least two prominent makers of smartphones and other devices,” the NYT says, citing two people familiar with the requests. The two companies had reportedly made data-sharing agreements with Facebook, which is also under scrutiny by the Federal Trade Commission and the Securities and Exchange Commission, as well as the Justice Department, following the 2018 Cambridge Analytica incident.

This news follows a long, tumultuous period of scandal around Facebook and its privacy practices. Last week CEO Mark Zuckerberg published a lengthy essay detailing his plans for a more privacy-oriented future. But as this new investigation shows, the company still has a long way to go to address the decisions it has made in the past.

Read more details here.


Article source: https://www.darkreading.com/threat-intelligence/us-prosecutors-investigate-facebooks-data-sharing-deals/d/d-id/1334159?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Anomaly Detection Techniques: Defining Normal

The challenge is identifying suspicious events in training sets where no anomalies are encountered. Part two of a two-part series.

The problem of anomaly detection is not new, and a number of solutions have already been proposed over the years. However, before starting with the list of techniques, let’s agree on a necessary premise: All anomaly detection techniques must involve a training set where no anomaly examples are encountered. The challenge consists of identifying suspicious events, even in the absence of examples.

We talk in this case of a training set formed of only “normal” events. The definition of “normal” is, of course, arbitrary. In the case of anomaly detection, a “normal” event refers just to the events represented in the training set. Here are four common approaches.

Statistical Methods
Everything that falls outside of the statistical distribution calculated over the training set is considered an anomaly.

The simplest statistical method is the control chart. Here the average and standard deviation of each feature are calculated on the training set. Thresholds are then defined around the average value at average ± k × standard deviation, where k is an arbitrary coefficient, usually between 1.5 and 3.0, depending on how conservative we want the algorithm to be. During deployment, a point that crosses a threshold in either direction is a suspicious candidate for an anomaly event.

Such methods are easy to implement and understand, fast to execute, and fit both static and time series data. However, they might be too simple to detect more subtle anomalies.
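The control chart described above, as an added example that is not part of the original article: the model is fitted on a constructed “normal” training set of two per-hour features, and a deployment stream is then checked against average ± k × standard deviation in both directions. The feature names, sample values and function names are assumptions chosen for illustration.

```python
import statistics
from typing import Dict, List, Tuple

# Constructed "normal" training set: twelve hourly samples of two features
# recorded while the system behaved as expected (no anomalies present).
TRAINING: Dict[str, List[float]] = {
    "failed_logins": [3, 4, 2, 5, 3, 4, 3, 2, 4, 3, 5, 4],
    "bytes_out_mb": [10, 12, 11, 13, 10, 12, 11, 13, 10, 12, 11, 13],
}

# A control-chart model is just (mean, standard deviation) per feature.
ControlChart = Dict[str, Tuple[float, float]]


def fit_control_chart(training: Dict[str, List[float]]) -> ControlChart:
    """Estimate mean and sample standard deviation of each feature on 'normal' data."""
    model: ControlChart = {}
    for name, values in training.items():
        if len(values) < 2:
            raise ValueError(f"feature {name!r} needs at least two samples")
        model[name] = (statistics.mean(values), statistics.stdev(values))
    return model


def thresholds(model: ControlChart, name: str, k: float) -> Tuple[float, float]:
    """Lower and upper limits, mean -/+ k*std, for one feature."""
    mean, std = model[name]
    return mean - k * std, mean + k * std


def detect(model: ControlChart, point: Dict[str, float], k: float = 3.0) -> List[str]:
    """Return the features of `point` that fall outside mean +/- k*std (either direction)."""
    flagged = []
    for name, value in point.items():
        if name not in model:
            continue  # feature unseen in training: nothing to compare against
        lower, upper = thresholds(model, name, k)
        if value < lower or value > upper:
            flagged.append(name)
    return flagged


def scan(model: ControlChart, stream: List[Dict[str, float]],
         k: float = 3.0) -> List[Tuple[int, List[str]]]:
    """Run the chart over a deployment stream; return (index, flagged features) per hit."""
    hits = []
    for i, point in enumerate(stream):
        flagged = detect(model, point, k)
        if flagged:
            hits.append((i, flagged))
    return hits


# Constructed deployment stream: hour 2 spikes in failed logins, hour 4 moves an
# unusual volume of data out, hour 5 is unusually quiet (a low-side outlier).
STREAM = [
    {"failed_logins": 4, "bytes_out_mb": 11},
    {"failed_logins": 3, "bytes_out_mb": 12},
    {"failed_logins": 9, "bytes_out_mb": 10},
    {"failed_logins": 5, "bytes_out_mb": 13},
    {"failed_logins": 4, "bytes_out_mb": 40},
    {"failed_logins": 1, "bytes_out_mb": 12},
]

if __name__ == "__main__":
    model = fit_control_chart(TRAINING)
    for k in (1.5, 3.0):
        # The conservative setting (k=3.0) misses the quiet hour; k=1.5 catches it.
        print(f"k={k}: {scan(model, STREAM, k)}")
```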

Clustering
Other proposed methods are often clustering methods. Since the anomaly class is missing from the training set, clustering algorithms might sound suitable for the task.

The concept here is clear. The algorithm creates a number of clusters on the training set. During deployment, the distance between the current data point and the clusters is calculated. If the distance is above a given threshold, the data point becomes a suspicious candidate for an anomaly event. Depending on the distance measure used and on the aggregation rules, different clustering algorithms have been designed and different clusters are created.

This approach, however, does not fit time series data since a fixed set of clusters cannot capture the evolution in time.

Supervised Machine Learning
Surprised? Supervised machine learning algorithms can also be used for anomaly detection. They would even cover all data situations since supervised machine learning techniques can be applied to static classification as well as to time series prediction problems. However, since they all require a set of examples for all involved classes, we need a little change in perspective.

In the case of anomaly detection, a supervised machine learning model can only be trained on “normal” data — i.e., on data describing the system operating in “normal” conditions. The evaluation of whether the input data is an anomaly can only happen during deployment, after the classification/prediction has been made. There are two popular approaches for anomaly detection relying on supervised learning techniques.

The first one is a neural autoassociator (or autoencoder). The autoassociator is trained to reproduce the input pattern onto the output layer. The pattern reproduction works fine as long as the input patterns are similar to the examples in the training set — i.e., “normal.” Things do not work quite as well when a new, different shape vector appears at the input layer. In this case, the network will not be able to adequately reproduce the input vector onto the output layer. If a distance is calculated between the input and the output of the network, the distance value will be higher for an anomaly rather than for a “normal” event. Again, defining a threshold on this distance measure should find the anomaly candidates. This approach works well for static data points but does not fit time series data.

The second approach uses algorithms for time series prediction. The model is trained to predict the value of the next sample based on the history of previous n samples on a training set of “normal” values. During deployment, the prediction of the next sample value will be relatively correct — i.e., close to the real sample value, if the past history comes from a system working in “normal” conditions. The predicted value will be farther from reality if the past history samples come from a system not working in “normal” conditions anymore. In this case, a distance measure calculated between the predicted sample value and the real sample value would isolate candidates for anomaly events.


Rosaria Silipo, Ph.D., principal data scientist at KNIME, is the author of 50+ technical publications, including her most recent book “Practicing Data Science: A Collection of Case Studies”. She holds a doctorate degree in bio-engineering and has spent more than 25 years …

Article source: https://www.darkreading.com/threat-intelligence/anomaly-detection-techniques-defining-normal-/a/d-id/1334116?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Update now! Microsoft’s March 2019 Patch Tuesday is here

If you were among the millions of users who updated Chrome last week to dodge a zero-day exploit, Microsoft has something for you in this month’s Patch Tuesday – a fix for a separate flaw targeting Windows 7 that is being used as part of the same attacks.

To recap, the Chrome flaw (CVE-2019-5786) was first advised on 1 March with a ‘hurry up and apply the update’ follow-up a few days later when news of exploits emerged. The patch for that took Chrome to 72.0.3626.121.

Microsoft’s part of the twofer is a fix for a local elevation of privilege (EoP) vulnerability in Win32k (CVE-2019-0808), which in addition to Windows 7 also affects Windows Server 2008.

As Google’s Clement Lecigne pointed out, another way to achieve the same end is for Windows 7 users to upgrade:

As mitigation advice for this vulnerability users should consider upgrading to Windows 10 if they are still running an older version of Windows.

Zero day 2

Among a total of 64 CVEs, including 17 rated ‘critical’, is a second zero-day affecting all Windows versions, identified as CVE-2019-0797, believed to have been deployed by Middle Eastern APT groups. According to Microsoft’s description, that too is an EoP flaw requiring local access:

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

A further four vulnerabilities earn ‘important’ status because they are now in the public domain, namely CVE-2019-0683 (Active Directory EoP), CVE-2019-0754 (Windows denial-of-service), CVE-2019-0757 (NuGet Package Manager tampering), and CVE-2019-0809 (Visual Studio remote code execution/RCE).

Critical flaws

However, there is more to worry about in the list of flaws marked ‘critical’, starting with three RCEs affecting the Windows DHCP client, CVE-2019-0697, CVE-2019-0698, CVE-2019-0726.

That makes March the third Patch Tuesday in a row with at least one DHCP critical vulnerability. As the flaws are RCEs, this is potentially a big deal because every Windows computer runs this software.

Other criticals include CVE-2019-0763 affecting Internet Explorer, one of around a dozen flaws affecting the defunct browser with about the same number affecting its replacement, Edge. Indeed, around a third of the update has some bearing on browsers, including no fewer than seven marked as Scripting Engine memory corruptions.

This prominence might have something to do with the fact that the annual Pwn2Own contest at CanSecWest happens in March where researchers vie to find security flaws in software, particularly browsers.

Botched updates?

A new tweak this month will see Windows automatically roll back updates that cause problems that can’t be resolved by other recovery methods, in which case users will receive the message:

We removed some recently installed updates to recover your device from a startup failure.

These won’t be installed for 30 days to give Microsoft time to work out what went wrong, after which it will attempt to install them again. This relates to all updates and not only ones that arrive as part of Patch Tuesday.

Adobe

After all the excitement for Reader and ColdFusion since the last Patch Tuesday, Adobe has an uncharacteristically quiet month with security advisories for only two products, Adobe Digital Editions, and Photoshop CC.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/HRj01C5GHBw/

Google needs breaking up, says news chief

The knives are out for Google in Australia, where the local arm of Rupert Murdoch’s News Corp has called for the Alphabet-owned company to be broken up. Oracle has also accused Google of spying on Australians by building shadow profiles.

Reuters reports that the News Corp demand, published on Tuesday in response to a government inquiry, goes beyond what the Australian Competition and Consumer Commission (ACCC) recommended in a preliminary report that came out of its Digital Platforms Inquiry.

In December 2018, the ACCC had recommended that Google’s mighty market power be muzzled in online search, search advertising and news referral – for example, by preventing Google Chrome from being installed as a default browser on mobile devices, computers and tablets. It had similar suggestions for Facebook, which the ACCC found to be weighing down competition with its market power in social media, display advertising and online news referral.

The ACCC also called for a regulator to keep an eye on how these large digital platforms rank and display advertisements and news content.

Google: We’re not all that, not at all

Google’s response to the ACCC was made public last week, along with 85 others. In it, Google said that the interim report is based on a mistaken notion that Google’s a market heavyweight:

The Preliminary Report bases many of its recommendations on the mistaken premise that Google has market power in search, search advertising, and news media referrals.

…Google is just one among many sources of traffic to news sites. Direct navigation by consumers to news sites is the largest source of traffic.

News Corp: Draw and quarter ’em

The ACCC’s preliminary recommendations are one thing, but Google has a lot more to respond to when it comes to News Corp’s 80-page response. In that response, News Corp agreed with the ACCC that Facebook and Google both have “substantial market power” that “underpins the harms perpetuated by digital platforms” against publishers such as itself.

News Corp claims that “Google has become an ‘unavoidable trading partner’ for consumers, media content providers and advertisers alike” and that Google’s “anti-competitive” behavior threatens the sustainability of news and journalism, undermining the “virtuous cycle” of the publisher’s subscription and advertising revenue.

While the ACCC called for a regulatory body to oversee how tech giants rank ads and news articles, News Corp Australia went beyond that to call for structural remedies: as in, Google could either functionally separate its search business from the rest of its business units, retaining ownership but operating it separately, or could divest entirely by selling parts of the business.

Would that be easy to pull off? Nope, News Corp Australia conceded. But reining in Google will require a “bold” solution, given how the company wriggles out from under regulations and contracts by replacing past conduct with new, similarly anti-competitive ways to direct traffic and sales to its own sites.

Any solution must be bold… Google’s prior conduct reveals a pattern of avoiding and undermining regulatory initiatives and ignoring private contractual arrangements. Furthermore, even where Google does appear to change its conduct in response to investigation or regulation, it is often not long before the conduct is replaced with something similar that creates equivalent problems for publishers under the guise of a different name. This track record shows that any solution must be comprehensive, lasting, involve adequate oversight, and be backed by legal sanctions.

The ACCC declined to comment specifically on News Corp’s submission, but commission chairman Rod Sims told the Australian Broadcasting Corp that he was “looking at it with an open mind”.

Oracle: “Is the microphone on? Is the camera activated? No – but they might as well be.”

For its part, Oracle’s 72-page response to the ACCC painted a portrait of Google’s data collection that we’ve long associated with Facebook: that of shadow profiles, made up of data quietly collected by the online data titans.

The pieces of Facebook’s shadow profiles fell into place last year following CEO Mark Zuckerberg getting grilled by lawmakers on Capitol Hill. They’re profiles filled in with data collected from non-members that include, among other things, email addresses, names, telephone numbers, addresses and work information… a practice that European courts have told Facebook to knock off.

Oracle painted a dramatic portrait of Google’s version of shadow profiles in a report, Google’s Shadow Profile: A Dossier of Consumers Online and Real World Life, attached to its response to the ACCC.

A consumer sees an ad that is unnervingly, pointedly accurate. It seems to target information – so personal, so specific – that only this consumer would know the information. Maybe the ad targets a secret interest or hobby, a special place, or intimate lifestyle details. Is the microphone on? Is the camera activated? No – but they might as well be. In fact, Google is using massive amounts of consumer data, not all of which it discloses to consumers, to micro-target advertising. All without the consumers [sic] knowledge or consent.

Oracle claimed that part of these shadow profiles are the precise location information Google gets from Android users by capturing how close their phone is to Wi-Fi base stations and at what time:

If a consumer connects to the same Wi-Fi access point at 9am Monday-Friday, the Wi-Fi base station likely represents the consumer’s place of work. Similarly, if a consumer connects to the same base station every day at 7pm and stays connected through the evening, the station is likely located in the consumer’s home.

A consumer’s pattern of life – the daily rhythm of the people and places individuals spend time in the real world – combined with online web browsing, search history and a myriad of other data points creates an intimate dossier of a consumer’s lifestyle.

Oracle recommended that the ACCC examine whether Google’s privacy policy was misleading about the fact that it’s collecting data for its own benefit. It’s not shy about telling consumers that they’ll get goodies such as driving directions or movie showtimes, Oracle said, but there’s a lot more going on that Google doesn’t mention:

These purposes are not the primary purposes for which location information is collected. Location information – as well as other activity information that Google collects – is primarily collected to sell advertising.

Oracle also said that Google’s personal data download feature, called “Takeout,” omits “entire categories of other data collected by Google”.

While purporting to provide a complete picture of the data Google holds on a consumer, it is only a fraction of Google’s actual online tracking.

Oracle says that Google’s data set is “so immense,” and its data collection is “so pervasive,” that it can profile and target ads to even those consumers who’ve opted out or deleted their data, “just as effectively as it can consumers who remain inside Google’s ecosystem.”

This information is not included in “Takeout” data, leaving consumers in the dark. Furthermore, the Takeout service only works for consumers who have a Google Account. Consumers who are not signed into, or do not even have, a Google Account may still have data collected on them and remain subject to Google’s privacy policy and terms of service.

Warren: Stop the competition eaters

At any rate, News Corp isn’t the only one who’d like to see the splintering of Google. Sen. Elizabeth Warren (D-MA), who’s running for president, has said that she’ll break up the big tech giants if she gets elected in 2020.

Somebody’s got to stop these big companies from eating up the competition, she said:

With giants like Amazon and Google and Facebook, do you know how venture capitals talk about the space around them? They call it the kill zone because they don’t want to fund businesses in that space because they know Amazon will eat them up, Facebook will eat them up, Google will eat them up.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/kTiBGTSHGHo/