Could your social media account be spoofed, why would anybody do it, and what can you do to avoid having a doppelgänger?

The post Attack of the Instagram clones appeared first on WeLiveSecurity

A deep dive into Mekotio – The financial fallout from data breaches – Fixing election security issues

The post Week in security with Tony Anscombe appeared first on WeLiveSecurity

The web browser will only display domain names as a way to help people recognize impostor websites

The post Google will test new feature in Chrome to curb phishing appeared first on WeLiveSecurity

Another in our occasional series demystifying Latin American banking trojans

The post Mekotio: These aren’t the security updates you’re looking for… appeared first on WeLiveSecurity

The price tag is higher if the incident exposed customer data or if it was the result of a malicious attack, an annual IBM study finds

The post What is the cost of a data breach? appeared first on WeLiveSecurity

An apparent glitch is preventing a number of users from signing into their accounts

The post Twitter working to fix issue with 2FA feature appeared first on WeLiveSecurity

With the big voting day rapidly approaching, can the security of the election still be shored up? If so, how?

The post Black Hat 2020: Fixing voting – boiling the ocean? appeared first on WeLiveSecurity

Trust is very important when it comes to the relationship between a user and their smartphone. While phone functionality and design can enhance the user experience, security is fundamental and foundational to our relationship with our phones. There are multiple ways to build trust around the security capabilities that a device provides, and we continue to invest in verifiable ways to do just that.

Pixel 4a ioXt certification

Today we are happy to announce that the Pixel 4/4 XL and the newly launched Pixel 4a are the first Android smartphones to go through ioXt certification against the Android Profile.

The Internet of Secure Things Alliance (ioXt) manages a security compliance assessment program for connected devices. ioXt has over 200 members across various industries, including Google, Amazon, Facebook, T-Mobile, Comcast, Zigbee Alliance, Z-Wave Alliance, Legrand, Resideo, Schneider Electric, and many others. With so many companies involved, ioXt covers a wide range of device types, including smart lighting, smart speakers, webcams, and Android smartphones.

The core focus of ioXt is “to set security standards that bring security, upgradability and transparency to the market and directly into the hands of consumers.” This is accomplished by assessing devices against a baseline set of requirements and relying on publicly available evidence. The goal of ioXt’s approach is to enable users, enterprises, regulators, and other stakeholders to understand the security in connected products to drive better awareness towards how these products are protecting the security and privacy of users.

ioXt’s baseline security requirements are tailored for product classes, and the ioXt Android Profile enables smartphone manufacturers to differentiate security capabilities, including biometric authentication strength, security update frequency, length of security support lifetime commitment, vulnerability disclosure program quality, and preloaded app risk minimization.

We believe that using a widely known industry consortium standard for Pixel certification provides increased trust in the security claims we make to our users. NCC Group has published an audit report that can be downloaded here. The report documents the evaluation of Pixel 4/4 XL and Pixel 4a against the ioXt Android Profile.

Security by Default is one of the most important criteria used in the ioXt Android profile. Security by Default rates devices by cumulatively scoring the risk for all preloads on a particular device. For this particular measurement, we worked with a team of university experts from the University of Cambridge, University of Strathclyde, and Johannes Kepler University in Linz to create a formula that considers the risk of platform signed apps, pregranted permissions on preloaded apps, and apps communicating using cleartext traffic.

Screenshot of the presentation of the Android Device Security Database at the Android Security Symposium 2020

In partnership with those teams, Google created Uraniborg, an open source tool that collects the necessary attributes from the device and runs them through this formula to come up with a raw score. NCC Group leveraged Uraniborg to conduct the assessment for the ioXt Security by Default category.

As part of our ongoing certification efforts, we look forward to submitting future Pixel smartphones through the ioXt standard, and we encourage the Android device ecosystem to participate in similar transparency efforts for their devices.

Acknowledgements: This post leveraged contributions from Sudhi Herle, Billy Lau and Sam Schumacher

ESET highlights new research at Black Hat 2020 – What to do if your data was stolen in the Blackbaud breach

The post Week in security with Tony Anscombe appeared first on WeLiveSecurity

We introduce Stadeo – a set of scripts that can help fellow threat researchers and reverse engineers to deobfuscate the code of Stantinko and other malware

The post Stadeo: Deobfuscating Stantinko and more appeared first on WeLiveSecurity