Abstract: Disclosed herein are techniques for detecting phishing websites. In one embodiment, a method is disclosed comprising receiving, at a server, a request for a webpage from a client device; generating, by the server, and inserting an encoded tracking value (ETV) into the webpage; inserting, by the server, dynamic tracking code (DTC) into the webpage, the inserting of the DTC further comprising obfuscating the DTC; and returning, by the server, the webpage including the ETV and DTC to the client device, the DTC configured to execute upon receipt at the client device and validate the ETV upon executing.

Abstract: A triggering event correlated with domain name system (DNS) requests is identified. In response to the identification, DNS answers to the DNS requests are resolved. A determination is made that a part of the answers or the DNS requests is missing from a list of acceptable parts. In response to determining that the part is missing, an action is performed.

Abstract: Computer systems and methods to protect user credential against phishing with security measures applied based on determination of phishing risks of locations being visited, phishing susceptibility of users, roles of users, verification of senders of messages, and/or the timing of stages in accessing and interacting with the locations. For example, when a site is unclassified at the onset of being accessed by a user device, security measures can be selectively applied to allow the site to be initially viewed on the user device, but disallow some user interactions to reduce phishing risk. For example, a response to a domain name system (DNS) request can be customized based on a user risk level. For example, a message can be displayed without a profile picture of a contact of a user when the sender of the message appears to be the contact but cannot be verified to be the contact.

Abstract: A cloud server collects and stores context data from mobile devices. Data collected for a mobile device is compared to the historical data. A security policy is selected for the mobile device based on the comparison. The selected policy is deployed to the mobile device. A status of the deployment is tracked by the cloud server.

Abstract: A mobile communications device is provided with a tagging module that tags outgoing communications. Upon receiving the tagged communication, a communications provider requests from a registered owner service identified in the tag whether the mobile communications device identified in the tag is registered with the registered owner service. Upon receiving confirmation from the registered owner service that the mobile communications device is registered with the service, the communications provider provides information regarding the location of the mobile communications device to the registered owner service.

Abstract: Based on context received regarding a computing device and a security policy, a computing device evaluates a request by an application program to determine whether or not to allow the establishment of an application connection.

Abstract: A device includes a secure execution context that is segregated from an operating system of the device. A security application executing in the operating system interfaces with the secure execution context to obtain verified data. The secure execution context may verify that operating system files are free of malware, obtain sensor readings that may be cryptographically signed, verify functioning of a baseband processor, and verify other aspects of the function and security of the device. The verified data may be used for various purposes such as verifying location of the device, training a machine learning model, and the like.

Abstract: Techniques for DNS prefetching based on application or contextual triggers to increase security in prefetching. The techniques can include storing historical DNS information from sources of DNS information. The historical DNS information can include historical DNS requests and triggering events correlated to the historical DNS requests. The techniques can also include identifying, by a processor or one or more sensors, an occurrence of a triggering event. The techniques can also include, in response to identifying the occurrence of the triggering event, resolving one or more answers to one or more DNS requests correlated with the triggering event based on the stored historical DNS information. The techniques can also include storing the one or more answers for later use by requesters.

Abstract: Methods and systems provide for receiving an assessment of a full uniform resource locator (URL) in a browser session in advance of the browser accessing the URL, maintaining client privacy in the process using a proxy between the client device and an assessment component on a server. The proxy receives the client identity and a URL. After substituting an arbitrary query identifier for the client identity in the assessment request, the proxy forwards the anonymized assessment request to the assessment component. In return the proxy receives classification data regarding the URL associated with the arbitrary query identifier, which the proxy associates with the client identity and subsequently forwards the classification data to the client.

Abstract: Techniques for deployment of policies to computing devices are described herein. The techniques can include a server deploying a passive policy to the computing devices. After deploying the passive policy, data is collected from each of the computing devices regarding operation of the computing device. The server monitors, based on comparing the passive policy to the collected data, compliance of each computing device with the passive policy. The server determines, based on the monitoring, a set of the computing devices that exhibit a policy violation associated with the passive policy. The server deploys an active policy to the set of computing devices. The active policy corresponds to the passive policy, and deploying the active policy causes one or more actions that correspond to the policy violation to be performed on each of the set of computing devices.

Abstract: In one approach, a request for software evaluation is received by an evaluation server from a user device. The request relates to software to be installed on the user device. In response to receiving the request, the evaluation server sends data associated with the software to an authenticity server. The evaluation server receives, from the authenticity server, a result from the evaluation of the software. The evaluation server determines based on the result whether a security threat is associated with the software. In response to determining that there is a security threat, the evaluation server sends a communication to the user device that causes the software to be quarantined.

Abstract: Techniques for phishing protection using cloning detection are described herein. The techniques described herein can include a server which hosts a website detecting that a fetcher is a cloning toolkit or an entity known for using a cloning toolkit. The techniques can also include a server which hosts a downloadable application (such as a mobile application) detecting that a fetcher for the application is a cloning toolkit or an entity known for using a cloning toolkit. The detection can be done in several ways, such as by analyzing data logs for patterns associated with cloning toolkits or entities known for using cloning toolkits. The techniques described herein can also include a part of an end user device (such as a part of a mobile device) detecting a clone (such as a clone website or application) that was cloned by a cloning toolkit. Then, upon detection, security actions can be taken.

Abstract: For increased security, a source is determined for software to be installed on a computing device. In one approach, a side-load server receives, from a mobile device, data regarding an application to be installed on the mobile device. The server determines a source of the application, then sends, to an authenticity server, data regarding the source. The server receives, from the authenticity server, a first state designation for the application. In response to receiving the first state designation, the server sets a second state designation, and sends the second state designation to the mobile device (e.g., to permit or block installation of the application).

Abstract: Based on context received regarding a mobile communications device a server determines whether an existing network connection employed by the mobile communications device offers a level of security that is appropriate. When the server determines that the level of security is appropriate, the mobile communications device is allowed to continue using the network connection. Otherwise, the server directs the mobile communications device to terminate the network connection.

Abstract: Software applications to be installed on user devices are monitored. Authenticity of the applications is evaluated using trust factors. In some cases, the trust factors relate to security associated with a network being accessed by a user device. In response to the evaluation, an action is performed such as configuring or disabling execution of one or more components of an application.

Abstract: A device includes a secure execution context that is segregated from an operating system of the device. A security application executing in the operating system interfaces with the secure execution context to obtain verified data. The secure execution context may verify that operating system files are free of malware, obtain sensor readings that may be cryptographically signed, verify functioning of a baseband processor, and verify other aspects of the function and security of the device. The verified data may be used for various purposes such as verifying location of the device, training a machine learning model, and the like.

Abstract: Techniques for providing domain name and URL visual verifications to increase security of operations on a device. The techniques include a visual indicator and/or warning to a user on the user's computing device that a domain or URL requested by the user and the device is unpopular, new, unknown, inauthentic, associated with malware or phishing, or in some other way, risky. The techniques include identifying a domain name in a communication received by a computing device and then determining a popularity ranking and/or an age of the domain name. The device can render, for display on a screen of the device, a visual indicator having the popularity ranking and/or the age of the domain name. Also, the techniques can include identifying a URL in a communication received by a computing device and then rendering, for display on a screen of the device, a visual indicator having the entire URL.

Abstract: A method includes: after installation of software on a first mobile device, receiving new data from a second mobile device; analyzing, using a data repository, the new data to provide a security assessment; determining, based on the security assessment, a new security threat associated with the software; and in response to determining the new security threat, causing the first mobile device to implement a quarantine of the software.

Abstract: Systems and methods for coordinating components can include: determining, by a first application executing on a client device, a need to perform a sharable functional task; identifying a first software component installed on the client device and capable of performing a first variation of the sharable functional task; identifying a second software component installed on the client device and capable of performing a second variation of the sharable functional task, wherein the second variation of the sharable functional task is functionally overlapping with and not identical to the first variation; identifying a set of characteristics of both the first software component and the second software component; selecting the second software component for performing the sharable functional task based on the set of characteristics, where the set of characteristics includes at least a version number; and delegating performance of the sharable functional task to the second software component.

Abstract: Methods and systems provide for resolving domain names by employing a proxy server between the client device and the resolving server. The methods and systems may maintain user privacy by the proxy receiving the client identity and an encrypted domain name. After substituting an arbitrary query identifier for the client identity in the resolution request, the proxy forwards the anonymized resolution request to the resolving server. In return the proxy receives an encrypted internet protocol (IP) address with the arbitrary query identifier, which the proxy associates with the client identity and forwards the encrypted IP address to the client for decrypting. Methods and systems provide for receiving an assessment of a full uniform resource locator (URL) in a browser session in advance of the browser accessing the URL. Methods and systems further prevent the re-use of passwords.