Patents Examined by Amir Mehrmanesh
  • Patent number: 10567361
    Abstract: A central server configured with an Attribute Authority (“AA”) acting as a Trusted Third Party mediating service provider and using X.509-compatible PKI and PMI, VPN technology, device-side thin client applications, security hardware (HSM, Network), cloud hosting, authentication, Active Directory and other solutions. This ecosystem results in real time management of credentials, identity profiles, communication lines, and keys. It is not centrally managed, rather distributes rights to users. Using its Inviter-Invitee protocol suite, Inviters vouch for the identity of Invitees who successfully complete the protocol establishing communication lines. Users establish and respond to authorization requests and other real-time verifications pertaining to accessing each communication line (not end point) and sharing encrypted digital files.
    Type: Grant
    Filed: July 25, 2018
    Date of Patent: February 18, 2020
    Assignee: T-CENTRAL, INC.
    Inventors: David W. Kravitz, Donald Houston Graham, III, Josselyn L. Boudett, Russell S. Dietz
  • Patent number: 10565572
    Abstract: Disclosed herein are representative embodiments of methods, apparatus, and systems for facilitating the use and exchange of customized third-party content in a distributed computing environment that allows for third-party hosting. Embodiments of the disclosed technology concern an application store within an application (e.g., an “in-app app store”). The application store can offer downloadable digital content and/or roaming entitlements to a user of the application. Further, in particular embodiments, the downloadable content and/or entitlements are generated by a third party (e.g., a party different than the provider/publisher of the application and the user of the application). Also disclosed are methods and mechanisms for copy-protecting such content.
    Type: Grant
    Filed: May 31, 2017
    Date of Patent: February 18, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: John M. Thornton, Jason M. Cahill
  • Patent number: 10560538
    Abstract: User interface integration across multiple clouds is achieved by hosting UI extensions for different services in the same browser window. The UI extensions are initialized by a shell with any necessary security context for the corresponding cloud. The shell provides versioning so that the newest version of the UI is presented to users for all versions of a service. A connector in a local cloud provides translation between APIs across different clouds.
    Type: Grant
    Filed: October 11, 2018
    Date of Patent: February 11, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Vladimir Pogrebinsky, Manish Tandon, Shriram Natarajan, Jiewen Zheng, Bradley Bartz
  • Patent number: 10552632
    Abstract: Disclosed are systems, methods, and non-transitory computer-readable storage media for providing content management features in a messaging service. A content management system is configured to receive an update to a rule in a data loss prevention (DLP) policy, to identify, based on a log of DLP violations, one or more content items for updating content management permissions, and to update the content management permissions for the one or more content items based on the update to the rule.
    Type: Grant
    Filed: May 3, 2019
    Date of Patent: February 4, 2020
    Assignee: Dropbox, Inc.
    Inventors: Rohan Vora, Yosrie Mansour
  • Patent number: 10547448
    Abstract: This disclosure provides systems, methods, and apparatus, including computer programs encoded on computer storage media, for enhancing a device provisioning protocol (DPP) to support multiple configurators. In one aspect, a first configurator device can export a configurator key package. In one aspect, the configurator key package may be used for backup and restore of the configurator keys. The configurator key package may include a configurator private signing key and, optionally, a configurator public verification key. A second configurator device may obtain the configurator key package and also may obtain decryption information which can be used to decrypt the configurator key package. Thus, in another aspect, both the first configurator device and the second configurator device can use the same configurator keys with the device provisioning protocol to configure enrollees to a network.
    Type: Grant
    Filed: July 12, 2017
    Date of Patent: January 28, 2020
    Assignee: QUALCOMM Incorporated
    Inventors: Rosario Cammarota, Jouni Kalevi Malinen, Peerapol Tinnakornsrisuphap
  • Patent number: 10541806
    Abstract: An example operation may include one or more of receiving a new identifier from a user device associated with a user account, creating a hash based on the new identifier, comparing the hash to a hash value associated with one or more identifiers stored in a blockchain, identifying a match of the hash and the hash value associated with the one or more identifiers, authorizing the user account, responsive to identifying the match of the hash and the hash value associated with the one or more identifiers, and deleting the hash, the new identifier, and the hash value associated with the one or more identifiers stored in the blockchain responsive to authorizing the user account.
    Type: Grant
    Filed: July 13, 2017
    Date of Patent: January 21, 2020
    Assignee: International Business Machines Corporation
    Inventor: Jonathan M. C. Rosenoer
  • Patent number: 10534930
    Abstract: Disclosed are systems, methods, and non-transitory computer-readable storage media for providing content management features in a messaging service. A content management system is configured to receive an update to a rule in a data loss prevention (DLP) policy, to identify, based on a log of DLP violations, one or more content items for updating content management permissions, and to update the content management permissions for the one or more content items based on the update to the rule.
    Type: Grant
    Filed: May 3, 2019
    Date of Patent: January 14, 2020
    Assignee: Dropbox, Inc.
    Inventors: Rohan Vora, Yosrie Mansour
  • Patent number: 10528743
    Abstract: Disclosed are various embodiments for identifying characteristics of developers of problematic software. Report data generated by a security analysis tool is received, which is based at least in part on a security analysis of a program or an operational configuration. The report data indicates one or more security issues identified in the program or the operational configuration. A user is identified who is responsible for at least a threshold impact of the security issue(s). Coding or configuration characteristics associated with the user are then determined.
    Type: Grant
    Filed: July 17, 2017
    Date of Patent: January 7, 2020
    Assignee: AMAZON TECHNOLOGIES, INC.
    Inventors: Jon Arron McClintock, Alun Jones, Narasimha Rao Lakkakula
  • Patent number: 10531133
    Abstract: A non-transitory computer readable storage medium stores one or more computer programs adapted to cause a processor based system to execute steps that include analyzing an image, identifying one or more faces in the image using a face recognition technique, designating at least one of the identified faces collectively as a first area of interest, and determining whether an insertion area exists in the image where additional content can be inserted without obstructing the first area of interest. Another computer program is adapted to cause a processor based system to execute steps that include determining whether the insertion area can be divided into two or more regions based on color. Methods and processor based apparatuses that perform one or more of these steps are also disclosed.
    Type: Grant
    Filed: January 9, 2018
    Date of Patent: January 7, 2020
    Assignee: Sony Interactive Entertainment LLC
    Inventor: Gary M. Zalewski
  • Patent number: 10505967
    Abstract: Certain embodiments disclosed herein include a method for detecting potential vulnerabilities in a wireless environment. The method comprises collecting, by a network sensor deployed in the wireless environment, at least wireless traffic data; analyzing the collected wireless traffic data to detect at least activity initiated by a wireless entity in the wireless environment; sending, to a control system, data indicating the detected wireless entity; and enforcing a security policy on the detected wireless entity based on instructions received from the control system.
    Type: Grant
    Filed: June 28, 2017
    Date of Patent: December 10, 2019
    Assignee: Armis Security Ltd.
    Inventors: Tomer Schwartz, Nadir Izrael
  • Patent number: 10498704
    Abstract: In one embodiment, a method of secure network transmission is performed by a computer system. The method includes encrypting a payload via a first symmetric key and encrypting the first symmetric key via a second symmetric key. The method further includes encrypting an author header comprising the encrypted first symmetric key and a recipient list via a third symmetric key, wherein the recipient list comprises at least one recipient. The method also includes encrypting the third symmetric key via a public asymmetric key associated with an authentication server. Furthermore, the method includes transmitting the encrypted author header and the encrypted third symmetric key to the authentication server for use in recipient-initiated pre-access authentication. In addition, the method includes transmitting the encrypted payload and the second symmetric key over a computer network to the at least one recipient.
    Type: Grant
    Filed: May 10, 2019
    Date of Patent: December 3, 2019
    Assignee: Encryptics, LLC
    Inventors: Cody Pollet, Charles Burgess, Courtney Roach, Brandon Hart
  • Patent number: 10498758
    Abstract: Certain embodiments disclosed herein include a method for detecting potential vulnerabilities in a wireless environment. The method comprises collecting, by a network sensor deployed in the wireless environment, at least wireless traffic data; analyzing the collected wireless traffic data to detect at least activity initiated by a wireless entity in the wireless environment; sending, to a control system, data indicating the detected wireless entity; and enforcing a security policy on the detected wireless entity based on instructions received from the control system.
    Type: Grant
    Filed: June 28, 2017
    Date of Patent: December 3, 2019
    Assignee: Armis Security Ltd.
    Inventors: Tomer Schwartz, Nadir Izrael
  • Patent number: 10491928
    Abstract: A non-transitory computer readable storage medium stores one or more computer programs adapted to cause a processor based system to execute steps that include analyzing an image, identifying one or more faces in the image using a face recognition technique, designating at least one of the identified faces collectively as a first area of interest, and determining whether an insertion area exists in the image where additional content can be inserted without obstructing the first area of interest. Another computer program is adapted to cause a processor based system to execute steps that include determining whether the insertion area can be divided into two or more regions based on color. Methods and processor based apparatuses that perform one or more of these steps are also disclosed.
    Type: Grant
    Filed: January 9, 2018
    Date of Patent: November 26, 2019
    Assignee: Sony Interactive Entertainment LLC
    Inventor: Gary M. Zalewski
  • Patent number: 10484416
    Abstract: Disclosed are systems and methods for repairing vulnerabilities of objects connected to a data network. An example method includes transmitting a request throughout the data network, obtaining responses from a plurality of accessible objects in the data network, attempting to obtain access to the plurality of accessible objects using a plurality of access methods, when access to an object is obtained, obtaining a list of resources of the accessed object, comparing the list of resources with a database of vulnerabilities to identify one or more resources from the list of resources that have a similar vulnerable status as a vulnerable resource in the database of vulnerabilities, and repairing vulnerabilities associated with the accessed object by applying repairs associated with the vulnerable resource to the accessed object.
    Type: Grant
    Filed: August 22, 2018
    Date of Patent: November 19, 2019
    Assignee: AO Kaspersky Lab
    Inventors: Vyacheslav E. Rusakov, Marta Anna Janus
  • Patent number: 10484414
    Abstract: A system and method for filtering detected anomalies in cloud service usage activities associated with an enterprise uses a trusted location analysis to filter detected anomalies. The locations from which the cloud usage activities are made are analyzed and designated as trusted or non-trusted. The trusted location determination is used to filter the detected anomalies that are associated with trusted locations and therefore may be of low risk. In this manner, actions can be taken only on detected anomalies that are associated with non-trusted locations and therefore may be high risk. The system and method of the present invention enable security incidents, anomalies and threats from cloud activity to be detected, filtered and annotated based on the location heuristics. The trusted location analysis identifies trusted locations automatically using cloud activity usage data and does not rely on potentially unreliable location data from user input.
    Type: Grant
    Filed: March 29, 2019
    Date of Patent: November 19, 2019
    Assignee: Skyhigh Networks, LLC
    Inventors: Santosh Raghuram Kumar, Sandeep Chandana, Sekhar Sarukkai, Satyanarayana Vummidi
  • Patent number: 10482239
    Abstract: Techniques for rendering an object using multiple versions of an application in a single process for dynamic malware analysis are disclosed. In some embodiments, a system, process, and/or computer program product for rendering an object using multiple versions of an application in a single process for dynamic malware analysis includes receiving a sample at a cloud security service, in which the sample includes an embedded object; detonating the sample using a browser executed in an instrumented virtual machine environment; and rendering the embedded object using a plurality of versions of an application in a single process during a dynamic malware analysis using the instrumented virtual machine environment.
    Type: Grant
    Filed: June 30, 2016
    Date of Patent: November 19, 2019
    Assignee: Palo Alto Networks, Inc.
    Inventors: Jiangxia Liu, Bo Qu, Tao Yan, Zhanglin He
  • Patent number: 10469496
    Abstract: Context-based authentication in a secure network comprised of multiple programmable devices is described. A machine readable storage device or storage disk includes instructions that, when executed, cause a machine to obtain, from a programmable device, identity data and contextual data associated with a current authentication attempt by a user attempting to access a secure network. The contextual data indicates a number of authentication factors implementable by the programmable device in connection with the current authentication attempt. The instructions further cause the machine to determine a pattern associated with authentication of the user. The instructions further cause the machine to determine, based on the identity data, the number of authentication factors, and the pattern, a risk level associated with the current authentication attempt. The instructions further cause the machine to request additional identity data in response to the risk level not satisfying a threshold.
    Type: Grant
    Filed: May 2, 2019
    Date of Patent: November 5, 2019
    Assignee: MCAFEE, LLC
    Inventors: James Tischart, Jonathan Anderson
  • Patent number: 10462110
    Abstract: In one embodiment, an apparatus includes: a device having a physically unclonable function (PUF) circuit including a plurality of PUF cells to generate a PUF sample responsive to at least one control signal; a controller coupled to the device, the controller to send the at least one control signal to the PUF circuit and to receive a plurality of PUF samples from the PUF circuit; a buffer having a plurality of entries each to store at least one of the plurality of PUF samples; and a filter to filter the plurality of PUF samples to output a filtered value, wherein the controller is to generate a unique identifier for the device based at least in part on the filtered value. Other embodiments are described and claimed.
    Type: Grant
    Filed: February 16, 2017
    Date of Patent: October 29, 2019
    Assignee: Intel Corporation
    Inventors: Simon N. Peffers, Sean M. Gulley, Vinodh Gopal, Sanu K. Mathew
  • Patent number: 10454671
    Abstract: Systems and methods for securing communications in a playback device using a key base and at least one key contribution in accordance with embodiments of the invention are disclosed. In one embodiment, a process includes generating a key base using a decryption key and at least one key contribution, where the decryption key can be recovered using the key base and the at least one key contribution, receiving the key base, receiving the at least one key contribution, sending the key base to a decryption module, sending the key contribution to a control module, performing a control feature on the piece of content using the control module, providing the key contribution to the decryption module when the control feature is performed, generating the decryption key using the key base and the at least one key contribution, and accessing at least a portion of the piece of content.
    Type: Grant
    Filed: October 15, 2015
    Date of Patent: October 22, 2019
    Assignee: Verimatrix, Inc.
    Inventors: Niels J. Thorwirth, Petr Peterka, Klaus Schenk, Ingo Barth
  • Patent number: 10445500
    Abstract: An apparatus has a number of data holding elements for holding data values which are reset to a reset value in response to a transition of a signal at a reset signal input of the data holding element from a first value to a second value. A reset tree is provided to distribute a reset signal received at a root node of the reset tree to the reset signal inputs of the data holding elements. At least one reset attack detection element is provided, with its reset signal input coupled to a given node of the reset tree, to assert an error signal when its reset signal input transitions from the first value to a second value. Reset error clearing circuitry triggers clearing of the error signal, when the reset signal at the root node of the reset tree transitions from the second value to the first value.
    Type: Grant
    Filed: June 28, 2017
    Date of Patent: October 15, 2019
    Assignee: ARM Limited
    Inventors: Guillaume Schon, Frederic Jean Denis Arsanto, Jocelyn François Orion Jaubert, Carlo Dario Fanara