Abstract: A networked infrastructure is described that includes a set of programmed computing nodes, each node being configured with a processor and non-transitory computer readable media including computer-executable instructions that, when executed by the processor, facilitate a social security number registry server carrying out a method that provides an individual with the ability to remotely approve or disapprove, in real-time, the use of his/her social security number (SSN) by a relying party server.

Abstract: A system for data processing, comprising a plurality of data processing systems, each associated with a user and having an anchor certificate, a proxy system operating on a processor and configured to determine whether an expiration associated with the anchor certificate for each data processing system is within a predetermined time of expiration and a certificate expiration monitor operating on the processor and configured to generate a certificate signing request in response to the determination that the expiration associated with the anchor certificate for each data processing system is within the predetermined time of expiration.

Abstract: A method for symmetric authentication is provided. This method includes generating a first challenge message containing a first string; encrypting the first challenge message; transmitting the encrypted first challenge message to a second device; receiving a first answer message from the second device; decrypting the first answer message; and authenticating the second device based on determining the decrypted first answer message contains the first string. Upon successful authentication of the second device, the method further includes receiving an encrypted second challenge message from the second device; decrypting the encrypted second challenge message; generating a second answer message containing a second string; encrypting the second answer message; and transmitting the encrypted second answer message to the second device.

Abstract: Systems and methods for authenticating a user via a customized image-based challenge are disclosed. In embodiments, a computer-implemented method comprises: receiving an access request from a user requesting access to content; generating a list of items recommended for the user based on computer-based user behavior data; selecting from the list of recommended items: a first set of items and a second set of items, wherein the first set of items are associated with a characteristic and the second set of items are not associated with the characteristic; generating an image-based challenge comprising a test question to be answered by the user and a plurality of selectable images including images of each of the first set of items and images of each of the second set of items; and providing the image-based challenge to a user computer device of the user.

Abstract: Systems, devices, and/or computer-implemented methods for secure offline data storage are provided herein. More particularly, a system is provided that permits access to a data storage device when offline from various components of the system. Furthermore, the disclosed system may permit the re-setting of authentication passwords/PINs for the data storage devices, even when such data storage devices are offline from other components of the system.

Abstract: A method, non-transitory computer readable medium and apparatus for controlling access of a custom browser function are disclosed. For example, the method includes a processor that sends a request to a third party website, receives a hypertext markup language code and a browser script, renders the hypertext markup language code, detects that the browser script is trying to access a custom browser function, compares one or more parameters associated with the custom browser function to an access control list to control an access of the custom browser function, and executes the custom browser function when a match of the one or more parameters is found in the access control list.

Abstract: System and method for secure time synchronization in an industrial facility, wherein a synchronization request of a facility component is transmitted to a registration service of a certificate management of the facility and the synchronization request is examined by the registration service, where the synchronization request includes a signature of the requesting facility component, and where depending on an outcome of the examination, a synchronization response is then transmitted to the requesting facility component a system time of the facility component is matched to a system time of the registration service based on the synchronization response.

Abstract: Migration of a pairing of wearable device to a new companion electronic device is disclosed. In one embodiment, pairing migration is performed by syncing and verifying a migration key in the wearable and new companion device. Pairing migration includes moving settings and pairing data of the wearable to the new companion device in response to detecting the wearable is associated with the migration key, wherein the migration key establishes a validation of trust of the wearable relative to the companion device. The settings and pairing data can include configuration and protected data and one or more keys to establish a trust relationship between the wearable and new companion device. The settings and pairing data can also include device data such that the wearable can be discoverable by the new companion device.

Abstract: A given policy file is obtained at a publishing node of a decentralized system of nodes, wherein the given policy file defines a policy that applies to at least a subset of nodes in the decentralized system of nodes. The given policy file is sent to a decentralized storage network for storage therein. Storage metadata is received from the decentralized storage network, wherein the storage metadata represents address information associated with storage of the given policy file in the decentralized storage network. The publishing node generates policy file retrieval metadata based on the storage metadata received from the decentralized storage system. The policy file retrieval metadata is sent to a blockchain network for storage therein. One or more querying nodes of the decentralized system of nodes access the blockchain network to obtain the policy file retrieval metadata in order to then retrieve the policy file from the decentralized storage network.

Abstract: Disclosed in some examples are systems, methods, and machine readable mediums for identifying insider threats by determining file system element activity models that correlate to undesirable behavior and then utilizing the determined model to detect insider threats. Events involving file system elements of a client computing device (e.g., a network endpoint) may be monitored by a file system element monitoring application on the client computing device. The values of these signals are aggregated across all events of the same type that have occurred within a predetermined time window (e.g., an hour) for a particular client computing device. Each time an aggregated signal has a value over the threshold, an anomaly is recorded. Anomaly counts for each signal are then calculated as the aggregate number of anomalies for a particular signal over a second time period, the span of which is determined by the generation of first anomaly to the close of an alert by the network monitor.

Abstract: Techniques for data source driven expected network policy control are described. A policy enforcement service receives, from a compute instance in a virtual network implemented within a service provider system, a request to access data. The policy enforcement service determines that a virtual network security condition of a policy statement is not satisfied. The policy statement was configured by a user for use in controlling access to the data. The virtual network security condition defines a condition of the virtual network that is to be met. The policy enforcement service performs one or more security actions in response to the determination that the virtual network security condition of the policy statement is not satisfied.

Abstract: An authentication server is connected to a plurality of client devices via a network and includes: a storage that stores a database including: a plurality of pieces of user information; and multiple kinds of a plurality of pieces of credential information for logging into an application or service provided by an external server via each of the client devices; and a processor that: upon receiving a first piece of user information from a first client device, determines whether the database contains a first piece of credential information corresponding to the first piece of user information, and upon determining that the database contains the first piece of credential information, sends to the first client device the first piece of credential information required to allow a user to log into the application or service provided via the first client device.

Abstract: Systems and methods are disclosed for obtaining network security threat information and mitigating threats to improve computing network operations. For example, methods may include receiving a message from a central instance; from outside of a private network, invoking a search of data associated with the private network, wherein the search is based on the message and the search is performed by an agent device within the private network; receiving a search result of the search from the agent device; transmitting the search result to the central instance, wherein the central instance is configured to generate network security threat information based in part on the search result and share the network security threat information with a plurality of customer instances that are associated with a group of customers; and receiving an alert message from the central instance, wherein the alert message includes information that identifies a network security threat.

Abstract: A server computing system generates a universally unique identifier (UUID) associated with a first application, the UUID to be encrypted using a private key associated with the first application to generate a first digital signature. The server computing system generates a first session key associated with the first application, the first digital signature to be encrypted using the first session key to generate a first encrypted digital signature. The server computing system encrypts the first session key using a public key associated with a second application to generate a first encrypted session key, wherein the first application and the second application are deployed with the PaaS associated with the server computing system. The server computing system transmits the UUID, the first encrypted digital signature, and the first encrypted session key to the second application using hypertext transfer protocol (HTTP) to enable the second application to authenticate the first application.

Abstract: One or more medical devices are configured to connect to a predetermined temporary provisioning network of a healthcare organization, the temporary provisioning network being different than a healthcare network of the healthcare organization. After the devices are received by the healthcare organization, and powered up for the first time, device identifiers corresponding to the medical devices are received at a server remote from the healthcare organization, from the temporary provisioning network, together with an indication that the medical devices are requesting access to a management server within a healthcare network of the healthcare organization.

Abstract: Techniques for managing permissions to cloud-based resources with session-specific attributes are described. A first request to create a first session to permit access to resources of a provider network is received under an assumed role. The first request is permitted based on an evaluation of a rule associated with the role. Session data including a user-specified attribute included with the first request is generated. A second request to perform an action with a resource hosted by the provider network is received. The user-specified attribute is obtained from the session data based at least in part on the second request. The second request is permitted based on an evaluation of another rule with the user-specified attribute.

Abstract: A first authentication apparatus obtains a modification restriction parameter which is stored in a second authentication apparatus and which indicates a number of times a mutual authentication pair modification is possible or a number of times modification has been executed. The first authentication apparatus transmits to the second authentication apparatus authentication information corresponding to the modification restriction parameter. The second authentication apparatus receives the authentication information from the first authentication apparatus. The second authentication apparatus determines whether or not the received authentication information is authentication information for permitting the mutual authentication pair modification. In a case where the received authentication information is authentication information that permits the mutual authentication pair modification, the second authentication apparatus and the first authentication apparatus form a mutual authentication pair.

Abstract: A server to provide single sign on services. The server includes a processor and a memory storing an attempt table. The server, in response to receiving a first password for a user account, forwards the first password to an authentication device. The server determines that the first password is not valid for the user account. The server stores the first password in association with the user account in the attempt table. In response to receiving a second password for the user account, the server determines whether the second password matches the first password. When the second password does not match the first password, the server forwards the second password to the authentication device.

Abstract: Methods and systems for injection of tokens or certificates for managed application communication are described. A computing device may intercept a request from an application executable on the computing device, the request being to access a remote resource. The computing device may modify future network communications between the computing device and the remote resource to include a token or a client certificate, where the token or the client certificate is an identifier that enables the future network communications to be routed to the remote resource for a given computing session without use of data from the remote resource or data indicative of a connection of the remote resource in which to receive the future network communications. The computing device may send the future network communications to the remote resource to enable action to be taken on behalf of the computing device in response to receipt of the future network communications.

Abstract: Methods, systems, and computer-readable storage media for receiving, from a first component and by a second component in a cloud platform, a call, a token, and a first client certificate, determining, by the second component, a first client identifier associated with the first component, and determining, by the second component, that the first client identifier is included in a manifest of the token, the manifest defining at least a portion of a communication path between components within the cloud platform, and in response: executing functionality responsive to the call.