Abstract: A method for accessing a service system includes: receiving fingerprint information of a to-be-verified terminal device and identification information of a to-be-verified user from a login computer system based on a service access instruction to access the service server; verifying, according to the fingerprint information of the to-be-verified terminal device and the identification information of the to-be-verified user, whether the to-be-verified terminal device is a specified device of the to-be-verified user based on a specified device database, the specified device database comprising identification information of each user and fingerprint information of a specified device of each user; determining, according to a result of the verifying, whether to allow the login computer system to access the service server according to the service access instruction; and if yes, sending a notification to the login computer system to enable the login computer system to access the service server.

Abstract: An MRI image processing and analysis system may identify instances of structure in MRI flow data, e.g., coherency, derive contours and/or clinical markers based on the identified structures. The system may be remotely located from one or more MRI acquisition systems, and perform: error detection and/or correction on MRI data sets (e.g., phase error correction, phase aliasing, signal unwrapping, and/or on other artifacts); segmentation; visualization of flow (e.g., velocity, arterial versus venous flow, shunts) superimposed on anatomical structure, quantification; verification; and/or generation of patient specific 4-D flow protocols. A protected health information (PHI) service is provided which de-identifies medical study data and allows medical providers to control PHI data, and uploads the de-identified data to an analytics service provider (ASP) system. A web application is provided which merges the PHI data with the de-identified data while keeping control of the PHI data with the medical provider.

Abstract: A value corresponding to an input for a cryptographic operation may be received. The value may be masked by multiplying the value with a first number modulo a prime number. The cryptographic operation may subsequently be performed on the masked value.

Abstract: A method performed at a first electronic device includes: (i) storing a privacy table that comprises random numbers at the first electronic device, (ii) transmitting the privacy table to a second electronic device over an encrypted channel, (iii) receiving a first message for transmission to the second electronic device, (iv) generating a map based on the privacy table, (v) generating a primary key based on the map and the privacy table, and (vi) encrypting the first message using the primary key to form an encrypted first message. The method also includes (vii) transmitting the map and the encrypted first message to the second electronic device, thereby enabling the second electronic device to decrypt the encrypted first message by recreating the primary key based on the map and the privacy table and decrypting the encrypted first message using the recreated primary key.

Abstract: Security design and architecture for a multi-tenant Hadoop cluster are disclosed. In one embodiment, in a multi-tenant Hadoop cluster comprising a plurality of tenants and a plurality of applications, a method for identifying, naming, and creating a multi-tenant directory structure in a multi-tenant Hadoop cluster may include (1) identifying a plurality of groups for a directory structure selected from the group consisting of a superuser group, a plurality of tenant groups, and at least one application group; (2) creating an active directory for each of the groups; (3) adding each of a plurality of users to one of the plurality of tenant groups and the application group; (4) creating tenant directories and home directories for the users; and (5) assigning owners, group owners, default permissions, and extended access control lists to the tenant directories and the home directories.

Abstract: A system for dynamically masking items containing sensitive information on a display screen of a user device is disclosed. A distance of each viewer from the display screen is determined. Each viewer is identified using a facial recognition algorithm. Each viewer's authority level to view certain information is determined. For each item containing sensitive information, a dynamic proximity threshold for the item is determined based on a size of the display screen and a size of the item. The dynamic proximity threshold for the item is a distance from the display screen from which the item is identifiable. The system is configured to determine whether each viewer is authorized to view the item based on the authority level of each viewer. The item is masked if at least one viewer is at a distance that is within the dynamic proximity threshold and is not authorized to view the item.

Abstract: In a method for providing provisioning information, a central data processing system receives from a transaction data processing system, an encrypted user datum associated with a client user of the transaction data processing system; receives from at least one of a plurality of account administrator data processing systems, a response comprising a notification that a user account administrated by that account administrator data processing system is associated with the client user; receives an account administrator selection message including identification of a user-selected account administrator from an account administrator list; transmits to the account administrator data processing system associated with the user-selected account administrator, a provisioning request for client user account provisioning information; receives from the account administrator data processing system associated with the user-selected account administrator, the client user account provisioning information; and transmits to the t

Abstract: Various examples described herein are directed to identifying a particular computing device, such as a computing device having malware. A DNS query may be received with a token identifying an originating computing device. The DNS query may be compared to a list of domain names associated with particular characteristics, such as having malware. The token may be used to identify the originating computing device and perform further actions.

Abstract: A computer-implemented method, a computer program product, and a computer system for using a mobile device to authenticate a user to access a secure facility. An authentication service determines whether the mobile device of the user is locked. The authentication service requests the user to unlock the mobile device and determines whether the user has unlocked the mobile device. The authentication service retrieves, from the mobile device, a first token and a MAC address. The authentication service retrieves, from a database, a token identifier of the mobile device and a personal identifier of the user. The authentication service generates a second token, based on the token identifier, the personal identifier, and the MAC address. The authentication service determines whether the first and the second tokens match. The authentication service grants the user access to the secure facility, in response to the first and the second tokens matching.

Abstract: A data management computing system for tracking data protection compliance of a plurality of entities using a data management (“DM”) server is provided. The DM server includes at least one processor programmed to: (i) receive, from a requesting entity, a personally identifying information (“PII”) consent request for access to a requested PII set of a user, (ii) determine at least one PII item associated with a reason code, (iii) compare the at least one PII item to the requested PII set, (iv) generate a consent recommendation, (v) transmit the consent recommendation to the user, (vi) receive a response indicating user consent, (vii) transmit, to the requesting entity, a notification indicating the user consent for the requesting entity to retrieve the at least one PII item from a third-party PII storage entity, and (viii) update a user profile to track the requesting entity with the at least one PII item.

Abstract: An image forming apparatus includes a communication interface and a processor. The communication interface is configured to transmit data to and receive data from a cloud server that provides a cloud service. The processor is configured to receive a token from the cloud server via the communication interface, transmit a request including the token to the cloud server via the communication interface, receive a response including user information from the cloud server via the communication interface, and shift to a login state based on the user information.

Abstract: Embodiments include method, systems and computer program products for automatic detection of an incomplete static analysis security assessment. In some embodiments, a method includes obtaining component versioning data associated with a build of an application. The method further includes determining, using the component versioning data associated with the build of the application, that a static analysis security assessment configuration of the application is incomplete. The method further includes, responsive to determining that the static analysis security assessment configuration of the application is incomplete, generating metadata indicating that at least a portion of the build of the application has been changed from a previous build of the application.

Abstract: The present system relates a platform for addressing the optimal privacy-accuracy trade-off in the revelation of a user's valuable information to a third party. Specifically, the present system formalizes the privacy-accuracy trade-off in a precise mathematical framework, wherein mathematical formalization captures user's privacy preference with a single parameter. The system possesses a revelation method of user data that is optimal, in the sense of abiding by user's privacy preference while providing the most accurate description to third party subject to the aforementioned privacy preference constraint.

Abstract: Disclosed is a server for performing authentication or identification using biometric information including basic information and detailed information includes a storage for storing basic information and detailed information that are separately encrypted for each of a plurality of users, a communicator for communicating with an external device, and a processor configured to, based on separately encrypted basic information and detailed information being received from an external terminal device through the communicator, performing user authentication or user identification for the received basic information and detailed information by decrypting and comparing the stored encrypted basic information and the received encrypted basic information, and comparing the received detailed information with at least one piece of stored detailed information corresponding to a piece of basic information having a degree of similarity that is higher than or equal to a predetermined value and with the received basic information

Abstract: A computer system includes an independent compute core; and an isolated secure data storage device to store data accessible only to the independent compute core. The independent compute core is to open an Application Program Interface (API) during runtime of the computer system in response to receiving a verified message containing secure data to be written to the secure data storage device.

Abstract: Techniques are described that eliminate storage of primary account numbers (PANs) by third-party cloud applications executed in external networks. An example method includes receiving a query from an external network that includes a card reference number (CRN) and converting the CRN into a primary account number (PAN). The method includes modifying the query to include the PAN in place of the CRN and performing a service call to retrieve a record responsive to the query from a master account database using the PAN. The method includes, when the record includes the PAN, converting the PAN into the CRN via the tokenization server. Additionally, the method includes adding the record with the CRN to a query response and transmitting the query response to the external network.

Abstract: A system and method for scrubbing data to be shared between organizations to test a joint solution, and for preventing the introduction of unscrubbed data. Each organization captures a subset of data, which may be customer data from a line of business. The first organization scrubs its data according to scrubbing rules, and then passes the scrubbed data to its test environment, while the second organization passes its unscrubbed data to its test environment. The scrubbed data is communicated to the second organization and is applied to the unscrubbed data in order to scrub it, and then communicate it to the first organization. Both organizations use the scrubbed data in their respective test environments to test the joint solution or joint testing. Scrubbing the data may involve scrubbing only specific data fields containing sensitive information.

Abstract: A server includes a processor, memory, and a communications interface. During a registration process the communications interface receives a phone number associated with a client mobile device, from a client computer system. In response to receiving the phone number, the processor generates a password and associates it with the client computer system. The password is transmitted to the client mobile device using the received phone number, and a password interface is transmitted to the client computer system. The processor waits up to a predetermined amount of time for the password transmitted to the client mobile device to be returned to the server device via the password interface transmitted to the client computer system. In response to the predetermined amount of time expiring without receiving the password, a message allowing the registration process to be completed using the client mobile device is transmitted to the client mobile device.

Abstract: Various embodiments of network access control (NAC) systems and methods are provided herein to control access to a network comprising a plurality of network endpoint nodes, where each network endpoint node includes a policy information point and a policy decision point. The policy information point within each network endpoint node stores a distributed ledger including one or more client policies that must be satisfied to access the network, and a smart contract including a set of predefined rules defining network access behaviors and actions. Upon receiving a network access request from a client device outside of the network, the policy decision point within each network endpoint node executes the smart contract to determine whether the client device should be granted access, denied access or have restricted access to the network, and executes consensus algorithm to select one of the network endpoint nodes to be a policy decision point leader.

Abstract: In some aspects, a computing system can receive a request for a processing operation that involves a query. The computing system can extract a query parameter indicating an entity or information type. The computing system can parse, using the query parameter, an obfuscated dataset that is generated by electronically transforming (i) first sensitive information into first obfuscated data using an obfuscation key and (ii) second sensitive information into second obfuscated data using the obfuscation key. The sensitive information is unreadable in the obfuscated data. The computing system can match the query parameter to the first obfuscated data and the second obfuscated data based on a relationship between the first obfuscated data and the second obfuscated data. The relationship is independent of a meaning of the first and second sensitive information. The computing system can performing the processing operation using the first and second obfuscated data.