Patents Examined by Richard W Cruz-Franqui
  • Patent number: 10701099
    Abstract: An improved information tracking procedure is provided. A precise information tracking procedure is performed for a sensitive value when an application is predicted to modify the sensitive value prior to the sensitive value reaching a data sink. The sensitive value comprises an attribute that may be linked to external knowledge to reveal sensitive information about an individual. In response to the application not being predicted to modify the sensitive value prior to the sensitive value reaching the data sink, a value-based information tracking procedure is performed. The value-based information tracking procedure comprises storing one or more values that are observed at a data source, and then determining whether or not each of these one or more values is observed at the data sink.
    Type: Grant
    Filed: September 28, 2016
    Date of Patent: June 30, 2020
    Assignee: International Business Machines Corporation
    Inventors: Pietro Ferrara, Marco Pistoia, Omer Tripp, Petar I. Tsankov
  • Patent number: 10691820
    Abstract: A message distribution system replicates a collection of messages across multiple regional data centers. When any of the data centers receives a message for distribution from an authorized publisher, it transmits the message to each of the other data centers so that the collection of messages is immediately replicated among each data center. When any data center determines that a subscriber is connected to it, that data center determines which messages in the data collection the subscriber is authorized to receive, and it automatically sends those messages to the subscriber.
    Type: Grant
    Filed: November 10, 2017
    Date of Patent: June 23, 2020
    Assignee: PubNub Inc.
    Inventors: Stephen Blum, Todd Greene
  • Patent number: 10686781
    Abstract: A login system allows users to access computer systems without using a password. The passwordless system and method can use other information to securely and reliably identify true authorized system users. The identity of a user can be associated with their mobile device. The login can be based upon a minimal amount of information such as a name and a phone number which can be stored as an identification record for each of the users in a database.
    Type: Grant
    Filed: December 20, 2014
    Date of Patent: June 16, 2020
    Assignee: Affirm Inc.
    Inventors: Jeffrey Howard Kaditz, Andrew Gettings Stevens, Bradley Neale Selby, Aaron Ng Ligon, Manuel De Jesus Arias
  • Patent number: 10664824
    Abstract: Techniques for enhancing the security of a communication device when conducting a transaction using the communication device may include receiving a cryptogram generation key replenishment request that includes transaction log information derived from transaction data stored in a transaction log on a communication device, verifying that the transaction log information in the replenishment request is consistent with the previously received transaction information, and providing a new cryptogram generation key to the communication device in response to verifying the transaction log information in the replenishment request.
    Type: Grant
    Filed: April 10, 2018
    Date of Patent: May 26, 2020
    Assignee: Visa International Service Association
    Inventors: Erick Wong, Christian Flurscheim, Oleg Makhotin, Eduardo Lopez, Sanjeev Sharma, Christopher Jones, Abhishek Guglani, Jarkko Oskari Sevanto, Bharatkumar Patel, Tai Lung Burnnet Or, Christian Aabye, Hao Ngo, John F. Sheets
  • Patent number: 10659222
    Abstract: Disclosed is an orthogonal access control system based on cryptographic operations provided by multi-hop proxy re-encryption (PRE) that strictly enforces only authorized access to data by groups of users, scalable to large numbers of users. Scalable delegation of decryption authority can be shared with a plurality of members of a group whether those members be users or devices, and members of a group can further create sub groups and delegate decryption authority to those members, whether users or devices. Members are granted access via generation of transform keys, and membership or access can be revoked merely by deleting the transform key; no elimination of the encrypted data, regardless of its storage location, is needed.
    Type: Grant
    Filed: April 27, 2018
    Date of Patent: May 19, 2020
    Assignee: IRONCORE LABS, INC.
    Inventors: Robert L. Wall, Patrick Joseph Walsh
  • Patent number: 10659479
    Abstract: Particular embodiments may include a system, apparatus, method, and/or machine readable storage medium for determining sensor usage by: detecting, at a level below an operating system executing on a computing device, one or more requests from an application to access one or more sensors associated with the computing device; determining, based on the one or more requests from the application to access the one or more sensors, that the application requested unexpected access to the one or more sensors; and performing a remedial action in response to the unexpected access requested by the application.
    Type: Grant
    Filed: March 27, 2015
    Date of Patent: May 19, 2020
    Assignee: McAfee, LLC
    Inventors: Alexander J. Hinchliffe, Pablo R. Passera, Ranjith Kumar Jidigam, Alger Wan Kwong Yeung, Simon Hunt
  • Patent number: 10659478
    Abstract: A host computer system contains a software module that monitors and records network communications that flow through the legitimate network channels provided by the operating system and reports this information to a central processing server. A computer system acting as a central processing server compares network communications data received from the host computer system with the overall network traffic. Network traffic that is not reported from the host computer system is likely the result of stealth network traffic produced by advanced malware that has hidden its communications by circumventing the legitimate network channels provided by the OS. Detection of this stealth network traffic can be accomplished by using just the packet header information so the data payload does not need to be recorded, thereby reducing the memory requirements and reducing the need to save any potentially sensitive information.
    Type: Grant
    Filed: July 21, 2014
    Date of Patent: May 19, 2020
    Inventor: David Paul Heilig
  • Patent number: 10652263
    Abstract: The present invention generally relates to detecting malicious network activity coming from network devices such as routers and firewalls. Specifically, embodiments of the present invention provide for detecting stealth malware on a network device by comparing inbound and outbound network traffic to discover packets originating from the network device and packets that violate configuration rules. When combined with a network traffic monitor server configured to monitor actual network traffic reports and to receive known network traffic reports from host computers, the system can detect stealth network traffic originating from both network devices and host computer systems.
    Type: Grant
    Filed: January 6, 2019
    Date of Patent: May 12, 2020
    Inventor: David Paul Heilig
  • Patent number: 10644885
    Abstract: The Firmware Extension for Secure Cryptocurrency Key Backup, Restore, and Transaction Signing Platform Apparatuses, Methods and Systems (“SFTSP”) transforms transaction signing request, key backup request, key recovery request inputs via SFTSP components into transaction signing response, key backup response, key recovery response outputs. A key backup request that includes an encrypted master key associated with a hosting HSM is received by a backup HSM from a backup utility. A private key decryption key corresponding to a public key encryption key previously provided by the backup HSM to the backup utility for the hosting HSM is retrieved from the backup HSM's tamper-proof storage and used to decrypt the encrypted master key. A specified number of master key shares to generate for the decrypted master key is determined and generated using a secret sharing method. The generated master key shares are provided to the backup utility.
    Type: Grant
    Filed: February 15, 2018
    Date of Patent: May 5, 2020
    Assignee: FMR LLC
    Inventors: Gang Cheng, Vladimir Tsitrin, Thomas Stephen McGuire
  • Patent number: 10645093
    Abstract: The technology disclosed herein enables reduction of secure protocol overhead when transferring packets between guest elements on different hosts. In a particular embodiment, the method provides, in a first virtual network interface of a first guest element, receiving one or more first packets from a first guest element directed to a second guest element. In response to determining that the first packets will be encapsulated in a secure protocol having a first integrity check procedure provided for by the secure protocol, the method provides refraining from performing a transmit-side portion of a second integrity check procedure on the first packets as provided for by a transport protocol. The method further provides passing the first packets to a first host of the first virtual network interface in the transport protocol.
    Type: Grant
    Filed: August 23, 2017
    Date of Patent: May 5, 2020
    Assignee: Nicira, Inc.
    Inventors: Vasantha Kumar, Vaibhav Rekhate, Nidhi Sharma, Sriram Gopalakrishnan
  • Patent number: 10645064
    Abstract: Improved virtualized application performance is provided through disabling of unnecessary functions, such as unnecessary encryption and decryption operations. An example method performed by a hypervisor includes the steps of obtaining a request to one or more of encrypt and decrypt a communication between a first virtual machine and a second virtual machine; determining if the first and second virtual machines execute on a same host as the hypervisor (e.g., by evaluating a context of the communication); and processing the communication without encrypting or decrypting the communication if the first and second virtual machines execute on the same host. Lawful Interception is performed by forwarding an unencrypted version of the communication to an authorized agency.
    Type: Grant
    Filed: April 23, 2015
    Date of Patent: May 5, 2020
    Assignee: Alcatel Lucent
    Inventors: Igor Faynberg, Hui-Lan Lu
  • Patent number: 10587595
    Abstract: Methods and systems for controlling access to content are described. The method may include detecting, at a client electronic device, the presence of a beacon device signal emitted from a beacon device. The method may further include determining, based on the beacon device signal, whether the content is accessible from the client electronic device. The method may also include, in response to determining that the content is accessible from the client electronic device, providing access to the content at the client electronic device.
    Type: Grant
    Filed: December 30, 2015
    Date of Patent: March 10, 2020
    Assignee: ACRONIS INTERNATIONAL GMBH
    Inventor: Frederick Edward Naef
  • Patent number: 10581875
    Abstract: A system and method are described for preventing security breaches in an IoT system.
    Type: Grant
    Filed: May 27, 2016
    Date of Patent: March 3, 2020
    Assignee: Afero, Inc.
    Inventors: Shannon Holland, Robey Pointer, Stephen Sewerynek, Nickolas Heckman, Chris Auito, Lucas Finkelstein, Scott Zimmerman
  • Patent number: 10581807
    Abstract: A dispersed storage network (DSN) includes a DSN memory, which in turn employs multiple distributed storage (DS) units to store encrypted secret material that can be decrypted using an unlock key. The unlock key is stored external to the DS unit, in some cases using multiple data slices dispersed throughout the DSN. To obtain the unlock key, the DS unit transmits authentication credentials to another device included in the DSN, but external to the DS unit. The other device authenticates the DS unit using the authentication credentials, and sends the unlock key to the DS unit. The DS unit uses the unlock key in normal decryption operations. In response to a security event, the DS unit transitions to a secure mode by erasing any material decrypted using the unlock key, the unlock key, and the DS unit's authentication credentials.
    Type: Grant
    Filed: August 29, 2016
    Date of Patent: March 3, 2020
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Jason K. Resch, Mark D. Seaborn
  • Patent number: 10572638
    Abstract: A mobile terminal is provided by an issuing authority for capturing biometric data of a user for transmission to a security document. The mobile terminal includes a data storage unit containing a credential, an authentication module, a sensor for capturing the biometric data of the user and a control unit that is configured to capture the biometric data of the user only upon successful reciprocal authentication of the user and the mobile terminal. An authenticity test module tests the authenticity of the captured biometric data. If authentic, the captured biometric data is stored in the data storage unit in protected form. Readout of the biometric data from the mobile terminal, by an operator of the issuing authority, is permitted only if the operator has been authenticated to the mobile terminal using additional authentication data.
    Type: Grant
    Filed: July 10, 2015
    Date of Patent: February 25, 2020
    Assignee: BUNDESDRUCKEREI GMBH
    Inventors: Andreas Wolf, Joachim Kueter
  • Patent number: 10552603
    Abstract: A system provides for monitoring information received, determining whether received information does or is likely to include executable code, and if so, causes a sandboxed package including the received information and mobile protection code (MPC) to be transferred to a destination device of the received information. At a destination device, the sandboxed package is unbundled such that upon initiating the Downloadable, malicious Downloadable operating attempts are received by the MPC causing (predetermined) corresponding operations to be executed in response to the attempts.
    Type: Grant
    Filed: November 16, 2015
    Date of Patent: February 4, 2020
    Assignee: Finjan, Inc.
    Inventors: Yigal Mordechai Edery, Nimrod Itzhak Vered, David R. Kroll
  • Patent number: 10554414
    Abstract: A Material eXchange Format (MXF) digital file generated by a digital electronic processor is disclosed that includes a generic container for a media file. The MXF file also includes a SDTI-CP (Serial Data Transport Interface-Content Package) compatible system item. The SDTI-CP compatible system item has a media file metadata and a blockchain hash digest information formed from the media file. The blockchain hash digest information of the media file may be a blockchain hash digest used to error check the media file. Alternatively, the blockchain hash digest information of the media file may be a link to a cloud-based blockchain hash digest used to error check the media file.
    Type: Grant
    Filed: May 27, 2019
    Date of Patent: February 4, 2020
    Inventor: Tyson York Winarski
  • Patent number: 10554404
    Abstract: An encryption method is provided in which a software model of a technical system, the model including software components, is encrypted by a public key and a decryption structure, wherein the latter includes definitions of component groups of the software model. The decryption structure is integrated at least partially into the encrypted software model. Correspondingly, in a decryption method according to the invention, via a secret key that likewise comprises definitions of component groups, only the particular component groups are decrypted whose definitions the secret key includes in agreement with the definitions of the encrypted software model. The definitions of the secret key can be extended after the fact by a key extension, so that additional component groups can be decrypted with an extended secret key.
    Type: Grant
    Filed: October 19, 2015
    Date of Patent: February 4, 2020
    Assignee: dSPACE digital signal processing and control engineering GmbH
    Inventors: Janek Jochheim, Karsten Kruegel, Johannes Bloemer, Gennadij Liske
  • Patent number: 10554643
    Abstract: A method for authenticating a client application by an authorization server is provided. In the method, the authorization server transmits a first redirect identifier assigned to a client application to a web runtime engine, in response to receiving a registering request to register with the authorization server of the client application; receives an access request to access a protected resource stored on a resource server by the client application; and transmits the access request to the resource server through the web runtime engine using a second redirect identifier corresponding to a redirect endpoint of the client application. The second redirect identifier is intercepted by the web runtime engine, and the protected resource is accessed by the client application based on a comparing result between the first redirect identifier and the second redirect identifier in the web runtime engine.
    Type: Grant
    Filed: December 19, 2014
    Date of Patent: February 4, 2020
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Balaji Nerella Venkataramana, Kaushik Das, Satish Nanjunda Swamy Jamadagni, Prabhavathi Perumal
  • Patent number: 10554405
    Abstract: The present invention relates to the field of tracing and anti-counterfeit protection of physical objects, and particularly to preparing and performing a secure authentication of such objects. Specifically, the invention is directed to a method and a system for preparing a subsequent secured authentication of a physical object or group of physical objects by a recipient thereof, to a method and system for authenticating a physical object or group of physical objects, to a method and system of securely providing a time-variant combination scheme for authenticating a physical object or group of physical objects according to the above methods, and to related computer programs corresponding to said methods. The invention is based on the concept of increasing the security level by increasing the information entropy of the data on which the anti-counterfeit protection is based by means of random data communicated to authenticating entities in an algorithmically hidden way.
    Type: Grant
    Filed: February 8, 2019
    Date of Patent: February 4, 2020
    Assignee: Merck Patent GmbH
    Inventors: Thomas Endress, Daniel Szabo, Frederic Berkermann, Natali Melgarejo Diaz