Patents Examined by Syed M Ahsan
  • Patent number: 10454949
    Abstract: Cross-Site Request Forgery attacks are mitigated by a CSRF mechanism executing at a computing entity. The CSRF mechanism is operative to analyze information associated with an HTTP request for a resource. The HTTP request typically originates as an HTTP redirect from another computing entity, such as an enterprise Web portal. Depending on the nature of the information associated with the HTTP request, the HTTP request may be rejected because the CSRF mechanism determines that the request is or is likely associated with a CSRF attack. To facilitate this determination, the approach leverages a new type of “referer” attribute, a trustedReferer, which indicates that the request originates from a server that has previously established a trust relationship with the site at which the CSRF mechanism executes. The trustedReferer attribute typically is set by the redirecting entity, and in an HTTP request header field dedicated for that attribute.
    Type: Grant
    Filed: November 20, 2015
    Date of Patent: October 22, 2019
    Assignee: International Business Machines Corporation
    Inventors: Lewis Lo, Ching-Yun Chao, Li Yi, Leonardo A. Uzcategui, John Yow-Chun Chang, Rohan Gandhi
  • Patent number: 10452830
    Abstract: An example method includes receiving a digital certificate corresponding to a user at a stylus device. The method includes transmitting the digital certificate and associated digital ink data to a touch device to authenticate the user based at least on the digital certificate and the associated digital ink data in response to detecting that the stylus device is within a threshold range of the touch device.
    Type: Grant
    Filed: February 2, 2016
    Date of Patent: October 22, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventor: Narasimhan Raghunath
  • Patent number: 10447659
    Abstract: Aspects of the subject technology relate to systems and methods for sharing encrypted information among multiple devices. A peer-to-peer connection between a first computing device associated with a user account and a second computing device associated with the user account is established. Information associated with at least a portion of a file system of the second computing device may be received by the first computing device, where the portion of the file system comprises encrypted data. The portion of the file system of the second computing device may be mounted on the first computing device based on the received information.
    Type: Grant
    Filed: March 2, 2016
    Date of Patent: October 15, 2019
    Assignee: GOOGLE LLC
    Inventors: Katie Leah Roberts-Hoffman, Alberto Martin Perez
  • Patent number: 10440042
    Abstract: In an embodiment, a data processing method providing an improvement in computer security, comprises selecting, from a domain name queue comprising a plurality of domain names, a particular domain name to analyze; extracting one or more features of the particular domain name; determining a particular risk priority score of the particular domain name based on analyzing the one or more features of the particular domain name by applying a classifier to the one or more features of the particular domain name; inserting the particular risk priority score and an identifier associated with the particular domain name into a priority queue comprising a plurality of risk priority scores and a plurality of domain names; repeating the selecting, extracting, determining, and inserting steps for the remaining domain names in the domain name queue; retrieving from the priority queue, based upon the risk priority score, the identifier associated with the particular domain name; determining the particular domain name associated
    Type: Grant
    Filed: May 18, 2016
    Date of Patent: October 8, 2019
    Assignee: Area 1 Security, Inc.
    Inventors: Peter Stein, Connie Siu, Donghyun Michael Choi, Rahul Sridhar, Hunter van Adelsberg
  • Patent number: 10404684
    Abstract: Techniques of the present disclosure register a device to a mobile device management (MDM) network to enable access of the MDM network. In some embodiments, a registration service receives a request to register a device as a device managed by an enterprise associated with the registration service. In response, the registration service sends a response redirecting the device to authenticate via an authentication service, where the device is configured via an authentication profile to authenticate via the authentication service. The device sends a token issued by the authentication service of the enterprise. The registration service provides access to the registration service based on the received token, including by allowing the registration service to be used to register the device as a device managed at least in part by the enterprise. The present techniques improve security of communications by registering a device without requiring input of sensitive authentication information.
    Type: Grant
    Filed: December 11, 2015
    Date of Patent: September 3, 2019
    Assignee: MOBILE IRON, INC.
    Inventors: Sudheer Babu Chittireddy, Mansu Kim
  • Patent number: 10404477
    Abstract: A root user device associated with a user receives a request from a non-root user device associated with the user to issue a digital certificate to the non-root user device. The root user device utilizes a shared secret to determine whether the request is valid. If the request is determined to be valid, the root user device uses a public cryptographic key of a cryptographic key pair generated by the non-root user device to generate the digital certificate. The root user device digitally signs the digital certificate by using its private cryptographic key of a cryptographic key pair generated by the root user device. The root user device issues the digitally signed digital certificate to the non-root user device for use in authentication of the non-root user device.
    Type: Grant
    Filed: February 25, 2016
    Date of Patent: September 3, 2019
    Assignee: Amazon Technologies, Inc.
    Inventor: Michael Bannon Deck
  • Patent number: 10396977
    Abstract: A method and system. Ciphertext is generated by applying both an initialization vector and an encryption key directly to plaintext. The initialization vector is combined with the ciphertext to generate encrypted data, by using an embedding rule to perform the combining.
    Type: Grant
    Filed: January 23, 2017
    Date of Patent: August 27, 2019
    Assignee: International Business Machines Corporation
    Inventor: Yasuhiro Onoda
  • Patent number: 10397275
    Abstract: Some embodiments provide novel methods for processing remote-device data messages in a network based on data-message attributes from a remote device management (RDM) system. For instance, the method of some embodiments identifies a set of RDM attributes associated with a data message, and then performs one or more service operations based on the identified RDM attribute set.
    Type: Grant
    Filed: November 1, 2015
    Date of Patent: August 27, 2019
    Assignee: NICIRA, INC.
    Inventors: Jayant Jain, Anirban Sengupta, Rick Lund, Alok S. Tiagi, Jingmin Zhou, Nishant Jain
  • Patent number: 10380347
    Abstract: A runtime analysis framework (RTA) stores a hierarchical list of input tags and a hierarchical list of output tags. The RTA stores defined vulnerabilities that include associated input tags and output tags. During runtime the software application may receive a request from a user system. The RTA assigns an input tag from the hierarchical list of input tags to an object associated with the request and assigns an output tag from the hierarchical list of output tags to a method generating a response to the request. The RTA identifies one of the defined vulnerabilities as a potential vulnerability if the assigned output tag and output tag associated with the potential vulnerability are in a same subtree of the hierarchical list of output tags and the assigned input tag and the input tag associated with the potential vulnerability are in a same subtree of the hierarchical list of input tags.
    Type: Grant
    Filed: June 8, 2016
    Date of Patent: August 13, 2019
    Assignee: SALESFORCE.COM., INC.
    Inventors: Sergey Gorbaty, Travis Safford, Xiaoran Wang
  • Patent number: 10375572
    Abstract: In some embodiments, a network regulator device protects a local network of client systems (e.g. Internet-of-things devices such as smartphones, home appliances, wearables, etc.) against computer security threats. Various aspects of the operation of the network regulator may be managed remotely via a graphical user interface (GUI) executing on an administration device, such as a mobile phone. The GUI is further configured to display a security notification to a user of the administration device, the security notification indicating the occurrence of a security event caused by an action of a protected client system.
    Type: Grant
    Filed: December 11, 2015
    Date of Patent: August 6, 2019
    Assignee: Bitdefender IPR Management Ltd.
    Inventors: Alexandru I. Achim, Mirela L. Padina, Monica M. Miron, Bogdan C. Cebere, Cosmin C. Stan, Catalina Albisteanu, Dan Berte, Bogdan Dumitrache, Daniel A. Mircescu, Alex Novac
  • Patent number: 10375059
    Abstract: A user may only log into an education application using login credentials of a third-party social media site. A browser is redirected to a server computer of the site which authenticates the user's credentials. The server confirms to the education application which displays its contents on the computer and allows the user to access the education application. Or, the user selects a mobile application on a telephone which connects to the server of the site. The site authenticates the user's credentials and sends a confirmation back to the mobile application. The mobile application connects to the education application and allows it to display its contents on the telephone. Alternatively, an actual minimum number of links is required before access is granted to the education application which is greater than a stated minimum. Attempting to log into the education application with fewer than the stated minimum results in a warning message and access is not granted.
    Type: Grant
    Filed: March 8, 2016
    Date of Patent: August 6, 2019
    Assignee: STUDY SOCIAL, INC.
    Inventor: Ethan Fieldman
  • Patent number: 10366236
    Abstract: In accordance with codes of applications, it is determined whether the applications access predetermined privacy information due to permission, a first label is assigned to an application that is determined to make an access, and a second label to an application that is determined not to make an access. The score of each word is calculated such that a high score is set to a word that is included in the text of the description of the application, to which the first label is assigned, more often than in the text of the description of the application, to which the second label is assigned, and a predetermined number of words at the top with regard to the score is extracted. The application whose text of the description includes the extracted word is classified as an application that refers to the permission.
    Type: Grant
    Filed: July 5, 2016
    Date of Patent: July 30, 2019
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Mitsuaki Akiyama, Takeshi Yagi, Tatsuya Mori, Takuya Watanabe
  • Patent number: 10356064
    Abstract: Disclosed herein are systems and methods for distributed key management. A first communications node may join a network. The first communications node may receive a white list generated by a central authority. The white list may include criteria for selecting a master communications node that may generate and distribute a cryptographic key for the network. The white list may also identify one or more communications nodes authorized to receive the generated cryptographic key. Responsive to detecting a second communications node joining the network, the first communications node may determine whether the second communications node is to be the master communications node for the network.
    Type: Grant
    Filed: May 2, 2016
    Date of Patent: July 16, 2019
    Assignee: ROCKWELL COLLINS, INC.
    Inventors: Sean D. Howard, Justin D. Davis
  • Patent number: 10348709
    Abstract: Techniques are disclosed for providing an authentication service that performs authentication of users on behalf of a relying party. The authentication service receives authentication requirements from the relying party and compares those requirements with authentication capabilities of the user and user equipment. If the authentication requirements are met, the authentication service may perform authentication using the corresponding authentication factors. If the available authentication factors are insufficient or the user fails authentication using the authentication factors used by the authentication service, the relying party may be notified that authentication failed. Upon successful authentication, the authentication service notifies the requiring party that the user has been authenticated.
    Type: Grant
    Filed: September 25, 2015
    Date of Patent: July 9, 2019
    Assignee: McAfee, LLC
    Inventors: Gilad Gitlin, Richard Reiner, John McDowell
  • Patent number: 10318746
    Abstract: There is disclosed in an example, a computing apparatus, including: a trusted execution environment (TEE); and one or more logic elements providing a collaboration engine within the TEE, operable to: receive a change to a secured document via a trusted channel; apply a change to the secured document; log the change to a ledger; and display the document to a client device via a protected audio-video path (PAVP). There is also disclosed a method of providing a collaboration engine, and a computer-readable medium having stored thereon executable instructions for providing a collaboration engine.
    Type: Grant
    Filed: September 25, 2015
    Date of Patent: June 11, 2019
    Assignee: McAfee, LLC
    Inventors: Oleg Pogorelik, Alex Nayshtut, Ned M. Smith, Igor Muttik, Omer Ben-Shalom
  • Patent number: 10305906
    Abstract: Systems, devices and processes are described for implementing an access heartbeat role on a hardware security module (HSM) that stores secure data on behalf of a secure data owner. Heartbeat and access credentials are established and distributed by the HSM. Access to the secure data is prevented unless the HSM receives valid heartbeats prior to a time expiration along with a valid access request. Generally, heartbeats are signed messages and include heartbeat credentials. Access requests may also be signed messages and include access credentials. The access credentials may be suspended, revoked or the entire HSM may be zeroized (e.g., plaintext keys erased), dependent upon a failure to receive valid heartbeats in a timely fashion. Heartbeats may be required from multiple entities, in some embodiments. Some example configurable features include heartbeat expiration time, the source of the credentials, the access denial options, and how many sources of distinct heartbeats are required.
    Type: Grant
    Filed: September 13, 2016
    Date of Patent: May 28, 2019
    Assignee: Amazon Technologies, Inc.
    Inventor: Steven Preston Lightner Norum
  • Patent number: 10296467
    Abstract: A host central processing unit subsystem that writes information to external memory may provide policy to the external memory. Then every time a write comes from the host subsystem, a memory controller within the memory may check the write against the policy stored in the memory and decide whether or not to implement the write.
    Type: Grant
    Filed: September 25, 2015
    Date of Patent: May 21, 2019
    Assignee: Intel Corporation
    Inventors: Vinodh Gopal, Gilbert M. Wolrich, Kirk S. Yap
  • Patent number: 10289871
    Abstract: An integrated circuit includes a security module with multiple stages arranged in a pipeline, with each stage executing a different operation for accessing stored lifecycle (LC) information. For each portion of LC being accessed, each stage performs N iterations of its corresponding operation, whereby N is an integer greater than two, and crosschecks the results of successive iterations to ensure that the results of the operation are consistent. In addition, the stages of the security module are overlapping, such that different stages can perform different iterations concurrently. These concurrent operations at different stages are organized such that they may also be crosschecked and thereby confirm “offset” results between the stages.
    Type: Grant
    Filed: November 2, 2015
    Date of Patent: May 14, 2019
    Assignee: NXP USA, Inc.
    Inventors: Michael Rohleder, Stefan Doll, Clemens Alfred Roettgermann
  • Patent number: 10284560
    Abstract: Systems and methods for unmanned vehicle security and control are provided herein. An exemplary system includes a control station and an unmanned vehicle. The unmanned vehicle may be locked from remote control by the control station. The system may also include a first access control hardware device attached to the control station and communicably coupled, using a network, with the unmanned vehicle. The system may also include a second access control hardware device physically attached to the unmanned vehicle and communicably coupled, using the network, with the control station. The first and/or second access control hardware devices are utilized to unlock the unmanned vehicle from remote control by the control station.
    Type: Grant
    Filed: June 1, 2016
    Date of Patent: May 7, 2019
    Assignee: Just Innovation, Inc.
    Inventor: Justin Evan Manley
  • Patent number: 10237247
    Abstract: A convenient, easy to use ubiquitous secure communications capability can automatically encrypt and decrypt messages without requiring any special intermediating security component such as gateways, proxy servers or the like. Trusted/secure applications for the mobile workforce can significantly improve productivity and effectiveness while enhancing personal and organizational security and safety.
    Type: Grant
    Filed: February 6, 2017
    Date of Patent: March 19, 2019
    Assignee: Protected Mobility, LLC
    Inventors: William J. Marlow, Robert Cichielo, Emil Sturniolo, Paul Benware