Abstract: A method and system for determining whether a consensus has been achieved for adding a block to a distributed ledger. The system receives a candidate block to add to the distributed ledger and receives block approvals of approving participants for the candidate block. The system calculates a total block approval stake that the approving participants have in the distributed ledger. The system identifies a total stake that participants have in the distributed ledger. When the total block approval stake is at least a threshold fraction of the total skate, the system indicates that the consensus has been achieved for adding the candidate block to the distributed ledger.

Abstract: An illustrative example embodiment of a controller associated with a container includes a processor and memory. The controller is configured to generate a derived key based on global positioning system information corresponding to a location of the controller. The controller uses the derived key to authenticate a user device.

Abstract: An autonomous robotic vehicle includes a conveyance system, a securable compartment configured to autonomously lock and unlock, a customer identification reader, at least one processor, and a memory storing instructions which, when executed by the at least one processor, causes the autonomous robotic vehicle to, autonomously: travel to a destination location of a customer; capture, by the customer identification reader at the destination location, a customer identification object; determine that the captured customer identification object matches an identity of the customer; unlock the securable compartment based on the determination; capture, by the product identification reader, a product identifier; and accept a product to be returned by locking the securable compartment. The securable compartment contains a product identification reader.

Abstract: A first network device nonce is computed. The first network device nonce is based on a first network device secret. A Change Token Table message (CTTM) is sent to a second network device. The CTTM comprises the first network device nonce. A Change Token Table Ack Message (CTTAM) with a second network device nonce is received from the second network device. A new token for a tokenization table is computed based on the first network device secret, the second network device nonce, a prime number, and a key derivation function. The new token for the tokenization table is also computed by the second network device based on a second network device secret, the first network device nonce, the prime number, and the key derivation function.

Abstract: A handling apparatus (14a) handles a server attack taking place on a network (1Na) or handles a server attack as requested by a security system provided on another network. In accordance with a determination that it is not possible to handle the server attack by the handling apparatus (14a), the control determination apparatus (12a) makes a request to another security system (1Sb) capable of handling the server attack to handle the server attack. A centralized control apparatus (11) determines whether the server attack taking place on the network (1Na) can be handled on another network.

Abstract: Apparatus and method for managing devices within a trust boundary of a computer network. In some embodiments, a trust manager circuit uses a first registration authority to authenticate a plurality of processing devices to form a trust group. A new processing device is subsequently added to the group. The trust manager circuit uses a different, second registration authority to provisionally authenticate the new processing device in response to an unavailability of the first registration authority, and grants provisional rights to the new processing device. Once the first registration authority is once again available, the trust manager performs a full authentication of the new processing device and grants full rights to the device.

Abstract: Groups of devices may be prevented from accessing content by encrypting the content. A plurality of secrets associated with a decryption key may be generated using a secret sharing algorithm. The plurality of secrets may be sent to one or more groups of devices to derive the decryption key. A non-restricted subset of the groups of devices may receive one or more secrets. Devices within the non-restricted subset of the groups may be able to use one or more secrets to determine the decryption key for the content. Groups that do not receive one or more secrets may be unable to determine the decryption key for the content.

Abstract: A certificate management system includes an electronic device and a server. The electronic device is configured to transmit a certificate application request. The server is configured to sign a device certificate corresponding to the electronic device through an intermediate certificate device after receiving the certificate application request, and transmit the device certificate and the Internet address of the server to the electronic device. The electronic device stores the device certificate and the Internet address of the server to complete the certificate issuance operation.

Abstract: The disclosure herein describes securing access to a service resource within a security boundary. A security gateway instance receives a request from an edge deployment outside the security boundary. The request includes identity data identifying the edge deployment. The identity data is validated based on allowed identity data of the security gateway instance and based on a validation handler associated with the service resource. Based on validating the identity data and validating the request, the identity data is transformed using security data specific to the security gateway instance. The transformed identity data indicates the request has been validated by the security gateway instance. Based on transforming the identity data of the request, the transformed identity data and the request are forwarded to the service resource via a network link within the security boundary, wherein the service resource is configured to process the request based on identifying the transformed identity data.

Abstract: A mobile terminal includes a touch screen display, a camera, a power button and an activation button for turning on the touch screen display. The mobile terminal has a first function and a second function to perform in response to user input and provides user settings for configuring at least one of the first and second functions such that the at least one of the first and second functions is performed along with turning on the touch screen display when pressing of the activation button is detected while the touch screen display is turned off. The mobile terminal is configured to perform the first and second functions depending upon length of pressing of the activation button in addition to turning on the touch screen display.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to facilitate end-user defined policy management. An example apparatus includes an edge node interface to detect addition of a networked user device to a service gateway, and to extract publish information from the networked user device. The example apparatus also includes a device context manager to identify tag parameters based on the publish information from the networked user device, and a tag manager to prohibit unauthorized disclosure of the networked user device by setting values of the tag parameters based on a user profile associated with a type of the networked user device.

Abstract: A process running on client devices intercepts requests destined for an identity provider (“IdP”) system and injects a digital signature corresponding to a user associated with the request. In order to reduce or eliminate the burden on providers of the applications or other resources used by the users, the organization providing the IdP system may also provide components that run locally on the client devices of users and integrate with the users' applications. For example, in one embodiment code of the IdP system is run within a container of an application to handle communication with the IdP system. Additionally, code of the IdP system is run as a local process that handles request interception and digital signature injection. For client devices not supporting the use of the local process, a separate verifier application of the IdP can be run locally and allow interactively performing authentication via a user interface.

Abstract: A method including determining, by a first device, encrypted content based at least in part on utilizing a symmetric key; determining, by the first device, a sharing link to be utilized by a second device to obtain access to the encrypted content, the sharing link including a static portion and a dynamic portion; transmitting, by the first device to the second device, the sharing link to enable the second device to obtain access to the encrypted content; transmitting, by the second device to the endpoint, a request to access the encrypted content, the request being routed to the endpoint based at least in part on the static portion; and receiving, by the second device, access to the encrypted content based at least in part on transmitting the request. Various other aspects are contemplated.

Abstract: An access control system which relies at least in part on a non-networked path for permitting an entity access to a secured location; the entity identified by the system by means of a unique entity identifier accorded the entity; entry to said secured location secured by a barrier; said barrier identified by the system by means of a unique barrier identifier accorded the barrier; said system including a local access unit located local to the barrier; said system including a barrier controller for actuation of the barrier; said local access unit issuing an open signal to the barrier controller whereby the barrier permits the entity access to the secured location if and only if data contained in a token communicated from an un-trusted communications device to the local access unit is verified by the local access unit with respect to at least a first parameter by the local access unit.

Abstract: Disclosed are various embodiments for performing authenticated actions when Internet connectivity is not available. An application executed in a first computing device determines that an authenticated action is requested to be performed. The application determines that Internet connectivity is unavailable to the first computing device. The application initiates the authenticated action using a communication channel that connects the first computing device to a second computing device. The Internet is inaccessible through the communication channel.

Abstract: Provided is a method for disabling encryption of data in motion in response to an event. The method includes a service processing data. The service may process the data while in a public mode, in which the service is configured to encrypt data in motion. The method further comprises detecting an event that triggers the service to go into a protected mode. The method further comprises isolating the service from one or more public systems in response to detecting the event. The method further comprises deactivating encryption of data in motion, and processing the data without encrypting the data while in motion.

Abstract: A computer includes a processor and a memory storing instructions executable by the processor to, upon receiving an authorization message, transmit a plurality of new authentication keys to a respective plurality of control modules, the memory including an expiration time for the authorization message; update a listing of the control modules with respective statuses of the transmissions of the respective new authentication keys to the respective control modules, wherein each status is one of successful or unsuccessful; upon at least one status being unsuccessful, prevent the authorization message from expiring at the expiration time; after preventing the authorization message from expiring, retransmit the respective new authentication keys to each control module for which the respective status is unsuccessful; and then expire the authorization message.

Abstract: A cyber security system for providing security to a railway, the system comprising: a data monitoring and processing hub; a network comprising a plurality of data collection agents synchronized to a same network clock and configured to monitor railway infrastructure devices and onboard devices of rolling stock having a train communication network (TCN), and forward monitored data to the hub for processing by the hub to detect anomalies in railway operation that are indicative of a cyber-attack; at least one anonymizer configured to scrub information items from data that the hub receives from a data collection agent of the plurality of data collection agents which may be used to identify the cyber security system or the railway for which the system provides security.

Abstract: The present disclosure describes systems and method for performing a vulnerabilities assessment of an organization. A campaign controller executes one or more simulated phishing campaigns directed to a plurality of users of an organization, using a plurality of models determined by the campaign controller based at least on identification of the organization. The campaign controller stores to a database the results of execution of the one or more simulated phishing campaigns and based on the results, the campaign controller determines one or more vulnerabilities to phishing for the organization. In one embodiment, the campaign controller determines a percentage of the plurality of users of the organization that are phish-prone. In some embodiments, the users of the organization that are phish-prone interacted with a link of a simulated phishing communication.

Abstract: This invention is directed to an electronic device with an embedded authentication system for restricting access to device resources. The authentication system may include one or more sensors operative to detect biometric information of a user. The sensors may be positioned in the device such that the sensors may detect appropriate biometric information as the user operates the device, without requiring the user to perform a step for providing the biometric information (e.g., embedding a fingerprint sensor in an input mechanism instead of providing a fingerprint sensor in a separate part of the device housing). In some embodiments, the authentication system may be operative to detect a visual or temporal pattern of inputs to authenticate a user. In response to authenticating, a user may access restricted files, applications (e.g., applications purchased by the user), or settings (e.g., application settings such as contacts or saved game profile).