Patents Examined by Venkat Perungavoor
  • Patent number: 11223653
    Abstract: In one embodiment, a device obtains telemetry data regarding an encrypted traffic session in a network. The telemetry data includes Transport Layer Security (TLS) features of the traffic session and auxiliary information indicative of a destination address of the traffic session, a destination port of the traffic session, or a server name associated with the traffic session. The device retrieves, using the obtained telemetry data, a plurality of candidate processes from a TLS fingerprint database that relates processes with telemetry data from encrypted traffic sessions initiated by those processes. The device uses a probabilistic model to assign probabilities to each of the plurality of candidate processes. The device identifies one of the plurality of candidate processes as having initiated the encrypted traffic session based on its assigned probability.
    Type: Grant
    Filed: July 16, 2019
    Date of Patent: January 11, 2022
    Assignee: Cisco Technology, Inc.
    Inventors: Blake Harrell Anderson, David McGrew, Keith Richard Schomburg
  • Patent number: 11222142
    Abstract: In particular embodiments, a data processing consent management system may be configured to utilize one or more age verification techniques to at least partially authenticate the data subject's ability to provide valid consent (e.g., under one or more prevailing legal requirements) in order to collect, store, and/or process the subject's personal data. For example, according to one or more particular legal or industry requirements, an individual (e.g., data subject) may need to be at least a particular age (e.g., an age of majority, an adult, over 18, over 21, over 13, or any other suitable age) in order to provide valid consent. Data processing systems may generate and store one or more consent records memorializing valid consent for data processing from data subjects in response to confirming that the data subject is old enough to provide such consent.
    Type: Grant
    Filed: March 9, 2021
    Date of Patent: January 11, 2022
    Assignee: OneTrust, LLC
    Inventors: Kevin Jones, Jonathan Blake Brannon
  • Patent number: 11223601
    Abstract: Methods and systems are disclosed for isolation of collaboration software on a host computer system. A networked computer system may include a network, a first host computer system, a border firewall and/or a web proxy. The host computer system may be configured to run a collaboration software application or process that enables interaction with one or more other host computer systems. The collaboration software application or process may be run within an untrusted memory space. The collaboration software application or process may enable interaction between a second host computer system and the untrusted memory space such that the second host computer system may access meeting data within a sandboxed computing environment operating within the untrusted memory space.
    Type: Grant
    Filed: September 25, 2018
    Date of Patent: January 11, 2022
    Assignee: L3 Technologies, Inc.
    Inventors: Glenn Coleman, Peter Martz, Kenneth Moritz
  • Patent number: 11216582
    Abstract: Systems, methods, and devices for implementing secure views for zero-copy data sharing in a multi-tenant database system are disclosed. A method includes granting, to one or more cross-accounts, access to a share object comprising a secure view and usage functionality associated with a user-defined function (UDF) to underlying data without providing a view of the procedural logic associated with the UDF.
    Type: Grant
    Filed: May 28, 2021
    Date of Patent: January 4, 2022
    Assignee: Snowflake Inc.
    Inventors: Allison Waingold Lee, Peter Povinec, Martin Hentschel, Robert Muglia
  • Patent number: 11218446
    Abstract: A plurality of system nodes coupled via a dedicated private network is described herein. The nodes offer an end-to-end solution for protecting against network-based attacks. The nodes can include network gateways that allow remote systems, such as servers located at an entity's place of operation or a data center accessible by the entity, to securely transmit data between the nodes and the remote systems. For example, the network gateways can split data into different portions, and transmit each portion over a different path through a public network to mitigate the effects of man-in-the-middle attacks. Once data reaches a node, transmission of the data from one node to another can pass through multiple intermediary nodes via the dedicated private network. The nodes and/or remote systems may also include cross-domain guard devices that control whether data can pass from one security domain to another.
    Type: Grant
    Filed: June 12, 2019
    Date of Patent: January 4, 2022
    Assignee: ORock Technologies, Inc.
    Inventor: John Leon
  • Patent number: 11218457
    Abstract: The disclosed technology is generally directed to blockchain and other security technology. In one example of the technology, a first node is endorsed. During endorsement of a first node, a pre-determined type of blockchain or other security protocol code to be authorized and a pre-determined membership list are stored in a trusted execution environment (TEE) of the first node. A determination is made as to whether the membership lists and pre-determined blockchain or other security protocol code to be authorized from the proposed members match. If so, TEE attestation is used to verify that nodes associated with prospective members of the consortium store the pre-determined type of blockchain or other security protocol code to be authorized. Upon TEE attestation being successful, a consortium network is bootstrapped such that the prospective members become members of the consortium network.
    Type: Grant
    Filed: November 17, 2019
    Date of Patent: January 4, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Mark Russinovich, Manuel Costa, Matthew Kerner, Thomas Moscibroda
  • Patent number: 11212674
    Abstract: An electronic device is provided. The electronic device includes a first processor configured to perform communication with an external electronic device, a second processor configured to execute at least one application, and a secure module configured to include a first interface electrically connected with the first processor, a second interface electrically connected with the second processor, a memory storing subscriber information and biometric information, and a control circuit. The control circuit is configured to provide the subscriber information to the first processor through the first interface, based at least on a request received in connection with the communication from the first processor and provide the biometric information to the second processor through the second interface, based at least on a request received in connection with at least a portion of the at least one application from the second processor.
    Type: Grant
    Filed: May 16, 2019
    Date of Patent: December 28, 2021
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Jungsik Park
  • Patent number: 11210428
    Abstract: Technologies are disclosed herein for running a long-term on-demand service for executing actively-secure computations. A function circuit may be represented as a stream of buckets, in which each bucket represents a logical AND gate. A pool having a plurality of garbled AND gates is generated. Garbled AND gates are randomly selected from the pool for placement in one of the buckets. An output for the bucket is determined by an evaluation of the selected garbled AND gates. The output represents an execution of the logical AND gate. The determined output is applied as a parameter in a secure protocol.
    Type: Grant
    Filed: June 6, 2019
    Date of Patent: December 28, 2021
    Assignee: THE TRUSTEES OF INDIANA UNIVERSITY
    Inventors: Ruiyu Zhu, Yan Huang
  • Patent number: 11210415
    Abstract: A method for sharing data in a multi-tenant database includes receiving, by a target account of a multiple tenant database, access rights of a share object in a first account of the multiple tenant database, wherein the share object has access rights to a database object of the first account and wherein access to the database object of the first account by the target account is based on the access rights of the share object. The method also includes receiving, by one or more processors of the target account, access rights to an alias object, wherein the alias object references the database object of the first account.
    Type: Grant
    Filed: June 14, 2021
    Date of Patent: December 28, 2021
    Assignee: Snowflake Inc.
    Inventors: Benoit Dageville, Thierry Cruanes, Martin Hentschel, Peter Povinec
  • Patent number: 11206242
    Abstract: An approach is disclosed that receives a request from a first device connected to a first network to connect to a second device connected to a second network. In response to verifying that a connection between the first device and the second device is allowed, the approach operates to establish a secure network communications tunnel between the first device and the second device. The secure network communications tunnel is specific to the first and second devices and the first device is inhibited from accessing other devices that are connected to the second network using the secure network communications tunnel. The secure network communications tunnel is then terminated in response to a detection of a security event.
    Type: Grant
    Filed: January 24, 2019
    Date of Patent: December 21, 2021
    Assignee: International Business Machines Corporation
    Inventors: Srinivas B. Tummalapenta, Nikhilkumar V. Shah, Adam L. Griffin, HuyAnh D. Ngo, Paul A. Ragone
  • Patent number: 11204986
    Abstract: Control of a prompt for a credential to unlock a computer-readable storage device is provided. Some embodiments permit identifying a component that encrypted the computer-readable storage device and, depending on the identified component, prompting for such a credential. One embodiment can determine that a firmware encrypted the computer-readable storage device and can prompt for a password, for example, to unlock the computer-readable storage device during a boot-up process performed by the firmware. Other embodiments can determine that an operating system encrypted the computer-readable storage device, and can avoid the presentation of a prompt for a password, for example, during a boot-up process performed by the firmware. The computer-readable storage device can be a self-encrypting drive (SED) or another type of disk drive.
    Type: Grant
    Filed: June 28, 2019
    Date of Patent: December 21, 2021
    Assignee: American Megatrends International, LLC
    Inventors: Srinivasan N. Rao, Karthika Ramasubramanian
  • Patent number: 11201867
    Abstract: One or more embodiments of the present specification relate to a data processing method for binding server accounts. An example method includes, in response to obtaining a binding request, determining a first account, and sending binding request feedback data to a terminal device. In response to obtaining binding object selection data that indicates a selection of candidate binding objects presented by the terminal device, a respective target binding object is determined for each selected candidate binding object, and a respective target server is determined for each target binding object. For each target server, the first account is bound to a second account of the target server.
    Type: Grant
    Filed: June 30, 2021
    Date of Patent: December 14, 2021
    Assignee: ALIPAY LABS (SINGAPORE) PTE. Ltd.
    Inventor: Haijian Jiang
  • Patent number: 11201864
    Abstract: Methods and systems for providing vendor agnostic captive portal authentication in a network that includes a plurality of network access devices are provided. For instance, one method includes receiving a redirect request for a communication between a first user-terminal and a first network access device, the redirect request including at least one of a vendor-specific item of information of the first network access device and an Internet Protocol (IP) address of the first network access device. The method further includes comparing the at least one of the vendor-specific item of information of the first network access device and the IP address of the first network access device against each of a plurality of entries of a network access device database, and providing the first user-terminal access to a captive portal page in response to an appropriate match.
    Type: Grant
    Filed: June 3, 2019
    Date of Patent: December 14, 2021
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Rajesh Kumar Ganapathy Achari, Anoop Kumaran Nair, Venkatesh Ramachandran, Pattabhi Attaluri, Bhagya Prasad Nittur, Antoni Milton
  • Patent number: 11196756
    Abstract: Systems and methods are provided for identifying network addresses and/or IDs of a deduplicated list among network data, machine data, and/or events derived from network data and/or machine data, and for identifying notable events by searching for the presence of network addresses and/or network IDs that are deduplicated across lists received from multiple external sources. One method includes receiving a plurality of lists of network locations, wherein each list is received from over a network, wherein each of the network locations includes a domain name or an IP address, and wherein at least two of the plurality of lists each include a same network location; aggregating the plurality of lists of network locations into a deduplicated list of unique network locations; and searching network data or machine data for a network location included in the deduplicated list of unique network locations.
    Type: Grant
    Filed: January 31, 2017
    Date of Patent: December 7, 2021
    Assignee: Splunk Inc.
    Inventors: Mark Seward, John Robert Coates
  • Patent number: 11196726
    Abstract: An Internet Key Exchange protocol message indicating a first Internet Protocol Security traffic flow is to be established via a first device is obtained at the first device. The Internet Key Exchange protocol message is forwarded from the first device to a second device. An encryption key used to transmit traffic via the first Internet Protocol Security traffic flow is received at the first device from a key value store. The key value store is populated with the encryption key in response to the second device obtaining the Internet Key Exchange protocol message. A first data packet to be transmitted via the first Internet Protocol Security traffic flow is obtained at the first device. The first device provides the first data packet encrypted with the encryption key of the first Internet Protocol Security traffic flow.
    Type: Grant
    Filed: May 2, 2019
    Date of Patent: December 7, 2021
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Andree Toonk, Grzegorz Boguslaw Duraj, Alvin Sai Weng Wong, Kyle Mestery
  • Patent number: 11188685
    Abstract: A system is described that secures application data being maintained in transient data buffers that are located in a memory that is freely accessible to other components of the system, regardless as to whether those components have permission to access the application data. The system includes an application processor, a memory having a portion configured as a transient data buffer, a hardware unit, and a secure processor. The hardware unit accesses the transient data buffer during execution of an application at the application processor. The secure processor is configured to manage encryption of the transient data buffer as part of giving the hardware unit access to the transient data buffer.
    Type: Grant
    Filed: February 22, 2019
    Date of Patent: November 30, 2021
    Assignee: Google LLC
    Inventors: Osman Koyuncu, William Alexander Drewry
  • Patent number: 11184356
    Abstract: This invention relates to a method and a system for performing seamless authentication and identification of a mobile subscriber requesting to access a 3rd Party Merchant's online platform. The subscriber verification system intercepts a message sent from a first network node to a second network node during a data session establishment procedure. The subscriber verification system extracts a first set of identification values associated with a user equipment (UE) from the intercepted message. After the data session is established, the UE sends an encrypted request to access the Merchant server. The Merchant server identifies a second set of identification values associated with the encrypted request and sends them for validation to the subscriber verification system. The second set of identification values is compared against the first set of identification values. If the two sets of identification values match, the UE is authenticated.
    Type: Grant
    Filed: March 31, 2021
    Date of Patent: November 23, 2021
    Assignee: Syniverse Technologies, LLC
    Inventors: Ravi Tandon, Huiyue Xu, Himanshu Garg
  • Patent number: 11178145
    Abstract: Disclosed is a network apparatus and a control method thereof. The network apparatus includes: a memory and a processor, which creates a first account based on a request for creating a new account from a first user device, associates first authentication information with the first account and stores the first authentication information in association with the first account in the memory, the first authentication information being information received from the first user device for authentication with a first service provider server, allows a second user device connected to the network apparatus using the first account to access the first authentication information associated with the first account in the memory, and facilitates the second user device to perform authentication with the first service provider server based on the first authentication information.
    Type: Grant
    Filed: March 12, 2019
    Date of Patent: November 16, 2021
    Assignee: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Sejung Chang, Daewon Seo, Bongsung Yu
  • Patent number: 11178137
    Abstract: A data communication system has an IoT device, an information processing device capable of performing communication with the IoT device, and a server capable of performing communication with the IoT device and the information processing device. When a coupling request from the IoT device is received, the information processing device requests the server for a tentative common key which is temporarily valid. When a request for a tentative common key from the information processing device is received, the server generates a tentative common key and transmits the tentative common key to the information processing device. The information processing device transmits the received tentative common key to the IoT device, and the IoT device and the server perform authentication by using the tentative common key.
    Type: Grant
    Filed: May 10, 2019
    Date of Patent: November 16, 2021
    Assignee: RENESAS ELECTRONICS CORPORATION
    Inventors: Takahide Todoroki, Koichi Sato, Kazuhiko Noto
  • Patent number: 11176264
    Abstract: An information security system that includes a data control engine configured to receive a data request identifying a first reference tag that is associated with a data file. The data control engine is further configured to identify a first set of encrypted data blocks that are linked with the reference tag and location information for the first set of encrypted data blocks from a data information table. The data control engine is further configured to extract the first set of data blocks from a memory based on the location information. The data control engine is further configured to identify access keys associated with the first set of encrypted data blocks from the data information table and to decrypt the first set of encrypted data blocks using the identified access keys. The data control engine is further configured to reconstruct the data file using the decrypted first set of data blocks.
    Type: Grant
    Filed: August 20, 2019
    Date of Patent: November 16, 2021
    Assignee: Bank of America Corporation
    Inventors: Manu J. Kurian, Michael R. Young, Jo-Ann Taylor