Abstract: In an example, there is disclosed a data exchange layer (DXL) broker, including: a hardware platform including a processor and a memory; a DXL service store; a traditional internet protocol (IP) network stack; a DXL driver to operate a DXL layer on top of the traditional IP network stack; and instructions encoded within the memory to: enumerate a plurality of DXL endpoints connected to the DXL broker via the traditional IP network stack; store IP network routing information and DXL identification information for the DXL endpoints in the DXL service store; receive a DXL message for a DXL endpoint, the DXL message including DXL identification information for one of the plurality of DXL endpoints; and route the DXL message to the one of the plurality of DXL endpoints via the IP network routing information for the one of the plurality of DXL endpoints.

Abstract: Systems, devices and methods to protect a regional network (e.g., home network) by monitoring devices connected to and attempting to connect to the regional network. Monitoring includes assessing and addressing security concerns regarding devices attempting to or available to connect to the regional network as well as monitoring configurations and activity of connected devices. Devices to monitor include: computers, Personal Digital Assistants (PDAs), laptops, tablets, home appliances, smartphones, smart televisions, and any other type of device in the logical proximity of the regional network.

Abstract: Particular embodiments described herein provide for an electronic device that includes a binder kernel driver. The binder kernel driver can be configured to receive an application program interface (API) call, extract metadata from the API call, determine that the API call should be hooked based on the extracted metadata, and hook the API call.

Abstract: Systems and methods for real-time user verification in online education are disclosed. In certain example embodiments, user identifying information associated with a user and a request to access online education content may be received from a user device. A face template including historical facial image data for the user can be identified. Current facial image data can be compared to the face template to determine if a match exists. Biometric sensor data, such as heart rate data, may also be received for the user. The biometric sensor data may be evaluated to determine if the user is currently located at the user device. If the user is currently located at the user device and the current facial image data matches the face template, access to the online education content may be provided to the user at the user device.

Abstract: In an example, there is a disclosed a computing apparatus, including: a psychological state data interface to receive psychological state data; one or more logic elements, including at least one hardware element, including a verification engine to: receive a requested user action; receive a psychological state input via the psychological state data interface; analyze the psychological state input; and bar the requested user action at least partly responsive to the analyzing.

Abstract: Technologies for privacy-safe security policy evaluation are disclosed herein.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to identify a process running on the electronic device, assign a reputation to the process if the process has a known reputation, determine if the process includes executable code, determine a reputation for the executable code, and combine the reputation for the executable code with the reputation assigned to the process to create a new reputation for the process.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a performance monitoring unit (PMU); and one or more tangible, non-transitory computer-readable mediums having stored thereon executable instructions to provide a kernel space threat detection engine to: receive a PMU event; correlate the PMU event to a computer security threat including extracting artifacts from the PMU event, and correlating the artifacts to an artifact profile for a known attack; and identify a process associated with the PMU event as a potential attack.

Abstract: Example firewalls disclosed herein populate a first dynamic object of a firewall rule with first information to identify a first updateable set of devices that satisfy a first one of a plurality of conditions associated with the firewall rule, the first information based on first data obtained from an appliance that monitors communication traffic in at least a portion of a network. Disclosed example firewalls also populate a second dynamic object of the firewall rule with second information to identify a second updateable set of devices that satisfy a second one of the conditions associated with the firewall rule, the second information based on second data obtained from an external data source. Disclosed example firewalls further determine, based on the first dynamic object and the second dynamic object, whether the firewall rule is to apply to first network traffic associated with a first device in communication with the network.

Abstract: There is disclosed in one example, a computing apparatus, including: a hardware platform including a processor and a memory; a network interface; a data exchange layer (DXL) application programming interface (API), the DXL API including instructions to communicatively couple the apparatus to a DXL bus and provide a DXL abstraction layer on top of a TCP/IP-based communication network; and a reputation engine including instructions encoded within memory to instruct the processor to: receive a plurality of DXL messages from a first DXL endpoint; compute a composite reputation for the first DXL endpoint; receive from a second DXL endpoint a DXL message requesting a reputation for the first DXL endpoint; establish a private topic on the DXL bus between the computing apparatus and the second DXL endpoint; and publish the composite reputation to the private topic.

Abstract: Technologies are provided in embodiments to protect private data. Embodiments are configured to intercept a network flow en route from a server to a client device, identify a request for a private data item in an object of the network flow, identify the private data item in a data store, provide, to the client device, a modified object including an authorization request, and send the private data item to the server when valid authorization information is received. Embodiments are also configured to receive authorization information from the client device, determine whether the authorization information is valid, and obtain the private data item if the authorization information is determined to be valid. Embodiments may also be configured to determine an unlocking mechanism for the private data item, and create a modified object including the authorization request based, at least in part, on the unlocking mechanism.

Abstract: There is disclosed in one example a computer-implemented anti-ransomware method, including: selecting a file for inspection; assigning the file to a type class according to a file type identifier; receiving an expected byte correlation for the type class; computing, according to a byte distribution of the file, a byte correlation for the file; comparing, via statistical analysis, the byte correlation to the expected byte correlation; and determining that the file has been compromised, including determining that the file has a byte correlation that deviates from the expected byte correlation by more than a threshold, taking a ransomware remediation action for the file.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to allow for the mitigation of ransomware. For example, the system can determine that an application begins to execute, determine that the application attempts to modify a file, determine a file type for the file, and create a security event if the application is not authorized to modify the file type. In another example, the system determines an entropy value between the file and the attempted modification of the file, and create a security event if the entropy value satisfies a threshold or determine a system entropy value that includes a rate at which other files on the system are being modified by the application, and create a security event if the system entropy value satisfies a threshold.

Abstract: There is disclosed in one example a computing apparatus, including: a processor and a memory; a uniform resource locator (URL) reputation store; a network interface; and instructions encoded within the memory to instruct the processor to: receive via the network interface a request for a reputation for a URL; query the URL reputation store and determine that the URL does not have a known reliable reputation; add the URL to a URL analysis queue; perform a rough analysis of the URL, and determine from the rough analysis that the URL potentially is for a phishing website; and move the URL ahead in the analysis queue.

Abstract: Particular embodiments described herein provide for a system that can be configured to communicate chat session data during a chat session to a first display of a first electronic device, communicate the chat session data during the chat session to a second display of a second electronic device, receive sensitive data during the chat session from the first electronic device, and protect the sensitive data from being displayed on the second display during the chat session without breaking continuity of the chat session.

Abstract: There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; a network interface; a user-space application including instructions to interact with a web site via a uniform resource locator (URL); and a security agent including instructions to: intercept an interaction of the user-space application with the web site; determine that the intercepted interaction is to send sensitive information to the web site; suspend the interaction; and assign a reputation to the URL.

Abstract: Methods, systems, and media for determining application permissions are provided. In some embodiments, the method comprises: receiving a description of an application to be installed on a user device and a group of permissions required by the application; identifying a subset of words in the description of the application; determining an expected group of permissions based on the subset of words; comparing the group of permissions required by the application and the expected group of permissions; determining a privacy score associated with the application based on the comparison of the group of permissions required by the application and the expected group of permissions; and causing the application to be installed on the user device based on the privacy score associated with the application.

Abstract: The present disclosure relates to a system and method for providing a service on a wearable device where the wearable device is limited in its functionality in some way when compared with a companion device. In particular, the disclosure describes use cases for configuring the wearable device, and use cases for configuring a wearable device and performing service application functions on the wearable device while leveraging a companion device.

Abstract: A pre-boot initialization technique for a computing system allows for encrypting both a manufacturer and original equipment manufacturer firmware routines, as well as handing off data between the manufacturer and original equipment manufacturer firmware routines encrypted with a key provisioned in field programmable fuses with an original equipment manufacturer key. By encrypting the firmware routines and handoff data, security of the pre-boot initialization process is enhanced. Original equipment manufacturer updatable product data may also be encrypted with the original equipment manufacturer key. Additional security may be provided by using trusted input/output capabilities of a trusted execution environment to display information to and receive information from a user. Furthermore, multiple secure phases of configuration may be achieved using wireless credentials exchange components.

Abstract: Particular embodiments described herein provide for system that can be configured to deliver a notification to a user based on the user's preference for each device that receives the notification. The user's preference is based on how the user interacted with similar notifications in the past and the system can change how it will deliver similar notifications to the user in the future based on how the user interacts with the notification.