Patents Examined by Andrew J Steinle
  • Patent number: 10985916
    Abstract: An apparatus receives a signal to perform secure erasure of a storage medium. The apparatus, responsive to reception of the signal, erases the storage medium by performing at least the following operations. An encryption key is erased. The encryption key is stored on the storage medium and is used to encrypt data on the storage medium. The apparatus generates a fake encryption key that is different from the encryption key and stores the fake encryption key on the storage medium. The encryption key and/or fake encryption key may be stored on the medium in multiple parts. The encryption key may be generated using random data from the medium. The apparatus may be the storage medium or a computer system that accesses the storage medium. The erasure can be performed in response to a request by a user. The medium may be an erasure-resistant storage medium.
    Type: Grant
    Filed: October 31, 2017
    Date of Patent: April 20, 2021
    Assignee: International Business Machines Corporation
    Inventors: Diana Arroyo, Jia Jun Brandon Lum, Alaa Youssef
  • Patent number: 10979441
    Abstract: Disclosed are various embodiments of a method and system for network access control. The method may involve traffic monitoring and vulnerability detection using process information. The system may analyze the vulnerability as a process malfunctioning where preventive action focuses on process blocking as opposed to host blocking, which can lead to improved performance and productivity of a network. Techniques may use process related information, connection information, and network packet information for network control. The information may be matched against a plurality of signatures to identify and detect a known vulnerability in network activities. On the basis of a match, a verification report may be established. Techniques may further check whether a verification report is applicable to a process associated with a network packet and allow or block the process running on the host based on the report.
    Type: Grant
    Filed: June 18, 2019
    Date of Patent: April 13, 2021
    Assignee: Sophos Limited
    Inventors: Jimit Hareshkumar Mahadevia, Shalvi D. Dave, Bhushan H. Trivedi
  • Patent number: 10977053
    Abstract: Remote administration of initial computer operating system setup options is facilitated by systems and mechanisms that provide such initial setup options to a computing device during an earlier stage of the operating system setup. An administrator defines, in a profile, how such initial setup options are to be set and when an operating system is being set up it communicates with licensing servers to validate the copy of the operating system. If authorized, and if set up by an administrator, initial setup options are provided to the computing device at such an early stage of the operating system setup. Processes executing on the computing device then utilize software licensing application program interfaces to not only validate the copy of the operating system, but also to set the initial setup options in the manner pre-specified by the administrator. A customized directory service login user interface is one such initial setup option.
    Type: Grant
    Filed: June 27, 2019
    Date of Patent: April 13, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Namrata Shankar Puri, Anna Barhudarian, Siddharth Mantri, Hakki Tunc Bostanci, Marc Shepard
  • Patent number: 10972464
    Abstract: A network system that can easily augment security is provided. The network system includes an information device included in an internal network connected to an external network, the information device transmitting specific information including its own identification information and device information provided in advance, in conformity with a predefined protocol; and a management unit that monitors the internal network, and collects the specific information from the information device in conformity with the predefined protocol. The management unit collects specific information from an unknown information device, notifies a user of an authorization request for the unknown information device on the basis of the collected specific information, and determines whether or not to authorize access of the unknown information device to the internal network, in accordance with a response from the user to the authorization request.
    Type: Grant
    Filed: October 30, 2018
    Date of Patent: April 6, 2021
    Assignee: SMK Corporation
    Inventors: Junsoo Kim, Haruhiko Kondo
  • Patent number: 10958647
    Abstract: Systems, methods, and apparatuses are described for authenticating a user device and/or user application. A user device may receive, based on a first authentication request, a plurality of messages sent over a plurality of channels of communication (e.g., a message to a URL address associated with the user device and a binary Short Message Service (SMS) message). Based on information from the messages, the user device may transmit a second authentication request.
    Type: Grant
    Filed: December 29, 2017
    Date of Patent: March 23, 2021
    Assignee: Comcast Cable Communications, LLC
    Inventors: Vinayaka Poovappa, Saravanan Muthusamy, Ken Landry, Rajesh Sonak
  • Patent number: 10951419
    Abstract: Techniques are disclosed relating to the secure communication of devices. In one embodiment, a first device is configured to perform a pairing operation with a second device to establish a secure communication link between the first device and the second device. The pairing operation includes receiving firmware from the second device to be executed by the first device during communication over the secure communication link, and in response to a successful verification of the firmware, establishing a shared encryption key to be used by the first and second devices during the communication. In some embodiments, the pairing operation includes receiving a digital signature created from a hash value of the firmware and a public key of the second device, and verifying the firmware by extracting the hash value from the digital signature and comparing the extracted hash value with a hash value of the received firmware.
    Type: Grant
    Filed: August 9, 2019
    Date of Patent: March 16, 2021
    Assignee: Apple Inc.
    Inventors: Tristan F. Schaap, Conrad Sauerwald, Craig Marciniak, Jerrold V. Hauck, Zachary F. Papilion, Jeffrey Lee
  • Patent number: 10951651
    Abstract: A plurality of containers related to one or more containerized applications are managed by monitoring an execution of the one or more containers; determining that a given one of the one or more containers exhibits anomalous behavior; and in response to the determining, adjusting a retention time of the given container, wherein the retention time of the given container determines when the given container is one or more of terminated and changes role to a honeypot container. The anomalous behavior comprises, for example, the given container exhibiting behavior that is different than a learned baseline model of the given container or including program code consistent with malicious activity. An alert notification of the anomalous behavior is optionally generated. The retention time of the given container can be adjusted, for example, to an interval between deployment of the given container and the time the anomalous behavior is detected.
    Type: Grant
    Filed: October 30, 2017
    Date of Patent: March 16, 2021
    Assignee: EMC IP Holding Company LLC
    Inventors: Oron Golan, Raul Shnier, Amos Zamir, Aviram Fireberger, Yevgeni Gehtman
  • Patent number: 10951661
    Abstract: A distributed system hosts a plurality of programming interfaces managed according to a hierarchy of security policies. In response to receiving a request from a client to invoke one of the programming interfaces, the system determines whether the client is authorized to call the programming interface by mapping from an attribute of the client to a location in the hierarchy. The system calls the interface in response to determining that the client is authorized to call programming interfaces associated with the location. The programming interface implements the security policy that corresponds to the location.
    Type: Grant
    Filed: May 8, 2018
    Date of Patent: March 16, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Eran Medan, Matthew Ira Bretan, Ian Matthew Gary Meyers, Frank Leslie Van Deman, V
  • Patent number: 10944751
    Abstract: Methods, systems, and computer programs for generating cryptographic function parameters are described. In some examples, source code that defines seed information and a pseudorandom function is accessed. A parameter for a cryptographic function by operation of one or more data processors is generated. The parameter is generated from the seed information and the pseudorandom function. The parameter has a larger size in memory than the source code that defines the seed information and the pseudorandom function.
    Type: Grant
    Filed: August 1, 2019
    Date of Patent: March 9, 2021
    Assignee: BlackBerry Limited
    Inventor: Daniel Richard L. Brown
  • Patent number: 10938575
    Abstract: A digital signature over a message may be compressed by determining a plurality of values based at least in part on the message. A mapping of the plurality of values over a digital signature scheme may be used to determine a value from which a portion of the compressed digital signature is decompressible by cryptographically deriving one or more components of the uncompressed digital signature. A public key may be used to verify the authenticity of the compressed digital signature and message.
    Type: Grant
    Filed: December 16, 2019
    Date of Patent: March 2, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory Alan Rubin, Matthew John Campagna, Nicholas Alexander Allen
  • Patent number: 10938844
    Abstract: A method, computer-readable medium, and apparatus for classifying mobile traffic for securing a network or a mobile user endpoint device are disclosed. For example, a method may include a processor for classifying mobile network traffic using a probabilistic model for a plurality of mobile software applications based on a distribution of domain names, detecting an anomaly associated with a mobile software application of the plurality of mobile software applications, and performing a remedial action to address the anomaly.
    Type: Grant
    Filed: July 22, 2016
    Date of Patent: March 2, 2021
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: Jeffrey Bickford, Wei Wang
  • Patent number: 10936742
    Abstract: A computer system for securing computer files from modification may include a processor; a first data storage area operatively coupled to the processor; a non-volatile second data storage area; and a control circuit. The second data storage area may be physically separate from the first data storage area. The second data storage area may store files that are executable by the processor, including executable files of an operating system configured to save temporary files on the at least a first data storage area. The control circuit may operatively couple the second data storage area to the processor, and may be operable in a first mode configured to block commands received from the processor and configured to modify the second data storage area from being communicated to the second data storage area. In a second mode, all commands may be allowed to the first and second data storage areas.
    Type: Grant
    Filed: July 1, 2019
    Date of Patent: March 2, 2021
    Assignee: CRU DATA SECURITY GROUP, LLC
    Inventors: Larry Hampel, Randal Barber
  • Patent number: 10929512
    Abstract: Authentication translation is disclosed. A request to access a resource is received at an authentication translator, as is an authentication input. The authentication input corresponds to at least one stored record. The stored record is associated at least with the resource. In response to the receiving, a previously stored credential associated with the resource is accessed. The credential is provided to the resource.
    Type: Grant
    Filed: January 27, 2020
    Date of Patent: February 23, 2021
    Assignee: RightQuestion, LLC
    Inventor: Bjorn Markus Jakobsson
  • Patent number: 10924275
    Abstract: Generally described, one or more aspects of the present application correspond to techniques for creating multiple encrypted block store volumes of data from an unencrypted source. These encryption techniques can use a transform fleet as an intermediary between the unencrypted source and the encrypted volumes. The transform fleet can obtain data of the volume from one or both of two sources—an object storage “snapshot” and a block storage “source volume”—and can then apply the appropriate encryption key for performing the encryption of a particular volume.
    Type: Grant
    Filed: September 28, 2018
    Date of Patent: February 16, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Sandeep Kumar, Arvind Chandrasekar, Lalit Jain, James Pinkerton, Marc Stephen Olson, Danny Wei, Sriram Venugopal
  • Patent number: 10915630
    Abstract: A method includes identifying an impersonating message, transmitted over a Controller Area Network (CAN) bus by an attacking node connected to the bus, that appears to originate from a source other than the attacking node. The method further includes, in response to identifying the impersonating message, driving the attacking node into an error-passive state in which an ability of the attacking node to communicate over the bus is limited, relative to before entering the error-passive state. The method further includes, subsequently to driving the attacking node into the error-passive state, driving the attacking node into a bus-off state in which the attacking node cannot communicate over the bus, by transmitting, over the bus, a plurality of passive-error-flag-trumping messages that collide with, and trump, respective instances of a passive-error flag that the attacking node transmits over the bus. Other embodiments are also described.
    Type: Grant
    Filed: January 30, 2020
    Date of Patent: February 9, 2021
    Assignee: RAMOT AT TEL-AVIV UNIVERSITY LTD.
    Inventors: Tsvika Dagan, Avishai Wool
  • Patent number: 10917385
    Abstract: A network device includes match filters to be applied to packets transiting two or more network interfaces. In one example, a network device includes a filtering unit configured to apply one or more filters to a first packet transiting a first network interface to determine a first rule the first packet matches, send the first packet and data representing the first network interface to a first accounting filter associated with the first rule, apply the filters to a second packet transiting a second network interface to determine a second rule that the second packet matches, the second packet being different than the first packet, and the second network interface being different than the first network interface, and send the second packet and second data representing the second network interface to a second accounting filter associated with the second rule.
    Type: Grant
    Filed: December 29, 2017
    Date of Patent: February 9, 2021
    Assignee: Juniper Networks, Inc.
    Inventors: Shivayogi Ugaji, Robin N. Maleche, Saravanan Deenadayalan
  • Patent number: 10897470
    Abstract: An example system may comprise a first computing device comprising instructions executable by a hardware processor to: create, responsive to detecting a second computing device initially attempting to connect to a network, an unpopulated baseline profile for the second computing device; populate the baseline profile with initial processes running on the second computing device and initial system calls made by the initial processes during an initial operation time period of the second computing device; monitor, during a subsequent operation time period of the second computing device, subsequent processes running on the second computing device and subsequent system calls made by the subsequent processes; and detect an attack on the second computing device based on a comparison of the subsequent processes and the subsequent system calls to the populated baseline profile.
    Type: Grant
    Filed: January 31, 2018
    Date of Patent: January 19, 2021
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Puneet Sharma, Anand Mudgerikar
  • Patent number: 10885188
    Abstract: There is provided a method of reducing the false positive rate by using available contextual information on any sample, such as the file name of the sample at a client machine, the file path folder structure of the sample at the client machine, the download location of the sample and others, thus narrowing down the search space in a first step of generic statistical classification and introducing new specific classifiers deliberately trained for each case.
    Type: Grant
    Filed: December 29, 2017
    Date of Patent: January 5, 2021
    Inventor: Berker Batur
  • Patent number: 10880100
    Abstract: An apparatus includes a processor coupled to a memory wherein the processor and the memory are configured to provide a secure execution environment. The memory includes a shared secret value. The processor is configured to receive a certificate, wherein the certificate includes a device identifier and a digital signature. The processor validates the certificate based on the digital signature and the device identifier, recovers a cryptographic key based on the shared secret value and the device identifier, and performs a cryptographic operation based on the recovered cryptographic key.
    Type: Grant
    Filed: August 6, 2018
    Date of Patent: December 29, 2020
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Sampo Sovio, Janne Hirvimies, Valentin Manea
  • Patent number: 10880270
    Abstract: A network firewall detects and protects against persistent low volume attacks based on a sequence of network data having a pattern that matches by some threshold or percentage a sequence of network data from an earlier iteration of the same persistent low volume attack. The attack patterns are derived from tokenizing one or more elements from a captured sequence of network data that is representative of an attack iteration. Counts for different resulting tokens may be stored in a feature vector that represents the attack pattern. If subsequent sequences of network data have a sufficient number of similar tokens, a pattern match can be identified and the firewall can take protective action including blacklisting the sending clients, blocking the traffic, redirecting the traffic, sending a problem to verify the sender is an actual user, or other actions.
    Type: Grant
    Filed: February 28, 2018
    Date of Patent: December 29, 2020
    Assignee: Verizon Digital Media Services Inc.
    Inventors: Paul Rigor, Harkeerat Singh Bedi