Abstract: A method that includes receiving, via processing circuitry of a server, a unique identifier having encoded data included in a reference patch embedded in displayed data received by an electronic device, the electronic device being instructed to display the displayed data in a first layer of the electronic device, the server being inaccessible by the first layer of the electronic device; identifying an identity of a user based on the unique identifier of the reference patch; upon determining the user is authorized to receive the secondary digital content, transmitting the secondary digital content to the electronic device; and instructing the electronic device to display the secondary digital content in a second layer of the electronic device, the server being accessible by the second layer of the electronic device, the first layer of the electronic device being different from the second layer of the electronic device.

Abstract: An authentication system includes an authentication module maintaining a store of credentials for a set of users. In response to an identity specified by credentials provided from a requestor address not being found in the store of credentials, the authentication module transmits an authentication failure response. In response to the provided credentials matching selected credentials, the authentication module transmits an authentication success response. The authentication system includes an analyzer module configured to determine a number of identity-not-found failures corresponding to a first address, identify a triggering event in response to the number exceeding a predetermined threshold, and, in response to the triggering event, add the first address to a block list.

Abstract: The present disclosure is directed towards systems and methods for validation of a secure socket layer (SSL) certificate of a server for clientless SSL virtual private network (VPN) access. An intermediary device can receive a first request from a client for a clientless SSL VPN connection to a first server. The intermediary device can determine, using a preconfigured policy, that the first server in the first request meets a condition of the preconfigured policy. The intermediary device 801 can perform, responsive to the determination, an action to validate a SSL certificate of the first server using one or more certificate authority (CA) certificate files available to the intermediary device. The one or more CA certificate files can be specified by the preconfigured policy for the action.

Abstract: Systems and methods for providing for a personal data storage, retrieval, and sharing system are described. One method includes importing known user content during an initial content upload phase. The method further includes storing at least a portion of the known user content in a user information database. The method further includes identifying the first document and the second document as including duplicate data or being duplicate copies of one another. The method further includes identifying the second document as a master copy. The method further includes extracting data from the second document. The method further includes extracting additional data associated with the user from the account holder database. The method further includes aggregating the extracted data and the extracted additional data. The method further includes updating user information associated with a user account of the user based on the aggregated data.

Abstract: Methods and apparatuses are described for decentralized authorization of user access requests in a distributed service architecture. A gateway node receives a user access request from a remote computing device. The gateway generates a signed and encrypted access token based upon the user access request using an authorization service node and a key management service node. The gateway transmits the access token, the user access request, and a security certificate received from the authorization service to a security proxy node of a microservice container. The security proxy validates the certificate and the access token. The security proxy decrypts the access token using a public key from the certificate, and determines user authorization to access a service endpoint node based upon the decrypted token. The security proxy transmits the user access request to the service endpoint, which provides the remote device with access to services based upon the user access request.

Abstract: A data processing method based on an integrated chip is provided. The method includes providing computing information of a trusted computing chip to a high-speed encryption chip, and invoking the high-speed encryption chip to perform data encryption or trusted computing based on the computing information. As such, after these two types of chips are integrated, these two types of secure computing (the trusted computing and the data encryption) can share common computing information. Compared with using individual sets of computing information before integration, corresponding hardware and management costs are reduced. Moreover, the trusted computing chip is superior to the high-speed encryption chip in terms of functional integrity and reliability for data encryption functions. Storing the computing information by the trusted computing chip can improve the security of the data encryption.

Abstract: In one or more examples, there is disclosed a system and method of detecting agent presence for self-healing. An out-of-band monitoring process, such as Intel® AMT, or any process in firmware executing on a co-processor, may monitor one or more processes to determine if one goes down or otherwise meets a security criterion. Crashed processes may be reported to an enterprise security controller (ESC). The ESC may notice trends among affected machines and instruct the machines to take appropriate remedial action, such as booting from a remedial image.

Abstract: A third-party intermediary manages a protocol that prohibits the third-party intermediary from substantively accessing data content that, at least in part, underlies received protocol-compliant requests. By one approach, these teachings provide for preventing substantive access to data information that is included within the protocol-compliant request as one or more functions of data, parts of which data may be in tokenized or untokenized form, wherein the values of the functions are generated using secrets, at least one of which is unavailable to the third-party intermediary. By one approach, tokens comprised of data in tokenized form are generated using secrets, at least one of which is unavailable to the third-party intermediary.

Abstract: A coordinating network element manages a protocol that prohibits the coordinating network element from substantively accessing data content that, at least in part, underlies received protocol-compliant requests. By one approach, these teachings provide for preventing substantive access to data information that is included within the protocol-compliant request in tokenized form, wherein the tokens are generated using secrets, at least one of which is unavailable to the coordinating network element.

Abstract: Disclosed systems and methods implement a tracking system that tracks accesses to a TPM-secured key. In embodiments, the key may be encrypted using an encryption key, which is sealed using the TPM. A first value indicating an initial access state of the key is stored in a PCR of the TPM, and the encryption key is sealed against the PCR, so that it can be unsealed when contents of PCR match a next value derived from the first value. When the key is accessed, contents of the PCR is verified against an expected access state. If successfully verified, the PCR is extended hold the next value, the encryption key is unsealed, and the key decrypted. With each access, the encryption key is repeatedly resealed against the successive states stored in PCR. In this manner, the PCR may be used to track accesses and detect unauthorized accesses to the key.

Abstract: A client system comprises processing circuitry configured to receive, from a user device, a first access request comprising a first instruction to access a protected resource; transmit a token request for an access token to be used for accessing the protected resource; and receive an access token in response to the token request, the access token having a corresponding time to expire. The client system comprises a token storage unit configured to store the access token. The processing circuitry is further configured to receive a rejection message indicating that the access token is not valid for receiving the protected resource; and store, at the token storage unit, an invalidation flag associated with the stored access token, in response to receiving the rejection message.

Abstract: A system for secured logging of a second event. The system includes a logging device and a triggering device The triggering device receives an input related to the second event, creates second event message based on received input related to the second event, and receives the first set of data related to first logged event from the logging device. The triggering device further creates a first position-lock data from the first set of data, creates a second append request, and provides the second append request to the logging device. The logging device is configured to verify the second append request. Based on positive verification, the logging device creates a logging device signature over a second log-append-approval, and combines the created logging device signature with the provided second append request to form a second logged event.

Abstract: Systems and methods, disclosed herein, of a campaign controller that stores information to a database about execution of multiple simulated phishing campaigns for multiple users, where each of the simulated phishing campaigns use one or more models for communicating simulated phishing communications. Based on this information, the campaign controller may determine a rate of success of the model, in causing a user to interact with a link in one of the simulated phishing campaigns, and may display the model's rate of success via a user interface.

Abstract: The technology disclosed describes a system. The system comprises a network security system interposed between clients and cloud applications. The network security system is configured to receive one or more incoming requests from a client during an application session, inject one or more synthetic requests into the application session independently of the incoming requests to transmit the synthetic requests to the cloud application, and receive one or more responses to the synthetic requests from the cloud application.

Abstract: It is provided a method for controlling access to an access object. The method is performed in an electronic key device and comprises the steps of: communicating with an access control device to obtain an identity of the access control device; sending an access request to a server, the access request comprising an identity of the electronic key device and the identity of the access control device; receiving a response from the server, the response comprising a key delegation to the electronic key device; and sending a grant access request to the access control device, the grant access request comprising the key delegation, to allow the access control device to evaluate whether to grant access to the access object based on a plurality of delegations comprising a sequence of delegations.

Abstract: In some examples, a non-transitory computer-readable medium storing instructions executable by the processing resource to store an encryption key on the AP, at the AP, decrypt a management frame with the stored encryption key to determine state information of a station, store the state information, and generate a management frame at the AP based on the stored state information.

Abstract: Disclosed herein are systems and methods for blocking network connections to network resources of forbidden categories.

Abstract: Disclosed herein are methods, systems, and processes for continuously renewing credentials in application development and testing environments that include application products from third-party vendors. A notification indicating that an existing credential associated with a developer account of a third-party application will expire is received via a webhook. A credential renewal request for a new set of credentials for the developer account is sent using a request method specified for the third-party application and the new set of credentials for the developer account are received within the expiration period via the webhook.

Abstract: Cloud-based Intrusion Prevention Systems (IPS) include receiving traffic associated with a user of a plurality of users, wherein each user is associated with a customer of a plurality of customers for a cloud-based security system, and wherein the traffic is between the user and the Internet; analyzing the traffic based on a set of signatures including stream-based signatures and security patterns; blocking the traffic responsive to a match of a signature of the set of signatures; and performing one or more of providing an alert based on the blocking and updating a log based on the blocking.

Abstract: To determine whether an IoT system connected with a network environment (e.g., the internet) is compromised, a networked Trust as a Service (TaaS) server receives system data indicative of various characteristics of the IoT system, wherein the system data is harvested by a software agent installed on the IoT system. The TaaS server initially establishes a baseline characteristics profile for the IoT system, such that subsequently received system data from the software agent may be compared against the baseline characteristics profile to quickly identify discrepancies between the originally established baseline characteristics profile and current operating characteristics of the system. Such discrepancies may be caused by desirable software updates, in which case the discrepancies may be integrated into the baseline characteristics profile, or the discrepancies may result from the IoT system being undesirably compromised.