Patents Examined by Baotran N. To
  • Patent number: 10601876
    Abstract: Disclosed embodiments relate to systems and methods for identifying inconsistencies between network security applications. Techniques include identifying a plurality of network security applications, each having a corresponding network security policy; determining that at least one of the plurality of network security applications has a corresponding network security policy that does not comply with a normalization model; implementing the network security policy that does not comply with the normalization model on an endpoint computing resource; determining a result of the implementing with respect to a requested action on the endpoint computing resource; identifying, based on the result of the implementing, at least one inconsistency between how the plurality of network security applications address the requested action; and performing, based on the identifying of the inconsistency, at least one of: generating a report identifying the inconsistency, or reconciling the identified inconsistency.
    Type: Grant
    Filed: November 27, 2019
    Date of Patent: March 24, 2020
    Assignee: CyberArk Software Ltd.
    Inventor: Amir Levy
  • Patent number: 10592983
    Abstract: A user interface is provided for receiving instructions from a user to perform a computer related task (i.e., primary task). A module can run a primary process in the background on a first server to complete the task. Once the task is completed, the module can transmit the results to the user interface to display an output to the user. The user interface includes a button to enable the user to request information relating to a secondary process or task impacted by the primary task. By pressing the button, the user interface can submit a request to the first server or a second server to obtain information relating to the secondary process or task. In response, the user interface can receive a communication from the first or second server and display the information included in the communication to the user.
    Type: Grant
    Filed: March 28, 2019
    Date of Patent: March 17, 2020
    Assignee: CAPITAL ONE SERVICES, LLC
    Inventors: Mark Yamashita, Sundeep Banait
  • Patent number: 10587584
    Abstract: Systems for secure cloud-based collaboration over shared objects. Embodiments operate within systems in a cloud-based environment, wherein one or more servers are configured to interface with storage devices that store objects accessible by one or more users. A process receives an electronic message comprising a user request to access an object. Before providing user access to the object, the system generates a requestor-specific steganographic message that is derived from some portion of requestor identification information and/or other user attributes, and/or object storage parameters. Various forms of a requestor-specific steganographic message are applied to selected portions of the object to generate a requestor-specific protected object, which is then provided to the requestor. A web crawler can identify posted unauthorized protected object disclosures.
    Type: Grant
    Filed: November 3, 2015
    Date of Patent: March 10, 2020
    Assignee: Box, Inc.
    Inventors: Victor De Vansa Vikramaratne, Justin Peng, Minh-Tue Vo Thanh, Josh Kline
  • Patent number: 10581609
    Abstract: A method is provided for authenticating a log message in a distributed network having a plurality of nodes coupled to a serial bus. In the method, a log session is started by a first device at a first node of the plurality of nodes. A first counter value is provided by the first device to the serial bus. A log message is generated by a second device at a second node of the plurality of nodes. A second counter value is generated by the second device. A log message payload is generated for the log message, wherein the log message payload includes a log message authentication code. A computation of the log message authentication code includes the first counter value and the second counter value. The second device does not store the first counter value in a non-volatile memory on the second device.
    Type: Grant
    Filed: October 23, 2017
    Date of Patent: March 3, 2020
    Assignee: NXP B.V.
    Inventor: Thierry G. C. Walrant
  • Patent number: 10579805
    Abstract: A method for enabling data classification and/or enforcement of Information Rights Management (IRM) capabilities and/or encryption in a software application according to which an agent is installed on each terminal device that runs the application and a central management module, which includes the IRM, encryption and classification policy to be enforced, communicates with agents that are installed on each terminal device. The central management module distributes the appropriate IRM and/or classification policy to each agent and applies the policy to any application that runs on the terminal device.
    Type: Grant
    Filed: October 14, 2015
    Date of Patent: March 3, 2020
    Assignee: Microsoft Israel Research and Development (2002)
    Inventors: Yuval Eldar, Roee Oz, Slava Reznitsky
  • Patent number: 10574453
    Abstract: A method for providing certified confidential data collaboration between untrusted parties, including creating a changeset proposal remotely performing a certified operation and passing the changeset proposal to the certified operation, creating a unique changeset reference validating the changeset proposal and creating a state-at-changeset structure extracting a section-state-at-changeset structure from the changeset proposal, performing a cryptographic hash of the state-at-changeset structure and the section-state-at-changeset structure, writing to a local transactional database a changeset fat twin record communicating a changeset reference notification for each fat twin record to the parties, performing a certified operation in a blockchain a certified thin twin smart contract and passing the changeset reference, the cryptographically hashed state-at-changeset structure and the cryptographically hashed section-state-at-changeset structure, validating that a previous certified operation with the same chang
    Type: Grant
    Filed: January 10, 2018
    Date of Patent: February 25, 2020
    Inventor: Ranjit Notani
  • Patent number: 10574466
    Abstract: An external biometric reader and verification device for providing access control to a computing device, and associated methods, are disclosed. The external reader can store and verify biometrics under the control of the computing device and send identity verification messages to the computing device. One disclosed device includes a biometric reader communicatively connected to an external secure microcontroller. The external secure microcontroller stores a set of biometric data and a signing key. The signing key can be injected by a device manufacturer in a controlled key injection room in a manufacturing facility and can be used to sign a certificate. An operating system of the computing device can be programmed to send a request for the certificate, receive the certificate, and predicate control of access to the operating system using the verification messages on verification of the certificate.
    Type: Grant
    Filed: July 11, 2019
    Date of Patent: February 25, 2020
    Assignee: Clover Network, Inc.
    Inventors: Narayanan Gopalakrishnan, Yi Sun, Ketan Patwardhan
  • Patent number: 10574705
    Abstract: In particular embodiments, a data processing data inventory generation system is configured to: (1) generate a data model (e.g., a data inventory) for one or more data assets utilized by a particular organization; (2) generate a respective data inventory for each of the one or more data assets; and (3) map one or more relationships between one or more aspects of the data inventory, the one or more data assets, etc. within the data model. In particular embodiments, a data asset (e.g., data system, software application, etc.) may include, for example, any entity that collects, processes, contains, and/or transfers personal data (e.g., such as a software application, “internet of things” computerized device, database, website, data-center, server, etc.). The system may be configured to identify particular data assets and/or personal data in data repositories using any suitable intelligent identity scanning technique.
    Type: Grant
    Filed: May 6, 2019
    Date of Patent: February 25, 2020
    Assignee: OneTrust, LLC
    Inventors: Kabir A. Barday, Mihir S. Karanjkar, Steven W. Finch, Ken A. Browne, Nathan W. Heard, Aakash H. Patel, Jason L. Sabourin, Richard L. Daniel, Dylan D. Patton-Kuhl, Jonathan Blake Brannon
  • Patent number: 10554677
    Abstract: Techniques to facilitate detection of real user interaction with mobile applications are disclosed herein. In at least one implementation, a mobile application that generates a web service request is executed on a wireless communication device. The wireless communication device executes a client security component of the mobile application to include user behavior attributes in the web service request, and utilizes a mobile application programming interface to transfer the web service request including the user behavior attributes for delivery to a web server. The web server executes a server security component of a web service to extract the user behavior attributes from the web service request and process the user behavior attributes to determine whether or not the mobile application is being operated by a human user.
    Type: Grant
    Filed: March 22, 2016
    Date of Patent: February 4, 2020
    Assignee: CEQUENCE SECURITY, INC.
    Inventors: Shreyans Mehta, Ameya Talwalkar
  • Patent number: 10552623
    Abstract: Non-informational data D is generated as an output using a non-informational data E and informational data as inputs to a function on a computing device in an information-restricted domain. The function may be an XOR and the non-informational data E may be a pseudorandom string of the same length as the informational data. The non-informational data D is moved to an unrestricted domain where it may be managed normally. When the informational data is needed it can be re-generated using the non-informational data D and non-informational data E as inputs to an inverse function (XOR is its own inverse). The non-informational data E may be generated from a smaller random seed.
    Type: Grant
    Filed: January 28, 2016
    Date of Patent: February 4, 2020
    Inventor: David von Vistauxx
  • Patent number: 10552600
    Abstract: In one embodiment, a system includes a media storage device, a processor, and logic integrated with and/or executable by the processor. The logic is configured to cause the processor to associate a first subset of storage space on the media storage device with a first group of applications executing on a hardware processor. The logic is also configured to cause the processor to receive a request from an application to access the first subset of storage space on the media storage device. Moreover, the logic is configured to cause the processor to prevent any application other than an application from the first group of applications from accessing the first subset of storage space on the media storage device. Other systems, methods, and computer program products for defending against ransomware attacks on devices and systems using application authority assignment are described according to more embodiments.
    Type: Grant
    Filed: November 2, 2016
    Date of Patent: February 4, 2020
    Assignee: Lenovo Enterprise Solutions (Singapore) Pte. Ltd.
    Inventors: John Michael Petersen, Gary David Cudak, Shareef Fathi Alshinnawi, Ajay Dholakia
  • Patent number: 10547617
    Abstract: Systems and methods here may be used for authorizing network access including using a controller with a processor and memory, the controller in communication with a first network for controlling access to the first network. From a user equipment having a user registered in a visitor network, an access request to access the first network is received, wherein the access request includes a MAC address of the user equipment. Based on a query performed in a subscriber repository, if the received MAC address is not found, a credential request is sent to the user equipment, and a credential is received from the user equipment. A single use code is generated, stored in the subscriber repository, and sent to the user equipment via a trusted channel. A new code and a new credential are received via the visitor network, and are compared. If the new code and the single use code match, the new credential is registered for re-use by the user equipment.
    Type: Grant
    Filed: September 29, 2017
    Date of Patent: January 28, 2020
    Assignee: ARRIS Enterprises LLC
    Inventors: Doron Givoni, Oleg Pogorelik
  • Patent number: 10546149
    Abstract: A system may include an interface configured to couple to a network, and includes a processor and a memory accessible to the processor. The memory may be configured to store instructions that, when executed, cause the processor to process search results corresponding to multiple data owners to selectively filter personally identifiable information (PII) associated with one or more consumers from the set of search results according to data sharing permissions for each of the data owners to produce filtered results. The instructions may further cause the processor to provide the filtered results to a user device through the network.
    Type: Grant
    Filed: December 9, 2014
    Date of Patent: January 28, 2020
    Assignee: Early Warning Services, LLC
    Inventor: Michael Cook
  • Patent number: 10547590
    Abstract: A technology is provided for proxying network traffic. A computer system activates a proxy function in response to a network communication identified in a compute service of a service provider environment. The system receives parameters from the network communication originating from a client at the proxy function and the parameters identify a destination function and a network packet. The proxy function is applied to the network packet. The system launches the destination function with the network packet and parameters from the proxy function, wherein the destination function is configured to launch on a computing instance of the compute service.
    Type: Grant
    Filed: June 23, 2017
    Date of Patent: January 28, 2020
    Assignee: Amazon Technologies, Inc.
    Inventors: Nicholas Channing Matthews, Felton Samuel Dengler, IV
  • Patent number: 10547640
    Abstract: A security matrix layer between first and second conductive shorting layers is located within a printed circuit board (PCB). The security matrix layer includes at least two types of microcapsules with each type of microcapsule containing a different reactant. When the security matrix layer is accessed, drilled, or otherwise damaged, the microcapsules rupture and the reactants react to form at least an electrically conductive material. The electrically conductive material may contact and short the first and second conductive shorting layers.
    Type: Grant
    Filed: December 5, 2018
    Date of Patent: January 28, 2020
    Assignee: International Business Machines Corporation
    Inventors: Gerald K. Bartley, Darryl J. Becker, Matthew S. Doyle, Joseph Kuczynski, Timothy J. Tofil
  • Patent number: 10530750
    Abstract: The technology disclosed herein enables the enforcement of firewall policies based on high level identification strings. In a particular embodiment, a method provides receiving a first reply from a first identification system directed to a requestor system. In response to determining that the first identification system comprises an identification system trusted by the firewall, the method provides inspecting at least one packet included in the first reply to identify a first network address therein associated with a first high level identification string. The method further provides updating a data structure comprising allowed network addresses with the first network address and, after updating the data structure with the first network address, allowing at least one packet from the requestor system directed to a first destination at the first network address to traverse the firewall system based on the data structure.
    Type: Grant
    Filed: December 14, 2016
    Date of Patent: January 7, 2020
    Assignee: NICIRA, INC.
    Inventors: Jayant Jain, Kausum Kumar, Anirban Sengupta, Rick Lund, Jingmin Zhou
  • Patent number: 10523712
    Abstract: A stochastic estimation approach can be used to provide percentile determinations for data, such as may be received on one or more data streams. A stochastic approach can analyze each received request on a data stream and update the percentile values accordingly, providing near real time adjustment of the percentile values. One or more scaling factors or adjustment boundaries can be applied such that the estimations do not fluctuate excessively in response to individual requests. The near real time updates enable actions to be taken on the data stream, such as to generate alarms or initiate request throttling. The stochastic approach is very light weight, requiring minimal resources and having minimal latency.
    Type: Grant
    Filed: May 24, 2017
    Date of Patent: December 31, 2019
    Assignee: AMAZON TECHNOLOGIES, INC.
    Inventor: Wei Huang
  • Patent number: 10523717
    Abstract: A method includes acts for establishing a subscription for an entity. The method includes receiving, at a cloud service provider, a request from an entity to establish a subscription. The request includes credentials for the entity that are not proper credentials for an organization associated with the entity that the entity should use to access services for the organization. The method further includes performing a corrective action based on detecting one or more factors to determine that the entity is associated with the organization. The method further includes providing services based on the corrective action.
    Type: Grant
    Filed: May 20, 2019
    Date of Patent: December 31, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Ranganathan Srikanth, David James Armour, Ashvinkumar J. Sanghvi, Jeremy Winter, John David Ballard, Dwayne Richard Need, Srivatsan Parthasarathy
  • Patent number: 10516529
    Abstract: An information processing system includes circuitry that stores at least one secret key that corresponds to a public key. The circuitry causes display, on a screen, of information corresponding to the public key and information corresponding to the secret key. The circuitry also modifies the display of the first information corresponding to the public key when the public key is used and the display of the second information corresponding to the secret key when the secret key is used.
    Type: Grant
    Filed: February 13, 2019
    Date of Patent: December 24, 2019
    Assignee: SONY CORPORATION
    Inventor: Koichi Sakumoto
  • Patent number: 10498540
    Abstract: A method and system are provided for improved distributing of a complete software image to all electronic devices of a certain type or model while using encryption to limit its use to specific ones of those devices. In the method, the entire software image is encrypted with a global key and the encrypted software image is distributed to all devices which have the capability of running that software. The global software decryption key for decrypting the software image is uniquely encrypted for every device that is authorized to use the software and the encrypted global software key is distributed to those devices from a field or factory provisioning server across a point-to-point connection.
    Type: Grant
    Filed: May 24, 2017
    Date of Patent: December 3, 2019
    Assignee: ARRIS Enterprises LLC
    Inventors: Alexander Medvinsky, Eric J. Sprunk