Patents Examined by C. Wang
  • Patent number: 12166800
    Abstract: Methods and apparatuses for automatic determination of a content security policy for a network resource are described. A proxy server receives from a first authenticated client device a first request for a first network resource, retrieves the first network resource and transmits a first response to the first client device that includes a content tracker that causes the client device to report information on additional network resources identified when the first client device interprets the first network resource. A content security policy is determined based on the reported information. The proxy server receives, from a second client device, a second request for the first network resource. The proxy server transmits, to the second client device, a second response that includes the content security policy that is determined based on the information on the additional network resources.
    Type: Grant
    Filed: February 15, 2022
    Date of Patent: December 10, 2024
    Assignee: CLOUDFLARE, INC.
    Inventors: Jesse Kipp, Patrick Meenan
  • Patent number: 12147563
    Abstract: The present disclosure relates to a system, method, and apparatus for securing electronic personal identifying information. The system enhances data privacy, by minimizing the amount of authentic personal identifying information that is shared with a third party. Namely, the system includes a database of known websites, apps, etc. that require personal identifying information to sign up—and then classifies whether any given type of information is strictly necessary to the functioning of the website. The system then generates placeholder “dummy” data for any fields that are required for signup, but are not strictly necessary for the website to function. The system allows for creation of several user profiles that vary the amount of authentic personal identifying information to be shared, based on the user's preferences. The system therefore helps to secure personal information in the event that, for example, the website later has a data breach.
    Type: Grant
    Filed: November 10, 2021
    Date of Patent: November 19, 2024
    Assignee: United Services Automobile Association (USAA)
    Inventors: Michael Jay Szentes, Sumita T. Jonak, Brian Christopher Hawes, Shane Elliot Richard
  • Patent number: 12120110
    Abstract: A block generation unit 13 generates, in a predetermined case, a block including an ID of a user in a blockchain. The block generation unit 13 generates a new block including information indicating a service provider and service contents, when face data of the user and the service contents are received from a terminal of the service provider and face authentication is successful based on the face data and face authentication data, or when the ID of the user and the service contents are received from the terminal of the service provider, and adds the new block to the blockchain.
    Type: Grant
    Filed: July 27, 2020
    Date of Patent: October 15, 2024
    Assignee: NEC CORPORATION
    Inventor: Katsuhiko Ishida
  • Patent number: 12107890
    Abstract: A computing device receives an IP address and a port number related to a transport protocol and an application protocol version and other attributes related to an application protocol extracted from an encrypted client hello (ECH) enabled transport layer security (TLS) connection request from a client computing device and extracts, from the database, a set of all known hostnames matching the IP address. The device generates a reduced list of the set of all hostnames matching the IP address, and assigns a confidence score to each hostname of the reduced list based on an alias count and/or a popularity ranking of the hostname. Finally, a prioritized list of one or more hostnames is generated based on the confidence score, the prioritized list indicating the one or more hostnames in the order of descending probability of being requested in the ECH enabled TLS connection request.
    Type: Grant
    Filed: April 12, 2022
    Date of Patent: October 1, 2024
    Assignee: Cujo LLC
    Inventors: Filip Savin, Leonardas Marozas, Kimmo Kasslin
  • Patent number: 12101318
    Abstract: Systems and methods implemented by a mobile device include establishing a plurality of tunnels to a gateway, wherein each of the plurality of tunnels is on one of a plurality of link layer channels at the mobile device; intercepting network traffic on the mobile device; forwarding the network traffic to one of the plurality of tunnels based on a set of traffic forwarding rules; and responsive to a network change for the mobile device, managing the plurality of tunnels and continuing the forwarding based on the managing. The systems and methods can further include determining characteristics including bandwidth of each of the plurality of link layer channels; and utilizing the characteristics with the set of traffic forwarding rules for the forwarding.
    Type: Grant
    Filed: November 23, 2020
    Date of Patent: September 24, 2024
    Assignee: Zscaler, Inc.
    Inventors: Abhinav Bansal, Rohit Goyal
  • Patent number: 12081549
    Abstract: A system for managing custom code within a data computing platform determines that a request for one or more uniform resource identifiers external to the platform is being made by custom code executing in the platform. In response to the determination, the system checks a whitelist of allowable external URIs against the requested one or more URIs and allows access to the requested one or more URIs if a match is detected with the whitelist, otherwise access by the custom code to the requested one or more URIs is denied. In addition, or alternatively, the system checks a blacklist of disallowed external URIs against the requested one or more URIs and denies access to the requested one or more URIs if a match is detected with the blacklist, otherwise access by the custom code to the requested one or more URIs is allowed. The blacklist can override the whitelist.
    Type: Grant
    Filed: May 15, 2023
    Date of Patent: September 3, 2024
    Assignee: Palantir Technologies Inc.
    Inventor: James Ding
  • Patent number: 12081544
    Abstract: A system configured to execute instructions to perform steps of a method for preventing unauthorized network access is disclosed. The system may receive an authorization request from a first user device and determine a device fingerprint. The system may store the device fingerprint as an authorization fingerprint. The system may receive a login request from a second user device. When the authorization fingerprint matches the device fingerprint, the system may authorize the login request from the second user device. In some embodiments, the system may determine a device state and temporal identifier and create a first device hash to be stored as an authorization hash. The system may receive a login request and cause the first user device to create one or more second device hashes. If at least one second device hash is a match, the system may authorize the login request from the second user device.
    Type: Grant
    Filed: February 8, 2021
    Date of Patent: September 3, 2024
    Assignee: CAPITAL ONE SERVICES, LLC
    Inventors: Galen Rafferty, Austin Walters, Jeremy Edward Goodsitt, Anh Truong, Ernest Kwak, Vincent Pham
  • Patent number: 12067130
    Abstract: The disclosed exemplary embodiments include computer-implemented systems, devices, apparatuses, and processes that maintain data confidentiality in communications involving voice-enabled devices in a distributed computing environment using homomorphic encryption. By way of example, an apparatus may receive encrypted command data from a computing system, decrypt the encrypted command data using a homomorphic private key, and perform operations that associate the decrypted command data with a request for an element of data. Using a public cryptographic key associated with a device, the apparatus generates an encrypted response that includes the requested data element, and transmits the encrypted response to the device. The device may decrypt the encrypted response using a private cryptographic key and perform operations that present first audio content representative of the requested data element through an acoustic interface.
    Type: Grant
    Filed: November 12, 2021
    Date of Patent: August 20, 2024
    Assignee: The Toronto-Dominion Bank
    Inventors: Alexey Shpurov, Milos Dunjic, Brian Andrew Lam
  • Patent number: 12063215
    Abstract: A method for configuring access to an Internet service, the method being implemented by a server known as a web server following at least one successful authentication request by a user to access the service, the at least one authentication request being initiated by a terminal of the user. The method includes: a first step of obtaining at least one identifier of the terminal and at least one authentication datum that are present in the at least one authentication request; a second step of obtaining, on the basis of the at least one obtained authentication datum, at least one identifier of the user; a third step of obtaining, on the basis of the at least one identifier of the user and of the at least one identifier of the terminal, at least one access parameter; and a step of configuring the service for the user on the basis of the at least one access parameter.
    Type: Grant
    Filed: November 6, 2020
    Date of Patent: August 13, 2024
    Assignee: ORANGE
    Inventor: Bertrand Bouvet
  • Patent number: 12050695
    Abstract: Several data breaches are occurring in organizations due to insecure handling of security-sensitive data. Conventional methods utilize static analysis tools and fail to capture all security vulnerabilities. The present disclosure identifies a security vulnerability by analyzing a source code. Initially, a System Dependence Graph (SDG) associated with the source code is received. Forward slicing is performed on the SDG and a plurality of forward function nodes are obtained. A plurality of security parameters associated with the security-sensitive variable are obtained. A backward slicing is performed based on a plurality of security parameters to obtain a plurality of backward function nodes. Further, a plurality of common function nodes is obtained from the plurality of forward and the backward function nodes and utilized to generate a plurality of enumerated paths. The enumerated paths are evaluated to obtain a plurality of feasible paths and are further analyzed to identify security vulnerability.
    Type: Grant
    Filed: February 14, 2022
    Date of Patent: July 30, 2024
    Assignee: TATA CONSULTANCY SERVICES LIMITED
    Inventors: Monika Sahu, Kumar Mansukhlal Vidhani, Harshal Tupasamudre, Sachin Premsukh Lodha
  • Patent number: 12041036
    Abstract: A method at a remote proxy on a first node, the method including receiving, at the remote proxy, a first message from a first module on the first node, the first message being directed to a second module on a second node; verifying the first message at the remote proxy utilizing operating system verification; determining, based on a manifest at the remote proxy, the second node; signing, using a private key for the first node, the first message; and sending the first message to the second node.
    Type: Grant
    Filed: March 11, 2021
    Date of Patent: July 16, 2024
    Assignee: BlackBerry Limited
    Inventors: Biswaroop Mukherjee, Glenn Daniel Wurster
  • Patent number: 12034721
    Abstract: Systems and methods for authenticating data transmissions are provided, such as e.g., analog radio streams received at a vehicle. In one aspect, the vehicle includes features that allow for detection and decryption of an encrypted source identifier embedded or introduced into a data transmission transmitted to the vehicle. The source identifier may be used to determine whether the source is authorized to transmit data transmissions to the vehicle and the data transmission may be authenticated accordingly. In another aspect, the vehicle includes features that determine the location of the transmitting device used to transmit the data transmission to the vehicle. The location is then used to determine whether the data transmission should be authenticated.
    Type: Grant
    Filed: May 31, 2019
    Date of Patent: July 9, 2024
    Assignee: GE AVIATION SYSTEMS LIMITED
    Inventor: Stefan Alexander Schwindt
  • Patent number: 12028330
    Abstract: A method by a management server is described. The method includes receiving a credentials request from a requesting management node. The credentials request includes a public key of the requesting management node. The method also includes determining whether the management server has credentials encrypted for the requesting management node in a local cache. The credentials are encrypted using the public key of the requesting management node and cannot be decrypted by the management server. The method further includes sending the encrypted credentials to the requesting management node when the management server has the encrypted credentials. The requesting management node can decrypt the encrypted credentials using a private key.
    Type: Grant
    Filed: August 23, 2021
    Date of Patent: July 2, 2024
    Assignee: Ivanti, Inc.
    Inventors: Mark Tempel, Andrew Moravec
  • Patent number: 12028345
    Abstract: A system for identifying trusted machines for Machine-to-Machine (M2M) validation receives a query message from a first trusted computing device, requesting whether an unrecognized computing device is in a list of trusted devices associated with a second trusted computing device. The system determines whether the unrecognized computing device is in the list of trusted devices by determining whether an identification associated with the unrecognized computing device is among the list of trusted devices. In response to determining that the unrecognized computing device is in the list of trusted devices, the system sends a response message to the first trusted computing device, indicating that the unrecognized computing device is in the list of trusted devices.
    Type: Grant
    Filed: May 19, 2021
    Date of Patent: July 2, 2024
    Assignee: Bank of America Corporation
    Inventors: Maharaj Mukherjee, George Albero
  • Patent number: 12010513
    Abstract: Systems and methods are provided that include: accessing implicit authentication data from a possession factor associated with an authorized user; at the possession factor or at an authentication platform: generating a possession confidence level using the implicit authentication data, the possession confidence level being one of a plurality of possession confidence levels, the possession confidence level indicating a likelihood that the possession factor is possessed by the authorized user; identifying, among a plurality of varying authentication requirements, an authentication requirement for the transaction based on the possession confidence level, the authentication requirement defines a process or action to prove authority to perform the transaction or a process or action to prove an identity of a user attempting to perform the transaction; and implementing the authentication requirement for the transaction.
    Type: Grant
    Filed: May 28, 2020
    Date of Patent: June 11, 2024
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Michael Hanley, Jon Oberheide
  • Patent number: 11997220
    Abstract: An example system may include one or more application platforms (e.g., VMs) that run a registration authority and are communicatively connected to one or more compute engines that perform cryptographic computations required by the registration authority. The system may also include one or more application platforms that run an enrollment certificate authority and that are communicatively connected to one or more compute engines that perform cryptographic computations required by the enrollment certificate authority. It may further include one or more application platforms that run a pseudonym certificate authority and that are communicatively connected to one or more compute engines that perform cryptographic computations required by the pseudonym certificate authority. It may also include one or more load balancers communicatively connected to the one or more compute engines, the one or more load balancers to perform operations comprising distributing at least one request to the one or more compute engines.
    Type: Grant
    Filed: October 18, 2021
    Date of Patent: May 28, 2024
    Assignee: INTEGRITY SECURITY SERVICES LLC
    Inventors: Alan T. Meyer, Gregory A. Powell
  • Patent number: 11989318
    Abstract: Embodiments of the present invention provide a system for dynamic masking of data in a network. The system is configured for receiving, via a graphical user interface, a data access request for accessing data from a user associated with an entity, determining that the data comprises sensitive information, determining that the user is not authorized to access the data, dynamically performing non-scramble masking of the data based on determining that the data comprises sensitive information and that the user is not authorized to access the data, and displaying masked data to the user, via the graphical user interface.
    Type: Grant
    Filed: January 4, 2022
    Date of Patent: May 21, 2024
    Assignee: BANK OF AMERICA CORPORATION
    Inventor: Swetapadma Mohanty
  • Patent number: 11985129
    Abstract: Systems and methods include obtaining trusted network rules for a plurality of networks, wherein the trusted network rules include whether a network is untrusted or one of a plurality of trusted networks; obtaining policy configurations for each of the trusted network rules, wherein the policy configurations define configurations for a cloud-based system to use with a user device based on a corresponding network where the user device is connected; communicating with the user device and determining which network of the plurality of networks the user device is connected to; and applying the configurations in the cloud-based system for the user device based on the network the user device is connected to. The steps can further include obtaining forwarding policies for each of the plurality of networks; and providing the forwarding policies to a connector application executed on the user device.
    Type: Grant
    Filed: September 29, 2020
    Date of Patent: May 14, 2024
    Assignee: Zscaler, Inc.
    Inventors: Vivek Ashwin Raman, Ajit Singh, Vikas Mahajan, Amandeep Singh, Huiju Wu, David Creedy
  • Patent number: 11979383
    Abstract: Transparent web browsing recording is disclosed. A request is received, at a browser isolation system, from a client browser executing on a client device, to connect with a remote resource. A surrogate browser is provided to facilitate communications between the client browser and the remote resource. A set of browsing activities associated with use of the surrogate browser by the client browser is recorded.
    Type: Grant
    Filed: May 3, 2021
    Date of Patent: May 7, 2024
    Assignee: Menlo Security, Inc.
    Inventors: Lionel Litty, Todd Ignasiak, Rodrigo Graf
  • Patent number: 11962589
    Abstract: Systems and methods include intercepting traffic on the user device; forwarding the traffic to a cloud-based system for security processing therein; and, responsive to unavailability of the cloud-based system preventing the forwarding, performing local security processing of the traffic at the user device including determining whether the traffic is allowed based on a cache at the user device, forwarding the traffic separate from the cloud-based system when it is allowed, and blocking the traffic when it is not allowed.
    Type: Grant
    Filed: January 21, 2021
    Date of Patent: April 16, 2024
    Assignee: Zscaler, Inc.
    Inventors: Patrick Foxhoven, Amit Sinha, Vikas Mahajan, Rohit Goyal