Patents Examined by C. Wang
-
Patent number: 10623421
Abstract: Theft detection in data center networks may be provided. First, a first leaf switch may create an entry in a first distributed secure cache in response to an endpoint appearing on the first leaf switch. The entry may correspond to the endpoint and may be marked as having a tentative state. Then a request message may be sent to a plurality of leaf switches. The request message may comprise data identifying the endpoint. Next, a reply message may be received in response to the request message from a second leaf switch within the plurality of leaf switches. The tentative state may then be removed from the entry in response to the reply message indicating that the endpoint is valid.
Type: Grant
Filed: October 20, 2017
Date of Patent: April 14, 2020
Assignee: Cisco Technology, Inc.
Inventors: Govind P. Sharma, Gilles Rhéal Roy, Eric Levy-Abegnoli, Ajay Kumar Modi, Sridhar Vallepalli
-
Patent number: 10594685
Abstract: Methods, systems, and devices for user authentication are described. A user may attempt an authentication procedure when accessing an application or cloud platform. When the user requests access to the application or cloud platform, a server may determine one or more unique identifiers to display at a first application for the user, and the user may select one of the unique identifiers. The server may then display unique identifiers (e.g., in some cases, the same unique identifiers) at a second application associated with the user. The user may verify that the selected unique identifier is displayed on the second application, and may select the same unique identifier in the second application. Additionally, the user may input a user-specific identifier to confirm their identity. The server may authenticate the user's identity if the user selected matching unique identifiers, and if the user-specific identifier matches an expected identifier for the user.
Type: Grant
Filed: October 19, 2017
Date of Patent: March 17, 2020
Assignee: salesforce.com, inc.
Inventors: Prasad Peddada, Taher Elgamal, Gursev Singh Kalra
-
Patent number: 10581620
Abstract: Scalable certificate management system architectures. An example system may include one or more application platforms (e.g., VMs) that run a registration authority and are communicatively connected to one or more compute engines that perform cryptographic computations required by the registration authority. The system may also include one or more application platforms that run an enrollment certificate authority and that are communicatively connected to one or more compute engines that perform cryptographic computations required by the enrollment certificate authority. It may further include one or more application platforms that run a pseudonym certificate authority and that are communicatively connected to one or more compute engines that perform cryptographic computations required by the pseudonym certificate authority.
Type: Grant
Filed: July 7, 2018
Date of Patent: March 3, 2020
Assignee: INTEGRITY SECURITY SERVICES LLC
Inventors: Alan T. Meyer, Gregory A. Powell
-
Patent number: 10554633
Abstract: Described herein are systems, methods, and software to enhance secure communications between computing systems. In one implementation, a communication service identifies a communication request for a first application on a first computing system to transfer data to a second application on a second computing system. In response to the request, the communication service generates a packet, wherein the packet includes an encrypted portion for the data and private addressing associated with the first and second applications, and an unencrypted portion for group identifier information and public addressing information. Once the packet is generated, the packet is transferred to the second computing system.
Type: Grant
Filed: September 19, 2017
Date of Patent: February 4, 2020
Assignee: COLORTOKENS, INC.
Inventors: Harish Magganmane, Ravi Voleti, Ashish Trivedi, Deepak Mohanty, Charles Kuta, Anoop Kapoor, Pankaj Parekh
-
Patent number: 10528725
Abstract: The disclosed technology is generally directed to device security in an IoT environment. For example, such technology is usable in IoT security. In one example of the technology, a set of security rules that is associated with an expected condition of at least one IoT device is stored. IoT data associated with the at least one IoT device is received. The IoT data may be aggregated data that includes at least two different types of data. A determination is made, based on the IoT data, as to whether the set of security rules has been violated. An alert is selectively sent based on the determination.
Type: Grant
Filed: November 4, 2016
Date of Patent: January 7, 2020
Assignee: Microsoft Technology Licensing, LLC
Inventor: Arjmand Samuel
-
Patent number: 10523424
Abstract: Use of cryptographic key-store hardware security modules is optimized in a system having a first scarce high-security key storage device and a second more plentiful low-security key storage device comprising securing a cryptographic key to the higher security level by initially storing the key in the first storage device, then responsive to an event, evaluating the stored key against one or more rules, and subsequent to the evaluation, reclassifying the stored key for relocation, encrypting the reclassified key using a key-encryption key; relocating the reclassified key into the second, lower-security storage device, and storing the key-encryption key in the first storage device.
Type: Grant
Filed: September 8, 2017
Date of Patent: December 31, 2019
Assignee: International Business Machines Corporation
Inventors: Krishna K. Yellepeddy, John T. Peck, Kristin M. Hazlewood, John A. Morganti
-
Patent number: 10516998
Abstract: In some examples, a method includes assigning, with an Access Point (AP) in a wireless network, a value for an Authentication Control Threshold (ACT) field in an advertisement packet that allows devices having a predetermined access control role to immediately attempt to associate with the AP. The method can further include transmitting, with the AP, the advertisement packet including the value for the ACT field for devices having the predetermined access control role.
Type: Grant
Filed: March 15, 2017
Date of Patent: December 24, 2019
Assignee: Hewlett Packard Enterprise Development LP
Inventor: Akram Sheriff Ismail
-
Patent number: 10516690
Abstract: Techniques to facilitate detection of whether or not applications are executed on physical devices are disclosed herein. In at least one implementation, a mobile application that generates a web service request is executed on a computing system. The computing system executes a client security component of the mobile application to collect attributes associated with the computing system and an operating environment on which the mobile application is executing, and utilizes a mobile application programming interface to transfer the web service request including the attributes for delivery to a web server. The web server executes a server security component of a web service to extract the attributes from the web service request and process the attributes to determine whether or not the mobile application is being executed on a physical mobile device.
Type: Grant
Filed: February 1, 2016
Date of Patent: December 24, 2019
Assignee: Cequence Security, Inc.
Inventors: Shreyans Mehta, Ameya Talwalkar
-
Patent number: 10511732
Abstract: Techniques for signer-initiated electronic document signing via an electronic signature service using a mobile or other client device are described. Example embodiments provide an electronic signature service (“ESS”) configured to facilitate the creation, storage, and management of documents and corresponding electronic signatures. In some embodiments, when a signer user receives a hard copy (e.g., paper) signature document, the signer may capture an image of the signature document with a camera of a mobile device. The signer can then import the captured image into the ESS for signature, storage, and/or transmission to other parties.
Type: Grant
Filed: October 26, 2012
Date of Patent: December 17, 2019
Assignee: DocuSign, Inc.
Inventors: Thomas H. Gonser, Donald G. Peterson
-
Patent number: 10509891
Abstract: In one embodiment, an instruction is received at a blockchain server from a first digital rights management (DRM) client, the instruction including an instruction to transfer a DRM license to an encrypted content item to a second DRM client. A block to be recorded in a blockchain is created, the block including a content item ID of said encrypted content item, one of a device ID of a device including the second DRM client or a user ID of a user of the second DRM client, DRM license information for said DRM license, and a DRM decryption key for decrypting said encrypted content item. The block is recorded in the blockchain. A confirmation message is sent to the second DRM client confirming that the block was written to the blockchain. Related systems, methods, and apparatuses are also described.
Type: Grant
Filed: May 3, 2017
Date of Patent: December 17, 2019
Assignee: Cisco Technology, Inc.
Inventors: Hillel Solow, Yossi Tsuria, Avraham Poupko, Shabtai Atlow
-
Patent number: 10505940
Abstract: Systems and methods are provided for managing electronic tokens for device interactions. In some embodiments, a unified graphical user interface is provided for an account, for controlling the activation status and settings associated with authorized electronic devices used for conducting transactions on the account. The electronic devices may be programmed with an electronic token that allows a server to look up sensitive account information, although the electronic token does not divulge the account information itself. Therefore, if an electronic token is compromised or stolen, the account does not need to be closed, and sensitive information remains safe. Moreover, the unified graphical user interface provides detailed and highly customizable controls for settings and restrictions associated with each of the electronic tokens, without modifying or accessing sensitive account or personal information.
Type: Grant
Filed: June 17, 2016
Date of Patent: December 10, 2019
Assignee: Capital One Services, LLC
Inventors: Paul Moreton, Lawrence Douglas, Thomas Poole, Thomas Christopher Clarke, Saejin Choi
-
Patent number: 10503879
Abstract: The present disclosure relates to a transaction licensing system (TLS) for managing transactions and entitlements in a cloud-based system, wherein a transaction is a communication with an external server. The TLS includes at least one transaction licensing database (TLDB) that is configured to store entitlement and transaction data. The entitlements may include a general entitlement pool, as well as specialized entitlement pools with entitlements for executing particular transactions. The TLS is configured to determine identifying information for a transaction and then use this information to determine whether the general or specialized entitlement pools associated with the transaction have entitlements available in the TLDB to execute the transaction. When a suitable entitlement is determined to be available, the transaction is executed and the general or specialized entitlement pool is appropriately decremented. When no suitable entitlements are available, the TLS returns an exception.
Type: Grant
Filed: March 29, 2019
Date of Patent: December 10, 2019
Assignee: ServiceNow, Inc.
Inventors: Joshua Timothy Nerius, Venkata Kiran Kumar Koya, Rebecca Anita Dias, David J. Terry, Parvathavardhini Shankaranarayanan, Jeremy Michael Charfauros, Karthik Karunakar Kotian, Andrew Whitley Strieber
-
Patent number: 10498700
Abstract: In an example implementation according to aspects of the present disclosure, a method may include identifying, by a computing system, an infrastructure device and an end-host device within a network. The method may further include disseminating, by the computing system, network traffic rules to the infrastructure device, the network traffic rules to route network traffic between end-host devices through the infrastructure device. Further, the network traffic transmitted from a first end-host device to a second end-host device is passed through the infrastructure device to the second end-host device in accordance with the network traffic rules, and network traffic transmitted from the first end-host device to the infrastructure device is blocked by the infrastructure device in accordance with the network traffic rules.
Type: Grant
Filed: March 25, 2014
Date of Patent: December 3, 2019
Assignee: Hewlett Packard Enterprise Development LP
Inventor: Shaun Wackerly
-
Patent number: 10484413
Abstract: A system and a method for detecting anomalous activities in a distributed and decentralised network is provided. Anonymous users transacting in the network are identified and one or more transactional attributes are retrieved to define characteristics of users and associated transactional behaviour with other users. Further, user-level statistics are evaluated based on transactional attributes. Datatype representative of transactional behavior of users with other users is generated using user-level statistics of identified users. Users with similar transactional behavior are classified based on generated transactional attributes. One or more anomaly detection techniques are implemented for identifying optimum classification of users into data clusters based on the change detected in the classification of users in data clusters. Anomalous users are identified from the optimum classification for efficiently and effectively detecting anomalous activities in the network.
Type: Grant
Filed: October 31, 2017
Date of Patent: November 19, 2019
Assignee: COGNIZANT TECHNOLOGY SOLUTIONS INDIA PVT. LTD.
Inventors: Abhishek Kar, Arpit Jain, Kuntal Das, Shyam Kumar
-
Patent number: 10482289
Abstract: A computing device includes a hardware resource, a component to send a transaction signal including a target address of the hardware resource, a security data associated with an initiator of the transaction signal, and a safety data associated with the initiator, and an access control unit coupled to the component and the hardware resource, the access control unit to receive the transaction signal, determine whether security access is granted based on the transaction signal, determine whether safety access is granted based on the transaction signal, and allow access to the hardware resource based on both the security access and the safety access being granted.
Type: Grant
Filed: August 24, 2017
Date of Patent: November 19, 2019
Assignee: QUALCOMM Incorporated
Inventors: David Barr, Dafna Shaool, Rahul Gulati, Pranjal Bhuyan
-
Patent number: 10474842
Abstract: The present disclosure relates to an information processing system, a storage medium and a control method through which a user privacy level in a telepresence system can be set depending on a counterpart. The information processing system includes a setting unit that automatically sets a privacy level depending on a user of a communication destination device; a communication unit that transmits a picture of a user of a communication source device to the communication destination device; and a controller that performs control to mask the picture of the user of the communication source device depending on the automatically set privacy level.
Type: Grant
Filed: August 4, 2015
Date of Patent: November 12, 2019
Assignee: SONY CORPORATION
Inventors: Hiroshi Iwanami, Masamichi Asukai
-
Patent number: 10462152
Abstract: A system receives a first request to replace a first credential used by an entity to access one or more resources with a second credential to be used by the entity to access the one or more resources. In response to receiving the first request, the system replaces the first credential with the second credential and allows use of the first credential for a predetermined period. In response to receiving a second request from the entity to access the one or more resources using the first credential after replacing the first credential with the second credential, the system allows the entity to access the one or more resources using the first credential during the predetermined period, and generates an indication that the entity used the first credential to access the one or more resources and that the entity is to be updated with the second credential within the predetermined period.
Type: Grant
Filed: November 15, 2016
Date of Patent: October 29, 2019
Assignee: Microsoft Technology Licensing, LLC
Inventor: Daniel Edwards
-
Patent number: 10462151
Abstract: A user profile is temporarily accessed by an accessor. A method performed by the accessor of a contact center includes receiving access data. The access data includes a user identifier for a user, an identifier identifying a third party having profile data of the user, and a user-predefined condition which must be satisfied for the profile data to be temporarily accessible by the contact center. The method includes transmitting a request to the third party to temporarily access the profile data during a time period when the condition is satisfied, the request including the user identifier. The method includes temporarily accessing the user profile when the request is granted.
Type: Grant
Filed: November 17, 2015
Date of Patent: October 29, 2019
Assignee: Avaya Inc.
Inventors: Tony McCormack, John H. Yoakum, David Skiba
-
Patent number: 10454923
Abstract: A system and computer-implemented method for providing access to data of a first party including receiving information for identifying the first party, authenticating the first party using the received information for identifying the first party and generating a first read-only personal identification number (PIN). The first read-only PIN is associated with a first set of access rights for the data of the first party and provided to a second party. The first read-only PIN is stored with the first set of access rights in a computer database. A third party receives the first read-only PIN from the second party, authenticates the received first read-only PIN using the stored first read-only PIN and provides the second party with access to at least a portion of the data of the first party using the first set of access rights associated with the first read-only PIN if the received first read-only PIN is authenticated.
Type: Grant
Filed: September 21, 2017
Date of Patent: October 22, 2019
Assignee: CAPITAL ONE SERVICES, LLC
Inventor: Jeffrey Michael Chapman
-
Patent number: 10447734
Abstract: Methods and devices for monitoring scan attempts in a network. Various embodiments provide enhancements to existing honeypot devices. These enhancements may include at least one of: (1) a port access module configured to make at least one honeypot port appear to be closed; (2) a mobility module configured to change the address of the honeypot within the network; (3) an emulation module configured to discover a network neighbor's profile and further configured to emulate the network neighbor's profile.
Type: Grant
Filed: November 11, 2016
Date of Patent: October 15, 2019
Assignee: Rapid7, Inc.
Inventors: Roy Hodgman, Jeffrey D. Myers