Abstract: An approach is provided for building a scalable service platform by initiating transmission of encrypted data from a public network cache. An access control server platform determines a first authorization key for a user and a second authorization key for a resource, and then encrypts the resource with the second authorization key, and encrypts the second authorization key with the first authorization key. The access control server platform initiates distribution of the encrypted second authorization key with the encrypted resource over a network. The access control server platform further initiates caching the encrypted second authorization key with the encrypted resource that meets a predefined threshold value (e.g., a data size, an access frequency, a modification frequency, or an auditing requirement) in a cache in the network, and initiates transmission of the cached and encrypted second authorization key with the cached and encrypted resource from the cache to at least one authorized entity.

Abstract: Techniques to authenticate a client to a proxy through a domain name server intermediary are described. In one embodiment, for example, a client apparatus may comprise a data store and a network access component. The data store may be operative to store a network configuration file, the network configuration file containing a client-specific secret. The network access component may be operative to transmit a communication request from the client device to a proxy server, the communication request directed to a destination server distinct from the proxy server, and to receive a response to the communication request from the destination server based on a determination by the proxy server that the client is authorized to use the proxy server, the determination based on the client having previously sent an encoding of a client-specific secret to a domain name server embedded within a lookup domain of a domain name request. Other embodiments are described and claimed.

Abstract: Techniques for credentials enforcement using a firewall are disclosed. In some embodiments, a system, process, and/or computer program product for enforcement using a firewall includes storing a plurality of user credentials at a network device; monitoring network traffic at the network device to determine if there is a match with one or more of the plurality of user credentials; and performing an action if the match is determined.

Abstract: Access is obtained to a plurality of intermediately transformed electronic documents (with a plurality of sections and subsections) which have been transformed, by topical analysis and text summarization techniques, from a plurality of original electronic documents comprising at least some unstructured electronic documents. Audit and retrieval agent code is appended to the sections and subsections to create a plurality of finally transformed electronic documents. Users are allowed to access the finally transformed electronic documents. The users are provided with accountability reminders contemporaneous with the access. The access of the users to the sections and subsections of the finally transformed electronic documents is logged. An audit report is provided based on the logging. Also provided is a cloud service for enterprise-level sensitive data protection with variable data granularity, using one or more one guest virtual machine images.

Abstract: Provided is authentication and authorization without the use of supplicants. Authentication and authorization includes generating a profile for a device based on at least one characteristic observed during a successful attempt by the device to access an 802.1X network infrastructure. Expected characteristics for a next attempt to access the infrastructure by the device are determined. A characteristic of the next access attempt is matched to the expected characteristic and access to the network is selectively controlled as a result of the matching. This is achieved without a supplicant being installed on the device.

Abstract: Some aspects of the present disclosure relate to systems and methods for identifying potential violation conditions from electronic communications. In one embodiment, a method includes receiving data associated with an electronic communication and detecting, from the received data, and using a trainable model, an indicator of a potential violation condition, where the violation condition is associated with an activity that is a violation of a predetermined standard. The method also includes, responsive to detecting the indicator of the potential violation condition, marking the electronic communication as being associated with a potential violation condition, and presenting the potential violation condition to a user for review.

Abstract: A computer implemented method, computer program product and comprising rolling an image to a point in time in a protection window by applying write data using write metadata and examining read metadata, the write data, and the write metadata to determine if the image was accessed by an intruder.

Abstract: The present disclosure relates generally to secure data management techniques. Techniques are described for pairing devices and using the pairing information for granting or denying requests (e.g., data exchange requests) from the devices, for example, in a cloud environment, including Internet of Things (IoT) cloud. Devices can be paired with each other according to their identification information. Subsequently, when an original request is received from a first device, and a chasing request received from a second device, the pre-registered pairing information is used to determine whether the first and second devices form a valid pair and the original request is granted or denied based upon that determination. For example, the request may be granted only if it is determined that the first device and the second device have been previously paired.

Abstract: A method and a network node device run Push-Button Configuration sessions within a heterogeneous network, IEEE 1905.1, using a push button configuration mechanism that ensures that only one single new network node device is registered for a single push button key press event and thus overlapping Push-Button Configuration sessions within a heterogeneous network are prevented. After finishing the push button configuration mode, the number of new nodes is checked. If more than one node has been added, a configuration roll-back is performed. Preferably, the push button configuration roll-back is performed as soon as the authentication of more than one distinct node has been detected. The roll-back includes the deletion or deactivation of credentials established by the push-button configuration.

Abstract: An industrial process/safety control and automation system is provided. The system includes a user interface device and an industrial device/controller. The user interface device is configured to activate a password set function. The user interface device is also configured to receive a password for transmission to the industrial device/controller. The industrial device/controller is configured to receive the password from the user interface device. The industrial device/controller is also configured to detect a performance of a physical password replacement authentication procedure. The industrial device/controller is further configured to replace a current password with the received password in response to performing the physical password replacement authentication procedure.

Abstract: An infrastructure delivery platform provides a RSA proxy service as an enhancement to the TLS/SSL protocol to off-load, from an edge server to an external cryptographic server, the decryption of an encrypted pre-master secret. The technique provides forward secrecy in the event that the edge server is compromised, preferably through the use of a cryptographically strong hash function that is implemented separately at both the edge server and the cryptographic server. To provide the forward secrecy for this particular leg, the edge server selects an ephemeral value, and applies a cryptographic hash the value to compute a server random value, which is then transmitted back to the requesting client. That server random value is later re-generated at the cryptographic server to enable the cryptographic server to compute a master secret. The forward secrecy is enabled by ensuring that the ephemeral value does not travel on the wire.

Abstract: A network directory service, responsive to receiving a target device symbolic name from a client, identifies a network access server in communication with a network on which the target device resides, notifies the network access server of an expected connection from the client, and returns a device access token to the client. The network access server, responsive to receiving and validating the device access token, forwards the client-originated traffic to the target device by implementing a Network Address Translation (NAT) scheme.

Abstract: Systems and methods are disclosed for preventing tampering of a programmable integrated circuit device. Generally, programmable devices, such as FPGAs, have two stages of operation; a configuration stage and a user mode stage. To prevent tampering and/or reverse engineering of a programmable device, various anti-tampering techniques may be employed during either stage of operation to disable the device and/or erase sensitive information stored on the device once tampering is suspected. One type of tampering involves bombarding the device with a number of false configuration attempts in order to decipher encrypted data. By utilizing a dirty bit and a sticky error counter, the device can keep track of the number of failed configuration attempts that have occurred and initiate anti-tampering operations when tampering is suspected while the device is still in the configuration stage of operation.

Abstract: A plurality of multipoint conference units (MCUs) may optimize bandwidth by selecting particular video streams to transmit to endpoints and/or other MCUs participating in a video conference. An endpoint may generate video streams and audio streams and transmit these streams to its managing MCU. During the video conference, an endpoint may also receive and display different video streams and different audio streams. In a particular embodiment, a controlled MCU receives video streams from its managed endpoints, selects potential video streams based upon the maximum number of video streams that any endpoint can display concurrently, and transmits those potential video streams to a master MCU. The master MCU may also receive video streams from its managed endpoints and may select active video streams for transmission to its managed endpoints and to the controlled MCU, which transmits selected streams to its managed endpoints.

Abstract: Techniques for marking or flagging an account as potentially being compromised may be provided. Information about the popularity of passwords associated with a plurality of accounts may be maintained. In an example, an account may be marked as potentially being compromised based at least in part on the information about the popularity of passwords and a password included in a request to change the password associated with the account. A notification indicating that an account has been marked as potentially compromised may be generated.

Abstract: Techniques for maintaining and updating authentication information for a plurality of accounts may be provided. In an example a first set of authentication information for the plurality of accounts may be maintained. A second set of authentication information that has been marked as potentially compromised may be received. A third set of authentication information may be generated based on the overlap between the first set of authentication information and the second set of authentication information. The first set of authentication information may be updated based at least in part on one or more security authentication protocols and the third set of authentication information.

Abstract: An apparatus includes an interface and logic circuitry. The interface is configured to communicate over a communication link. The logic circuitry is configured to convert between a first stream of plaintext bits and a second stream of ciphered bits that are exchanged over the communication link, by applying a cascade of a stream ciphering operation and a mixing operation that cryptographically maps input bits to output bits.

Abstract: Execution of a sample program being evaluated for malware is initiated and then suspended to set breakpoints on timing operations of the sample program. Execution of the sample program is suspended again when a breakpoint is hit, at which time a loop is identified in the sample program and evaluated for presence of stalling code. Execution flow of the sample program is changed to exit the loop when the loop is determined to include the stalling code.

Abstract: A computer analyzes a message attachment protected by a password. The message is intercepted from a sender before the message reaches the recipient. The computer cannot open, decrypt, unpack or decompress the attachment because the computer cannot parse the password. The message is modified to render the attachment unusable by the recipient and a URL is added. After the modified message is sent to the recipient, the computer receives the correct password from the recipient allowing the computer to open the attachment and perform anti-malware scanning. If malicious, the attachment is quarantined, deleted or blocked. If not malicious, the attachment (password-protected or not) is downloaded to the recipient, sent by e-mail or text message, or made available on a Web site. The recipient may be a mobile device or computer. Software may be part of an e-mail server, part of a mail transfer agent, or part of a separate computer.

Abstract: Aspects of the present disclosure are directed to authenticating a user requesting access to a computing resource. To authenticate the user, activity data describing various activities are collected and stored. The activities may be categorized, for example, as work-related activities, personal-related activities, and social-related activities. The activity data may be utilized to generate challenge questions to present to the user. If the user answers enough of the challenge questions correctly, then the user may be successfully authenticated and granted access to one or more computing resources.