Patents Examined by Hamid Talaminaei
  • Patent number: 11388594
    Abstract: A first wireless access device, associated with a wireless service provider, establishes a wireless local area network connection with a second wireless access device and receives a certificate including a unique identifier associated with the second wireless access device. The first wireless access device determines whether the second wireless access device is authorized to connect to the first wireless access device. For example, if the certificate is signed by a certificate authority associated with the wireless service provider and the unique identifier appears in a whitelist stored at the first wireless access device, the first wireless access device and the second wireless access device perform a mutual authentication procedure based on one or more ephemeral keys. The first wireless access device provides the second wireless access device with access to a wide area network based on successful completion of the mutual authentication procedure.
    Type: Grant
    Filed: November 14, 2018
    Date of Patent: July 12, 2022
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Warren Hojilla Uy, Young R. Choi, Samirkumar Patel
  • Patent number: 11349831
    Abstract: A technique for downloading a profile for access to a communication network by a security module. This access profile has been prepared by a network operator and is available from a server configured to provide this access profile by downloading to the security module. The security module obtains a first verification datum prepared by the network operator. A secure downloading session is established thereafter. During establishment, session keys are jointly generated between the server and the security module and the server is authenticated by the security module using a public downloading key. The security module verifies authenticity of the public downloading key by using the first verification datum enabling verification that the server uses a secret downloading key corresponding to that provided by the network operator during preparation of the first verification datum. When the public downloading key is not authentic, the security module interrupts downloading of the access profile.
    Type: Grant
    Filed: June 19, 2017
    Date of Patent: May 31, 2022
    Assignee: ORANGE
    Inventors: Said Gharout, Laurent Coureau
  • Patent number: 11349666
    Abstract: The present solution is directed to methods and systems for storing personal identifiable information. In some implementations, the information is collected during the authentication of identification (ID) documents. The personal identifiable information can be useful in processes such as client enrollment, mobile device management, identification processes, and transaction audits. However, the data can be a target for bad actors. The present solution includes a one-way hashing and cryptographic function that converts unique personal identifiable information into a unique digest which can be securely stored on a mobile device and rendered as an original state digital image for proof of ID.
    Type: Grant
    Filed: January 29, 2018
    Date of Patent: May 31, 2022
    Assignee: META PLATFORMS, INC.
    Inventors: J. Robert Geiman, Raphael A. Rodriguez
  • Patent number: 11334709
    Abstract: A computer-implemented method according to one embodiment includes identifying a topic associated with a received notification, determining a plurality of policies associated with the topic, determining a current environmental context, determining a generalization level, utilizing the plurality of policies and the current environmental context, modifying the notification, based on the generalization level, and presenting the modified notification.
    Type: Grant
    Filed: November 13, 2018
    Date of Patent: May 17, 2022
    Assignee: International Business Machines Corporation
    Inventors: Nathalie Baracaldo-Angel, Margaret H. Szymanski, Eric K. Butler, Heiko H. Ludwig
  • Patent number: 11321452
    Abstract: The present disclosure provides an execution environment virtualization method. The method includes: creating an ordinary virtual machine and a trusted virtual machine for a user in the ordinary execution environment, where the ordinary virtual machine executes an ordinary application of the user, and the trusted virtual machine executes a security application of the user; allocating memories to the ordinary virtual machine and the trusted virtual machine; establishing a mapping relationship between an ordinary memory of the ordinary virtual machine and a physical memory, to obtain a first memory mapping table; and establishing a mapping relationship between a virtual physical memory of the trusted virtual machine and a physical memory, to obtain a second memory mapping table. Therefore, the ordinary application and the security application run in execution environments independent of each other, thereby ensuring data security of the user.
    Type: Grant
    Filed: July 23, 2018
    Date of Patent: May 3, 2022
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Zhichao Hua, Yubin Xia, Haibo Chen
  • Patent number: 11323434
    Abstract: A system and method allows an app to be used to signal a server to authenticate a user using two factor authentication. The app is one previously associated with a user account, optionally using a different form of two factor authentication.
    Type: Grant
    Filed: December 31, 2018
    Date of Patent: May 3, 2022
    Assignee: Charles Schwab & Co., Inc.
    Inventors: Riyaz Vali, Charles E. Gotlieb
  • Patent number: 11316664
    Abstract: Embodiments of the present disclosure provide a system for data characterization and tracking via cohesive information units. In particular, the system may be structured to define a cohesive information unit (“CIU”) which may serve as the fundamental functional unit that serves as the basis for data electronically stored, transferred, modified, and/or copied within computing systems. Each CIU may be electronically associated with metadata which serves to identify the CIU as the CIU is stored and/or in motion. Rather than allowing applications and/or users to change the data within the CIU directly, the system may write subsequent CIUs to reflect proposed changes by the applications and/or users. In this way, the system provides a secure and reliable way to maintain authenticity of data within the entity system.
    Type: Grant
    Filed: April 5, 2019
    Date of Patent: April 26, 2022
    Assignee: BANK OF AMERICA CORPORATION
    Inventors: John Howard Kling, Paul E. Foshee
  • Patent number: 11316706
    Abstract: A method for validating access to data files using a combination of secure data values includes: storing at least a first check value and a seed value in an account profile; receiving a data request message including at least a first data value, a second data value, a timestamp, and a data file request from a computing device; identifying a second check value using a predetermined algorithm applied to at least the seed value and the timestamp; validating the first data value using the first check value and the second data value using the second check value; and transmitting one or more data files indicated in the data file request to the computing device upon successful validation of the first data value and the second data value.
    Type: Grant
    Filed: April 16, 2019
    Date of Patent: April 26, 2022
    Assignee: MASTERCARD INTERNATIONAL INCORPORATED
    Inventors: Chandan Garg, Ankur Arora, Jaipal Singh Kumawat
  • Patent number: 11310279
    Abstract: Access is temporarily allowed to selected enterprise resources. A request to carry out an action is received from a private device. The private device is associated with an enterprise device, which has one or more enterprise policies in place. One or more steps for carrying out the requested action are defined, and it is determined that at least one policy from the enterprise policies is required for at least one of the steps. It is also determined that the at least one policy is in place on the private device. The private device is then allowed to carry out the requested action according to the at least one policy.
    Type: Grant
    Filed: April 5, 2019
    Date of Patent: April 19, 2022
    Assignee: International Business Machines Corporation
    Inventors: Vinicio Bombacino, Andrea Tortosa, Stefania Oliverio, Rosario Boccia, Fabio D'Alfonso, Mario Rocco Garasto
  • Patent number: 11310280
    Abstract: Access is temporarily allowed to selected enterprise resources. A request to carry out an action is received from a private device. The private device is associated with an enterprise device, which has one or more enterprise policies in place. One or more steps for carrying out the requested action are defined, and it is determined that at least one policy from the enterprise policies is required for at least one of the steps. It is also determined that the at least one policy is in place on the private device. The private device is then allowed to carry out the requested action according to the at least one policy.
    Type: Grant
    Filed: July 16, 2019
    Date of Patent: April 19, 2022
    Assignee: International Business Machines Corporation
    Inventors: Vinicio Bombacino, Andrea Tortosa, Stefania Oliverio, Rosario Boccia, Fabio D'Alfonso, Mario Rocco Garasto
  • Patent number: 11297166
    Abstract: Systems and methods for transmitting critical data to a server are provided. The data structure intended for transmission to the server is divided up on the client side into a substructure containing critical data (CD) and a substructure not containing CD. The substructure containing CD is further divided up at the client side into at least two substructures and the resulting substructures are sent consecutively to the server via a node with a transformation module. The substructure not containing CD is sent directly to the server, bypassing the node with the transformation module. After receiving the substructures, they are combined at the server side into a single data structure. The critical data are data with respect to which the law of the state in whose jurisdiction the client or an authorized entity is located imposes restrictions on the gathering, storage, accessing, dissemination and processing thereof.
    Type: Grant
    Filed: August 21, 2019
    Date of Patent: April 5, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Anton S. Lapushkin, Dmitry V. Shmoylov, Andrey V. Ladikov, Andrey A. Efremov
  • Patent number: 11271961
    Abstract: A cybersecurity assessment system is provided for monitoring, assessing, and addressing the cybersecurity status of a hierarchy of target networks. The cybersecurity assessment system may scan individual target networks and produce data regarding the current state and properties of devices on the target networks. The cybersecurity assessment system may generate user interfaces to present cybersecurity information regarding individual target networks, and composite cybersecurity information regarding a hierarchy of target networks or some subset thereof. The cybersecurity assessment system can generate access configurations that specify which cybersecurity information of the hierarchy can be accessed by individual target networks of the hierarchy.
    Type: Grant
    Filed: April 9, 2019
    Date of Patent: March 8, 2022
    Assignee: Cytellix Corporation
    Inventors: Brian Douglas Berger, Howard Chen Lin
  • Patent number: 11251964
    Abstract: A hash contract is disclosed herein. A hash contract may be a value generated by a device using a hash function. The hash contract itself may represent a legally enforceable contract. The hash contract may be structured in a manner such that a device operated by a contracting party can transmit a legally enforceable contract over a network using a smaller file size than is possible with conventional secure transaction techniques. In addition, the manner in which the hash contract is generated allows a receiving device to verify that the contract elements of the contract are as expected and to verify an identity of a user that allegedly accepted the contract. Thus, even if a malicious user attempts to alter contract elements or perform other fraudulent activity, the receiving device can use the hash contract to identify such activity and prevent a transaction from being completed.
    Type: Grant
    Filed: August 9, 2018
    Date of Patent: February 15, 2022
    Assignee: Secure Open Systems, Inc.
    Inventor: David Duane Bettger
  • Patent number: 11144665
    Abstract: Method, apparatus and product for purpose-based data access control. Having a data about a subject, for which usage is approved for a purpose, a first encryption key associated with the first purpose is obtained. A link pointing to a first alias of the data is generated, the first alias being associated with the first purpose. The link pointing to the first alias is encrypted with the first encryption key to obtain a first encrypted link; and access is provided to the first encrypted link, whereby access to the data is obtainable by decrypting the first encrypted link with the first decryption key to obtain the first alias and using the first alias to access the data. In some cases, a second link for a second can be similarly generated. Upon revocation of approval, a corresponding alias is eliminated to prevent access thereby. The links may be retained in a decentralized ledger, such as a blockchain.
    Type: Grant
    Filed: October 16, 2018
    Date of Patent: October 12, 2021
    Assignee: International Business Machines Corporation
    Inventors: Sima Nadler, Sharon Keidar Barner
  • Patent number: 11115387
    Abstract: Systems, methods, and computer-readable storage media are provided for managing application traffic. A routing policy defines the data flow path between the client device (which uses a virtual private network (VPN) client) and the appropriate network-based service. Based on various factors associated with the user, the client device, and the destination (e.g. network-based service), the routing policy will direct the VPN client to communicate with either a public DNS (via the public Internet) or to a private DNS (via the private Intranet). The resulting IP addresses will be used to establish a particular route (either over a public Internet or private Intranet) between the client device and the network-based service in accordance with the routing policy.
    Type: Grant
    Filed: April 2, 2019
    Date of Patent: September 7, 2021
    Assignee: Cisco Technology, Inc.
    Inventors: Peter Bosch, Alessandro Duminuco, Jeffrey Napper, Sape Jurrien Mullender, David Delano Ward
  • Patent number: 11086998
    Abstract: A secure boot violation system includes a BIOS with an authenticated variables storage storing at least one authorization key and at least one signatures database. The BIOS receives a first policy action entry for association with a first signature in the at least one signatures database, determines that the first policy action entry is signed with the at least one authorization key and, in response, associates the first policy action entry with the first signature in the at least one signatures database. The BIOS then determines, during a boot process and subsequent to the associating the first policy action entry with the first signature, that a first secure boot violation has occurred based on the first signature in the at least one signatures database. In response to determining that the first secure boot violation has occurred, the BIOS performs a first policy action defined by the first policy action entry.
    Type: Grant
    Filed: January 30, 2018
    Date of Patent: August 10, 2021
    Assignee: Dell Products L.P.
    Inventors: Ricardo L. Martinez, David Konetski, Joseph Kozlowski, Carlton Andrews
  • Patent number: 11089008
    Abstract: Disclosed is a client system for facilitating authentication of a user characterized by validating a password, at the client machine, transmitted by a server. In order to authenticate the user, initially, the client machine transmits a User Identification (ID) to the server. Upon receipt of the User ID, the server receives the User ID from the client machine and accordingly transmits a password to the client machine. In one aspect, the password may be transmitted by identifying the password, pertaining to the User ID, from a server password database and altering the password, to be transmitted, based on the metadata by using a Random Character Generator (RCG) algorithm. Subsequently, the client machine receives the password pertaining to the User ID from the server. Post receipt of the password, the client machine compares the password with a complementary password stored in a client password database present on a client machine.
    Type: Grant
    Filed: November 20, 2018
    Date of Patent: August 10, 2021
    Assignee: HCL Technologies Italy S.p.A.
    Inventors: Longobardi Giuseppe, Barillari Fabio
  • Patent number: 11070373
    Abstract: Methods, systems, and media for improving computer security and performance of security are disclosed. In one example, a computer security system comprises a key management monitor, and two key elements comprising a first key element and a second key element. The first key element is stored at a first location address within a computer memory and the second key element is stored at a second location address. The key management monitor is configured to determine or receive a time duration for performing a data dump of contents of the computer memory. In one example, the key management monitor is further configured to control a location of the first key element within the computer memory, wherein the location address of the first key element is changed within a time period that is less than the time duration for performing the data dump of contents of the computer memory.
    Type: Grant
    Filed: February 21, 2018
    Date of Patent: July 20, 2021
    Assignee: eBay Inc.
    Inventors: Michael J. T. Chan, Derek Chamorro, Venkata Siva Vijayendra Bhamidipati, Glenn G. Lebumfacil, Ralph Scott Forsythe
  • Patent number: 11063913
    Abstract: Disclosed are systems and methods for routing during statistics collection. A method is described of exchanging data in a client/server architecture across a node with an anonymization module situated in a regional network different from the network in which the server is located and not being in the same intranet as the server or the client when making the request.
    Type: Grant
    Filed: August 13, 2018
    Date of Patent: July 13, 2021
    Assignee: AO Kaspersky Lab
    Inventors: Andrey A. Efremov, Dmitry V. Shmoylov
  • Patent number: 11050777
    Abstract: A technology solution for remediating a cyberattack risk for a web application, including receiving device engagement data for the web application, receiving a security scanning analysis from a static application security testing (SAST) tool that includes a security flaw found in the web application and a severity level for the security flaw, and a plurality of other security flaws found in one or more other web applications and severity levels associated with each of the plurality of other security flaws.
    Type: Grant
    Filed: November 20, 2018
    Date of Patent: June 29, 2021
    Assignee: Saudi Arabian Oil Company
    Inventor: Sultan Saadaldean Alsharif