Abstract: To easily identify an invalid device certificate by means of a validity check when signing keys that are used to create device certificates are compromised, a piece of status information is provided for device certificates that comprises positive evidence of the existence and validity of the device certificate, and alternatively or additionally to apply a special validity model for device certificates, wherein the time of issue of the device certificate is documented by means of a signed electronic timestamp, and wherein a different signing key is used for signing the timestamp than for signing the device certificate. Additionally, all information that is required for the validity check of a device certificate is stored in a memory of the device or in a memory associated with the device, so that an identity check on the device can be performed at any time without fetching additional data.

Abstract: A computer-implemented method includes receiving an authentication request from an external device for authenticating an application on the external device, and receiving a plurality of information items in connection with the authentication request from a plurality of different externally residing information sources. The authentication request is then evaluated, which includes evaluating each of the plurality of information items, to determine an authentication status of the application. Based on the authentication status, the device is then selectively permitted access to private information through the application. A computer system and/or machine-readable media may be provided to perform some or all steps of the method.

Abstract: A system for managing custom code within a data computing platform determines that a request for one or more uniform resource identifiers external to the platform is being made by custom code executing in the platform. In response to the determination, the system checks a whitelist of allowable external URIs against the requested one or more URIs and allows access to the requested one or more URIs if a match is detected with the whitelist, otherwise access by the custom code to the requested one or more URIs is denied. In addition, or alternatively, the system checks a blacklist of disallowed external URIs against the requested one or more URIs and denies access to the requested one or more URIs if a match is detected with the blacklist, otherwise access by the custom code to the requested one or more URIs is allowed. The blacklist can override the whitelist.

Abstract: Systems and methods directed to a third-party gateway that controls egress traffic from Internet Data Centers (IDC) and/or Virtual Private Clouds (VPC) are described. When egress traffic reaches the third-party gateway, a forward proxy may obtain a service identified or otherwise associated with the source IP address and port. Once, the service is identified, the third-party gateway may obtain a configuration rule specified by a rule manager to determine if the service is allowed to access the destination host(s). If the destination host is approved for the service, the forward proxy may send the traffic to the internet. If the destination host is not approved for the service, the forward proxy may block or otherwise drop the respective communication. In some examples, one or more auditors or auditing agencies may access essential information from the third-party gateway to view egress traffic logs and verify egress traffic approved destinations.

Abstract: Systems and methods include obtaining data from a log system storing historical transactions monitored by a security system; creating one or more mock transactions based on the data; and analyzing the one or more mock transactions with a signature pattern matching engine having updates provided therein subsequent to a time of the historical transactions. The one or more mock transactions can have a header based on the data from corresponding historical transactions. The systems and methods can include performing a content scan in the one or more mock transactions based on the signature pattern matching engine having the updates, or determining malicious activity in the one or more mock transactions based on the signature pattern matching engine having the updates to determine missed matches in the corresponding historical transactions.

Abstract: Systems and methods of securing interface to a blockchain based network, including generating, by a server, a proxy communication layer for communication between the server and a computerized device, wherein the proxy communication layer replaces an IP address of the computerized device with another IP address, intercepting, by the server, data communicated through the proxy communication layer, and blocking, by the server, unauthorized communication data intercepted by the server, wherein communication requests associated with unauthorized IP addresses are blocked, where the server is in communication with the blockchain based network, and wherein the server provides a web interface to decentralized applications of the blockchain based network.

Abstract: Devices, systems and methods for authenticating a user to access electronic content include use of a processor configured to identify a technical condition for the content, access distributor logic providing a first release of the technical condition, receive a request from a subscriber to transfer the first release to an identified user, determine whether to approve or deny the request, and when approved, provide a device associated with the identified user with an authentication that permits the identified user to activate the first release and access the electronic content, and a database that stores the technical condition.

Abstract: Embodiments of the present specification disclose data processing methods, apparatuses, devices, and media. One method includes the following: receiving a data use request; determining data to be used based on the data use request; determining one or more approvers of the data to be used; sending an approval instruction to the one or more approvers, wherein the approval instruction instructs the one or more approvers to approve the data use request; receiving feedback data from the one or more approvers; and determining that the data use request is approved if the feedback data satisfies a predetermined condition.

Abstract: A tamper resistant device can be used for an integrated circuit card. The device includes memory storing a first security domain that includes a telecommunication profile and a second security domain that includes an application profile. A first physical interface is configured to be coupled to a baseband processor configured to operate with a mobile telecommunications network. A second physical interface configured to be coupled to an application processor. The first physical interface configured to allow the baseband processor to access the telecommunication profile and the second physical interface is configured to allow the application processor to access the application profile. The tamper resistant device is configured to enable accessibility to the application profile if corresponding commands are received at the first interface and to enable accessibility to the telecommunication profile if corresponding commands are received at the second interface.

Abstract: Disclosed herein are methods, systems, and processes for monitoring scan attempts in a network. A virtual security appliance with multiple ports is deployed in a network. One or more ports are obfuscated via the virtual security appliance to make the various ports appear to be closed. An address of the virtual security appliance within the network is modified, the several ports are adjusted to assume a predetermined profile, a network neighbor's profile is discovered and emulated, and a received connection attempt intended for the virtual security appliance is monitored.

Abstract: Various embodiments described herein relate to a call management system that aims to provide a more efficient, secure, and dynamic technique for authenticating a user based on a location of the user. A server of the call management system receives a phone call from a user device. The server transfers the phone call to an analyst device. When the analyst device accepts the phone call, the server starts an electronic communication session between the user device and the analyst device. The server then determines a current location of the user. The server further determines a question for authentication of the user based on the current location. The server transmits the question to the analyst device. The analyst device transmits the question to the user device via the server. In response to an answer received from the user device, the server authenticates the user.

Abstract: Systems and methods include intercepting traffic on a mobile device based on a set of rules; determining whether a connection associated with the traffic is allowed based on a local map associated with an application; responsive to the connection being allowed or blocked based on the local map, one of forwarding the traffic associated with the connection when allowed and generating a block of the connection at the mobile device when blocked; and, responsive to the connection not having an entry in the local map, forwarding a request for the connection to a cloud-based system for processing therein. The cloud-based system is configured to allow or block the connection based on the connection not having an entry in the local map.

Abstract: A transceiver for sending and receiving data from a controller area network (CAN) bus is disclosed. The transceiver includes a microcontroller port, a transmitter and a receiver. The transceiver is configured to receive a data frame from a microcontroller via the microcontroller port and to determine if the microcontroller is authorized to send the data frame or part of it based on a message identifier in the data frame and the outcome of the arbitration process. If the microcontroller is unauthorized to send the data, the transceiver is configured to invalidate the data frame and disconnect the microcontroller from the CAN bus for a predetermined period.

Abstract: A system includes a plurality of secure gateways that each use a plurality of datasets to determine how to process messages between devices on a network and websites on the internet. A version control server in the system automatically sends a dataset to each secure gateway in the plurality of secure gateways.

Abstract: The disclosed technology is generally directed to device security in an IoT environment. For example, such technology is usable in IoT security. In one example of the technology, a set of security rules that is associated with an expected condition of at least one IoT device is stored. IoT data associated with the at least one IoT device is received. The IoT data may be aggregated data that includes at least two different types of data. A determination is made, based on the IoT data, as to whether the set of security rules has been violated. An alert is selectively sent based on the determination.

Abstract: This disclosure relates to systems, methods, and apparatuses for determining access models for applications. The access models can be determined using various techniques described herein. The access models can enable the applications to be onboarded into the enterprise system and, in some cases, can be utilized by an identity and access management (IdAM) system and/or identity and governance administration (IGA) system to facilitate ongoing identity management and access control functions for the applications in the enterprise system.

Abstract: Techniques for signer-initiated electronic document signing via an electronic signature service using a mobile or other client device are described. Example embodiments provide an electronic signature service (“ESS”) configured to facilitate the creation, storage, and management of documents and corresponding electronic signatures. In some embodiments, when a signer user receives a hard copy (e.g., paper) signature document, the signer may capture an image of the signature document with a camera of a mobile device. The signer can then import the captured image into the ESS for signature, storage, and/or transmission to other parties.

Abstract: An authentication server is connected to a client device via a network and includes: an uninterruptible power supply (UPS) that supplies power to the authentication server upon interruption of a main power supply; a storage that stores a database including: a piece of user information of a user of the client device; and a piece of authentication information for the user to log into the client device or a predetermined server on the network via the client device; and a processor that, once the UPS starts to supply the power to the authentication server, transmits to the client device the piece of authentication information corresponding to the piece of user information before the authentication server is shut down.

Abstract: A computer-implemented method of instantiating a machine learning model with a host processing system is provided. The host processing system includes a trusted execution environment (TEE) and an untrusted processing system (UPS). The method includes: preparing, with the host processing system, a compiler encoding an architecture of the machine learning model; receiving, from a client processing system, source data; and producing, with the compiler, software based on the received source data and model parameters stored on the host processing system. The software includes an untrusted software component for performance on the UPS and a trusted software component for performance on the TEE. The untrusted software component and the trusted software component are configured to, when performed in concert, instantiate the machine learning model.

Abstract: The disclosed technology is generally directed to device security in an IoT environment. For example, such technology is usable in IoT security. In one example of the technology, a set of security rules that is associated with an expected condition of at least one IoT device is stored. IoT data associated with the at least one IoT device is received. The IoT data may be aggregated data that includes at least two different types of data. A determination is made, based on the IoT data, as to whether the set of security rules has been violated. An alert is selectively sent based on the determination.