Patents Examined by Henry Tsang
-
Patent number: 11811928
Abstract: Systems and methods for securely accessing a legacy system are disclosed herein. In an embodiment, a method for securely accessing a legacy system via an enterprise system includes requesting issuance of a security token by an STS server of a security token service, causing, by an enterprise server of an enterprise system, association of a first user account with the security token upon reception of the security token, communicating the security token to an access server of a legacy access provider for authentication of the security token, enabling creation of a second user account after the legacy access provider authenticates the security token, accessing a legacy server of a legacy system via the first user account and the second user account, and causing at least the second user account to be deleted after a single use of the legacy system.
Type: Grant
Filed: September 2, 2020
Date of Patent: November 7, 2023
Assignee: FULCRUM GLOBAL TECHNOLOGIES INC.
Inventors: Ahmed Farouk Shaaban, Venkat Thandra
-
Patent number: 11811935
Abstract: A method performed by a CMS and an edge node of a CDN is provided, including: sharing a server secret between the CMS and the edge node; using, by the CMS, the server secret to generate a signing key, the signing key being transmitted to a client system, wherein the client system receives a request for a content item from a user device, and wherein the client system uses the signing key to generate a signed URL for the content item, the user device being redirected to the signed URL; responsive to receiving the signed URL from the user device, then validating the signed URL by the edge node, wherein validating the signed URL uses the server secret to rederive the signing key based on the signed URL; responsive to successful validation of the signed URL, then providing the content item from the edge node to the user device.
Type: Grant
Filed: March 15, 2022
Date of Patent: November 7, 2023
Assignee: Contentful GmbH
Inventors: Tony Wooster, Paolo Negri
-
Patent number: 11797670
Abstract: A determination method includes determining an attack type of an attack code included in an attack request on a server, carrying out emulation of an attack by the attack code on the server in accordance with the determined attack type, extracting a feature related to a backdoor operation appearing in an attack code on the server in a case of succeeding in an attack on the server as a result of the emulation, and determining that an attack by the attack code has succeeded in a case where a communication log of the server has the extracted feature, by a processor.
Type: Grant
Filed: April 15, 2019
Date of Patent: October 24, 2023
Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
Inventors: Yo Kanemoto, Kazufumi Aoki
-
Patent number: 11799913
Abstract: An example method comprises receiving, by a secure content system, an email from a sender to a recipient, scanning the contents of the email, evaluating the contents of the email based on a plurality of security rules, storing the sensitive data within a secure storage, generating a replacement email including a security link and not including at least the sensitive data, the security link providing a requester access to the sensitive data providing that a security function is satisfied, sending the replacement email including the security link to the recipient, receiving a request to access the sensitive data, the request being related to the security function challenging the requester using the security function, receiving, from the requester, a response to the security function, determining if the security function is satisfied by the response, and if the security function is satisfied, providing access to the sensitive data to the requester.
Type: Grant
Filed: July 16, 2021
Date of Patent: October 24, 2023
Assignee: Material Security Inc.
Inventors: Ryan M. Noon, Abhishek Agrawal, Christopher J. Park
-
Patent number: 11792647
Abstract: A method and system for verifying that a user is the owner of a digital listing that is associated with a WiFi Access Point. The user claims ownership of the WiFi Access Point that is associated with a digital listing of an entity/item/place/business so that the online service provider can verify and register the user as owner of the WiFi Access Point. Once verified, the user owns the WiFi Access Point and its related digital listing and configures the listing. The system includes an item information system receiving the WiFi Access Point data and associated item data, and storing the WiFi Access Point data and the item data, an owner registration and transfer system receiving owner registration data and ownership change requests and storing the ownership history, and an authentication system receiving authentication requests and generating a response based upon the information stored in the system or a connected system.
Type: Grant
Filed: May 12, 2021
Date of Patent: October 17, 2023
Inventor: Guowang Miao
-
Patent number: 11768936
Abstract: Techniques are provided for anomaly-based ransomware detection of encrypted files. One exemplary method comprises obtaining metadata for an encrypted file; applying an anomaly detection technique to the metadata to compare at least one attribute in the metadata to one or more corresponding historical baseline values for the at least one attribute; and determining whether the encrypted file comprises a ransomware encryption based on the comparison. In some embodiments, one or more of file extension attributes, file size attributes and file name attributes in the metadata are compared to the one or more corresponding historical baseline values to identify a ransomware attack.
Type: Grant
Filed: July 31, 2018
Date of Patent: September 26, 2023
Assignee: EMC IP Holding Company LLC
Inventors: Or Herman Saffar, Amihai Savir
-
Patent number: 11750387
Abstract: Presented herein are systems and methods for end-to-end encryption for session-less communications. A first server may receive, from a second server, a request to retrieve keys for a customer device to access a service. The request may include a device identifier and a first token encrypted using a first encryption key. The first server may determine, responsive to validating, that the customer device is to be issued a second token. The first server may identify at least a portion of the first token decrypted using the first encryption key. The first server may generate a set of second encryption keys to be used by the customer device. The first server may package the second token to include (i) at least the portion of the first token and (ii) the set of second encryption keys. The first server may transmit, to the second server, a response including the second token.
Type: Grant
Filed: November 3, 2022
Date of Patent: September 5, 2023
Assignee: CITICORP CREDIT SERVICES, INC. (USA)
Inventors: Gayathri Sundar, Mayank Shah
-
Patent number: 11736451
Abstract: A computer-implemented method of transmitting messages within a mesh network comprises: receiving at a first node included within the mesh network a network message that is to be broadcast within the mesh network; determining a security key type based on at least one of a resource parameter associated with at least one neighbor node included in the mesh network or an attribute of the network message; securing the network message with a security key of the security key type to generate a secured network message; and broadcasting the secured network message to one or more other nodes included in the mesh network that are directly connected to the first node.
Type: Grant
Filed: December 17, 2020
Date of Patent: August 22, 2023
Assignee: ITRON, INC.
Inventors: Kalvinder Pal Singh, Darin Byron Johnson, Zoltan Peter Kiss
-
Patent number: 11728982
Abstract: A request for password generation is received from a host system. In response to receiving the request, a password derivation key is generated based on a key derivation seed. A password is derived from the password derivation key, and a wrapping key is derived from the password. The wrapping key is used to wrap an authorization state indication, which is stored in local memory. Encrypted data is generated based on an encryption of the key derivation seed using an asymmetric encryption key. The encrypted data is provided in response to the request.
Type: Grant
Filed: March 2, 2022
Date of Patent: August 15, 2023
Assignee: Micron Technology, Inc.
Inventors: James Ruane, Robert W. Strong
-
Patent number: 11695747
Abstract: Disclosed are various approaches for extending a single sign-on (SSO) session to multiple devices. If a device is enrolled as a managed device with a management service, a SSO session can be extended to the device if the user has previously authenticated with an identity provider from another device. The user is authenticated on the second device using a user-and-device token issued by the management service with which the device is enrolled as a managed device.
Type: Grant
Filed: October 25, 2021
Date of Patent: July 4, 2023
Assignee: VMware, INC.
Inventors: Jitender Singh Chauhan, Pinaki Sankar Kabiraj, Sameer Madhu Nadagouda, Mayank Joshi
-
Patent number: 11683299
Abstract: The present embodiments relate to providing near real-time communications from a public network to a private network. A first computing device in a public network can obtain data packets to be provided to the private network from an application executing on the first computing device. A trust module executed by the first computing device can authenticate the user, application, and the data packets to be provided to the private network and add metadata relating to the sending user, recipient user, etc. The data packets can be forwarded to the private network via a cross-domain system (CDS). The metadata and the digital signature on the data packets can be verified by a trust module executing on a second computing device in the private network. The second computing device can receive the data packets and store the data packets for subsequent actions to be performed in the private network.
Type: Grant
Filed: March 8, 2021
Date of Patent: June 20, 2023
Assignee: ORACLE INTERNATIONAL CORPORATION
Inventors: Thomas Werner Kuehnel, Joseph Neil Garfinkel
-
Patent number: 11677728
Abstract: One or more aspects described herein provide methods and systems for authoritatively confirming that a recipient is an intended recipient to receive personal data, and to securely transmit the personal data to the intended recipient, when both the sender and receiver are operating in a trustless ecosystem such as that used with blockchain technology. A computing device may receive an indication of a blockchain address used, by a sender computing device and via a blockchain, to send one or more virtual assets. The computing device may store an association between the blockchain address and the recipient. The computing device may send, to the sender computing device and in response to a query comprising the blockchain address, an indication of the recipient. The indication may be configured to cause the sender computing device to send, to the recipient, personal data associated with an owner of the one or more virtual assets.
Type: Grant
Filed: August 31, 2021
Date of Patent: June 13, 2023
Assignee: Coinbase, Inc.
Inventors: Abhilash Jayakumar, Harrison Dahme, Nishil Shah, Morgan Roman, Zachary Blacher
-
Patent number: 11677739
Abstract: The disclosed technology is generally directed to web authentication. In one example of the technology, authentication of a broker with an identity provider is initiated. The broker is a first application that is executing in a top-level frame. At the broker, from a second application that is executing on a first descendent frame that is a descendant frame of the top-level frame, a token request is received. Via the broker, a first token is requested from the identity provider on behalf of the second application. The first token is associated with an authorization of secure delegated remote access of at least one resource by the second application. At the broker, from the identity provider, the first token is received. Via the broker, the first token is provided to the second application.
Type: Grant
Filed: June 25, 2021
Date of Patent: June 13, 2023
Assignee: Microsoft Technology Licensing, LLC
Inventors: Hirsch Patrick Singhal, Pavel Michailov, Jason Donchey Nutter, Adrian Frei, William Alden Bartlett, Thomas Lyle Norling, Shiung-Vei Yong, Prithviraj Sanjeev Kanherkar
-
Patent number: 11671248
Abstract: A computer system and a method are provided for storage and distribution of encryption keys in sequence. Encryption keys, such as public keys, are provided key pointers as properties, the key pointer indicating another key, to thereby form a sequence. A current key is designated, and the sequence is advanced to a successor key indicated by the key pointer of the current key upon a predetermined succession event. The current key is transmitted upon receipt of a key request. In various embodiments, succession events can include occurrence of an expiration date, or the addition of a new key to the sequence.
Type: Grant
Filed: November 16, 2020
Date of Patent: June 6, 2023
Assignee: Wildfi Pty Ltd
Inventor: Mark Rodney Anson
-
Patent number: 11665006
Abstract: In embodiments, an authentication server interfaces between a user device with a self-signed certificate and a verifying computer that accepts a user name and password. The user device generates a self-signed certificate signed by a private key on the user device. The self-signed certificate is transmitted to a verifying party computer over a network. The verifying party stores the self-signed certificate with user identification data, including at least one of a user name, user address, user email, user phone number, user tax ID, user social security number and user financial account number. In subsequent communications, the verifying party receives a certificate chain including the self-signed certificate, and matches that with the user identification data stored in a database.
Type: Grant
Filed: February 26, 2021
Date of Patent: May 30, 2023
Assignee: Beyond Identity Inc.
Inventors: Nelson Melo, Michael Clark, James Clark
-
Patent number: 11657152
Abstract: A security engine may use event-stream processing and behavioral techniques to detect ransomware. The engine may detect process behavior associated with encrypting a file, encrypting a storage device, or disabling a backup file, and may assign a ransomware category to the process based thereon. The engine may initiate protection actions to protect system resources from the process, which may continue to execute. The engine may monitor the process for specific behavior corresponding to its ransomware category. Based on the extent to which such specific behavior is detected, the engine may determine that the process is not ransomware, assign a ransomware subcategory to the process, or adjust the process's threat score. Monitoring of the process may continue, and the threat score may be updated based on the process's behavior. If the threat score exceeds a threshold corresponding to the ransomware category (or subcategory), a corresponding policy action may be initiated.
Type: Grant
Filed: April 16, 2021
Date of Patent: May 23, 2023
Assignee: VMWare, Inc.
Inventors: Jeffrey Albin Kraemer, Adam Karol Malinowski
-
Patent number: 11659393
Abstract: Embodiments of the present invention disclose a method, an apparatus, and a system for establishing a security context and relates to the communications field, so as to comprehensively protect UE data. The method includes: acquiring an encryption algorithm of an access node; acquiring a root key and deriving, according to the root key and the encryption algorithm, an encryption key of the access node; sending the encryption key and the encryption algorithm to the access node, so that the access node starts downlink encryption and uplink decryption; sending the encryption algorithm of the access node to the UE so as to negotiate the encryption algorithm with the UE; and instructing the access node to start downlink encryption and uplink decryption and instructing, during algorithm negotiation, the UE to start downlink decryption and uplink encryption.
Type: Grant
Filed: September 24, 2020
Date of Patent: May 23, 2023
Assignee: Huawei Technologies Co., Ltd.
Inventors: Dongmei Zhang, Jing Chen
-
Patent number: 11658812
Abstract: A distributed key management system (KMS) includes a central KMS server and multiple intermediate KMS servers. The central KMS server replicates managed keys to the intermediate KMS servers. An intermediate KMS server receives a KMS service request from a KMS client, where any of the intermediate KMS servers are capable of servicing the request. The intermediate KMS server performs the action requested if it has access to the necessary managed key and returns the response to the KMS client. If it does not have access to the necessary managed key, the intermediate KMS server transmits a request for the managed key to the central KMS server. The intermediate KMS server receives the managed key, performs the action requested, and returns the response to the KMS client.
Type: Grant
Filed: September 29, 2022
Date of Patent: May 23, 2023
Assignee: CLOUDFLARE, INC.
Inventors: Derek Chamorro, Michael Pak, Ignat Korchagin, Chase Robinson
-
Patent number: 11647009
Abstract: Embodiments of the present invention provide an index establishment method and device. The method can include receiving an access request sent by the client, the access request including a uniform resource locator (URL) and parameter information; determining a target service type of the access request according to the URL and the parameter information; converting the access request according to the target service type; and sending the converted access request to a server corresponding to the target service type.
Type: Grant
Filed: June 7, 2018
Date of Patent: May 9, 2023
Assignee: Alibaba Group Holding Limited
Inventors: Xin Liu, Zhaowei He, Tingliang Chen
-
Patent number: 11647013
Abstract: A system and method of encrypting data via public key cryptography with certificate verification of target. The method includes receiving an unsigned certificate signing request (CSR) for a second digital certificate associated with a second application executing on a second client device. The method includes signing, by a processing device of a secret sharing management (SSM) system, the unsigned CSR using a second private key associated with the second client device to generate a signed CSR, the second private key is inaccessible to the second client device. The method includes generating a second digital certificate associated with the second application based on the signed CSR and a different private key associated with the SSM system. The method includes causing the second digital certificate associated with the second application to be stored in a shared data storage available to a first client device.
Type: Grant
Filed: October 28, 2022
Date of Patent: May 9, 2023
Assignee: Snowflake Inc.
Inventors: Alexander Hess, Joshua Vittum Makinen