Abstract: A control panel may prevent access to one or more aspects of the control panel based at least in part on one or more security parameters. The security parameters may include a default locked status and a takeover locked status. The default locked status may prevent a user or other personnel from accessing the software, code, or other intellectual property on the control panel while still allowing the user to interface with the security and/or automation system. The takeover locked status may prevent any access or use of the control panel. To protect the automation system and the automation system provider, it may be desired to use a unique identifier to unlock at least one or more aspects of the control panel. The unique identifier may be loaded onto an external storage device which the control panel may automatically recognize.

Abstract: Techniques are disclosed for accessing computing resources using secure single sign on authentication with a single use access token, including website-to-desktop application delivery and secure transfer of context information from the website to the desktop application once valid security credentials are provided from the same end-user computing device. A user signs onto a web application once using the security credentials. A web-based single use token generator generates a single use access token based on the user-supplied security credentials. A web-based context embedder service dynamically generates a context carrier and transfer application including the single use access token. The context carrier and transfer application is provided to an end-user computing device, which, when executed locally, installs a desktop application onto the end-user computing device. The desktop application utilizes the single use access token to access a secure, cloud-based computing resource.

Abstract: Disclosed are systems and method for detecting a malicious computer system. An exemplary method comprises: collecting, via a processor, characteristics of a computer system; determining relations between collected characteristics of the computer system; determining a time dependacy of at least one state of the computer system based on determined relations; determining the at least one state of the computer system based at least on determined time dependacy; and analyzing the at least one state of the computer system in connection with selected patterns representing a legal or malicious computer system to determine a degree of harmfulness of the computer system.

Abstract: A computer-implemented method records and maintains a record of browser events in a blockchain using a peer-to-peer network. One or more processors detect one or more browser events for a browser on a computer. One or more processors then transmit transactions that are associated with the one or more browser events from the computer to a peer-to-peer network of devices that create a blockchain, which includes one or more blocks that describe the one or more browser events, such that the blockchain records and maintains a record of browser events that occur at the computer.

Abstract: A content item service enables users to upload media for content items to be given to others. The content item service performs operations on uploaded media content, such as transcoding. A transformed instance of content is encrypted using a cryptographic key, and an identifier for the encrypted transformed instance of content is generated. The encrypted transformed instance of content and an encrypted version of the cryptographic key are stored in association with the identifier.

Abstract: Described herein are systems and methods utilizing application-specific access to a virtual private network (“VPN”). A method may comprise receiving, from an application executing on a device, a request for a network data flow to a private network, comparing identification information associated with the application against a set of rules stored on a memory of the device, wherein the set of rules identifies conditions for the application to be authorized to access the private network, and establishing a connection for the network data flow upon the identification information satisfying the conditions for the application to access the private network.

Abstract: An application is instrumented with a document protection service provider interface (SPI). The interface is used to call an external function, e.g., an encryption utility, to facilitate secure document exchange between a sending entity and a receiving entity. When the application invokes the SPI, the user is provided with a display panel. The end user provides a password for encryption key generation, together with an indication of desired encryption strength. The service provider uses the password to generate an encryption key. In one embodiment, the service provider provides the key to the service provider interface, which then uses the key to encrypt the document and to complete the file transfer operation. In the alternative, the service provider itself performs encryption. The SPI generates and sends a message to the receiving entity that includes the key or a link to enable the receiving entity to retrieve the key.

Abstract: Systems and methods for authenticating a user to access a public terminal are described. Disclosed embodiments may include reading, using the physical credential reader, a user identifier from the physical credential device. Disclosed embodiments may also include transmitting the public terminal identifier and the user identifier to a secure server. Further, disclosed embodiments may include receiving, after completing the transmission, a unique code from the secure server. Disclose embodiments may additionally include displaying the unique code on the display device. Disclosed embodiments may include receiving, after displaying the unique code, an authentication message from the secure server. Disclosed embodiments may further include, responsive to receiving the authentication message, authorizing the user to use a terminal command at the public terminal.

Abstract: Methods, systems, apparatus, and non-transitory computer readable media are described for identifying users who are likely to have unauthorized access to secure data files in an organizational network. Various aspects may include presenting the identified users on a display for a system administrator and/or security analyst to resolve. For example, the display may include a graph data structure with users represented as nodes and connections between users represented as edges. Each connection may be a pair of users belonging to the same security group. Nodes of the graph data structure may be clustered to indicate that each of the users in the cluster belong to the same security group. Moreover, the users who are connected to multiple clusters may be identified as a potential risk of having unauthorized access to secure data files. The authorized access may then be remedied or taken away.

Abstract: Disclosed are a method, a mobile terminal, a device, as well as a readable storage medium for preventing accessed data from being tampered with. The mobile terminal can: receive a data server access instruction triggered by a user for an application on the mobile terminal, and acquire from the data server a corresponding configuration file of the application and a version control file carrying verification ciphertext; encrypt the acquired configuration file according to a preset encryption method to obtain a corresponding first encrypted value of the configuration file; extract the verification ciphertext from the acquired version control file and decrypt the verification ciphertext to obtain a corresponding plaintext encrypted value; and analyze the consistency between the first encrypted value and the plaintext encrypted value and finally allow the application to access the corresponding accessed data when determining the first encrypted value and the plaintext encrypted value are consistent.

Abstract: Mechanisms are provided to detect a potentially fraudulent voice conversation. The mechanisms process a corpus of electronic information to extract a fraud feature representative of at least one fraudulent activity, receive a first voice input from a user, and convert the first voice input into a textual representation of the first voice input and a set of behavioral speech characteristics associated with the user. The mechanisms generate a speech model for the user based on the textual representation and the behavioral speech characteristics, receive a second voice input from an entity requesting access to resources associated with the user, and evaluate the second voice input based on the speech model for the user and the fraud feature. The mechanisms generate an output indicating whether or not the entity is the user based on results of the evaluation.

Abstract: Ad-blocking method, system, and computer program (the system) of the present invention uses rule-based filtering of Internet traffic through a set of interacting modules functioning at the system and user level to allow to exclude graphic, video, audio or text advertising content from the user-requested web content by filtering Internet traffic at the request stage and a response using the rules data base. The system provides the end user with the requested web content in the form of Internet pages in browsers or other representations in other applications (including instant messengers, platforms for streaming, etc.) excluding graphic, video, audio or text advertising content by filtering Internet traffic using the rules data base.

Abstract: Some embodiments of the invention may enhance security, usability, and/or efficiency for entities by identifying destination servers on behalf of the entity. In an embodiment, the destination identification may be based on secure authentication of the destination server. The entity may be a business communication agent, or a business user, or an end user. An embodiment of the invention may enhance security by preventing sensitive data from being released to unintended destination(s) and/or ensuring sensitive data is released to intended destination(s). An embodiment of the invention may improve usability by removing the need for the entity to identify the server. An embodiment of the invention may improve usability by removing the need for an entity to remember and/or specifying sensitive data. An embodiment of the invention may improve efficiency by automating the tasks of identifying the destination servers and determining whether the destination server is allowed receipt of the sensitive data.

Abstract: A login request initiated by a user at a current page is received. Whether there exists an account record matched with a login account name and login password combination in the login request is searched from an account table of the current page. If a result is positive, the user is allowed to log in. If a result is not positive, a preconfigured account name collection corresponding to the login account name is acquired. The account name collection includes login account names of the user's registered accounts in a plurality of member systems. A login account name in a member system to which the current page belongs is searched from the account name collection, and the found login account name is provided to the user. The techniques of the present disclosure prompts a correct login account name to the user, especially when there are many user login account names, thereby reducing memory burden of the user and assisting the user in implementing a quick login under multi-account management.

Abstract: A system and method for providing secondary-factor authentication with a third party application that can include enrolling a device application instance of an account into a secondary-factor authentication service on behalf of a service provider that includes at the secondary-factor authentication service, receiving a secondary factor of authentication enrollment request of an account, the request received from the service provider, transmitting an activation code, and pairing the device application instance with the account through the activation code; receiving an authentication request identifying the account; transmitting an authentication request to the device application instance paired with the account; validating a response to the application request; and transmitting an assessment to the service provider.

Abstract: The disclosed embodiments provide a method and apparatus for protecting a critical computer system from malware intrusions. An isolator containing access approval features is disclosed. The isolator requires the approval of a Supervisor which can be a person with authority or an intelligent computer before a user can have access to the critical computer system. The isolator contains features used to facilitate cascaded encryption and decryption of messages which further enhances the security of the critical computer system. The isolator can greatly improve security of infrastructure such as industrial control systems, servers and workstations. The disclosed embodiments also provide a set of software and hardware features used to provide detection, prevention and recovery from a Cyber-attack in an Internet of Things installation.

Abstract: Data may be protected using a combination of symmetric and asymmetric cryptography. A symmetric key may be generated and the data may be encrypted with the symmetric key. The symmetric key and a only a portion of the symmetrically encrypted data may then be encrypted with an asymmetric public key. The entire set of encrypted data, including the asymmetrically encrypted symmetric key, the doubly encrypted portion of data, and the remainder of the symmetrically encrypted data may then be sent to a remote device using insecure communications.

Abstract: A method is disclosed in which a system compares a first set of reports characterizing network traffic flows originating from an endpoint device with a second set of reports characterizing network traffic flows originating from the endpoint device and stored at an external network device to determine whether the first set and second set of reports characterizing network traffic flows originating from an endpoint device are different. In response to determining that the first and second reports characterizing network traffic flows are different, the system identifies the network traffic flows originating from the endpoint device and reported by an external network device, but not reported by the endpoint device, as possibly indicative of malware and forwards the network traffic flows originating from the endpoint device to an analyzer for further processing.

Abstract: A controller for user authentication and access control, configured to: store data representing a graph having: nodes representing data elements associated with accesses made using an access token; and links among the nodes representing connections between the data elements identified in details of the accesses. In response to receiving details of an access made using the access token, the controller updates the graph according to the details and identifies changes in the graph resulting from update. For each of the changes, the controller identifies a set of elements in the graph that are up to a predetermined number of degrees of separate from the change and evaluates the trustworthiness of user identities corresponding to the set of elements identified for the change. Based on the trustworthiness, the controller authenticates the user of the access and/or controls the access.

Abstract: Systems, methods, and apparatuses are described wherein a block chain or block chain network can be created and the mining of new blocks can be limited to certain actors holding a specific set of private keys and verified by the corresponding public keys accessible to consumers interested in validating the block chain. These keys are stored in software or on specific hardware devices designed to not reveal the private key. Only blocks mined using those keys are acceptable on the block chain. The signing of the blocks in the particular block chain is integrated in such a fashion as to be integral to the proof of work for the block chain.