Patents Examined by James Turchen
  • Patent number: 9779236
    Abstract: One or more techniques and/or systems are provided for risk assessment. Historical authentication data and/or compromised user account data may be evaluated to identify a set of authentication context properties associated with user authentication sessions and/or a set of malicious account context properties associated with compromised user accounts (e.g., properties indicative of whether a user recently visited a malicious site, created a fake social network profile, logged in from unknown locations, etc.). The set of authentication context properties and/or the set of malicious account context properties may be annotated to create an annotated context property training set that may be used to train a risk assessment machine learning model to generate a risk assessment model. The risk assessment model may be used to evaluate user context properties of a user account event to generate a risk analysis metric indicative of a likelihood the user account event is malicious or safe.
    Type: Grant
    Filed: June 21, 2016
    Date of Patent: October 3, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Luke Abrams, David J. Steeves, Robert Alexander Sim, Pui-Yin Winfred Wong, Harry Simon Katz, Aaron Small, Dana Scott Kaufman, Adrian Kreuziger, Mark A. Nikiel, Laurentiu Bogdan Cristofor, Alexa Lynn Keizur, Collin Tibbetts, Charles Hayden
  • Patent number: 9774611
    Abstract: Functionality is disclosed herein for dynamically deploying an upstream network traffic filter in a network. The upstream network filter is dynamically deployed in a location that is closer to an entry point of an attack such that attack traffic reaches the upstream network filter before reaching a network traffic filter that is configured to perform network traffic filtering for a computing resource that is under attack. The upstream network traffic filter includes rules that are based on at least a portion of the rules that are applied by the network traffic filter.
    Type: Grant
    Filed: March 11, 2014
    Date of Patent: September 26, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: Joseph Paul Zipperer, Andrew Bruce Dickinson, Kirk Arlo Petersen
  • Patent number: 9769172
    Abstract: A method of accessing a network securely using a personal device which can only access the network via one or more authorized access points, the method including establishing a connection between the network and the personal device via an access point; checking in the network whether the access point is on a white list of authorized access points for use with the network; if the access point is on the white list, allowing the personal device to access the network securely via the access point; and if the access point is not on the white list, not allowing the personal device to access the network securely.
    Type: Grant
    Filed: June 30, 2014
    Date of Patent: September 19, 2017
    Assignee: FUJITSU LIMITED
    Inventors: Rajaguru Mudiyanselage Mythri Hunukumbure, David Snelling, Roger Menday
  • Patent number: 9755840
    Abstract: A method for a re-issuance of an attribute-based credential of an issuer of the attribute-based credential for a user may be provided. The user is holding backup values derived from a first credential previously obtained from the issuer, wherein the first credential is built using at least a first value of at least one authentication pair. The method comprises receiving by the issuer from the user a set of values derived from the backup values comprising a second value of the at least one authentication pair, validating by the issuer that the second value is a valid authentication answer with respect to the first value and whether the set of values was derived from a valid first credential, and providing by the issuer a second credential to the user based on the first set of values.
    Type: Grant
    Filed: May 22, 2015
    Date of Patent: September 5, 2017
    Assignee: International Business Machines Corporation
    Inventors: Jan L. Camenisch, Stephan Krenn, Anja Lehmann, Gregory Neven
  • Patent number: 9754088
    Abstract: An information processing system includes an information processing device, and an electronic device to utilize a service provided from the information processing device. A service delivery unit provides the service for the electronic device. An information management unit manages license information of the service, generates use permission information and sends the generated use permission information to the electronic device. An execution management unit manages an execution request of the service specifying the use permission information of the service. An execution unit determines whether to have a use authority of a function of the electronic device utilized by the service based on contents of the license included in the use permission information of the service and executes the service by utilizing the function of the electronic device upon determining that the use authority of the function of the electronic device utilized by the service is present.
    Type: Grant
    Filed: October 21, 2015
    Date of Patent: September 5, 2017
    Assignee: Ricoh Company, Ltd.
    Inventors: Hiroki Ohzaki, Masato Nakajima, Yasuharu Fukuda, Shigeki Kashiyama
  • Patent number: 9749859
    Abstract: An electronic device and method for updating authentication information in the electronic device is provided. The electronic device includes a short-range communication unit configured to provide a short-range communication and a controller configured to update information for authentication information from advertisement service information received from an Access Point (AP) identified through the short-range communication unit, download authentication information using the update information for authentication information, and connect the electronic device to the AP based on the authentication information.
    Type: Grant
    Filed: November 17, 2014
    Date of Patent: August 29, 2017
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Bu-Seop Jung, Ki-Seok Kang, Jun-Ho Lee, Young-Kwan Chung, Ji-Hyun Jung, Yong-Hae Choi, Jong-Mu Choi
  • Patent number: 9742765
    Abstract: Provided is an authentication system in which a client terminal that receives input of request information is connected to a server that executes a process with regard to the request information. The client terminal includes: a first authentication information generation unit that generates first authentication information based on information which is shared with the server; an encryption unit that generates encryption information; and a transmission unit that transmits the request information and encryption information to the server.
    Type: Grant
    Filed: January 7, 2015
    Date of Patent: August 22, 2017
    Assignee: PANASONIC INTELLECTUAL PROPERTY MANAGEMENT CO., LTD.
    Inventors: Saburo Toyonaga, Hiroyuki Tanaka, Masakatsu Matsuo
  • Patent number: 9742795
    Abstract: Systems and methods are described that enable the mitigation of network attacks directed to specific sets of content on a content delivery system. A set of content targeted in the attack may be identified based at least in part on a combination of network addresses to which attack-related packets are transmitted. Thereafter, the content delivery system may mitigate the attack based on the identified target. For example, where both targeted and non-targeted sets of content are associated with the attacked network addresses, traffic directed to these sets of content may be separated, e.g., in order to reduce the impact of the attack on the non-targeted sets of content or increase the computing resources available to the targeted content. Redirection of traffic may occur using either or both of resolution-based redirection or routing-based redirection.
    Type: Grant
    Filed: September 24, 2015
    Date of Patent: August 22, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: Anton Stephen Radlein, Nathan Alan Dye, Craig Wesley Howard, Harvo Reyzell Jones
  • Patent number: 9722980
    Abstract: This disclosure is directed to systems and methods for securely communicating authentication information in a networked environment such as one involving a client device, a cloud based computing platform, and an enterprise computing environment. Some embodiments may include encrypting, by a client device using a public key, authentication information provided by a user. The encrypted authentication information is sent to a cloud based service which then sends it to an on-premises component residing behind a firewall of an enterprise. The on-premises component decrypts the authentication information using a private key, validates the authentication information, and returns the result to the cloud based service over a network. If validated, the cloud based service establishes a secure connection between the client device and the on-premises component such that the user can access the enterprise's content without the enterprise having to share the authentication information with the cloud based service.
    Type: Grant
    Filed: March 15, 2016
    Date of Patent: August 1, 2017
    Assignee: Sailpoint Technologies, Inc.
    Inventors: Craig Robert William Forster, Daniel Thomas Greff, Crandall B. T. Chow, Phillip Goldenburg
  • Patent number: 9712322
    Abstract: Exposure of sensitive information to users is controlled using a first security token containing user identity and user credentials to represent the user who requests services, and a second security token containing two other identities, one identifying the token issuer and the other identifying the owning process. When requesting services, the token-owning process sends a security token to indicate who is making the request, and uses its key to digitally sign the request. The token-owning process signs the request to indicate that it endorses the request.
    Type: Grant
    Filed: October 5, 2016
    Date of Patent: July 18, 2017
    Assignee: International Business Machines Corporation
    Inventors: John Y-C. Chang, Ching-Yun Chao, Bertrand Be-Chung Chiu, Ki H. Park
  • Patent number: 9712542
    Abstract: Permissions can be delegated to enable access to resources associated with one or more different accounts, which might be associated with one or more different entities. Accordingly, approaches for delegating security rights and privileges for services and resources in an electronic and/or multi-tenant environment are provided. In particular, various embodiments provide approaches for dynamically determining and authorizing delegation of permissions to perform actions in, on, or against one or more secured accounts, where those accounts may be associated with a number of different entities and/or resource providers.
    Type: Grant
    Filed: June 27, 2014
    Date of Patent: July 18, 2017
    Assignee: Amazon Technologies, Inc.
    Inventor: Eric Jason Brandwine
  • Patent number: 9699173
    Abstract: The management of credentials subject to a lockout policy can include dynamically determining appropriate lockout thresholds and other such values appropriate for a current situation. For example, the number of incorrect password attempts allowed before an account lockout can be based at least in part upon the amount of time that has passed since a most recent password change. There might be an unlimited number of attempts allowed for a short period after a password change, followed by a decreasing number of permissible attempts over a subsequent period of time. In some embodiments the number of correct attempts received after a password change can affect the number of incorrect attempts allowed. Further, if an incorrect attempt matches a previously correct password then that attempt might not count toward the number of incorrect attempts compared against the threshold, at least for a determined period of time after a password change.
    Type: Grant
    Filed: May 22, 2015
    Date of Patent: July 4, 2017
    Assignee: AMAZON TECHNOLOGIES, INC.
    Inventor: Gregory Branchek Roth
  • Patent number: 9690941
    Abstract: One or more techniques and/or systems are provided for provisioning encrypted key blobs and client certificates. That is, a trusted execution environment on a first machine may provide a key service provider with a cryptographic encryption key. The key service provider may encrypt a key blob using the cryptographic encryption key and/or wrap the encrypted key blob with one or more policies, such as a platform policy. The key service provider may provision the encrypted key blob to a client on the first machine. The client may submit the encrypted key blob to the trusted execution environment for validation so that the client may perform key actions, such as sign an email or encrypt data. Because the key blob may be specific to a particular trusted execution environment and/or machine, the key service provider may re-wrap the key blob if the client “roams” to a second machine.
    Type: Grant
    Filed: May 17, 2011
    Date of Patent: June 27, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Stefan Thom, Robert Karl Spiger, Valerie Kathleen Bays, Bo Gustaf Magnus Nyström
  • Patent number: 9692858
    Abstract: Systems and methods for providing information services are disclosed. A method includes passing an instance of an object, invoked by a user, to a memory device at a hardware layer of a network information system, the object being hosted for a tenant of a network information service. The method further includes determining by a processing unit of the memory device that storage of the object is not authorized by the tenant based on a security map provided by the tenant and accessible by the processing unit within the hardware layer. The method further includes preventing storage of the instance in the memory device based on the result of the determining.
    Type: Grant
    Filed: July 17, 2012
    Date of Patent: June 27, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Bhushan P. Jain, Sandeep R. Patil, Dirk Pfeiffer, Sri Ramanathan, Gandhi Sivakumar, Matthew B. Trevathan
  • Patent number: 9690919
    Abstract: Authenticating users comprises a computing device that receives a manual authentication input of a user and initiates a first user session between the user and the user computing device. The device communicates a request for a first user authorization data from an authentication technology associated with the one or more computing devices and receives the first user authentication data. The user or the device terminates the first user session and subsequently receives an input of the user to initiate a second user session. The device communicates a request for second user authentication data from the authentication technology and compares the first user authentication data and the second user authentication data. The device identifies a match of one or more features of the first user authentication data and one or more features of the second user authentication data and authorizes the user to conduct the second user session.
    Type: Grant
    Filed: November 12, 2014
    Date of Patent: June 27, 2017
    Assignee: GOOGLE INC.
    Inventor: Deepak Chandra
  • Patent number: 9684772
    Abstract: An information processing apparatus includes a data processing section for reproducing contents stored in a medium having a general purpose area in which encrypted contents and corresponding utilization controlling information are stored and a protected area including a plurality of blocks having access limitation set thereto and including a block having an encryption key for decrypting the encrypted contents stored therein.
    Type: Grant
    Filed: July 24, 2012
    Date of Patent: June 20, 2017
    Assignee: SONY CORPORATION
    Inventors: Hiroshi Kuno, Takamichi Hayashi, Yoshiyuki Kobayashi, Katsumi Muramatsu
  • Patent number: 9679157
    Abstract: Minimizing data security risks may be provided. A number and type of confidential data in a computing environment may be determined to generate a metric for the type of confidential data in the computing environment. The metric of the type of confidential data may be compared to a predetermined metric for the type. Responsive to determining the metric for the type of confidential data exceeding a predetermined metric for the type, an action may be performed to prevent more entries of the type of confidential data in the computing environment.
    Type: Grant
    Filed: January 7, 2015
    Date of Patent: June 13, 2017
    Assignee: International Business Machines Corporation
    Inventors: Corville O. Allen, Arthur R. Francis, Eduardo A. Patrocinio
  • Patent number: 9679158
    Abstract: Minimizing data security risks may be provided. A number and type of confidential data in a computing environment may be determined to generate a metric for the type of confidential data in the computing environment. The metric of the type of confidential data may be compared to a predetermined metric for the type. Responsive to determining the metric for the type of confidential data exceeding a predetermined metric for the type, an action may be performed to prevent more entries of the type of confidential data in the computing environment.
    Type: Grant
    Filed: August 24, 2015
    Date of Patent: June 13, 2017
    Assignee: International Business Machines Corporation
    Inventors: Corville O. Allen, Arthur R. Francis, Eduardo A. Patrocinio
  • Patent number: 9680834
    Abstract: Techniques are disclosed for protecting the privacy and security of data associated with a web document. A web browser is configured to manipulate the URL, which contains an access token, of a preview web page document before the browser loads external resources (e.g., web page content) linked from the preview web page document. For example, the browser may change a current page URL containing the access token to another sacrificial URL that does not include the token. In addition, the browser will send the sacrificial URL, rather than the original URL, as a referrer to the various resources that provide the web page content, which prevents exposure of the access token to those resources while the web page content is loading. After the web page content is loaded into the browser, the current page URL of the browser is changed back to the original URL.
    Type: Grant
    Filed: July 8, 2015
    Date of Patent: June 13, 2017
    Assignee: Adobe Systems Incorporated
    Inventors: Antonio Sanso, Damien Antipa
  • Patent number: 9680809
    Abstract: A method for secure data storage in a cloud storage infrastructure comprises providing a set of first upload files to be stored in the cloud storage infrastructure, providing a set of first random noise files, splitting each file of the two sets into a group of fragments, recombining the fragments by randomly intermixing fragments from different groups thus generating a set of second upload files, encrypting each second upload file with a first encryption key and storing each first encryption key in a secure storage location, storing reconstruction information about the set of first upload files, the splitting, the recombining and the first encryption keys in the secure storage location, uploading each second upload file to a respective temporary cloud storage location, repeatedly moving each uploaded second upload file to a new temporary cloud storage location in predetermined intervals of time.
    Type: Grant
    Filed: October 12, 2015
    Date of Patent: June 13, 2017
    Assignee: International Business Machines Corporation
    Inventors: Matthias Seul, Artemiy A. Solyakov