Abstract: Methods and systems disclosed herein describe a universal access layer that allows a plurality of applications to obtain data and/or information from a plurality of heterogeneous data stores. The universal access layer may include one or more application data objects to validate requests, transform a format of the request, determine which data stores comprise the requested data and/or information, encrypt the request, combine responses into a single response, and retransform the response prior to sending it to the requesting application. By using the universal access layer, applications may improve the speed with which they access data and/or information from the plurality of heterogeneous data stores.

Abstract: An information processing device is shared by multiple organizations having different information protection policies, the information processing device including: a specifying unit that specifies an organization to which a user using the information processing device belongs, before identifying the user; and an application unit that applies an information protection policy corresponding to the organization specified by the specifying unit, to the information processing device.

Abstract: A method at a computing device is described. The method comprises executing an application for verifying a location of a user requesting to access a location-based service, receiving, at the application, information indicating a location of the computing device, and encoding, with the application, at least the location to thereby generate a location token for responding to a challenge for the location token. The method further comprises outputting the location token from the application, the location token configured for use in applying a location-based access policy that controls access by the user to the location-based service.

Abstract: Preserving user privacy and preventing surveillance on behalf of users of a virtual reality world. One or more plans are available when a privacy or surveillance risk to a user is detected. In one plan, configurable scripts execute on behalf of the user to create a confusing array of clone avatars that obfuscate the real user avatar behavior. A malevolent avatar, attempting to surveil the user, may have difficulty distinguishing the clones from the user and may miss out on private insights he might otherwise have learned from the user's behavior. In another exemplary privacy plan, a copy of part of the virtual world is spawned, occupied exclusively by the user's avatar, and then merged into the main world. Privacy plans may be selected manually or automatically in response to perceived privacy threats to strike a balance between privacy and enjoyment within the virtual world.

Abstract: The technology disclosed herein provides an enhanced cryptographic access control mechanism that uses a cryptographic keys that are based on proximity data. An example method may include: determining proximity data of a computing device; transforming the proximity data in view of conversion data associated with the computing device, wherein the conversion data causes a set of alternate proximity data values to transform to a specific cryptographic value; creating, by a processing device, a cryptographic key in view of the transformed proximity data; and using the cryptographic key to enable access to a protected resource.

Abstract: The technology disclosed herein provides a proof-of-work key wrapping system for restricting data execution based on device capabilities. An example method may include: accessing a wrapped key and a cryptographic attribute for the wrapped key, wherein the wrapped key encodes a cryptographic key; deriving, by a processing device, the cryptographic key in view of the wrapped key and the cryptographic attribute; using the cryptographic key to access program data; and executing, by the processing device, the program data, wherein the executed program data evaluates a condition related to the duration of time.

Abstract: Some embodiments of the present disclosure relate to a system that may include a replaceable module and a user device. The replaceable module may include an element and a one-wire authentication element in parallel with the element. The user device may be configured for operable coupling with the replaceable module. The user device may include a power source configured to provide power to the element, an authentication unit configured to perform a verification process for verifying authenticity of the replaceable module, and a signal conditioning unit arranged in a communication path between the one-wire authentication element and the authentication unit.

Abstract: A method of authenticating and authorizing a wireless communication device for access to a communication service. The method comprises receiving a service request from a wireless communication device by a access node, parsing the service request by the access node, based on parsing the service request, determining by the access node that the wireless communication device is seeking combined authentication and service authorization, sending the service request by the access node to a hyperledger gateway, receiving an authentication success response associated with the wireless communication device and a service authorization success response by the access node from the hyperledger gateway, and sending the service request by the access node to a communication service computer system, whereby the service request is both authenticated and authorized by the hyperledger gateway in a combined transaction and a requested communication service is provided to the wireless communication device.

Abstract: Methods, apparatuses and computer program products implement embodiments of the present invention that include protecting a computing device by specifying one or more Internet sites that are accessible by one or more computing devices that communicate over a data network and identifying process binaries that executed on the computing devices accessed and retrieved data from any of the specified one more Internet sites. The identified process binaries are classified into a plurality of classes of matching process binaries, and for a given class, a count of the computing devices that that executed one of the process binaries of the given class is computed. When determining that the count of the computing devices is less than a predefined threshold, a preventive action is initiated to inhibit command and control (C2) channel transmissions from any of the computing devices that executed any of the process binaries of the given class.

Abstract: Embodiments are directed to protection of privacy and data on smart edge devices. An embodiment of an apparatus includes a sensor to produce a stream of sensor data; an analytics mechanism; and a trusted execution environment (TEE) including multiple keys for data security, the apparatus to exchange keys with a host server to establish one or more secure communication channels between the apparatus and a TEE on a host server, process the stream of sensor data utilizing the analytics mechanism to generate metadata, perform encryption and integrity protection of the metadata utilizing a key from the TEE for the sensor, sign the metadata utilizing a private key for the analytics mechanism, and transfer the encrypted and integrity protected metadata and the signature to the host server via the one or more secure communication channels in a manner that prevents privileged users on the host from accessing the data.

Abstract: A feature selection methodology is disclosed. In a computer-implemented method, components of a computing environment are automatically monitored, and have a feature selection analysis performed thereon. Provided the feature selection analysis determines that features of the components are well defined, a classification of the features is performed. Provided the feature selection analysis determines that features of the components are not well-defined access to those features are discarded. Results of the feature selection methodology are generated.

Abstract: A method for sending sensitive information includes: receiving, by a service provider, a request for sensitive information from a user; upon receipt of the request, sending, by a security provider, a security code to the user; receiving, by the service provider, a code from the user; verifying, by the service provider, the user when the received code matches the security code; sending, by the service provider, the sensitive information to the security provider after the user is verified; and providing, by the security provider, a sensitive data link to the user. The sensitive data link includes the sensitive information and may expire after the sensitive data link is viewed once.

Abstract: A system includes a display control prime located within a central-zone in communication with a provisioned agent operating on an edge-zone device. The display control prime may implement prime-blind open-loop pixel-state control on the edge-zone device by executing pixel-state commands via the provisioned agent. The provisioned agent, operating within the edge-zone, may have access to un-sanitized data, which may be unavailable to the display control prime in the central-zone. The display control prime may provide conditional pixel-state commands via a pixel-state control parameter matrix. The provisioned agent may identify an operative pixel-state command from among the conditional pixel-state commands based on the un-sanitized data to which the display control prime is blind.

Abstract: A system enables a content creator to upload the content onto the server and set rules and conditions for the access and retrieval. The content is downloaded to a portable storage medium, the content will be encrypted for display at a particular destination device. When the content is loaded on the destination device, the destination device will check if the content is loaded on the correct destination device by checking the information of the destination device attached to the content against the device information stored on the destination device.

Abstract: Methods, media, and systems for secure provisioning of servers within a cloud computing environment are provided for herein. In some embodiments, a management service can delegate provisioning of a server of the cloud computing environment to an imaging service. In response, the imaging service can generate an operating system image for the server and can utilize disk encryption to protect to operating system image. In embodiments, a volume encryption key of the disk encryption can be encrypted utilizing a public key of a trusted platform manager of the server, to produce an encrypted volume encryption key that is protected by the trusted platform module of the server. The encrypted operating system image and the encrypted volume encryption key can then be transmitted to the server to cause the server to be provisioned with the operating system image. Other embodiments may be described and/or claimed herein.

Abstract: Provided herein are platforms and methods for exchanging escrowed data between multiple users while preserving privacy and systems, methods, and applications for event-centric matching that enables secure communications between users, and event location sharing. Further, the systems, methods, and applications herein enable users to easily find relevant and local events.

Abstract: A method for managing personal digital identifiers of a user in data elements stored in a computerized system may include receiving personal digital identifiers for identifying a user. The data elements may be searched for the personal digital identifiers and data elements may be identified as having the personal digital identifiers of the user. One or more candidate personal digital identifiers in the identified data elements may be assigned as one or more common words appearing in the identified data elements when a word count for each of the one or more common words exceeds a predefined threshold. The user may validate the candidate personal digital identifiers, which may be added to the personal digital identifiers of the user. A personal digital footprint of the user including a location in the computerized system for each of the personal digital identifiers in the identified data elements may be stored.

Abstract: Systems and techniques for centralized threat intelligence are described herein. A connection may be established to a plurality of threat data sources. An anonymized set of threat data may be obtained by application of a set of privacy rules to the threat data from the plurality of threat data. A threat database may be populated with the anonymized set of threat data. A registration request may be received for a user of a device. A unique user identifier may be assigned for the user and a unique device identifier may be assigned for the device. A threat model may be generated based on a set of the characteristics from the threat database. A set of data access attributes may be received for a data access request. The data access request may be blocked based on an evaluation of the data access attributes using the threat model.

Abstract: Apparatuses, methods, and program products are disclosed for proof of work based authentication. One apparatus includes a processor and a memory that stores code executable by the processor. The code is executable by the processor to determine, by use of the processor, a set of computer-based attributes corresponding to a first device. The code is executable by the processor to compute a proof of work based on the set of computer-based attributes. The code is executable by the processor to transmit the proof of work and the set of computer-based attributes to a second device for authentication based on the proof of work and the set of computer-based attributes.

Abstract: A method and a system for providing a bridging solution in order to ensure that a current authentication protocol remains effective when a new authentication protocol is to be introduced but has not yet been implemented at both ends of an interaction between a requesting application and a database are provided. The method includes determining whether a first authentication protocol that is currently implemented by the application is the same protocol as a second authentication protocol that is currently implemented by the database. When the two protocols are different, the first protocol is used to validate a request for data submitted by the application in conjunction with authentication information; the authentication information is converted into a format that is usable by the second protocol; and the converted information is used with the second protocol to generate information that indicates that the request has been authenticated.