Abstract: Methods and systems for faster and more efficient smart card logon in a remote computing environment are described herein. Fast smart card logon may be used to reduce latency and improve security. For example, the system may reduce the number of operations (e.g., interactions) between a server device used for authentication and the client device. A remoting channel may be established between the server device and the client device. The server may receive, from the client device and/or via a personal computer/smart card (PC/SC) protocol, a message comprising an identifier for a smart card. The server device may replace the identifier for the smart card with a substitute identifier. Based on the substitute identifier, the server may determine one or more cryptographic service providers to use for one or more cryptographic operations associated with the smart card.

Abstract: A solution is proposed for managing containers isolating corresponding application environments from one or more shared operating systems in a computing system. One or more relevant groups are determined among one or more candidate groups (each comprising private data in common among a plurality of the containers); the candidate groups are determined according to corresponding access commands submitted by the containers and the relevant groups are determined according to one or more relevance policies. The private data of the relevant groups are consolidated into corresponding shared data.

Abstract: In an example computer-implemented method, a trusted root certificate for an application running in a container is dynamically generated. The generated trusted root certificate is injected at runtime. The generated certificate is dynamically added to a list of trusted root certificates. A proxy associated with the application instance is authenticated based on the generated root trust certificate.

Abstract: An anti-counterfeit method includes: obtaining raw data to be encoded; collecting fingerprint data by analogue acquisition to obtain initial fingerprint feature information and encrypting the initial fingerprint feature information to obtain a random feature secret key, the random feature secret key comprising a first sub secret key and a second sub secret key and the first sub secret key is encoded into a micro-texture image while the second sub secret key is embedded in an encryption program; encrypting, through the random feature secret key, the raw data to be encoded to generate an information code image, the information code image comprising the micro-texture image; passing an anti-counterfeit authentication when an image sensor succeeds in integrating the first sub secret key and the second sub secret key to generate the random feature secret key; and succeeding in decrypting, by the image sensor, the information code image through the random feature secret key.

Abstract: Access to devices can be controlled dynamically. A device control driver can function as an upper filter driver so that it can intercept I/O requests that target a particular device. The device control driver can be configured to communicate with a device control server to dynamically determine whether the current user is allowed to access the particular device. The device control server can employ policy or administrator input to determine whether access should be allowed and can then notify the device control driver accordingly. When access is granted, the device control driver can pass I/O requests down the device driver stack. Otherwise, the device control driver can block the I/O requests. Also, when access is granted, the device control server can specify a permission expiration time after which the device control driver should again resume blocking I/O requests.

Abstract: Provided are techniques for mitigating security risks utilizing continuous device image reload with data integrity. Continuous reload of a first image on a device in an Internet of Things (IoT) group of devices coupled to an IoT service is performed based on triggers. A trigger from the triggers is received that indicates one of that a period of time has expired, that notification of a known infection has been received, and that there has been failure of an internal onboard security check. A second image is obtained that is not infected from the IoT service. The device is reloaded with the second image to replace the first image with the second image.

Abstract: Determining a group of figures for use in a vision test to distinguish computers from humans. An image is obtained and segmented into a plurality of parts. Based on the plurality of parts, a group of figures is determined to enable the group of figures to be displayed at a certain rate for a user to recognize the image.

Abstract: A certificate authority receives a request to issue a digital certificate from a customer. In response to the request, the certificate authority determines a network endpoint to be specific to the digital certificate that is to serve information usable to determine whether the digital certificate is valid. The certificate authority issues, to the customer, a digital certificate that specifies a network address for the network endpoint and records information about requests made to the network endpoint to obtain the information usable to determine whether the digital certificate is valid.

Abstract: A third-party can subscribe to one or more electronic message group lists without joining the group lists by creating a trust relationship between the subscriber and a group list member. In particular, the subscriber can send a trust indicator to the group member, who can then determine whether to accept the trust indicator for all or specific groups that are associated with the group member, as appropriate. In at least one embodiment, the group member can send a trust indicator acceptance message to the subscriber that identifies the group member, and any or all group lists associated with the group member. The subscriber can then receive messages directed to the trusted group member or group lists, and can send group messages to the group lists subject to a receive setting associated with the group lists or group members of the group lists.

Abstract: Verifying that influence of a user data point has been removed from a machine learning classifier. In some embodiments, a method may include training a machine learning classifier using a training set of data points that includes a user data point, calculating a first loss of the machine learning classifier, updating the machine learning classifier by updating parameters of the machine learning classifier to remove influence of the user data point, calculating a second loss of the machine learning classifier, calculating an expected difference in loss of the machine learning classifier, and verifying that the influence of the user data point has been removed from the machine learning classifier by determining that the difference between the first loss and the second loss is within a threshold of the expected difference in loss.

Abstract: A processing device in one embodiment comprises a processor coupled to a memory and is configured to obtain data characterizing a plurality of network sessions for a given user identifier. The network sessions are initiated from one or more user devices over at least one network and may comprise respective virtual private network (VPN) sessions. The processing device is further configured to extract features from the obtained data, to detect at least one potentially anomalous network session among the plurality of network sessions for the given user identifier by applying the extracted features to a support vector machine model, and to apply a rules-based verification process to the detected potentially anomalous network session in order to verify that the detected potentially anomalous network session is an anomalous network session. An alert is generated based on a result of the rules-based verification process and transmitted to a security agent.

Abstract: Evaluating computers, devices, or endpoints on a network, such as a large network of computers in an enterprise environment. Detecting computers, devices, or endpoints that may present a security risk to the network or may be compromised in some way. Generating network traffic that, in some cases, should be ignored or should prompt specific, known responses. Detecting endpoint(s) that respond to such network traffic in an anomalous way, or otherwise attempt to perform certain operations based on such network traffic.

Abstract: Verifying that influence of a user data point has been removed from a machine learning classifier. In some embodiments, a method may include training a machine learning classifier using a training set of data points that includes a user data point, calculating a first loss of the machine learning classifier, updating the machine learning classifier by updating parameters of the machine learning classifier to remove influence of the user data point, calculating a second loss of the machine learning classifier, calculating an expected difference in loss of the machine learning classifier, and verifying that the influence of the user data point has been removed from the machine learning classifier by determining that the difference between the first loss and the second loss is within a threshold of the expected difference in loss.

Abstract: Technologies are described herein for providing contextually-aware location sharing services for computing devices. In some configurations, the techniques disclosed herein can involve a number of computing devices configured to select and utilize location data from one or more resources based on one or more factors. An analysis of contextual data including, but not limited to, the capabilities of the individual devices, a status of one or more components, or the availability or cost of data, allows individual devices to dynamically select and utilize location data or a source of location data to accommodate a range of scenarios. Techniques disclosed herein can also detect the presence of a changed scenario and take one or more actions based, at least in part, on data defining the changed scenario.

Abstract: A protected memory source device including removable non-volatile memory durably stores a signature such as a serial number or identifier, which is used to mark protected multimedia content legally stored on the protected memory device. The protected multimedia content is moved from the source device to another device, such as a target device used to aggregated protected content in a library. Moving the protected multimedia content involves replacing a source-specific header, comprising digital rights management metadata and/or other security metadata allowing only a device having the source device signature access to the content, with a target-specific header comprising digital rights management metadata and/or other security metadata allowing only a device having the target device signature access to the content. The transfer is done using one of a variety of transfer methods with either a trusted or un-trusted host system connecting the source device to the target device.

Abstract: A method including registering an authority device for an account on an auth platform; receiving transaction request from an initiator to the auth platform; messaging the authority device with the transaction request; receiving an authority agent response from the authority device to the auth platform; if the authority agent response confirms the transaction, communicating a confirmed transaction to the initiator; and if the authority agent response denies the transaction, communicating a denied transaction to the initiator.

Abstract: A method and system for generating a protected version of the digital content is disclosed. The method includes obfuscating the digital content to yield a functionally equivalent obfuscated digital content, encrypting the obfuscated digital content using at least one device or non-device parameter, generating a decryption logic to be used for generating a decryption key based upon the at least one device or non-device parameter, and concatenating the encrypted digital content and the decryption logic to generate the protected version of the digital content.

Abstract: Configuration and credential data associated with a wireless network can be stored by the wireless network or by a gateway device associated with the wireless network. The configuration and credential data can be accessed via a user profile and pushed to unauthenticated wireless devices to authenticate the unauthenticated wireless devices for the wireless network. The configuration and credential data can be backed up via a manual, automatic, or semi-automatic back-up process.

Abstract: Systems, methods, and non-transitory computer-readable storage media for using mobile network authentication factors to authenticate a mobile device.

Abstract: Security mechanisms detect and intervene in a malicious attack against a runtime function, even in the presence of a coding flaw such as a buffer overrun or overflow. One such exemplary mechanism uses a predetermined security list of the valid targets for a first runtime function (such as longjmp). For every call to a second runtime function (e.g., setjmp) that prepares for a later invocation of the first runtime function, the dispatcher finds and stores a reference to this list. When a subsequent attack targets the runtime functions by creating an attacker-provided setjmp target address (e.g., the attack overwrites the longjmp target address so that the pointer points somewhere else, such as code provided by the attacker or code that already exists that will eventually pass control to code provided by the attacker), the new (attacker provided) target address is compared to a reference list of the real (valid) target addresses. The list of real target addresses is stored in memory.