Patents Examined by Khoi V Le
  • Patent number: 10313320
    Abstract: In one embodiment, a method includes providing for presentation to a user a number of content objects. At least one of the presented content objects is socially relevant to the user, and at least one of the presented content objects is socially irrelevant to the user. The presented content objects are socially relevant or socially irrelevant to the user based on whether in a social graph a node corresponding to the user is connected by an edge to a node associated with the content object. The edge represents a social relationship between the content object and the user. The method also includes receiving an input indicating a selection of a number of the presented content objects by the user; and authenticating the user based on a determination of whether the selected content objects are socially irrelevant to the user.
    Type: Grant
    Filed: June 29, 2015
    Date of Patent: June 4, 2019
    Assignee: Facebook, Inc.
    Inventor: Neel Ishwar Murarka
  • Patent number: 10313134
    Abstract: A system and method for a distributed security model that may be used to achieve one or more of the following: authenticate system components; securely transport messages between system components; establish a secure communications channel over a constrained link; authenticate message content; authorize actions; and distribute authorizations and configuration data amongst users' system components in a device-as-a-key system.
    Type: Grant
    Filed: October 27, 2017
    Date of Patent: June 4, 2019
    Assignee: DENSO CORPORATION
    Inventors: Eric John Smith, Raymond Michael Stitt, David Stuckless Meyer, Brian Ensink
  • Patent number: 10313358
    Abstract: Systems and methods are provided for authenticating a user of a computing device. An example system includes a memory storing instructions, and a processor configured to execute the instructions to receive an authentication request from a user of a computing device, determine a context of the authentication request, determine a physical location of the user, and perform, based on the context of the authentication request and the physical location of the user, an associate proximity detection. The associate proximity detection includes steps to identify an associate based on at least one of the context of the authentication request or the physical location of the user, determine a physical location of the identified known associate, and determine a proximity of the user to the identified known associate. The authentication request may be approved when the determined proximity is within a threshold.
    Type: Grant
    Filed: August 1, 2017
    Date of Patent: June 4, 2019
    Assignee: Capital One Services, LLC
    Inventors: Drew Jacobs, Hannes Jouhikainen
  • Patent number: 10291646
    Abstract: A method, computer program product, and computer system directed toward identification of potential social engineering activity associated with at least a portion of a communication on a communication channel based upon, at least in part, a match between a first set of audio features with a second set of one or more audio features. The first set of one or more audio features are extracted from at least a portion of a communication on a communication channel. The first set of one or more audio features from at least a portion of the communication are compared to a second set of one or more audio features to determine that at least a portion of the first set of audio features matches the second set of one or more audio features.
    Type: Grant
    Filed: September 29, 2017
    Date of Patent: May 14, 2019
    Assignee: Telepathy Labs, Inc.
    Inventors: Damien Phelan Stolarz, Johanna Dwyer, Ronald J. Pollack
  • Patent number: 10291642
    Abstract: Various embodiments of the present technology include methods of assessing risk of a cyber security failure in a computer network of an entity. Various embodiments also include automatically determining, based on the assessed risk, a change or a setting to at least one element of policy criteria of a cyber security policy, automatically recommending, based on the assessed risk, computer network changes to reduce the assessed risk, and providing one or more recommended computer network changes to reduce the assessed risk. Various embodiments further include enactment by the entity of at least one of the one or more of the recommended computer network changes to reduce the assessed risk to the entity, determining that the entity has enacted at least a portion of the recommended computer network changes, and in response, automatically reassessing the risk of a cyber security failure based on the enacted recommended computer network changes.
    Type: Grant
    Filed: April 14, 2016
    Date of Patent: May 14, 2019
    Assignee: Guidewire Software, Inc.
    Inventors: George Y. Ng, Arvind Parthasarathi
  • Patent number: 10289865
    Abstract: A computer-implemented method for providing kinship-based accessibility to securely stored data may include (1) identifying encrypted data that is encrypted with a first cryptographic key which was derived from heritable biometric information obtained from a first person, (2) receiving heritable biometric information obtained from a second person related to the first person within a predetermined degree, (3) generating a second cryptographic key based at least in part on the heritable biometric information obtained from the second person, and (4) decrypting the encrypted data that is encrypted with the first cryptographic key derived from the heritable biometric information obtained from the first person by using the second cryptographic key generated based at least in part on the heritable biometric information obtained from the second person. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: March 8, 2016
    Date of Patent: May 14, 2019
    Assignee: Symantec Corporation
    Inventors: Ilya Sokolov, Kevin Jiang
  • Patent number: 10263779
    Abstract: A first party uses a secret key to encrypt information, which is then sent through an untrusted connection to a second party. The second party, however, cannot decrypt the information on its own, and it relays the encrypted information through a secure network. The secure network includes one or more nodes linking the first and second parties through one or more trusted connections (“hops”); each hop features use of a shared secret key unique to that hop. The first party's connection to the network (domain) receives the information relayed through the secure network by the second party, decrypts that information according to the secret key of the first party, and then retransmits the decrypted information to the second party using the secure hops. Techniques are provided for sharing a private session key, federated credentials, and private information.
    Type: Grant
    Filed: March 7, 2016
    Date of Patent: April 16, 2019
    Assignee: JONETIX CORPORATION
    Inventors: Paul Ying-Fung Wu, Richard J. Nathan, Harry Leslie Tredennick
  • Patent number: 10257218
    Abstract: Protecting a runtime Web service application. A web service application is instrumented to log its operation and allow recreation of its execution trace. Trace point vulnerabilities are identified using one or more data payloads. Candidate trace point operations associated with the trace point vulnerabilities are identified. Supplementary candidate operations are computed based on the existing trace point operations and the one or more data payloads. The Web service application is further instrumented with the one or more supplementary candidate operations.
    Type: Grant
    Filed: January 23, 2018
    Date of Patent: April 9, 2019
    Assignee: International Business Machines Corporation
    Inventors: Omer Tripp, Emmanuel Wurth
  • Patent number: 10255458
    Abstract: Systems and techniques are disclosed for trust based access to records via encrypted protocol communications with an authentication system. An example system is configured to authorize and provide selective and secured access to sensitive medical information according to one or more trusted relationships. The system is configured to receive a request for access to a patient's health record from an outside entity. Authentication information associated with the outside entity is determined. Whether the outside entity is authorized to access the requested data is determined. The determination is based on existence of a trust relationship being established between the outside entity and the patient, the trust relationship established by an action of the patient or a patient's representative. Access to the patient's health record is enabled based on a positive determination.
    Type: Grant
    Filed: January 23, 2018
    Date of Patent: April 9, 2019
    Assignee: Akiri, Inc.
    Inventors: Charles Aunger, Adriaan Ligtenberg, Tom Frederick, Jack Stockert, Doug Given, Ketan Paranjape, Bernard Mangold, Michael Hodgkins, Warren Templeton
  • Patent number: 10250595
    Abstract: The invention relates to a method for computer systems based on the ARM processor, for example mobile devices, wherein the ARM processor provides fully hardware isolated runtime environments for an operating system (OS) and Trusted Execution Environment (TEE) including an embedded trusted network security perimeter. The isolation is performed by hardware ARM Security Extensions added to ARMv6 processors and greater and controlled by TrustWall software. The invention therefore comprises an embedded network security perimeter running in TEE on one or more processor cores with dedicated memory and storage and used to secure all external network communications of the host device. The invention addresses network communications control and protection for Rich OS Execution Environments and describes minimal necessary and sufficient actions to prevent unauthorized access to or from external networks.
    Type: Grant
    Filed: March 8, 2016
    Date of Patent: April 2, 2019
    Assignee: GBS Laboratories, LLC
    Inventor: Oleksii Surdu
  • Patent number: 10243983
    Abstract: The invention provides a system and method for detecting intrusion in an intranet; determining attack intent; identifying compromised servers and network elements; creating a request log; and outputting alerts to users by a predetermined alert medium. The invention provides encoding of received requests such that compromised network elements can be identified.
    Type: Grant
    Filed: November 9, 2016
    Date of Patent: March 26, 2019
    Inventor: Sudhir Pendse
  • Patent number: 10243958
    Abstract: Techniques for provisioning access data may include receiving, by a first application installed on a communication device, user input selecting an account to provision to a second application installed on the communication device. The first application may invoke the second application and send a session identifier (ID) to the second application. The second application may send a user ID associated with the second application, a device ID, and the session ID to the first application. The first application may then generate encrypted provisioning request data and send the encrypted provisioning request data to the second application. The second application may send the encrypted provisioning request data to a remote server computer to request access data that can be used to access a resource. The second application may receive the access data provided by the remote server computer based on validation of the encrypted provisioning request data.
    Type: Grant
    Filed: January 9, 2017
    Date of Patent: March 26, 2019
    Assignee: Visa International Service Association
    Inventors: Madhuri Chandoor, Jalpesh Chitalia, Gueorgui Petkov, Mohamed Nosseir, Parveen Bansal, Thomas Bellenger, Simon Law
  • Patent number: 10242188
    Abstract: Disclosed are an apparatus and method of verifying an application installation procedure. One example method of operation may include receiving an application at a computer device and initiating the installation of the application on the computer device. The method may also provide executing the application during the installation procedure and creating a hash value corresponding to the executed application data. The method may further provide storing the hash value in memory and comparing the hash value to a pre-stored hash value to determine whether to continue the installation of the application.
    Type: Grant
    Filed: September 5, 2017
    Date of Patent: March 26, 2019
    Assignee: OPEN INVENTION NETWORK LLC
    Inventor: William Charles Easttom
  • Patent number: 10241720
    Abstract: The invention relates to a computer-implemented method for providing content to a particular recipient device of a plurality of recipient devices. Copies of one or more content elements of the content are generated and one or more of the copies are modified to obtain modified copies of the content elements. The content elements, including the one or more modified copies of the content elements, are stored in a storage. Selection information is transmitted to the particular recipient device in response to a request for providing the content. The selection information prescribes to the recipient device the modified copy to be retrieved by the recipient device for substantially each content element for which a modified copy is available.
    Type: Grant
    Filed: September 8, 2011
    Date of Patent: March 26, 2019
    Assignee: IRDETO B.V.
    Inventors: Dmitri Jarnikov, Jeroen Mathias Doumen
  • Patent number: 10242232
    Abstract: A security system determines authorizations for entities to access data objects. The security system may train an adaptive model to predict the intent of a user who provides authorization for various entities or other users. In an embodiment, the adaptive model may be configured to determine latent properties of training data by identifying common parameters between entities that are, or are not, permitted to access given data object(s). The training data may include previous authorizations provided to the entities. Based on the identified common parameters, the model may generate usage expressions for determining a likelihood that the user intends to provide authorization for a given entity to access the given data object. If the likelihood is greater than a threshold value, the security system may provide a recommendation to the user to provide the authorization for the given entity.
    Type: Grant
    Filed: July 6, 2018
    Date of Patent: March 26, 2019
    Assignee: Merck Sharp & Dohme Corp.
    Inventors: David B. Hurry, David J. Tabacco
  • Patent number: 10230725
    Abstract: Systems and methods for edge protection for internal identity providers are provided. A first claimed embodiment of the present disclosure involves a method for edge protection for internal identity providers. The method includes receiving a service authentication request at a virtual private networking (VPN) appliance on an edge of a secure network. A client device external to the secure network can send the service authentication request. The VPN appliance can then send a synthetic service authentication request to an identity provider in the secure network. This synthetic service authentication request can be based on the service authentication request. The VPN can then receive an authenticated credential from the identity provider. The authenticated credential is responsive to the synthetic service authentication request. The VPN appliance can then send the authenticated credential from the VPN appliance to the client device.
    Type: Grant
    Filed: October 24, 2016
    Date of Patent: March 12, 2019
    Assignee: SONICWALL INC.
    Inventors: Christopher D. Peterson, Abhishek Kumar
  • Patent number: 10230759
    Abstract: Methods, systems, and apparatuses for varying soft information are disclosed. In an example embodiment, a security processor receives, from a transaction server, hard information to transmit to a client device related to a transaction with the client device, and soft information related to the display of the hard information on the client device. The security processor determines a variation of the soft information configured to prevent a malicious application from interacting with the hard information and determines the variation of the soft information does not change how the hard information is displayed at the client device compared to how the hard information was to be displayed using the soft information. Responsive to determining the variation of the soft information does not change how the hard information is displayed, the security processor transmits the hard information and the variation of the soft information to the client device.
    Type: Grant
    Filed: August 31, 2015
    Date of Patent: March 12, 2019
    Assignee: SUNSTONE INFORMATION DEFENSE INC.
    Inventor: David K. Ford
  • Patent number: 10218678
    Abstract: A method, system, and apparatus for providing a client access to third-party resources by utilizing third-party access tokens via a network gateway. The method can prevent the third-party access tokens from being exposed directly to the client environment. The client receives a gateway security credential, which encapsulates the third-party access token in an encrypted form. The client provides the gateway access token to the network gateway where the third-party access token is decrypted and then used to access the third-party resource. Client requests to the network gateway are executed using a custom API. The gateway relays the client requests to the appropriate third-party resources using the third-party-specific API with the decrypted third-party access token. Gateway access tokens are short-lived and can be renewed according to the client-environment life cycle.
    Type: Grant
    Filed: March 15, 2018
    Date of Patent: February 26, 2019
    Assignee: CITRIX SYSTEMS, INC.
    Inventors: Robert Emer Broadbent, Tyrone F. Pike
  • Patent number: 10212562
    Abstract: Methods and systems are described that support dynamic reconfiguration of document devices. A document app running on a mobile device can be configured to point to and utilize a document server providing the document services as its primary document server, wherein the document application can be configured to enable a first client of the mobile device to access documents via the primary document server. An electronic invite can be pushed via a document appliance based on input from a computing device of a second client to the mobile device of the first client. The document app can be reconfigured dynamically to use the document appliance indicated by the pushed data in the invite as its secondary document server for a specific set of document operations on the document. A specific set of operations can be performed on the document via the document app on the mobile device using the secondary document server.
    Type: Grant
    Filed: June 2, 2016
    Date of Patent: February 19, 2019
    Assignee: PDFFILLER, INC.
    Inventors: Thorfinn Clark, Dominic Tham
  • Patent number: 10212168
    Abstract: An electronic device and a control method thereof are provided. The control method for the electronic device includes: acquiring a call instruction; calling a target application to acquire collection data; acquiring a security label, in a case that the target application operates in a first operating mode; and storing the acquired collection data based on the security label, as collection data with the security label, wherein the collection data with the security label is in an accessible state when a first access authority is met.
    Type: Grant
    Filed: December 22, 2015
    Date of Patent: February 19, 2019
    Assignees: Beijing Lenovo Software Ltd., Lenovo (Beijing) Co., Ltd.
    Inventors: Zhiyang Zhao, Yang Zhang, Jinxuan Cui