Patents Examined by Longbit Chai
  • Patent number: 11750562
    Abstract: Embodiments of systems and methods for DNS leak prevention and protection are disclosed herein. In particular, certain embodiments include a local DNS protection agent installed on a system and an associated trusted external DNS protection server. The DNS protection agent prevents DNS leaks from applications on the system such that all DNS requests from the system are confined to requests from the DNS protection agent to the associated DNS protection server. As the DNS leak prevention provided by the DNS protection agent stops applications on the system from circumventing the DNS protection server, all DNS requests originating from the system remain under the control of the DNS protection server and thus desired DNS protection (e.g., as implemented on the DNS protection server) may be maintained. Certain embodiments prevent applications from using certain DNS security protocols, such as DoH and DoT, without going through the DNS protection agent.
    Type: Grant
    Filed: June 10, 2021
    Date of Patent: September 5, 2023
    Assignee: WEBROOT INC.
    Inventor: Jonathan Alexander Thorold Barnett
  • Patent number: 11750614
    Abstract: A method for dynamically creating network access control lists includes, by a processor, receiving a request for an access control list (ACL). The method further includes, in response to receiving the request for the ACL: receiving a plurality of resource descriptions from a first data source, receiving a policy enforcement point (PEP) graph for a network from a second data source, and using the plurality of resource descriptions and the PEP graph to generate the ACL, wherein the ACL comprises at least one policy for controlling network traffic through a PEP of the network. Each of the plurality of resource descriptions is associated with a plurality of computing devices in the network, and includes one or more of the following: information corresponding to an Internet Protocol definition of a computing device, information corresponding to desired access of the computing device, and information corresponding to permitted access of the computing device.
    Type: Grant
    Filed: June 8, 2021
    Date of Patent: September 5, 2023
    Assignee: Google LLC
    Inventors: Vjaceslavs Klimovs, Daniel Watson
  • Patent number: 11743260
    Abstract: A computer implemented method for resolving a Domain Name System, DNS, query received at a third party cloud computing environment comprises: receiving a DNS query at the third party cloud computing environment. The DNS query is forwarded to a sinkhole DNS server if the DNS query comprises an unauthorised domain name. The DNS query is forwarded to a default DNS server of the third party cloud computing environment if the DNS query does not comprise an unauthorised domain name.
    Type: Grant
    Filed: December 18, 2020
    Date of Patent: August 29, 2023
    Assignee: Barclays Execution Services Limited
    Inventor: Garry Meaburn
  • Patent number: 11736457
    Abstract: Systems and methods are provided for obtaining data to be secured based on a secret sharing technique, the data being associated with a file identifier and a split specification that includes at least a number of splits n and a minimum number of splits m required for reconstructing the data, and a Repeatable Random Sequence Generator (RRSG) scheme. An RRSG state can be initialized based at least in part on a given data transformation key to provide a repeatable sequence of random bytes. For every m bytes of data: a polynomial whose coefficients are determined based at least in part on m bytes of the data and a portion of the repeatable sequence of random bytes can be determined; the polynomial can be evaluated at n unique values determined by a portion of the repeatable sequence of random bytes to generate n bytes. Each byte can be stored into one of the n split stores.
    Type: Grant
    Filed: April 19, 2021
    Date of Patent: August 22, 2023
    Assignee: SplitByte Inc.
    Inventor: Arvind Srinivasan
  • Patent number: 11734047
    Abstract: A method for providing a language agnostic contract execution on a blockchain is provided. The method includes providing a menu comprising multiple execution environments, and selecting, from a suite of virtual machine containers, a virtual machine container that runs an execution environment selected by the developer of the blockchain application. The method also includes enabling one or more functions in the virtual machine container to access a dedicated memory or a state variable in the block producer to run an action in the virtual machine container, the action provided by a server running the blockchain application, providing the action to the blockchain application in the virtual machine container, and writing an output from the action of the blockchain application to a secure ledger in a blockchain. A system and a non-transitory, computer-readable medium storing instructions to perform the above method are also provided.
    Type: Grant
    Filed: June 1, 2021
    Date of Patent: August 22, 2023
    Assignee: Bullish Global
    Inventor: Ian Holsman
  • Patent number: 11736531
    Abstract: Embodiments are directed to managing and monitoring endpoint activity in secured networks. In response to a client request being provided to an agent associated with the resource server, a driver associated with the resource server may be determined based on the client request. The client request may be provided to the resource server via a second network connection. Responses from the resource server may be provided to a server-tee module such that the server-tee module provides a copy of the responses to the server-handler module; employing the server-handler module to generate log information based on the copied responses; employing the server-tee module to modify the responses from the resource server such that the responses are forwarded to the client via the first network connection over the overlay network; or the like.
    Type: Grant
    Filed: August 31, 2022
    Date of Patent: August 22, 2023
    Assignee: strongDM, Inc.
    Inventors: Carlos Ulderico Cirello Filho, Philip D. Hassey
  • Patent number: 11722528
    Abstract: A technique uses a managed computing device to extend management control by an organization to IoT (Internet of Things) devices in a local environment of the computing device. The computing device discovers any local IoT devices and participates in a communication with a server to bring one or more of the IoT devices under management control. In some examples, extending management control involves enrolling selected IoT devices into a management framework of the organization and directing communications between the server and the respective IoT devices through the managed device, which provides a point-of-presence for administering management of the selected IoT devices in the local environment.
    Type: Grant
    Filed: October 6, 2021
    Date of Patent: August 8, 2023
    Inventors: Nivedita Ojha, Stephen Wilson, Derek Thorslund
  • Patent number: 11722525
    Abstract: Techniques and mechanisms for IPsec processing of IPsec packets for routing platforms where IPsec is just one or more features in the middle of data path features on the packet processing path and hence, the typical, simple inline IPsec scheme does not work well for such platforms. The techniques include using a hardware look-up table for packet classification and inbound security association (SA) lookup in one pass, with the IP 5-tuple plus SPI as the lookup key in the hardware table. The techniques provide an entry match action format and mechanism for deriving inbound SA DRAM addresses that may be used by a hardware (HW)/firmware (FW) crypto/IPsec engine to process inbound packet traffic. A software SA look-up table is also provided to overcome hardware look-up table resource limitations and support more IPsec session scaling than the physical hardware look-up table can handle. Additional techniques are described.
    Type: Grant
    Filed: April 14, 2021
    Date of Patent: August 8, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Shuxian Lou, Jie Chu, Jonathan Rosen, Douglas Michael Toney, Harikrishnan Pillai, Feng Cao
  • Patent number: 11722513
    Abstract: A measure of influence of a sender entity is determined for a message receiving entity based at least in part on an analysis of previous electronic messages sent by the sender entity. An electronic message associated with the sender entity is received. The measure of influence of the sender entity is utilized to determine a security risk associated with the received electronic message.
    Type: Grant
    Filed: May 11, 2021
    Date of Patent: August 8, 2023
    Assignee: AGARI DATA, INC.
    Inventors: Bjorn Markus Jakobsson, Siobhán McNamara, Patrick Richard Peterson, Jacob Rudee Rideout
  • Patent number: 11722526
    Abstract: A model checking system detects violations and conflicts in security and verification policies by running model checking processes. The system detects privilege escalation attacks in misconfigured identification and access management (“IAM”) policies by modeling security policy documents and IAM actions as logical formulas and then running model checking on the model. The system translates non-Boolean variables, such as string variables, into Boolean variables in order to apply an SAT model checker. The model checker also determines whether a policy violation can be achieved in a finite number of steps by elevating privileges of some compromised principal over multiple iterations of the model checking process, or proves absence thereof.
    Type: Grant
    Filed: April 16, 2021
    Date of Patent: August 8, 2023
    Assignee: CITIBANK, N.A.
    Inventors: Ilia Shevrin, Mickey Hovel, Max Leibovich, Oded Margalit, Uri Kahana
  • Patent number: 11700234
    Abstract: Techniques are described for detecting attacks that employ a display name in an email to impersonate an email sender. A computing infrastructure hosting an email security platform may determine a similarity between the display name and an email address from which the email was received. The email security platform may determine the similarity by comparing a string associated with the display name and a string associated with the sender address. The email security platform may generate a similarity value based on a result of the display name being compared with the sender address. The email security platform may determine that the email includes the display name impersonating a name of the sender, based on the similarity value meeting or exceeding a threshold value indicative of impersonation. The email security platform may delete or quarantine the email from an inbox associated with a user account.
    Type: Grant
    Filed: March 26, 2021
    Date of Patent: July 11, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Marc Dupont, Jan Brabec
  • Patent number: 11695735
    Abstract: A system and method for managing a plurality of network-enabled client devices such as Internet of Things (IoT) and smart devices employs a distributed ledger or blockchain to store security-related information for each client device. Access to the distributed ledger is provided through a proxy computing system that is configured to exchange security-related messages with the client devices over a first communication path, which may be over a public network; and to engage in transactions with or query the distributed ledger on behalf of the client devices over a second communication path, which is a private channel. Vendible data published by the client devices may be routed by the proxy computing system to a data broker or publishing system in a manner that removes identifying information from the vendible data.
    Type: Grant
    Filed: May 10, 2019
    Date of Patent: July 4, 2023
    Assignee: NXM Labs, Inc.
    Inventors: Jay Fallah, Kristopher Byrne, Kevin John Oerton, Josef Zankowicz, Scott Rankine
  • Patent number: 11683310
    Abstract: Embodiments of an invention for protecting supervisor mode information are disclosed. In one embodiment, an apparatus includes a storage location, instruction hardware, execution hardware, and control logic. The storage location is to store an indicator to enable supervisor mode information protection. The instruction hardware is to receive an instruction to access supervisor mode information. The execution hardware is to execute the instruction. The control logic is to prevent execution of the instruction if supervisor mode information protection is enabled and a current privilege level is less privileged than a supervisor mode.
    Type: Grant
    Filed: May 4, 2021
    Date of Patent: June 20, 2023
    Assignee: Intel Corporation
    Inventors: Barry E. Huntley, Gilbert Neiger, H. Peter Anvin, Asit K. Mallick, Adriaan Van De Ven, Scott D. Rodgers
  • Patent number: 11675918
    Abstract: A collaboration system manages a plurality of content objects that are shared by multiple users at corresponding user devices in corresponding computing environments. Policies that govern interactions over the plurality of content objects are established. A content object upload request from a first user belonging to a first enterprise is processed by the collaboration system and then the content object is shared with a second user of a second enterprise. Security characteristics pertaining to the second user, and/or the second enterprise, and/or the second user's devices are initially unknown or unverified. As such, upon receiving interaction events raised by a user device of the second user, a set of interaction attributes associated with the interaction events are gathered. One or more trust policies are applied to the interaction attributes to evaluate security conditions that correspond to the interaction events. A response is generated based on the evaluated security conditions.
    Type: Grant
    Filed: August 27, 2019
    Date of Patent: June 13, 2023
    Assignee: Box, Inc.
    Inventor: Alok Ojha
  • Patent number: 11677735
    Abstract: Disclosed are systems and methods that require/force bots to access and interact with webpages at a similar level to humans, by including an executable script that generates/updates a test value for a webpage. The client devices must perform certain processing and/or rendering of the webpage to call the computations necessary for generating the updated test value. The script must be executed as a function of processing and/or rendering the webpage. The script may be retrieved from the webserver as a function of processing and/or rendering the webpage. When the browser executes this script, the browser generates the updated test value. At some point, the client device submits a request for a certain process with the updated test value. The server compares the inbound test value from the client device against an initial/previously received test value or an expected test value to determine whether the browser is being operated by a human.
    Type: Grant
    Filed: December 18, 2020
    Date of Patent: June 13, 2023
    Assignee: SHOPIFY INC.
    Inventor: Dennis Ho
  • Patent number: 11671430
    Abstract: A policy-based security system for establishing a secure session from client devices to a web server includes a policy component with policies, a client device with a local application to select a cloud service, and a mid-link server. A set of policies from the policies is determined. An encryption link specified for the set of policies and the cloud service is determined. A set of session protocols is selected to establish the secure session between the client device and the web server based on the set of policies. It is determined whether the client device satisfies security standards of one or more session protocols from the set and based on the determination, either a direct link is selected to establish the secure session using a session protocol from the set or a secure tunnel between the client device and the mid-link server and a corresponding tunnel protocol is selected.
    Type: Grant
    Filed: November 11, 2022
    Date of Patent: June 6, 2023
    Assignee: Netskope, Inc.
    Inventor: James S. Robinson
  • Patent number: 11663361
    Abstract: Embodiments for enabling or disabling application features according to application-specific security settings are described. The application-specific security settings can control when particular security levels, corresponding to authentication procedures, are required. The security levels can correspond to authentication procedures such as requiring no password, only requiring a PIN, allowing authentication by biometrics, or requiring a password. The application-specific security settings can control security levels based on a variety of circumstances such as setting particular security levels for particular locations, setting different security levels based on time since last device use, etc. In various implementations, the security levels can be mapped to application features to enable or disable.
    Type: Grant
    Filed: May 11, 2020
    Date of Patent: May 30, 2023
    Assignee: Micron Technology, Inc.
    Inventors: Claudia A. Delaney, Elsie de la Garza Villarreal, Madison E. Wale, Bhumika Chhabra
  • Patent number: 11653200
    Abstract: Described embodiments provide systems and methods for policy-based authentication, where the policy may designate locations and/or forms of proof of locations, for use in authentication. Some embodiments include or utilize a database storing authentication policies. In an example system, an authentication server in communication with the database is configured to receive a request from a device needing authentication. The request may include a credential. The authentication server is configured to retrieve, from the database storing authentication policies, an authentication policy corresponding to the device, the retrieved authentication policy specifying a location parameter. The authentication server is configured to receive location data from the device and resolve the authentication request using the credential and the received location data pursuant to the retrieved authentication policy.
    Type: Grant
    Filed: April 20, 2021
    Date of Patent: May 16, 2023
    Assignee: Citrix Systems, Inc.
    Inventor: Hao Wu
  • Patent number: 11645416
    Abstract: Systems, methods, and apparatuses for providing a central location to manage permissions provided to third-parties and devices to access and use user data and to manage accounts at multiple entities. A central portal may allow a user to manage all access to account data and personal information as well as usability and functionality of accounts. The user need not log into multiple third-party systems or customer devices to manage previously provided access to the information, provision new access to the information, and to manage financial or other accounts. A user is able to have user data and third-party accounts of the user deleted from devices, applications, and third-party systems via a central portal. The user is able to impose restrictions on how user data is used by devices, applications, and third-party systems, and control such features as recurring payments and use of rewards, via a central portal.
    Type: Grant
    Filed: March 23, 2021
    Date of Patent: May 9, 2023
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Lila Fakhraie, Brian M. Pearce, Steven Pulido, Benjamin Soccorsy, James Stahley, Mojdeh Tomsich
  • Patent number: 11645623
    Abstract: A system automatically manages remote and local data through a declarative client that retrieves, tracks, and caches data in response to a transmission from an interface. The declarative client sits on an immutable image served by a secure private cloud platform. A serverless compute engine receives the immutable image and a plurality of tasks that process the immutable image in a container. An application programming interface in communication with the declarative client extracts data via queries from a database. The declarative client includes a normalized in-memory cache that breaks up results of the queries into individual objects that are each associated with a unique identifier and a unique name. The extracted data is deconstructed downloaded content in which original computer assigned links between data elements are intercepted and mapped to redirected computer-generated local links that locate the downloaded content in a local database.
    Type: Grant
    Filed: April 16, 2021
    Date of Patent: May 9, 2023
    Assignee: Progressive Casualty Insurance Company
    Inventors: Jason Hoehnen, Sara Edwards, Hassan Al Rawi, Sharon Parks, Dominic Valentino, Allen Layne