Patents Examined by Longbit Chai
  • Patent number: 11120156
    Abstract: Preserving privacy of deleted personal data is provided. A registration of a client device is received. The client device stores a plurality of personal data corresponding to a plurality of data subjects. A copy of a set of personal data corresponding to a particular data subject deleted from the client device is received along with metadata describing the set of personal data deleted from the client device and a hash key based on the set of personal data deleted from the client device. Access to the copy of the set of personal data deleted from the client device is granted in response to receiving an access request that includes the hash key corresponding to the set of personal data from the particular data subject within a defined period of time. The copy of the set of personal data is deleted after expiration of the defined period of time.
    Type: Grant
    Filed: March 13, 2019
    Date of Patent: September 14, 2021
    Assignee: International Business Machines Corporation
    Inventors: John Handy Bosma, Raymond Fallon, David Wayne Harrison, Leanna Holmquist
  • Patent number: 11108828
    Abstract: Some embodiments provide a method for gaining insight into authorization policy enforcement for application programming interface (API) calls to at least one service that includes multiple resources. The method generates a permissions graph including nodes that represent the resources and multiple users, based on two or more received authorization policies that restrict access to the service for the users. The method receives a selection of a node that corresponds to a user, and in response to the received selection, modifies the graph to display connections between the node corresponding to the user and one or more nodes associated with resources of the service that the user is authorized to access based on the authorization policies.
    Type: Grant
    Filed: June 19, 2019
    Date of Patent: August 31, 2021
    Assignee: STYRA, INC.
    Inventors: Andrew Curtis, Mikol Graves, Bryan J. Fulton, Timothy L. Hinrichs, Marco Sanvido, Teemu Koponen
  • Patent number: 11095626
    Abstract: A network processor provides for in-line encryption and decryption of received and transmitted packets. For packet transmittal, a processor core generates packet data for encryption and forwards an encryption instruction to a cryptographic unit. The cryptographic unit generates an encrypted packet, and enqueues a send descriptor to a network interface controller, which, in turn, constructs and transmits an outgoing packet. For received encrypted packets, the network interface controller communicates with the cryptographic unit to decrypt the packet prior to enqueuing work to the processor core, thereby providing the processor core with a decrypted packet.
    Type: Grant
    Filed: September 26, 2018
    Date of Patent: August 17, 2021
    Assignee: MARVELL ASIA PTE, LTD.
    Inventors: Richard E. Kessler, Shahe H. Krakirian
  • Patent number: 11095649
    Abstract: A system for enabling secure bidirectional communications on a network is provided, wherein a first server having a first security rating is connected to a second server having a second security rating by a first data channel configured to establish one-way communication from the first server to the second server. A second data channel incorporating a third server is configured to establish one-way communication from the second server back to the first server. The third server has a power switch that controls third server on and off states. The second data channel is enabled when the power switch is turned on. The third server arbitrates the flow of message traffic from the second server back to the first server by applying an on-board security module's encoded set of rules to determine whether the message is permitted to proceed to the first server.
    Type: Grant
    Filed: June 27, 2019
    Date of Patent: August 17, 2021
    Assignee: Saudi Arabian Oil Company
    Inventors: Mostafa Al Amer, Mohammed K. Ujaimi, Eid S. Harbi
  • Patent number: 11089011
    Abstract: Disclosed examples to manage user credentials include providing new credentials from a non-rendered application to a website to perform credential resetting for the website; establishing an authenticated session for a user with the website based on the new credentials; and passing session configuration data corresponding to the authenticated session from the non-rendered application to a browser, the session configuration data to allow the browser to continue the authenticated session.
    Type: Grant
    Filed: December 30, 2019
    Date of Patent: August 10, 2021
    Assignee: McAfee, LLC
    Inventors: Greg Whiteside, Olivier Beaulieu, Mathieu Rene
  • Patent number: 11089022
    Abstract: The present disclosure provides an approach for granting access to a resource located on a first server, the granting being done by a second server to a third server. The method results in a decentralized granting of access to a resource, preventing a bottleneck in the first server that could develop if the first server were to grant each access to each of its resources. The access is provided in the form of an encrypted capability, and transmitted through a secure channel. The code on the second server for granting access is located within an encrypted memory region, such that unauthorized processes cannot access the code or the data within the encrypted memory region.
    Type: Grant
    Filed: February 18, 2019
    Date of Patent: August 10, 2021
    Assignee: VMware, Inc.
    Inventors: Gerd Zellweger, Stanko Novakovic
  • Patent number: 11070369
    Abstract: A system that comprises a quantum key device configured to generate quantum information and transmit the quantum information over a first and second quantum communication channel. The system also comprises a first device, communicatively coupled to the quantum key device over the first quantum communication channel, and a second device, communicatively coupled to the quantum key device over the second quantum communication channel. The system further comprises an encryption module configured to encrypt data to create encrypted data, at the first device, using a first quantum encryption key. The system also comprises a decryption module configured to decrypt the encrypted data to create decrypted data, at the second device, using a second quantum encryption key. The first quantum encryption key is the same as the second quantum encryption key. The system further comprises a termination module configured to prevent access to the decrypted data after a predetermined period of time.
    Type: Grant
    Filed: January 16, 2020
    Date of Patent: July 20, 2021
    Assignee: The Boeing Company
    Inventors: Wayne R. Howe, Jeffrey H. Hunt
  • Patent number: 11062044
    Abstract: An access control system for managing and enforcing an attribute based access control (ABAC) policy includes: a minimum ABAC implementation that produces a representation access control list in an ABAC policy system; and a local host system that produces a resource repository access control list in the local host system such that the resource repository access control list is based on the representation access control list.
    Type: Grant
    Filed: March 12, 2020
    Date of Patent: July 13, 2021
    Assignee: GOVERNMENT OF THE UNITED STATES OF AMERICA, AS REPRESENTED BY THE SECRETARY OF COMMERCE
    Inventors: David F. Ferraiolo, Gopi Katwala, Serban Gavrila
  • Patent number: 11063756
    Abstract: Methods, systems and devices for using different encryption keys written into interconnects of different functional blocks in different integrated circuits to securely encrypt and authenticate firmware, data, instructions and other messages transmitted among said functional blocks; and methods, systems and devices to obfuscate encryption keys to significantly increase the time and resources required to compromise those keys, ensuring encrypted data is only decrypted by authorized functional blocks, applications or users. Unique keys, small enough not to impact substrate surface area available for other device functions, can be written by charged particle beams such that multiple (or each of) functional blocks has a corresponding key unique within an IC and across a line of ICs and so that access to said keys is as limited (or nonexistent) as desired.
    Type: Grant
    Filed: October 22, 2019
    Date of Patent: July 13, 2021
    Inventors: Kevin M. Monahan, David K. Lam, Theodore A. Prescop
  • Patent number: 11063969
    Abstract: In one embodiment, a network security device monitors network communications between a computer and another computer. A periodicity of transmissions made by one computer to the other computer is determined, with the periodicity being used to identify candidate time point pairs having intervals that match the periodicity. A graph is constructed with time points of the candidate time point pairs as nodes and with intervals of time point pairs as edges. A longest path that continuously links one time point to another time point on the graph is compared to a threshold length to verify that the transmissions are periodic, and are thus potentially indicative of malicious network communications.
    Type: Grant
    Filed: June 25, 2019
    Date of Patent: July 13, 2021
    Assignee: Trend Micro Incorporated
    Inventors: Shoufu Luo, Jonathan Edward Andersson, Josiah Dede Hagen
  • Patent number: 11057418
    Abstract: Prioritizing vulnerability scan results is provided. Vulnerability scan results data corresponding to a network of data processing systems are received from a vulnerability scanner. The vulnerability scan results data are parsed to group the vulnerability scan results data by vulnerability identifiers. A corresponding security threat information identifier is associated with each vulnerability identifier. A correlation of each associated security threat information identifier is performed with a set of current vulnerability exploit data that corresponds to that particular security threat information identifier. Current security threat information that affects host data processing systems in the network is determined based on the correlation between each associated security threat information identifier and its corresponding set of current vulnerability exploit data. The current security threat information is prioritized based on a number of corresponding current vulnerability exploit attacks.
    Type: Grant
    Filed: October 15, 2018
    Date of Patent: July 6, 2021
    Assignee: International Business Machines Corporation
    Inventors: Steven Ocepek, Nevenko Zunic, Tamer Aboualy, Johnny A. Shaieb
  • Patent number: 11042400
    Abstract: A method for providing a language agnostic contract execution on a blockchain is provided. The method includes providing a menu comprising multiple execution environments, and selecting, from a suite of virtual machine containers, a virtual machine container that runs an execution environment selected by the developer of the blockchain application. The method also includes enabling one or more functions in the virtual machine container to access a dedicated memory or a state variable in the block producer to run an action in the virtual machine container, the action provided by a server running the blockchain application, providing the action to the blockchain application in the virtual machine container, and writing an output from the action of the blockchain application to a secure ledger in a blockchain. A system and a non-transitory, computer-readable medium storing instructions to perform the above method are also provided.
    Type: Grant
    Filed: February 16, 2021
    Date of Patent: June 22, 2021
    Assignee: block.one
    Inventor: Ian Holsman
  • Patent number: 11044267
    Abstract: A measure of influence of a sender entity is determined for a message receiving entity based at least in part on an analysis of previous electronic messages sent by the sender entity. An electronic message associated with the sender entity is received. The measure of influence of the sender entity is utilized to determine a security risk associated with the received electronic message.
    Type: Grant
    Filed: December 13, 2018
    Date of Patent: June 22, 2021
    Assignee: Agari Data, Inc.
    Inventors: Bjorn Markus Jakobsson, Siobhán McNamara, Patrick Richard Peterson, Jacob Rudee Rideout
  • Patent number: 11044233
    Abstract: A host computer system may be configured to connect to a network. The host computer system may be configured to implement a workspace and an isolated computing environment. The host computer system may be configured to isolate the isolated computing environment from the workspace using an internal isolation firewall. The host computer system may be configured to receive a request to communicate with a first network destination. On a condition that the first network destination is determined to be trusted, the processor may be configured to communicate with the first network destination via a first browser process executed in the workspace. On a condition that the first network destination is determined to be untrusted, the processor may be configured to communicate with the first network destination via a second browser process executed in the isolated computing environment.
    Type: Grant
    Filed: September 28, 2018
    Date of Patent: June 22, 2021
    Assignee: L3 Technologies, Inc.
    Inventors: Peter Martz, Kenneth Moritz, Glenn Coleman
  • Patent number: 11038888
    Abstract: A method for dynamically creating network access control lists includes, by a processor, receiving a request for an access control list (ACL). The method further includes, in response to receiving the request for the ACL: receiving a plurality of resource descriptions from a first data source, receiving a policy enforcement point (PEP) graph for a network from a second data source, and using the plurality of resource descriptions and the PEP graph to generate the ACL, wherein the ACL comprises at least one policy for controlling network traffic through a PEP of the network. Each of the plurality of resource descriptions is associated with a plurality of computing devices in the network, and includes one or more of the following: information corresponding to an Internet Protocol definition of a computing device, information corresponding to desired access of the computing device, and information corresponding to permitted access of the computing device.
    Type: Grant
    Filed: March 19, 2019
    Date of Patent: June 15, 2021
    Assignee: Google LLC
    Inventors: Vjaceslavs Klimovs, Daniel Watson
  • Patent number: 11036873
    Abstract: Techniques for enhancing the security of a communication device may include providing an application agent and a transaction application that executes on a communication device. The application agent may receive, from the application, a cryptogram key generated by a remote computer, and store the cryptogram key on the communication device. When the application agent receives a request to conduct a transaction from the application, the application agent may generate a transaction cryptogram using the cryptogram key, and provide the transaction cryptogram to an access device.
    Type: Grant
    Filed: October 15, 2019
    Date of Patent: June 15, 2021
    Assignee: Visa International Service Association
    Inventor: Eduardo Lopez
  • Patent number: 11032592
    Abstract: Systems and methods are provided for securely providing a media stream from a server device to a remote player via a communications network. A request for a connection is received from the remote player at the server device via the communications network. In response to the request for the connection, an authorization credential is requested from a central server via the communications network. Further, in response to the authorization credential received from the central server, the media stream between the server device and the remote player can be established over the communications network. At least a portion of the media stream may be encrypted based upon the authorization credential.
    Type: Grant
    Filed: June 24, 2019
    Date of Patent: June 8, 2021
    Assignee: SLING MEDIA L.L.C.
    Inventor: Padmanabha R. Rao
  • Patent number: 11023590
    Abstract: A method, apparatus, system, and computer program product for performing security testing. Information about successful payloads in payloads is determined by a computer system using crowd-sourced data in which a successful payload is a payload used in a successful attack. A set of popular payloads is determined by a computer system from the payloads using information about the successful payloads determined using the crowd-sourced data. Testing is focused by the computer system on the set of popular payloads based on a set of key features for the set of popular payloads.
    Type: Grant
    Filed: November 28, 2018
    Date of Patent: June 1, 2021
    Assignee: International Business Machines Corporation
    Inventors: Paul Ionescu, Omer Tripp, Iosif Onut
  • Patent number: 11019061
    Abstract: Embodiments of an invention for protecting supervisor mode information are disclosed. In one embodiment, an apparatus includes a storage location, instruction hardware, execution hardware, and control logic. The storage location is to store an indicator to enable supervisor mode information protection. The instruction hardware is to receive an instruction to access supervisor mode information. The execution hardware is to execute the instruction. The control logic is to prevent execution of the instruction if supervisor mode information protection is enabled and a current privilege level is less privileged than a supervisor mode.
    Type: Grant
    Filed: November 19, 2018
    Date of Patent: May 25, 2021
    Assignee: Intel Corporation
    Inventors: Barry E. Huntley, Gilbert Neiger, H. Peter Anvin, Asit K. Mallick, Adriaan Van De Ven, Scott D. Rodgers
  • Patent number: 11012421
    Abstract: Disclosed are improved systems, methods, and computer program products that use a cluster-based probability model to perform anomaly detection, where the clusters are based upon entities and interactions that exist in content management platforms.
    Type: Grant
    Filed: August 28, 2018
    Date of Patent: May 18, 2021
    Assignee: Box, Inc.
    Inventor: Kave Eshghi