Abstract: A method is provided for remotely and securely accessing a modem is provided that uses an encrypted authentication token with a modem password. The method includes receiving an encrypted authentication token from the modem, the authentication token having a modem password stored in secure memory and being encrypted according to a public key, transmitting the encrypted authentication token to an authentication server. receiving a decrypted authentication token from the authentication server, the decrypted authentication token comprising the modem password, generating an authentication key and a privacy key from the modem password, configuring modem interfaces at least in part using the authentication token, the modem interfaces including a network management protocol interface and communicating with the modem using the network management protocol interface according to at least one of the generated authentication key and the privacy key.

Abstract: A method of managing a plurality of client nodes in a network is disclosed. A plurality of domains is provided in the network, each domain isolating data from other domains. A plurality of applications is also provided, each application of the plurality of applications allowed to operate in one or more of the plurality of domains. Each of the plurality of client nodes is allowed to operate in one or more of the plurality of domains. The method includes assigning the plurality of applications to the plurality of client nodes, such that each application of the plurality of applications is assigned to a client node that is allowed to operate in a domain that the application is allowed to operate in.

Abstract: Described herein are various technologies pertaining to facilitating digital rights management of patient healthcare records. A computing system executing an electronic health records application (EHR) receives an attribute of a healthcare worker and a patient identifier from a client computing device. The computing system retrieves a computer-readable file for the patient, the computer-readable file comprising a plurality of file records and a file access portion. A file record in the plurality of file records comprises a data portion and an access portion. The computing system transmits data in the data portion to the client computing device only when both the file access portion of the computer-readable file and the access portion of the file record include the attribute of the healthcare worker.

Abstract: In accordance with a security policy regarding a setting value of an information processing apparatus, restriction information indicating whether to restrict modification of the setting value of information processing apparatus stored in a first storage unit is generated and stored in a second storage unit different to the first storage unit. Based on the restriction information stored in the second storage unit, modification of the setting value of the information processing apparatus is restricted.

Abstract: A method for performing a secure boot of a data processing system, and the data processing system are provided. The method includes: processing a command issued from a processor of the data processing system, the command directed to a memory; determining that the command is a command that causes the memory to be modified; performing cryptographic verification of the memory; and incrementing a first counter in response to the determining that the command is a command that causes the memory to be modified. The data processing system includes a processor, a memory, and a counter. The memory is coupled to the processor, and the memory stores data used by a bootloader during a secure boot. The counter is incremented by a memory controller in response to a command being a type of command that modifies the data stored by the memory.

Abstract: Systems for performing a network scan of one or more targets are provided. The systems select, from functions related to performing a network scan of a target, a first group of functions that are ready to execute at a first time. The first group of functions may be executed by a distributed computing system in parallel to generate first and second results. A third function may then be identified as ready to execute based on the first result, and a fourth function may be excluded from the network scan based on the second result.

Abstract: According to one example, a method is described for accessing a composite document in which a trigger is received. A handling instruction for a content-part, from a composite document, and a status for the content-part, from a second computer, are retrieved. An action for the content-part is determined based on the handling instruction and the status, and the content-part action is executed. In the event that the content-part action is to revoke the content-part, the content-part is revoked. In the event that the content-part action is to synchronize the content-part, the content-part is synchronized.

Abstract: In representative embodiments, architectures to improve security through use of an anomaly score are disclosed. A set of cryptographic key material is used to create a model based on a dimensionality reduction and a density estimation that captures the expected behavior of the set of cryptographic key material. An anomaly score for presented cryptographic key material is calculated based on the model. The anomaly score represents the divergence from expectations for the presented cryptographic key material. The anomaly score can be used by a relying system to determine whether to trust the presented cryptographic key material. In this way, cryptographic key material that is valid can be tested to determine whether the cryptographic key material should be trusted even though it is valid.

Abstract: Techniques for managing access control policies are described herein. According to one embodiment, access control policies (ACPs) and access control rules (ACRs) are downloaded from a management server to a network access device (NAD) over the Internet, where the network access device is one of a plurality of network access devices managed by the management server over the Internet. In response to a request from a network client device for entering a network, a device type of the network client device is detected and an ACP identifier is determined based on the device type using the ACRs An ACP is selected from the ACPs based on the ACP identifier and enforced against the network client device. At least the selected ACP is reported to the management server to distribute the selected ACP to other network access devices.

Abstract: Methods and systems for providing a third party application with access to files stored on a server are disclosed. A method may include receiving, from a browser at a client device, a request for a file stored on the server, wherein the request is received via a web page provided by the third party application and rendered by the browser, the web page comprising an embedded user interface (UI) component associated with the server to access the file stored on the server, wherein the request includes a document identifier associated with the file, an application identifier of the third-party application, and an origin identifier, wherein the origin identifier is associated with the web page provided by the third party application and rendered by the browser.

Abstract: One embodiment of the present invention provides a system for facilitating storage encryption and decryption. During operation, the system receives a first request to encrypt data which is to be stored on a remote device, wherein the first request indicates the data. The system updates a key based on a dynamic key refreshment protocol. The system determines a key label for the updated key. The system encrypts the data based on the updated key, and transmits the encrypted data and the key label to the remote device, thereby facilitating secure encryption and decryption of data on the remote device.

Abstract: Methods and systems for a networked computing system are provided. One method includes detecting that a processor executable, policy decision point (PDP) has not responded to a request for accessing data associated with a storage system; predicting a response to the request using a machine-learned, request-response association maintained by a processor executable training device; and presenting the predicted response to a processor executable, policy enforcement point (PEP) for granting access to the data and denying access to the data, based on the predicted response.

Abstract: A predicate-based row level security system is used when workers build or split an analytical data store. According to one implementation, predicate-based means that security requirements of source transactional systems can be used as predicates to a rule base that generates one or more security tokens, which are associated with each row as attributes of a dimension. Similarly, when an analytic data store is to be split, build job, user and session attributes can be used to generate complementary security tokens that are compared to security tokens of selected rows. Efficient indexing of a security tokens dimension makes it efficient to qualify row retrieval based on security criteria.

Abstract: Techniques are disclosed to provide VPN and identity based authentication to cloud-based services. In various embodiments, a request to authenticate a user to a service is received. A user identity associated with one or both of the user and the request is determined based at least in part on data comprising the request. An identity assertion is generated based at least in part on the user identity. The identity assertion is provided to a requesting node with which the request to authenticate is associated.

Abstract: A variety of techniques are disclosed for detection of advanced persistent threats and similar malware. In one aspect, the detection of certain network traffic at a gateway is used to trigger a query of an originating endpoint, which can use internal logs to identify a local process that is sourcing the network traffic. In another aspect, an endpoint is configured to periodically generate and transmit a secure heartbeat, so that an interruption of the heartbeat can be used to signal the possible presence of malware. In another aspect, other information such as local and global reputation information is used to provide context for more accurate malware detection.

Abstract: Systems, apparatuses and methods may provide for generating, in response to a decrease in trustworthiness with respect to a controller, a notification message and generating a message authentication code (MAC) based on the notification message and one or more locally stored keys. Additionally, the notification message and the MAC may be sent to the controller, wherein the notification message is directed to one or more peers in a network associated with the controller. In one example, the notification message includes one or more of an indication that the controller is compromised or an indication that the controller is suspected to be compromised.

Abstract: Systems and methods for monetizing the reproduction of digital media content for the rights-holders of the digital media content. Embodiments of the present disclosure relate to determining whether a user of a media content item has a license to reproduce the media content item. In one embodiment, the media content item may be reproduced when the user is licensed. The user is prompted to select to acquire a license to reproduce the media content item or to decline the license to reproduce the media content item when the user is not licensed. Further embodiments determine whether a user may receive a license when the user wishes to acquire a license. In an embodiment, the user is declined a license when not approved for the license.

Abstract: A computing device can install and execute a kernel-level security agent that interacts with a remote security system as part of a detection loop aimed at defeating malware attacks. The kernel-level security agent can be installed with a firewall policy that can be remotely enabled by the remote security system in order to “contain” the computing device. Accordingly, when the computing device is being used, and a malware attack is detected on the computing device, the remote security system can send an instruction to contain the computing device, which causes the implementation, by an operating system (e.g., a Mac™ operating system) of the computing device, of the firewall policy accessible to the kernel-level security agent. Upon implementation and enforcement of the firewall policy, outgoing data packets from, and incoming data packets to, the computing device that would have been allowed prior to the implementation of the firewall policy are denied.

Abstract: A method and system for connecting an Internet of Things (IoT) hub to a wireless network. One embodiment of the method includes establishing a secure communication channel between an IoT hub and an IoT service through a client device using a first secret; generating a second secret on the client device and transmitting it to the IoT hub; encrypting a wireless key using the second secret to generate a first-encrypted key and transmitting it to the IoT service; encrypting the first-encrypted key using the first secret to generate a twice-encrypted key and transmitting it to the IoT hub over the secure communication channel; decrypting the twice-encrypted key at the IoT hub using the first secret to generate the first-encrypted key and decrypting it using the second secret to generate the wireless key usable to establish a secure wireless connection between the IoT hub and the local wireless network.

Abstract: Systems and methods for monetizing the reproduction of digital media content for the rights-holders of the digital media content. Embodiments of the present disclosure relate to determining whether a user of a media content item has a license to reproduce the media content item. In one embodiment, the media content item may be reproduced when the user is licensed. The user is prompted to select to acquire a license to reproduce the media content item or to decline the license to reproduce the media content item when the user is not licensed. Further embodiments determine whether a user may receive a license when the user wishes to acquire a license. In an embodiment, the user is declined a license when not approved for the license.