Abstract: A system includes a purchase portal configured to receive a purchase order from a customer, wherein the purchase order includes a service from each of a plurality of service providers. When receipt of the purchase order is detected, a processor determines first and second ones of the service providers associated with the purchase order; and establishes a trust relationship between the first service provider and the second service provider in a context of the customer. The processor also sends a first request for a first trust artifact to the first service provider and a second request for a second trust artifact to the second service provider; receives the first trust artifact from the first service provider, receives the second trust artifact from the second service provider, sends the first trust artifact to the second service provider, and sends the second trust artifact to the first service provider.

Abstract: Methods and systems for securing unstructured data are provided. One method includes generating, by a processor, a schema from unstructured data, the schema including one or more relationships between named entities of the unstructured data; identifying, by the processor, a plurality of semantic relationships between the named entities; determining, by the processor, a sensitive relationship from the plurality of semantic relationships; and anonymizing, by the processor, sensitive data associated with the sensitive relationship by replacing, a first portion of the sensitive data with generalized information.

Abstract: Methods are provided to authorize a secondary user device for a network service provided over a network. Responsive to receiving a request from a primary user device, a voucher may be transmitted over the network to the primary user device. A request for an authorization waiver may be received from the secondary user device over the network, wherein the request for the authorization waiver includes the voucher that was transmitted to the primary user device. Responsive to receiving the request from the secondary user device including the voucher, an authorization waiver may be transmitted to the secondary user device. Related methods of operating primary and secondary user devices are also discussed.

Abstract: Devices, methods, and systems for secure communications on a computing device. A host operating system (OS) runs on a host processor in communication with a host memory. A secure OS runs on a coprocessor in communication with a secure memory. The coprocessor receives information from an external device over a secure peer-to-peer (P2P) connection. The secure P2P connection is managed by the secure OS and is not accessible by the host OS.

Abstract: An active attestation apparatus verifies at runtime the integrity of untrusted machine code of an embedded system residing in a memory device while it is being run/used with while slowing the processing time less than other methods. The apparatus uses an integrated circuit chip containing a microcontroller and a reprogrammable logic device, such as a field programmable gate array (FPGA), to implement software attestation at runtime and in less time than is typically possible with comparable attestation approaches, while not requiring any halt of the processor in the microcontroller. The reprogrammable logic device includes functionality to load an encrypted version of its configuration and operating code, perform a checksum computation, and communicate with a verifier. The checksum algorithm is preferably time optimized to execute computations in the reprogrammable logic device in the minimum possible time.

Abstract: In one implementation, a method for automatically generating a security policy for a controller includes receiving, by a security policy generation system and from a controller development environment, code for a device controller; selecting middleware that enforces a security policy; analyzing the code for the device controller; based at least in part on the analyzing, automatically generating the security policy; and providing the selected middleware along with the generated security policy.

Abstract: Methods, systems, and techniques for private identity verification involve obtaining a cryptographically secure commitment that is generated using a first user identifier and a private user identifier associated with the first user identifier; receiving, from an identity verification system, initial zero knowledge proof messages comprising the commitment; sending, to the identity verification system, a set of cryptographically secure known identifier commitments generated using a set of private user identifiers; receiving, from the identity verification system: (i) a zero knowledge proof response generated using the zero knowledge proof challenge; and (ii) proof that the private user identifier used in the initial zero knowledge proof messages comprises part of the set of private user identifiers; and verifying that the private user identifier used in the initial zero knowledge proof messages comprises part of the set of private user identifiers.

Abstract: A system includes a hypervisor, a memory, and boot firmware stored in the memory. The boot firmware is configured to execute on a processor to load a trusted code that includes a condition checker from the hypervisor, check a signature of the trusted code, and verify the signature is trusted by a guest. The boot firmware is also configured to load the trusted code into an encrypted memory at a known guest address. The hypervisor is configured to protect the known guest address. The trusted code includes a first instruction, one or more intermediate instructions, and a final instruction. The first instruction and the final instruction are exits to the hypervisor. The hypervisor is also configured to execute the condition checker and detect an inconsistency in guest memory.

Abstract: A new network security device/appliance is proposed to not only protect, but also to control and operate an industrial IoT device. Specifically, the network security device is configured to detect and block cyber attacks such as viruses, hacking attempts, and other types of cyber threats launched from an outside network against the industrial IoT device based on a set of configurable rules. In addition, the network security device is further configured to control and operate the industrial IoT device remotely in response to the cyber attacks by issuing and communicating certain instructions/command to the industrial IoT device. Besides accepting and executing control command from the network security device, the industrial IoT device is also configured to send a request to the network security device to make certain adjustments to the rules concerning network traffic directed to the industrial IoT device.

Abstract: According to one embodiment, a communication device belongs to a communication network including a control device and a plurality of communication devices connected to the control device, and transmits a communication packet to a transmission destination communication device. The communication device and the transmission destination communication device are differently one of the plurality of communication devices. In the communication device, a memory stores first information for judging a normality of the communication packet. An analyzing unit judges the normality of a received communication packet based on the received communication packet and the first information. A transmission destination determining unit determines the transmission destination communication device and the control device as transmission destinations of the received communication packet when the analyzing unit judges that the received communication packet is not normal.

Abstract: Disclosed herein are systems and methods of executing scanning software, such an executable software program or script (e.g., PowerShell script), by a computing device of an enterprise, such as a security server, may instruct the computing device to search all or a subset of computing devices in an enterprise network. The scanning software my identify PowerShell scripts containing particular malware attributes, according to a malicious-code dataset. The computing system executing the scanning software may scan through the identified PowerShell scripts to identify particular strings, values, or code-portions, and take a remedial action according to the scanning software programming.

Abstract: Embodiments of the disclosure describe a simulated phishing campaign manager that communicates a simulated phishing communication that includes at least the telephone number and reference identifier, to a device of a user. The content of the simulated phishing communication may prompt the user to call the telephone number identified in the simulated phishing communication. The security awareness system may select a telephone number and a reference identifier to use for the simulated phishing communication, the combination of which may be later used to identify a specific user if they respond to the message. Each of a plurality of users may have a unique combination of telephone number and reference identifier. The telephone number may be selected based on the geographic location of the user, or the telephone number may be selected to correspond to content in a simulated phishing communication.

Abstract: A secure token (ST) system including at least one ST computing device to provision data using secure tokens over a network is provided. The ST computing device is configured to receive first customer data from a credit issuer computing device, the first customer data including at least one or more account identifiers associated with a customer and a social security number (SSN) associated with the customer. The ST computing device is also configured to hash the SSN, wherein the hashed SSN includes a hash value, assign a unique identifier to each of the one or more account identifiers, and generate a secure token by associating the hash value to each unique identifier. The ST computing device is further configured to store the secure token within the database, and transmit the secure token to at least one of the credit issuer computing device and a third party computing device.

Abstract: The disclosed exemplary embodiments include computer-implemented systems, apparatuses, and processes that dynamically manage exchanges of data using a cryptographically secure distributed ledger and homomorphic commitments. For example, and in response to an occurrence of a triggering event, an apparatus may obtain parameter values that characterize the data exchange, first commitment values representative of the parameter values, and a first digital signature. In response to a verification of the first digital signature, the apparatus may apply a second digital signature to commitment data that includes the first commitment values and a second commitment value representative of the first digital signature. The apparatus may transmit a signal that includes the commitment data and the second digital signature to a computing system, which generates an element of distributed ledger that includes the commitment data and the second digital signature in response to a verification of the second digital signature.

Abstract: Methods and systems for processing a blockchain comprising a plurality of immutable sales records corresponding to sales made by agents of an entity are provided. According to certain aspects, a transaction request indicating a sale made by an agent of the entity may be received at a first node. A block including a sales record indicating the sale made by the agent may be added to a blockchain and transmitted to another node for validation. The first node may add the block to a copy of the blockchain, where the block may be identified by a hash value that references a previous block in the blockchain that includes at least one additional sales record.

Abstract: The use of browser context in detecting malware is disclosed. A client device requests content from a remote server. Data received by the client device from the remote server is transmitted to an external scanner for analysis by the external scanner. The external scanner is configured to use a browser executed in an instrumented virtual machine environment to analyze the data provided by the client device. The client device is configured to act as a proxy on behalf of the external scanner.

Abstract: The disclosed system and method enhances security of people, organizations, and other entities that use what has been termed “social media.” Recent trends have shown that information posted to social media may cause tremendous damage to individuals and other entities. This includes information that was posted deliberately or unintentionally, including social security numbers, financial data and other sensitive information. Further, information that previously may have been viewed as innocuous, such as location data, has caused harm on certain occasions and may need to be protected. The disclosed system provides a novel method of screening, identifying, and preventing certain information from being posted on social media and other public locations. In addition, the disclosed system and method improves security by motivating people to use security software by offering rewards for its use.

Abstract: A method and device for securely displaying data are displayed. The method includes the following. A security display state is entered after an instruction used for starting the security display state is received. A current data packet to be displayed is obtained. If a display address includes a security display address, security data corresponding to the security display address is obtained from current data to be displayed. The security data is securely processed. The security data is displayed at the security display address. A security processing result of the security data is obtained. The security display address is a fixed address.

Abstract: A method of generating a similarity hash for an executable includes extracting a plurality of characteristics for one or more classes in the executable, and transforming the plurality of characteristics into a set of one or more class fingerprint strings corresponding to the one or more classes. The set of class fingerprint strings is transformed into a hash string using minwise hashing, such that a difference between hash strings for different executables is representative of the degree of difference between the executables. The hash of a target executable is compared with hashes of known malicious executables to determine whether the target executable is likely malicious.

Abstract: A method for sharing secret data between multiple containers. In response to the initial booting of an operating system instance in a container, a unique operating system identifier is generated for the operating system instance. A grant authority stores the unique operating system identifier in a reserved area of a secure storage device. In response to a request from the operating system instance to access secret data in the secure storage device, the grant authority determines whether the unique operating system identifier is stored in the secure storage device. The operating system instance may be granted access to secret data in the non-reserved area of the secure storage device.