Patents Examined by Richard W Cruz-Franqui
  • Patent number: 10819522
    Abstract: Disclosed herein are embodiments of systems, methods, and products for authentication using entropic threshold. A server may require a user to create a series of security questions to which only the user has the answers. The answers to the security questions may satisfy an entropic threshold. Based on the answers to the security questions, the client device may generate a passphrase and encrypt the user's private key based on the passphrase. The server may also store the encrypted private key and the series of security questions into a database. When the user tries to access the private key, the server may send the user's security questions and encrypted private key. The client device may require the user to provide the answer to each security question. When the client device receives answers to all security questions, the client device may use the resulting passphrase to decrypt the user's encrypted private key.
    Type: Grant
    Filed: January 3, 2020
    Date of Patent: October 27, 2020
    Assignee: BlockGen Corp.
    Inventors: William Roy, Timothy McLean
  • Patent number: 10812507
    Abstract: System and methods are described which are useful for efficiently combining characteristic detection rules, such as may be done to efficiently and quickly assist in the dispositioning of user reported security threats.
    Type: Grant
    Filed: April 19, 2019
    Date of Patent: October 20, 2020
    Assignee: KnowBe4, Inc.
    Inventors: Marcio Castilho, Alin Irimie, Michael Hanley, Daniel Cormier, Raymond Skinner
  • Patent number: 10812135
    Abstract: A network includes a first wireless node that communicates over a wireless network connection. The first wireless node includes a first encryption engine that processes a first initialization data set and a current transmit sequence associated with a current communication to generate a next transmit sequence that is employed to communicate with a second wireless node that derives a next received sequence that corresponds to the next transmit sequence to process a subsequent communication.
    Type: Grant
    Filed: September 28, 2017
    Date of Patent: October 20, 2020
    Assignee: TEXAS INSTRUMENTS INCORPORATED
    Inventors: Ariton E. Xhafa, Xiaolin Lu, Jianwei Zhou, Il Han Kim
  • Patent number: 10805337
    Abstract: A method includes, responsive to detecting network activity indicative of a threat, selecting a threat mitigation scheme corresponding to a set of response actions. The method also includes filtering the set of response actions based on a policy to generate a set of allowed response actions and executing one or more response actions of the set of allowed response actions.
    Type: Grant
    Filed: December 19, 2014
    Date of Patent: October 13, 2020
    Assignee: THE BOEING COMPANY
    Inventors: Faye I. Francy, Gregory J. J. Small
  • Patent number: 10798057
    Abstract: A system and method for providing secure access to an organization's internal directory service from external hosted services. The system includes a remote directory service configured to accept directory service queries from an application running on hosted services. The remote directory service passes the queries to a directory service proxy server inside a firewall of the organization via a secure rendezvous service. The directory service proxy server passes the queries to the internal directory service inside said firewall. Request responses from the internal directory service pass through the directory service proxy server to the remote directory service through said firewall via the secure rendezvous service. The remote directory service returns the response to the requesting application.
    Type: Grant
    Filed: February 12, 2013
    Date of Patent: October 6, 2020
    Assignee: CENTRIFY CORPORATION
    Inventors: Paul Moore, Nathaniel Wayne Yocom
  • Patent number: 10795985
    Abstract: Systems and methods are described for utilizing a secure environment on a mobile computing device for applying policy-based decision management in response to access requests from untrusted areas. A policy decision processor (PDP) within the secure environment provides a policy decision in response to an access query. A decision cache within the secure environment can be used to store policy decisions for faster resolution of access requests. Policy enforcement points (PEPs) are placed between external devices that are trying to access the device and the secured environment, where the PEPs are used to enforce the policy-based decision, and can be located either inside or outside the secure environment. Decision certificates can be formulated using validity information and timestamps, and used for validation policy certificates. Memory in non-secure areas can also be marked (colored) for use in performing trusted operations in order to optimize system resource usage.
    Type: Grant
    Filed: April 24, 2015
    Date of Patent: October 6, 2020
    Assignee: Sequitur Labs Inc.
    Inventors: Philip Attfield, Daniel Schaffner, Michael Thomas Hendrick
  • Patent number: 10790978
    Abstract: Technologies for secure collective authorization include multiple computing devices in communication over a network. A computing device may perform a join protocol with a group leader to receive a group private key that is associated with an interface implemented by the computing device. The interface may be an instance of an object model implemented by the computing device or membership of the computing device in a subsystem. The computing device receives a request for attestation to the interface, selects the group private key for the interface, and sends an attestation in response to the request. Another computing device may receive the attestation and verify the attestation with a group public key corresponding to the group private key. The group private key may be an enhanced privacy identifier (EPID) private key, and the group public key may be an EPID public key. Other embodiments are described and claimed.
    Type: Grant
    Filed: September 21, 2016
    Date of Patent: September 29, 2020
    Assignee: Intel Corporation
    Inventors: Ned M. Smith, Omer Ben-Shalom, Alex Nayshtut
  • Patent number: 10791127
    Abstract: A packet transmission method and an apparatus pertain to the field of network technologies. The method includes obtaining, by a terminal device, a source IP (Internet Protocol) address in a to-be-transmitted packet and N IP addresses of the terminal device, where N is an integer, and when the source IP address in the to-be-transmitted packet is different from any one of the N IP addresses of the terminal device, determining that the source IP address in the to-be-transmitted packet is forged, and prohibiting transmitting the to-be-transmitted packet. The application can solve the problem that a virus such as Trojan in the terminal device may be prevented from forging a source IP address of another device to randomly transfer an attack packet in the network to improve network security.
    Type: Grant
    Filed: May 3, 2017
    Date of Patent: September 29, 2020
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Junyang Rao, Qing Gao, Jincheng Xie
  • Patent number: 10778439
    Abstract: The Seed Splitting and Firmware Extension for Secure Cryptocurrency Key Backup, Restore, and Transaction Signing Platform Apparatuses, Methods and Systems (“SFTSP”) transforms transaction signing request, key backup request, key recovery request inputs via SFTSP components into transaction signing response, key backup response, key recovery response outputs. A transaction signing request message for a transaction is received by a first HSM and includes an encrypted second master key share from a second HSM whose access is controlled by M-of-N authentication policy. The encrypted second master key share is decrypted. A first master key share is retrieved. A master private key is recovered from the master key shares. A transaction hash and a keychain path is determined. A signing private key for the keychain path is generated using the recovered master private key. The transaction hash is signed using the signing private key, and the generated signature is returned.
    Type: Grant
    Filed: May 18, 2018
    Date of Patent: September 15, 2020
    Assignee: FMR LLC
    Inventors: Gang Cheng, Vladimir Tsitrin, Thomas Stephen McGuire
  • Patent number: 10762245
    Abstract: An input peripheral agent intercepts input commands on a host machine and enforces policy conditions and whitelist conditions before deciding whether to permit the commands to be processed by an operating system of the host or whether to ignore the commands on the host machine. In an embodiment, the policy conditions and whitelist conditions can be dynamically changed by a remote network manager without changing, stopping, and/or restarting the input peripheral agent and/or the host machine.
    Type: Grant
    Filed: December 17, 2015
    Date of Patent: September 1, 2020
    Assignee: NCR Corporation
    Inventors: Anthony Edward Roper, Graham Flett
  • Patent number: 10754967
    Abstract: Systems, methods, and other embodiments associated with handling secure interrupts between security zones are described. According to one embodiment, an apparatus includes a memory divided between a secure zone and a non-secure zone and storing a plurality of applications. The secure zone provides exclusive access to secure assets of the apparatus. A processor with an interface module configured to, in response to receiving an interrupt request from a requesting application that executes on the processor in the non-secure zone, tunnel the interrupt request into the secure zone of the processor. The non-secure zone and the secure zone are configured as operating environments of the processor with separate security controls. The processor includes a monitor module configured to issue the secure interrupt to a trusted application that is one of the plurality of applications in the secure zone, wherein the trusted application is registered to handle the secure interrupt.
    Type: Grant
    Filed: December 15, 2015
    Date of Patent: August 25, 2020
    Assignee: Marvell Asia Pte, Ltd.
    Inventors: Gaurav Arora, Yongsen Chen, Adil Jagmag, Pontus Lidman, Haobo Yu, Yongbing Chen, Ailing Du
  • Patent number: 10740482
    Abstract: A way of sharing a set of data where each data item is stored at a different file path. The data items may be files or folders that reside on different remote storage servers or within the same file system. One or more data items in the set of data do not share a common root folder. Data items in the set of data that share a common root folder are stored amongst other data items in the common root folder that do not belong to the set of data items to be shared. A single URL or link is generated to provide immediate access to the set of data to recipients of the URL or link.
    Type: Grant
    Filed: February 9, 2016
    Date of Patent: August 11, 2020
    Inventors: Raghavendra Kulkarni, Vilabh Mishra, Diganta Dutta, Gaurav Sanghavi, Ajit Sirohi, Nicholas DeVos
  • Patent number: 10726162
    Abstract: Systems and techniques for a System-on-a-Chip (SoC) security plugin are described herein. A component message may be received at an interconnect endpoint from an SoC component. The interconnect endpoint may pass the component message to a security component via a security interlink. The security component may secure the component message, using a cryptographic engine, to create a secured message. The secured message is delivered back to the interconnect endpoint via the security interlink and transmitted across the interconnect by the interconnect endpoint.
    Type: Grant
    Filed: December 19, 2014
    Date of Patent: July 28, 2020
    Assignee: Intel Corporation
    Inventors: Manoj R Sastry, Alpa Narendra Trivedi, Men Long
  • Patent number: 10721267
    Abstract: The disclosed computer-implemented method for detecting system attacks may include (1) receiving, from a detecting system capable of detecting attacks, information that identifies an attack that originated from a compromised client system that is remote from the detecting system, (2) determining that the attack originated from the compromised client system, (3) determining that the compromised client system includes an anti-malware agent, and (4) notifying the anti-malware agent on the compromised client system that the compromised client system performed the attack. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: July 18, 2014
    Date of Patent: July 21, 2020
    Assignee: NortonLifeLock Inc.
    Inventor: Christopher Alexander
  • Patent number: 10715502
    Abstract: Systems and methods for automating client-side synchronization and discovery of public keys and certificates of external contacts include a key synchronizer at a client device. The key synchronizer obtains, from the client device, an external contact associated with an external domain outside of a local domain of the client device and then identifies, based on the external domain, a public key registry outside of the local domain. The key synchronizer obtains, from the public key registry, a registry-supplied public key or digital certificate for the external contact and then stores the registry-supplied key as a locally-stored key in the local key store such that the client device can obtain and apply the locally-stored key to secure an email targeting the external contact as a recipient of the email.
    Type: Grant
    Filed: December 31, 2015
    Date of Patent: July 14, 2020
    Assignee: VERISIGN, INC.
    Inventors: Stephen Daniel James, Andrew Fregly, Andrew Cathrow
  • Patent number: 10715337
    Abstract: A conductor on glass security layer may be located within a printed circuit board (PCB) of a crypto adapter card or within a daughter card upon the crypto adapter card. The conductor on glass security layer includes a glass dielectric layer that remains intact in the absence of point force loading and shatters when a point load punctures or otherwise contacts the glass dielectric layer. The conductor on glass security layer also includes a conductive security trace upon the glass dielectric layer. A physical access attempt shatters a majority of the glass dielectric layer, which in turn fractures the security trace. A monitoring circuit that monitors the resistance of the conductive security trace detects the resultant open circuit or change in security trace resistance and initiates a tamper signal that may be received by one or more computer system devices to respond to the unauthorized attempt of physical access.
    Type: Grant
    Filed: November 13, 2017
    Date of Patent: July 14, 2020
    Assignee: International Business Machines Corporation
    Inventors: Gerald K. Bartley, Darryl J. Becker, Matthew S. Doyle, Mark J. Jeanson, Mark O. Maxson
  • Patent number: 10706746
    Abstract: The present invention relates to methods and systems for binary scrambling, and applications for cybersecurity technology aimed at preventing cyber-attacks.
    Type: Grant
    Filed: June 1, 2018
    Date of Patent: July 7, 2020
    Assignee: Polyverse Corporation
    Inventors: Alexander Gounares, Christopher Fraser
  • Patent number: 10701099
    Abstract: An improved information tracking procedure is provided. A precise information tracking procedure is performed for a sensitive value when an application is predicted to modify the sensitive value prior to the sensitive value reaching a data sink. The sensitive value comprises an attribute that may be linked to external knowledge to reveal sensitive information about an individual. In response to the application not being predicted to modify the sensitive value prior to the sensitive value reaching the data sink, a value-based information tracking procedure is performed. The value-based information tracking procedure comprises storing one or more values that are observed at a data source, and then determining whether or not each of these one or more values are observed at the data sink.
    Type: Grant
    Filed: September 28, 2016
    Date of Patent: June 30, 2020
    Assignee: International Business Machines Corporation
    Inventors: Pietro Ferrara, Marco Pistoia, Omer Tripp, Petar I. Tsankov
  • Patent number: 10691820
    Abstract: A message distribution system replicates a collection of messages across multiple regional data centers. When any of the data centers receives a message for distribution from an authorized publisher, it transmits the message to each of the other data centers so that the collection of messages is immediately replicated among each data center. When any data center determines that a subscriber is connected to it, that data center determines which messages in the data collection the subscriber is authorized to receive, and it automatically sends those messages to the subscriber.
    Type: Grant
    Filed: November 10, 2017
    Date of Patent: June 23, 2020
    Assignee: PubNub Inc.
    Inventors: Stephen Blum, Todd Greene
  • Patent number: 10686781
    Abstract: A login system allows users to access computer systems without using a password. The passwordless system and method can use other information to securely and reliably identify true authorized system users. The identity of a user can be associated with their mobile device. The login can be based upon a minimal amount of information such as a name and a phone number which can be stored as an identification record for each of the users in a database.
    Type: Grant
    Filed: December 20, 2014
    Date of Patent: June 16, 2020
    Assignee: Affirm Inc.
    Inventors: Jeffrey Howard Kaditz, Andrew Gettings Stevens, Bradley Neale Selby, Aaron Ng Ligon, Manuel De Jesus Arias