Abstract: A method includes: initiating a data channel over a networked gaming service, including generating a channel key, the channel key being used to encrypt content communicated over the data channel, and generating a first encrypted channel key by encrypting the channel key with a public key associated to an owner of the data channel; adding a participant to the data channel, including generating a second encrypted channel key by encrypting the channel key with a public key associated to the participant; wherein a message sent via the data channel includes encrypted content generated by using the channel key to encrypt content for the message, and further includes the first encrypted channel key and the second encrypted channel key.

Abstract: Embodiments of the present application disclose a user management method and apparatus of a hybrid cloud. The user management method of a hybrid cloud is performed by a management platform of the hybrid cloud. The method includes the steps of: obtaining user data in a role-based access control (RBAC) system; determining, according to a historical record, historical user data that has been distributed to a cloud platform in the hybrid cloud; obtaining incremental data of the user data relative to the historical user data; and sending the incremental data to the cloud platform in the hybrid cloud.

Abstract: Encrypted memory access using page table attributes is disclosed. One example is a memory system including a memory controller at a memory interface. The memory controller includes an encryptor to control a plurality of memory access keys respectively associated with memory regions, where each memory region is allocated to a respective client, and an access manager to receive an access request from a client, the access request including a client access key to access a memory element. The access manager looks up a memory access key from a page table attribute associated with a physical address of the memory element, and determines if the access request is valid by comparing the client access key with the memory access key associated with the memory region that includes the memory element. Based on the determination and a mode of operation, the access manager provides a response to the access request.

Abstract: Systems, devices methods and media are provided for selecting data received from or sent by a client device. In one example, a system is configured to initiate a user-configurable API data endpoint on the client device and issue a request for access to specified data residing on the client device. The specified data resides in a first user-designated storage area on the client device. In response to receiving an authorization by a user of the client device of the access request, the system communicates with the user-configurable API data endpoint on the client device to perform a data-pull of at least some of the requested specified data from a second user-designated data pull portion of data residing on the client device.

Abstract: A device, computer program product and method for detecting a deviation of a security state of a computing device from a desired security state, wherein the computing device is emulated by a virtual machine, where the includes the creation of a virtual copy of the virtual machine, the creation occurring during runtime of the virtual machine with operation of the computing device continuing unimpaired, the automatic start of operation of the virtual copy, automatic performance of a security check on the virtual copy with operation of the computing device continuing unimpaired, automatic generation of a result of the security check which describes a security state of the virtual copy, and includes creation of a threat indication for the computing device if the result indicates a deviation of the security state of the virtual copy from the desired security state of the computing device.

Abstract: Methods for hardening security between web services using protected forwarded access tokens are implemented via systems and devices. User applications receive user tokens with user information from an identity provider and provide the user tokens to first services with data requests. Each first service extracts and transforms a portion of a user token to validate a user token signature, and determines a target service for the data request. The first services acquire actor tokens from the identity provider that uniquely identify the first services using public keys, and then generate authentication tokens, signed with corresponding private keys, that encapsulate the actor tokens and the transformed user tokens. The signed authentication tokens are provided to target services which validate the authentication tokens as well as the encapsulated tokens and their respective signatures. Upon validation, requested data is retrieved and provided back for the user applications from the target services.

Abstract: Some embodiments are directed to a cross-domain communication system and method. The system includes a data hub connectable to first domain and to a second domain, the first and second domains being isolated from one another. The data hub may be connected independently to the first domain and to the second domain, such that it is able to receive data from the first domain and transmit data to the second domain. The data hub includes a processor, and optionally a data diode, the processor being adapted to inspect packet data received from the first domain, and to run a set of user-defined rules, such that commands are applied to the packet data in accordance with the rules. When a command applied to packet data received from the first domain it creates packet data transmittable to the second domain in real time, such that the first and second domains communicate indirectly via the data hub.

Abstract: An application runs in a first security zone of a computer system. Trace information generated from running the application is stored in a first security zone. Filtered trace information is generated by removing specified information from the trace information. The filtered trace information is stored in a particular storage location within the first security zone. An adapter application that is running within the first security zone is executable to access the particular storage location and call a second security zone. The adapter application transmits, from the first security zone to a datastore within the second security zone, the filtered trace information stored in the particular storage location. Communication between the first security zone and the second security zone is one-way from the first security zone to the second security zone.

Abstract: A method for configuring mobile online services for use with a transportation vehicle including providing a configuration system which assigns data contents to a data release class, providing a selection possibility for a user by the configuration system by which selection possibility the user allows one or more mobile online services to use the data contents of a data release class, selecting a data release class for the one or more mobile online services, and releasing the data contents of the selected data release class for use by the mobile online service by the configuration system. The method provides for enabling transparent and conveniently usable data protection configuration for the use of mobile online services together with a transportation vehicle which leads to increased trust of customers and potential buyers in the transportation vehicle manufacturer and in the offered mobile online services.

Abstract: Systems and methods of dynamic management of private data during communication between a remote server and a user's device, including receipt of a request for retrieval of at least one data packet from the user's device, wherein the user's device is configured to provide a response corresponding to the received request, determination of at least one communication data type of the at least one data packet corresponding to the received request, receipt of a privacy preference for the user's device, wherein the privacy preference comprises a list of allowed data packet communication types for sharing during communication, modification of data packets corresponding to requests for sharing of responses that are not compatible with the received privacy preference and maintenance of communication between the remote server and the user's device, with sharing of the modified data packet.

Abstract: A system that translates between Internet of Things (IoT) protocols and Internet name management protocols (domain name system—DNS) so as to allow the secure exchange of short messages through WiFi hotspots. Applications include but are not limited to remote configuration, control, tracking, telemetry, synchronization, emergency communication. The system is operated as an independent service or is integrated into hotspot or IoT management operations for public use or private use in an enterprise or home. The widespread installed base of hotspots, standardized IoT and DNS protocols allows the IoT ecosystem as a whole to immediately reap the benefits of greater communication capabilities.

Abstract: Techniques are disclosed of enabling projects to be managed for grouping artifacts about related network activity. A graphical interface can be provided to enable users to create both public and private projects with information including names, descriptions, collaborators and monitoring profiles. A project can include context and history of the project so multiple users can collaborate within a project to view the analysis process as assets are identified in the project. Information is retrieved for identified assets in separate projects and is available for display in the graphical interface.

Abstract: As a technology for preventing the leaking of confidential information more properly, provided is a work recording apparatus including: a recording control unit configured to record a work situation; a position detection unit configured to detect a position; and a usable function restriction unit configured to specify an applicable predetermined state through use of the position detected by the position detection unit and restrict a part or all of functions of the recording control unit based on the specified applicable predetermined state.

Abstract: A method for generating an authentication key for providing a digital signature at a device for authenticating an output from a ring comprising a plurality of peers, the method comprising generating respective security credentials for each peer of a plurality of peers constituting a ring of peers, at least one security credential being generated in dependence on one or more feature of the respective peer device; generating a ring key in respect of the ring in dependence on the respective security credential of each peer constituting the ring; and generating an authentication key in dependence on the ring key, a security credential of a first peer and respective security credentials of at least one of the other peers.

Abstract: A method of data transfer from a tenant to a service provider comprises encrypting the data with a public key of a key pair generated by a secure device within the service provider system. The data thus cannot be accessed by the service provider during transmission. The data is generated with a corresponding access control list, which specifies that a valid certificate must be presented in order to grant a particular use of the data once stored. The tenant can thus retain control of the use of the data even though it has been transferred out of the tenant system. A method of controlling use of data securely stored in the service provider system comprises issuing a use certificate having an expiry time to the party requesting use of the data. The use certificate must be validated before use of the stored data is granted. This enables the tenant to grant use of the stored data for a limited time period.

Abstract: Adding an internet location to a greylist includes receiving a login pairing that includes login credentials and an internet location that the login credentials are received from. A successful login number of prior successful logins associated with the login pairing is determined and the internet location may be added to the greylist based at least in part on the successful login number.

Abstract: Technologies are described for selective persistence of data utilized by software containers. A configuration policy is defined that includes data that specifies one or more data stores for which data is not to be persisted following accesses to a software container and one or more data stores for which data is to be persisted following accesses to the software container. When the software container is first accessed, the data stores identified in the configuration policy are attached to the software container. Upon a subsequent access to the container, such as at the conclusion of a user session or upon destruction of the container, the data in the attached data stores is persisted or deleted based upon the configuration policy. When the software container is once again accessed, the data store containing the persisted data can be re-attached to the software container.

Abstract: The invention utilizes a two-component system to detect third party security threats and drive improved security threat mitigation based on the detection. The first component of the system is a security threat assessment engine, which receives and/or identifies external data and internal data regarding third parties in order to determine information security threats posed by third parties. The second component of the system is an analytics engine, which may comprise a machine learning component which is configured to detect threat patterns and anomalies. In response to the detection of the threat patterns and anomalies the security threat assessment engine may be modified in order to more accurately determine security threats.

Abstract: Implementations of this disclosure provide for certificate application operations. An example method includes sending, from a terminal device, a subscription topic name to a gateway to establish a data transmission channel between the terminal device and the gateway; receiving by the terminal device, via the data transmission channel, a certificate installation instruction from a certificate server; generating, by the terminal device, a user certificate request based on the certificate installation instruction; sending the user certificate request to the certificate server; and receiving, via the data transmission channel, a user certificate from the certificate server.

Abstract: Credential phishing attacks mitigation is disclosed. A URL that is associated with a suspicious web page is received. The suspicious web page is one that includes at least one element soliciting at least one credential. An artificial credential is provided to the suspicious web page. A determination is made that an attempt has been made to use the artificial credential to access a resource. In response to the determination that the attempt has been made, at least one remedial action is taken with respect to the suspicious web page.