Abstract: Transparently identifying users using a shared VPN tunnel uses an innovative method to detect a user of a shared VPN tunnel, after authenticating the user, using an assigned userid (that may be a virtual IP). The virtual IP is used as a cookie in each request made by the user. This cookie is an authentication token used by the gateway to detect the user behind a specific request for an Internet resource (such as an http/s request). The cookie is stripped by the gateway so the cookie is not sent to the resource.

Abstract: Information is identified as sensitive and a lapsed time job (Chron Job) is created that will allow the deletion of sensitive information after a period of time. The interval could be set to be longer than vacation or other planned use, and yet short enough to limit the period where risk to the organization or individual is incurred. The Chron Job could be integrated with the user's calendar, such that the Chron Job considers holiday time as a means of delaying execution of the Chron Job which would allow a shorter interval to be selected. In addition to deletion of the information identified as sensitive, additional steps could also be taken, such as the purging of the recycle bin, modification of the FAT, and optionally the deletion of related information. Once information is identified as sensitive, the information and derivative works are tracked and managed.

Abstract: A system has an evaluation server that includes at least one database storing a plurality of cybersecurity awareness evaluations, the database connected to the server, a plurality of clients connected to the server and configured to run at least one of the cybersecurity awareness evaluations for play by users on user devices, the users performing actions in the evaluation including offensive actions and defensive actions, and an evaluation dashboard including an interface configured to display scoring results of the cybersecurity awareness evaluations as determined by the server, the scoring results including a plurality of offensive component scores for at least one of the users, a plurality of defensive component scores for at least one of the users, at least one composite offensive score for at least one of the users and at least one composite defensive score for at least one of the users, the composite offensive score being determined based on a plurality of the component offensive scores and the composit

Abstract: A method of data transmission is described. Data content is acquired by processing circuitry of a first terminal. Fingerprint identity information corresponding to the data content is acquired by the processing circuitry of the first terminal. A fingerprint-based transfer request that includes the data content and the fingerprint identity information is sent to a server. In an embodiment, the fingerprint-based transfer request enables the server to establish an association relationship between the data content and the fingerprint identity information, to acquire, in response to receiving a fingerprint-based downloading request from a second terminal, target data content matching the fingerprint-based downloading request according to the association relationship, and to send the target data content to the second terminal.

Abstract: A master digital copy of a registration is transmitted. The registration is proof that a physical object has been registered with a registration authority. A valid peripheral digital copy of the registration is received. The valid peripheral digital copy of the registration was made from the master digital copy of the registration and is incapable of being used to make other valid digital copies of the registration.

Abstract: Embodiments of the present disclose provide a method and apparatus for identifying network attacks. The method can include: acquiring access data within at least two time periods of a target website server, wherein the access data include one or more fields; determining, for each of the at least two time periods, a quantity of access data having same content in at least two of the one or more fields; determining whether the quantities of access data for each of the at least two time periods are the same; and in response to the quantities of access data being the same, determining that at least two access requests of the access data are network attacks.

Abstract: A method for configuring a field device for use in custody transfer and such a field device, wherein the field device has a computing unit and a storage, wherein parameters and/or functions are stored in the storage, and wherein the parameters and/or functions are at least partially configurable. A more flexible configuration of the field device used for custody transfer is achieved by at least two blocking groups being provided, wherein each blocking group comprises at least one parameter and/or at least one function of the field device, at least one blocking group is chosen and evaluated by the computing unit, and the computing unit blocking the parameters and/or functions contained in the chosen at least one blocking group against a subsequent change.

Abstract: An example operation may include one or more of identifying a current tool configuration used by a tool device to construct semiconductor devices, retrieving a smart contract stored in a blockchain to identify whether an updated tool configuration exists, responsive to identifying the updated tool configuration, transmitting an update that includes the updated tool configuration to the tool device, and responsive to receiving the updated tool configuration at the tool device, initiating construction of the semiconductor devices.

Abstract: Disclosed herein are an apparatus and method for booting a virtual machine. The apparatus for booting a virtual machine includes: an access unit for accessing a virtual disk, corresponding to a virtual machine that exists in a virtualization area, using a trap generated by a trap generation unit, and for controlling the input and output of data stored in the virtual disk; an extraction unit for extracting data used for booting from the virtual disk; and a verification unit for extracting a trusted boot image from image storage and verifying the integrity of the data used for booting based on a result of comparing the trusted boot image with the data used for booting.

Abstract: Example techniques facilitate for applying a share restriction to a curated playlist within a shared playback queue. In example implementations, a first media playback system may share its playback queue with a second media playback system. The playback queue of the first media playback system may include a curated playlist associated with a share restriction. When sharing its playback queue of the first media playback system, the first media playback system may enforce the share restriction on the curated playlist as queued in a second playback queue of the second media playback system.

Abstract: Apparatuses, methods, systems, and program products are disclosed for detecting man-in-the-middle attacks on a local area network. A method includes checking a first set of network settings information associated with a network router. A method includes requesting a second set of network settings information corresponding to the first set of network settings information. A method includes detecting a man-in-the-middle attacker on the network in response to at least a portion of the second set of network settings information not matching the first set of network settings information. A method includes triggering a countermeasure action related to the man-in-the-middle attacker.

Abstract: An example operation may include one or more of generating a data block for a hash-linked chain of blocks stored on a distributed ledger and accessible to a plurality of computing nodes of a blockchain network, storing governance policies within the data block, the governance polices governing interaction with the hash-linked chain of blocks, and transmitting the generated data block with the encoded governance policies therein to a plurality of peer nodes of the distributed ledger.

Abstract: Techniques are presented for (a) securely maintaining, by a computing device, a set of correspondences between encryption keys and key identifiers, (b) receiving, by the computing device, a cryptographic request from a remote device received across the network, the cryptographic request including credentials, data to be cryptographically processed, and a key identifier to be used for cryptographic processing, and (c) in response to successfully authenticating the cryptographic request: (1) obtaining, by the computing device with reference to the set of correspondences, an encryption key corresponding to the key identifier, (2) cryptographically processing, by the computing device, the received data using the obtained encryption key to generate cryptographically-processed data, and (3) sending the cryptographically-processed data from the computing device across the network to the remote device.

Abstract: Disclosed embodiments relate to systems and methods for measuring and comparing security efficiency and importance in virtualized environments. Techniques include identifying a plurality of virtualized computing environments and calculating, for a first of the plurality of virtualized computing environments, a security-sensitivity status, the security-sensitivity status being based on at least: a size attribute of the first virtualized computing environment; an activity level of the first virtualized computing environment; a sensitivity level of the first virtualized computing environment; and a security level of the first virtualized computing environment. Further techniques include accessing a reference security-sensitivity status corresponding to the first virtualized computing environment; comparing the security-sensitivity status of the first virtualized computing environment with the reference security-sensitivity status; and identifying, based on the comparing, a security-sensitivity status gap.

Abstract: The disclosed computer-implemented method for enhancing user privacy may include (i) intercepting, by a privacy-protecting network proxy, network traffic between a client device and a server device, the client device being protected by a network-based privacy solution that inhibits browser fingerprinting through the privacy-protecting network proxy, (ii) detecting, at the privacy-protecting network proxy, that the network traffic indicates an attempt by a browser fingerprinting service to perform browser fingerprinting on the client device, and (iii) modifying, at the privacy-protecting network proxy based on the detecting of the attempt to perform browser fingerprinting, the intercepted network traffic such that browser fingerprinting performed by the browser fingerprinting service is at least partially inhibited. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Methods and apparatus for hardware based file/document expiry timer enforcement is disclosed. An example method includes instructing, by executing an instruction with a processor, a trusted execution environment to generate an encryption key and a certificate for a document, the certificate including expiry information for the document, the certificate associated with identification information of the document, and the expiry information indicative of a time period for which the encryption key is valid to decrypt the document; encrypting, by executing an instruction with the processor, the document using the encryption key; transmitting the certificate to a first remote network storage device; and transmitting the document to a second remote network storage device.

Abstract: In a storage system that includes a plurality of storage devices configured into one or more write groups, quorum-aware secret sharing may include: encrypting a device key for each storage device using a master secret; generating a plurality of shares from the master secret such that a minimum number of storage devices required from each write group for a quorum to boot the storage system is not less than a minimum number of shares required to reconstruct the master secret; and storing the encrypted device key and a separate share of the plurality of shares in each storage device.

Abstract: The present invention discloses an access control method, apparatus, and system, and belongs to the communications field. The method includes: receiving a virtual extensible local area network VXLAN request packet sent by an access device; parsing the VXLAN request packet to obtain an IP address of the access device and authentication information of a user; sending the IP address of the access device and the authentication information of the user to an authentication server, so that the authentication server authenticates the user; receiving an authentication result sent by the authentication server; and controlling the user according to the authentication result. According to the present invention, the user is authenticated according to access information of the user in a VXLAN scenario.

Abstract: Certain aspects of the present disclosure provide techniques for determining an identity of a user requesting access to a resource. An example technique for determining the identity of the user includes, upon receiving a request for a resource, determining the identity assurance strength of the user. The determination of the identity assurance strength of the user is based on personal identifying information, risk signals, user history, and the like. If the user does not have the requisite identity assurance strength to access a resource, based on policy criteria, an identity proofing operation may be determined for the user to complete in order to access the resource, where the operation is determined based on policy criteria, risk signals, and the like. Upon completion of the identity assurance operation, if the user has adequate identity assurance strength, then the user may access the resource.

Abstract: A method of starting an electronic device includes: receiving a first wireless signal carrying a first identification data by a wireless receiver before the electronic device enters a normal operating state; comparing the first identification data with a valid data; obtaining an account name and a password according to the first identification data if the first identification data matches the valid data and logging in to an operating system with the account name and the password so as to allow the electronic device to enter the normal operating state; and not logging in to the operating system if the first identification data does not match the valid data.