Abstract: A Software-Defined Networking (SDN)-based “upstream” approach is a controller-based solution that provides secure key distribution and management for multi-site data centers. The approach uses an SDN Multi-Site Controller (MSC) that acts as an intermediary between SDN controllers at sites in a multi-site data center and manages the distribution of keys to sites. The approach is not dependent upon any particular routing protocol, such as the Border Gateway Protocol (BGP), and is well suited for multicast stream encryption by allowing the same key to be used for all replicated packets sent to downstream sites from an upstream source site. The approach distributes keys in a secure manner, ensures that data transferred between sites is done in a secure manner, and supports re-keying with error handling.

Abstract: Methods and systems for securely managing personal data associated with image processing include an image sensor configured to capture an image, a local computer system local to the image sensor, and a backend computer system remote from the image sensor. The local computer system has a processor with a trusted execution environment (TEE) that detects anomalies in images from the image sensor, extracts personal data from the image, and encrypts the personal data. The local computer system then sends the extracted, encrypted personal data to the backend computer system, where a backend TEE decrypts the extracted, encrypted personal data, and performs data processing by comparing the decrypted personal data to other personal data that is stored in a backend database in the backend computer system.

Abstract: System and method of creating a multi-party computation (MPC) cryptographic signature for a blockchain based computer network, including: generating at least one first share and second share of a cryptographic key, based on a distributed key generation MPC protocol, signing a received message with the at least one first share, receiving the message signed with the at least one first share, signing the message signed with the at least one first share with the at least one second share, sending the message signed with the at least one second share and the at least one first share to a full node of the computer network, and adding a transaction to a ledger of the computer network, in accordance with the received message signed by the at least one first share and the at least one second share.

Abstract: Provided is a computer implemented method for performing mutual authentication between an online service server and a service user, including: (a) generating, by an authentication server, a server inspection OTP; (b) generating, by an OTP generator, a verification OTP having the same condition as the server inspection OTP and using the same generation key as an OTP generation key and a calculation condition different from a calculation condition is applied or a generation key different from the OTP generation key is used and the same calculation condition as the calculation condition used for generating the server inspection OTP is applied to generate a user OTP; and (c) generating, by the authentication server, a corresponding OTP having the same condition as the user OTP and comparing whether the generated corresponding OTP and the user OTP match each other to authenticate the service user.

Abstract: Computational/communication system security tools are provided. Such tools report at least one multi-dimensional (or multi-component) data-object (based on the monitored events) to an administrator of the system. The multiple components of the data object provide multiple risk indicators (e.g., risk scores) along various dimensions of security for such systems. Thus, tools provide multi-dimensional monitoring and reporting of risks and security threats to computational/communication systems. The tools may also provide at least one risk mitigation action (e.g., quarantining and/or prohibiting particular risky entities, entity groups, and/or entity activities) based on the enhanced monitoring and detection methods presented herein.

Abstract: A method for authenticated asset assessment is provided. The method involves executing a scan assistant on an asset to allow a remote scan engine to execute one or more scan operations on the asset for determining a state of the asset. The scan assistant may verify the identity of the scan engine by checking that a certificate received from the scan engine is signed with a private key associated with the scan engine. In some embodiments, the authentication may be performed as part of a TLS handshake process that establishes a TLS connection between the scan engine and the scan assistant. Once the scan engine is authenticated, the scan engine may communicate with the scan assistant according to a communication protocol to collect data about the asset. Advantageously, the disclosed technique reduces security risks associated with authenticated scans and improves the performance of authenticated scans.

Abstract: A security context obtaining method includes: a first access and mobility management function (AMF) receiving a first registration request message sent by a user equipment (UE) and validating integrity protection for the first registration request message; if the first AMF successfully validates integrity protection for the first registration request message, sending, by the first AMF, a second request message to a second AMF; the second AMF receiving the second request message; and if the second request message carries indication information and the indication information is used to indicate that the UE is validated, sending, by the second AMF, a security context of the UE to the first AMF.

Abstract: A system, process, and computer-readable medium for securely transferring user personal identification information (PII) across platforms, based on specific permissions, are described. One or more aspects provide greater control, to a user, of when that user's PII may be released from a secure storage in a first platform and securely provided to a second platform. The timing of those releases of the PII may be controlled by specific authorizations from the user via one or more processes. Also, in addition to improving the security associated with the PII transferred between platforms, one or more aspects improve users' experiences by permitting controlled reuse of users' PII to simplify how users provide their PII to separate processes being performed on separate platforms.

Abstract: Embodiments for deleting encryption keys in a data storage system by storing a current encryption key in a key table, the current key encrypting at least some data in one or more data containers of a filesystem of the data storage system. A key table maintains a starting container ID and an ending container ID for each container encrypted by the current encryption key, and a deleted container count counting a number of containers of the one or more data containers deleted from the file system. The process determines if the number of containers in the deleted container count equals a number of containers having data encrypted by the encryption key as determined by the starting container ID and ending container ID, and if so, marks the key for deletion in a garbage collection operation, which then deletes the key from the key table.

Abstract: In various embodiments, an entity may provide a WebView where a transaction between an entity and a data subject may be performed. As described herein, the transaction may involve the collection or processing of personal data associated with the data subject by the entity as part of a processing activity undertaken by the entity that the data subject is consenting to as part of the transaction. Additionally, the entity may provide a native application where the transactions between the entity and a data subject may be performed. In some embodiments, the system may be configured to share consent data between the WebView and the native application so data subjects experience a seamless transition while using either the WebView or the native application, and the data subjects are not required to go through a consent workflow for each of the WebView and the native application.

Abstract: Methods and systems for retrieving information from secondary computing systems using network access tokens are disclosed. The system can provide a user interface that lists a plurality of secondary computing systems to a client application executing at a client device associated with a user profile of the primary computing system. The system can receive, from the client device, a network token identifying a permission for accessing a second profile maintained at the secondary computing system, and retrieve the subset of data records from the secondary computing system according to a retrieval policy. The system can then update the user interface at the client application to present the subset of data records of the second profile.

Abstract: A facility applies a received query containing identifying information for a person to both (1) first accounts in a first information system each authorizing access to a resource among a set, to obtain a first result identifying any matching first accounts; and (2) second accounts in a second information system that each authorize access to a resource among the set, to obtain a second result identifying any matching second accounts. For each resource of the set whose access is authorized by at least one identified first account or one identified second account, the facility creates an entry representing any identified first account authorizing access to the resource and any identified second account authorizing access to the resource. The facility causes the created entries to be displayed, and solicits input selecting a displayed entry for administrative action with respect to at least one of the accounts it represents.

Abstract: Methods performed by a processor of a computing device for managing functionality of the computing device to interact with field equipment may include determining by the processor a location of field equipment based on information obtained by the processor proximate to the field equipment, determining by the processor a location of the computing device based on geolocation information, determining whether the location of the field equipment based on information obtained by the processor proximate to the field equipment and the location of the computing device based on geolocation information are within a threshold distance, verifying the location of the field equipment in response to determining that the location of the field equipment based on information obtained by the processor proximate to the field equipment and the location of the computing device based on geolocation information are within the threshold distance, and enabling functionality of the computing device to interact with the field equipment i

Abstract: A computing device includes a processor and a machine-readable storage storing instructions. The instructions are executable by the processor to: receive an input string including sensitive data to be encrypted; identify a first portion and a second portion of the input string, the first portion comprising the sensitive data; select, from a plurality of hash functions, a hash function based on the second portion; and generate a hash value of the first portion using the selected hash function.

Abstract: The present disclosure provides generally for systems and methods of authenticating one or more aspects of electronic communication. According to the present disclosure, authenticable communications may allow for authentication of at least a portion of the content of the electronic communication, which may limit potential damage caused by fraudulent communications. In some aspects, an authenticable communication may allow a recipient to confirm that the indicated source is the actual source of the authenticable communication. In some embodiments, the authentication may not require an exchange of encrypted communications or an exchange of communications solely within the same communication system. Authenticable communications may provide a separate layer of security that may allow a recipient to review the contents with confidence that the communication is not fraudulent. Further, authenticable communications may provide the additional security without requiring specialized software.

Abstract: A system and method is described that sends multiple simulated phishing emails, text messages, and/or phone calls (e.g., via VoIP) varying the quantity, frequency, type, sophistication, and combination using machine learning algorithms or other forms of artificial intelligence. In some implementations, some or all messages (email, text messages, VoIP calls) in a campaign after the first simulated phishing email, text message, or call may be used to direct the user to open the first simulated phishing email or text message, or to open the latest simulated phishing email or text message. In some implementations, simulated phishing emails, text messages, or phone calls of a campaign may be intended to lure the user to perform a different requested action, such as selecting a hyperlink in an email or text message, or returning a voice call.

Abstract: One variation of a method for verifying email senders includes: intercepting an email addressed to a target recipient within an organization, the email received from a sender at an inbound email address and including an inbound display name; accessing a whitelist including a verified display name and a set of verified email addresses corresponding to an employee within the organization; characterizing a display name difference between the inbound display name and the verified display name; in response to the display name difference falling below a threshold difference, comparing the inbound email address to the set of verified email addresses; in response to identifying the inbound email address in the set of verified email addresses, authorizing transmission of the email to the target recipient; and, in response to the set of verified email addresses omitting the inbound email address, withholding transmission of the email and flagging the email for authentication.

Abstract: A system and a method are disclosed for detecting an unacceptable HTTP requests by scanning the headers of the HTTP requests.

Abstract: A method includes receiving, by a data processing apparatus and from a content distribution system, a message comprising a probabilistic data structure representing a set of content items that should not be provided to a user device, content item data for content items available to be provided, and a request to determine whether any content item data is invalid, determining that the content item data for a given content item is invalid because the given content item may be in the set of content items represented by the probabilistic data structure, including removing the content item data for the given content item that was determined to be invalid; and preventing distribution of content items including the given content item.

Abstract: A micro data capture device can be configured to operate as a unidirectional connection from a first computing device to a second computing device. The micro data capture device can include a data capture side comprising a first universal serial bus (USB) interface configured to connect to the first computing device so as to extract data from the first computing device. The micro data capture device can further include a monitoring apparatus comprising an interceptor configured to copy data from the data capture side so as to define the unidirectional connection. Further, the micro data capture device can define a data storage side comprising a second USB interface configured to connect to the second computing device so as to transfer data to the second computing device. The data storage side can be configured to receive data from the data storage side via the monitoring apparatus. In some cases, the data capture side has only volatile memory, and the data storage side includes non-volatile memory.