Abstract: A method for tokenizing credentials is disclosed. In addition to a token, a verification value can be provided for each interaction. The verification value can be generated based at least in part on a dynamic data element. The dynamic data element may be kept secret, while the verification value can be distributed for use during an interaction. When the verification value is used, it can be validated by re-creating the verification value based at least on the stored dynamic data element.

Abstract: A method for tokenizing credentials is disclosed. In addition to a token, a verification value can be provided for each interaction. The verification value can be generated based at least in part on a dynamic data element. The dynamic data element may be kept secret, while the verification value can be distributed for use during an interaction. When the verification value is used, it can be validated by re-creating the verification value based at least on the stored dynamic data element.

Abstract: A secure cell broadcast method entails defining a group of mobile devices, reserving a channel for the group, associating cryptographic key material with the group, notifying the mobile devices of the channel for the group, securely providing the key material to the mobile devices of the group, and broadcasting on the channel a secure broadcast message that is encrypted such that the mobile devices of the group receiving on the channel can receive and decrypt the secure broadcast message using the key material.

Abstract: According to one embodiment, an apparatus is configured to receive a request to communicate a message including a body to an intended recipient and to receive a first public key of the intended recipient and a second public key of the intended recipient. The apparatus is further configured to encrypt the body using a first message key to produce a first encrypted body, to encrypt the first message key using the first public key to produce a first encrypted message key, to encrypt the first encrypted message key and the first encrypted body using a second message key to produce a second encrypted body, and to encrypt the second message key using the second public key to produce a second encrypted message key. The apparatus is also configured to communicate an encrypted message to the intended recipient, the encrypted message including the second encrypted message key and the second encrypted body.

Abstract: Traffic into and out of an organization-level network is monitored. A request for an encryption key from ransomware infecting a computer in the organization-level network to a remote command and control server is detected. A simulated reply to the ransomware is generated. A known encryption key for which the corresponding decryption key is also known is substituted for the encryption key supplied by the C&C server. The simulated reply containing the substituted known key is then supplied to the ransomware, such that the ransomware uses the known encryption key to encrypt files accessible from the computing device, and requests payment in order to provide a decryption key. Instead of paying the ransom, the encrypted files are decrypted using the known decryption key corresponding to the known encryption key which was provided to the ransomware.

Abstract: One or more integrated circuits for implementing a network firewall for a cloud computing platform are disclosed. The one or more integrated circuits comprise: special-purpose hardware, configured to perform: receiving an item in a transport layer from a second hardware portion through a communication bus, the item being derived from original data received by the second hardware portion from a source computer device; and applying processing in increasingly higher communication layers to the item to obtain processed data in an application layer. The applying comprises identifying a payload in the item; determining whether the item includes a security attack based on the payload, the original data, and additional data received from the source computer device before or after the original data was received; and transmitting the processed data, including a result of the determining, to the second hardware portion.

Abstract: A method of a mesh network involves generating by a source node a random token to be included in a query packet having a source ID and a query for a destination node; transmitting the query packet to the destination node through a relay node; receiving at the destination node the query packet; adding, by the destination node, the random token to a response packet for the source node; and transmitting the response packet including the random token to the source node through the relay node. Also disclosed are arrangements for a source node, a relay node and a destination node, as well as a mesh network.

Abstract: Techniques for using an aerial vehicle to provide a data service are provided. For example, information about a request for the data service is accessed. The request is sent to a provider computing device and identifies a user computing device to receive the data service. The provider computing device is configured to provide the data service. A location associated with providing the data service is determined based on the request. The aerial vehicle is flown to the location. The aerial vehicle includes a computing system configured to provide a portion of the data service. Based on detecting that the aerial vehicle is within a range of the location, the aerial vehicle provides the portion of the data service to the user computing device by using, for example, the computing system.

Abstract: Methods, non-transitory computer readable media, and security management computing devices are disclosed herein. With this technology, an executable code is sent to a client. The executable code is configured to obtain information associated with the client, assemble the information into a fingerprint, and return the fingerprint. A determination is made when the fingerprint is returned from the client. When the determining indicates that the fingerprint has been returned, a determination is made when a record of a reputation database matches the fingerprint. Historical data in the record is updated to include information associated with the request and an action is initiated based on the historical data or other data included in the record. The action includes blocking an access request or providing access to a requested resource to the client, when the determining indicates that the record of the reputation database matches the fingerprint.

Abstract: A hotspot provides an open wireless network and a secure wireless network. The open wireless network has no network-level encryption and allows open association therewith. The secure wireless network employs network-level encryption and requires authentication of a received access credential from a client device before allowing association therewith. A system for authorizing the client device for secured access at the hotspot includes an access controller configured to establish an encrypted connection between the client device and a login portal of the hotspot over the open wireless network, and to store a user-specific access credential transmitted via the encrypted connection as a valid access credential in a credential database. The credential database is accessed by wireless access points of the hotspot to authenticate the received access credential from the client device in response to a request from the client device to associate with the secure wireless network.

Abstract: Techniques for network traffic filtering and flow control are disclosed. Some implementations provide a network communication evaluation module (“NCEM”) that executes on a networking device, such as a gateway or router, and performs network traffic control, such as suppressing denial of service attacks or otherwise limiting packet flow. The NCEM performs packet filtering in order to identify and drop packets that are being (or are likely to be) transmitted as part of a denial of service attack. The NCEM conditionally drops packets that meet specified conditions or rules. For example, the NCEM may drop all packets that are using a nonauthentic source address. As another example, the NCEM may limit the volume of packets of a particular type, such as by limiting the number of DNS requests that are made during a specified time interval.

Abstract: A system, method, and computer-readable medium for reporting sensor data over a communication network are provided. A data reporting instruction that identifies at least one of a sensor or a data reporting technique is received from a trust mediator over a communication network. The data reporting instruction is based at least in part on an identified risk. Sensor data is obtained from the sensor, and the sensor data is transmitted to the trust mediator over the communication network based on the data reporting technique.

Abstract: An administrator may set restrictions related to the operation of a virtual machine (VM), and virtualization software enforces such restrictions. There may be restrictions related to the general use of the VM, such as who may use the VM, when the VM may be used, and on what physical computers the VM may be used. There may be similar restrictions related to a general ability to modify a VM, such as who may modify the VM. There may also be restrictions related to what modifications may be made to a VM, such as whether the VM may be modified to enable access to various devices or other resources. There may also be restrictions related to how the VM may be used and what may be done with the VM. Information related to the VM and any restrictions placed on the operation of the VM may be encrypted to inhibit a user from circumventing the restrictions.

Abstract: Methods and apparatus in accordance with various embodiments provide for private service IDs for utilization in wireless devices in neighbor aware networks. One aspect of the subject matter described in the disclosure provides a method of transmitting service information in a wireless neighborhood aware network. The method includes generating a first message having a first service identifier. The first service identifier includes a first hash value based on a service name and timing information. The first hash value is generated by applying a first hash function. The method further includes transmitting the first message.

Abstract: Systems and methods for extending and re-using an IP multimedia subsystem (IMS) to extend the trust relationship from a closed group of customers of wireless service providers to users of other ecosystems (e.g., GMAIL, FACEBOOK, or YAHOO!) for IMS services are disclosed. Some embodiments include receiving a request from an initiating device to establish a service connection between the initiating device and an endpoint through an Internet Protocol Multimedia Subsystem (IMS) session. The request may include third-party domain credentials (e.g., maintained by a third-party domain) associated with an end-user. The third-party domain credentials can be extracted from the request. Communications with the third-party domain can be used to verify the third-party domain credentials. The IMS session can be established between the initiating device and the endpoint upon verification of the third-party domain credentials.

Abstract: A method and apparatus are presented for revoking cryptographic keys within a distributed ledger system in which no central trusted authority is available. A key revocation message is sent by a network connected device to other network connected devices over a peer-to-peer network for inclusion in a ledger. In one embodiment the revocation message is signed using a private key of a public/private key pair to be revoked. In another embodiment an authorization for future revocation of the public/private key pair by a plurality of other public/private keys is sent for inclusion in the ledger, and subsequently the key revocation message is signed with one of the private keys of the plurality of other public/private key pairs before sending the key revocation message. Once a valid key revocation message is included in the ledger, any future request to include a message signed by a cryptographic key revoked by the valid key revocation message is rejected.

Abstract: A system includes a tag having a machine readable tag identifier (Tag ID) configured to be read by a reader; and a device to be identified by the tag, in which: the device is configured to communicate with the reader; the device has access to a secure Tag ID; and the device communicates a verification to the reader if the machine readable Tag ID communicated to the device from the reader matches the secure Tag ID. A method includes: reading a Tag ID from a tag attached to a device; communicating the Tag ID read from the tag to the device; comparing a secure Tag ID of the device to the Tag ID read from the tag; and responding with a “match” or “no-match” message from the device, according to which the device is either trusted or not trusted as being identified by the Tag ID. A method of verifying a trusted agent (TA) on a device includes: storing a digital signature of the TA in a secure vault of the device; and verifying the TA by verifying the digital signature of the TA each time the TA is used.

Abstract: A computer-implemented method includes receiving, by a computing device within a networking environment, a workload for execution within the networking environment; initiating, by the computing device, transfers of the workload to a plurality of network elements within the cloud networking environment; providing, by the computing device, tracking information of the workload as the workload traverses through the plurality of network elements; and storing or outputting, by the computing device, the tracking information regarding of the workload.

Abstract: Techniques for using an aerial vehicle to provide a data service are provided. For example, information about a request for the data service is accessed. The request is sent to a provider computing device and identifies a user computing device to receive the data service. The provider computing device is configured to provide the data service. A location associated with providing the data service is determined based on the request. The aerial vehicle is flown to the location. The aerial vehicle includes a computing system configured to provide a portion of the data service. Based on detecting that the aerial vehicle is within a range of the location, the aerial vehicle provides the portion of the data service to the user computing device by using, for example, the computing system.

Abstract: A data file is encrypted with a file-specific encryption key and sent to a remote data storage system. The file-specific encryption key is encrypted with a master key. The encrypted file-specific encryption key and the master key are both stored remotely from the encrypted file and they are stored remotely from one another.