Patents by Inventor Bruce McCorkendale

Bruce McCorkendale has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11558365
    Abstract: A method for securing and authorizing sensitive operations is described. A computing device may receive a first authentication factor from a second computing device based on a request from the second computing device to authorize an operation; upon validating the first authentication factor, send to at least the second computing device and a third computing device, a request for a second authentication factor; and authorize the operation based on validating the second authentication factor from the second computing device or from the third computing device, or from both.
    Type: Grant
    Filed: October 10, 2017
    Date of Patent: January 17, 2023
    Assignee: NortonLifeLock Inc.
    Inventor: Bruce McCorkendale
  • Patent number: 11526339
    Abstract: The disclosed computer-implemented method for improving application installation may include (i) receiving, in response to initiating an installation procedure for an application published by a security application publisher, a signed web token that is formatted according to an Internet standard that defines a structure of the signed web token such that a private section of a payload of the signed web token asserts at least one private claim, and (ii) applying the private claim to customize the installation procedure of the application according to a configuration of a technology partner that partners with the security application publisher. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: August 11, 2020
    Date of Patent: December 13, 2022
    Assignee: NortonLifeLock Inc.
    Inventors: Somard Kruayatidee, Jonathon Salehpour, Bruce McCorkendale
  • Patent number: 11336692
    Abstract: Server Name Indication (SNI) hostname extraction to populate a reverse Domain Name System (DNS) listing to protect against potentially malicious domains. In some embodiments, a method may include detecting a Transport Layer Security (TLS) handshake between a first client application and a first server application, extracting an SNI hostname and an Internet Protocol (IP) address from the TLS handshake, populating the reverse DNS listing with the SNI hostname as a domain paired with the IP address, detecting communication between a second client application and the IP address, accessing the reverse DNS listing to determine the domain paired with the IP address, determining that the domain is a potentially malicious domain, and in response to determining that the domain is a potentially malicious domain, performing a remedial action to protect against the potentially malicious domain.
    Type: Grant
    Filed: May 7, 2020
    Date of Patent: May 17, 2022
    Assignee: NORTONLIFELOCK INC.
    Inventor: Bruce McCorkendale
  • Patent number: 11128665
    Abstract: The disclosed computer-implemented method for providing secure access to vulnerable networked devices may include identifying a vulnerable network device connected to a local network, identifying local network traffic destined for the vulnerable network device and that has been tagged as safe, passing the local network traffic tagged as safe to the vulnerable network device, and performing a security action on local network traffic destined for the vulnerable network device that has not been tagged as safe. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: September 6, 2018
    Date of Patent: September 21, 2021
    Assignee: NortonLifeLock Inc.
    Inventors: Ilya Sokolov, Bruce McCorkendale
  • Patent number: 11120169
    Abstract: The disclosed computer-implemented method for identifying malware locations based on analyses of backup files may include (i) identifying a presence of a backup file set and (ii) performing a security action that may include (a) detecting, based on a scan of the backup file set, malware in the backup file set, (b) determining, based on a location of the malware in a system file structure of the backup file set, a subgraph of the system file structure of the backup file set that includes the malware, (c) identifying a string prefix for the subgraph of the system file structure of the backup file set, (d) using an index to cross-reference the string prefix to a pointer identifying a subgraph of an original file set, and (e) scanning a file in the subgraph of the original file set for the malware. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: December 19, 2019
    Date of Patent: September 14, 2021
    Assignee: NortonLifeLock Inc.
    Inventor: Bruce McCorkendale
  • Patent number: 11068876
    Abstract: Purchasing related activity that is executed on computing devices on a LAN is monitored. Information is identified concerning purchases of IoT devices on the LAN, based on the monitoring of the purchasing related activity. For example, a specific purchase of a specific device (or specific device type) can be identified, or identifying information concerning a purchased device can be inferred, based on monitored purchasing related activity. IoT devices are discovered on the LAN and identified. Identifying a discovered device can further comprise interrogating the discovered device, monitoring activities of the discovered device, and/or analyzing information concerning purchases of IoT devices on the LAN. Gleaned identifying information concerning a discovered device can be used to determine or disambiguate the device's identity.
    Type: Grant
    Filed: March 30, 2018
    Date of Patent: July 20, 2021
    Assignee: Norton LifeLock
    Inventors: Ilya Sokolov, Bruce McCorkendale, Keith Newstadt
  • Patent number: 11019085
    Abstract: The disclosed computer-implemented method for identifying potentially risky traffic destined for network-connected devices may include (1) receiving, at a cloud-based server, characteristics of a network-connected device being added to a network, (2) creating a digital virtual image of the network-connected device on the cloud-based server, (3) receiving a request sent to a port on the network-connected device and (4) performing a security action including (A) sending the request to the digital virtual image of the network-connected device, (B) identifying the request as a potentially risky request by monitoring a runtime reaction of the digital virtual image of the network-connected device to the request, and (C) sending, to a network monitoring device, a message indicating the request is a potentially risky request. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: December 17, 2018
    Date of Patent: May 25, 2021
    Inventors: Ilya Sokolov, Bruce McCorkendale
  • Patent number: 10972477
    Abstract: The disclosed computer-implemented method for performing micro-segmenting may include (i) identifying at least a portion of a device, (ii) measuring a variance value that indicates a level of variance in terms of websites accessed by the portion of the device over a period of time, and (iii) locking, in response to determining that the variance value satisfies a threshold level of simplicity, the portion of the device by applying a security profile to the portion of the device that limits the portion of the device to accessing a set of websites that is defined in terms of the websites accessed by the portion of the device over the period of time. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: September 26, 2018
    Date of Patent: April 6, 2021
    Assignee: NortonLifeLock, Inc.
    Inventor: Bruce McCorkendale
  • Patent number: 10797870
    Abstract: The disclosed computer-implemented method for generating passwords may include (i) accessing a vault of confidential information describing a user, (ii) extracting, from the vault, a set of multiple items of confidential information describing the user, (iii) executing a programmed heuristic on the set of multiple items of confidential information to generate multiple candidate passwords that each derives from a respective semirandom permutation of the multiple items of confidential information, and (iv) displaying electronically the multiple candidate passwords to the user to enable the user to select a password from the multiple candidate passwords as a specific password for accessing a protected computing resource. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: June 6, 2018
    Date of Patent: October 6, 2020
    Assignee: NortonLifeLock Inc.
    Inventors: Duong Nguyen-Huu, Bruce McCorkendale
  • Patent number: 10791116
    Abstract: The disclosed computer-implemented method for securing Universal Plug and Play connections may include (1) detecting, by a network device within a local network, an attempt by a remote device to establish a connection with a client device within the local network via a UPnP protocol, (2) identifying a forwarding rule applied by the network device on the client device based at least in part on an identity of the client device, (3) determining at least one restriction placed on UPnP connections between the client device and remote devices by the forwarding rule, and then in response to determining the restriction placed on UPnP connections between the client device and remote devices by the forwarding rule, (4) enforcing the restriction on the connection attempted by the remote device with the client device via the UPnP protocol. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: September 30, 2016
    Date of Patent: September 29, 2020
    Assignee: NortonLifeLock Inc.
    Inventors: Bruce McCorkendale, Ramakrishnan Meenakshi Sundaram, Justin Harmon, Srini Chillappa
  • Patent number: 10623289
    Abstract: The disclosed computer-implemented method for detecting nonfunctional endpoint devices may include (i) identifying, at a networking device, an endpoint device, (ii) identifying, at the networking device, a behavioral profile of the endpoint device that may include (a) a functional pattern of network behavior of the endpoint device that occurs while the endpoint device is in a functional state and/or (b) a nonfunctional pattern of network behavior of the endpoint device that occurs while the endpoint device is in a nonfunctional state, (iii) passively monitoring, at the networking device, network traffic of the endpoint device, (iv) determining, at the networking device, that the endpoint device is nonfunctional by detecting (a) an absence of the functional pattern in the network traffic and/or (b) a presence of the nonfunctional pattern in the network traffic, and (v) performing a security action. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: September 28, 2016
    Date of Patent: April 14, 2020
    Assignee: NortonLifeLock Inc.
    Inventors: Bruce McCorkendale, William E. Sobel
  • Patent number: 10528736
    Abstract: The disclosed computer-implemented method for detecting preparatory-stages of rowhammer attacks may include (i) receiving, at a computing device, signatures of preparatory behaviors that are known to be exhibited by malicious virtual machines during preparatory stages of rowhammer attacks, (ii) monitoring, at the computing device, behaviors of a virtual machine that is hosted by the computing device, (iii) detecting, at the computing device while monitoring behaviors of the virtual machine, a behavior that matches one of the signatures of preparatory behaviors, and (iv) performing, in response to detecting the behavior that matches one of the signatures of preparatory behaviors, a security action to prevent the virtual machine from perpetrating a successful rowhammer attack. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: March 28, 2017
    Date of Patent: January 7, 2020
    Assignee: Symantec Corporation
    Inventors: William E. Sobel, Bruce McCorkendale
  • Patent number: 10482223
    Abstract: The disclosed computer-implemented method for selecting questions for knowledge-based authentication based on social entropy may include (1) identifying a potential question to ask a user of a computing system during a KBA process in an attempt to verify the user's identity, (2) determining whether any information suggestive of a correct answer to the potential question is available to anyone other than the user of the computing system, (3) calculating a social entropy of the potential question based at least in part on the determination of whether any information suggestive of the correct answer is available to anyone other than the user, and then (4) selecting the potential question to be asked to the user during the KBA process based at least in part on the social entropy of the potential question. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: March 18, 2016
    Date of Patent: November 19, 2019
    Assignee: Symantec Corporation
    Inventors: Ilya Sokolov, Kevin Jiang, Bruce McCorkendale
  • Patent number: 10462672
    Abstract: The disclosed computer-implemented method for managing wireless-network deauthentication attacks may include (1) detecting, at the wireless access point, a deauthentication signal, transmitted over a wireless network that is managed at least in part by the wireless access point, that prompts a target computing device to disconnect from the wireless network, (2) determining both that the deauthentication signal is directed to the target computing device and that the deauthentication signal was not initiated by the wireless access point, (3) determining, based at least in part on the determination that the deauthentication signal was not initiated by the wireless access point, that the deauthentication signal represents an illegitimate deauthentication signal, and (4) performing, in response to determining that the deauthentication signal represents an illegitimate deauthentication signal, a security action to mitigate effects of the illegitimate deauthentication signal on the target computing device.
    Type: Grant
    Filed: September 30, 2016
    Date of Patent: October 29, 2019
    Assignee: Symantec Corporation
    Inventors: Ramakrishnan Meenakshi Sundaram, Bruce McCorkendale, Justin Harmon, Srini Chillappa
  • Patent number: 10462184
    Abstract: The disclosed computer-implemented method for enforcing access-control policies in an arbitrary physical space may include (i) identifying a collection of devices that are located within a predetermined physical space, (ii) determining the physical location of each device in the collection of devices, (iii) establishing, based on the collection of devices, (a) a list of controlled devices that are subject to an access-control policy and (b) a list of monitoring devices that are capable of monitoring user activity within a physical proximity, (iv) matching each controlled device with at least one monitoring device that is capable of monitoring user activity within physical proximity to the controlled device, and (v) monitoring, for each controlled device and by each monitoring device matched to the controlled device, user activity within proximity to the controlled device. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: June 28, 2016
    Date of Patent: October 29, 2019
    Assignee: Symantec Corporation
    Inventors: Lei Gu, Ilya Sokolov, Bruce McCorkendale
  • Publication number: 20190303908
    Abstract: Purchasing related activity that is executed on computing devices on a LAN is monitored. Information is identified concerning purchases of IoT devices on the LAN, based on the monitoring of the purchasing related activity. For example, a specific purchase of a specific device (or specific device type) can be identified, or identifying information concerning a purchased device can be inferred, based on monitored purchasing related activity. IoT devices are discovered on the LAN and identified. Identifying a discovered device can further comprise interrogating the discovered device, monitoring activities of the discovered device, and/or analyzing information concerning purchases of IoT devices on the LAN. Gleaned identifying information concerning a discovered device can be used to determine or disambiguate the device's identity.
    Type: Application
    Filed: March 30, 2018
    Publication date: October 3, 2019
    Inventors: Ilya Sokolov, Bruce McCorkendale, Keith Newstadt
  • Patent number: 10404697
    Abstract: The disclosed computer-implemented method for using vehicles as information sources for knowledge-based authentication may include (1) identifying a vehicle belonging to a user who is attempting to authenticate with an identity-verification authority, (2) acquiring analytic information about the vehicle, (3) generating, by analyzing the analytic information about the vehicle, at least one authentication question, where the correct response to the authentication question requires knowledge about the vehicle, (4) presenting the authentication question to the user, and (5) authenticating the identity of the user based on the user responding correctly to the authentication question. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: December 28, 2015
    Date of Patent: September 3, 2019
    Assignee: Symantec Corporation
    Inventors: Kevin Jiang, Ilya Sokolov, Bruce McCorkendale
  • Patent number: 10375114
    Abstract: The disclosed computer-implemented method for enforcing access-control policies may include (i) determining that a user is attempting to access a controlled device that is subject to an access-control policy, (ii) locating at least one additional device that is in physical proximity to the controlled device, (iii) acquiring context information from the additional device that provides information about the identity of the user, (iv) establishing the identity of the user based on the context information acquired from the additional device, and (v) enforcing the access-control policy based on the identity of the user. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: June 27, 2016
    Date of Patent: August 6, 2019
    Assignee: Symantec Corporation
    Inventors: Lei Gu, Ilya Sokolov, Bruce McCorkendale
  • Patent number: 10338818
    Abstract: The disclosed computer-implemented method for enabling safe memory de-duplication in shared-computing environments may include (i) identifying a first virtual machine and a second virtual machine, (ii) calculating a trustworthiness score for the first virtual machine based on a trustworthiness score of each binary of the first virtual machine, (iii) calculating a trustworthiness score for the second virtual machine based on a trustworthiness score of each binary of the second virtual machine, and (iv) enabling the first virtual machine and the second virtual machine to share a page frame of physical memory by assigning, based on the trustworthiness scores of the first virtual machine and the second virtual machine being above a predetermined threshold, the first virtual machine and the second virtual machine to a trusted group of virtual machines that can share physical memory. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: March 28, 2017
    Date of Patent: July 2, 2019
    Assignee: Symantec Corporation
    Inventors: William E. Sobel, Bruce McCorkendale
  • Patent number: 10169577
    Abstract: The disclosed computer-implemented method for detecting modification attacks on shared physical memory may include (i) identifying a page frame of physical memory that is shared by a plurality of virtual machines, (ii) calculating a first checksum for the page frame, (iii) calculating, while the page frame is shared by the plurality of virtual machines and before any of the plurality of virtual machines writes to a page of virtual memory that is mapped to the page frame, a second checksum for the page frame, (iv) detecting a modification attack (such as a rowhammer attack) on the page frame by one of the plurality of virtual machines by detecting that the first checksum does not equal the second checksum, and (v) performing a security action in response to detecting the modification attack. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: March 28, 2017
    Date of Patent: January 1, 2019
    Assignee: Symantec Corporation
    Inventors: William E. Sobel, Bruce McCorkendale