Authorization Patents (Class 726/17)
-
Patent number: 12363111
Abstract: In some examples, a system receives information from electronic devices comprising network devices and computing devices in a computing environment that are subject to attestations of interfaces of the network devices and the computing devices. For each interface of a given computing device being attested, the system verifies that the interface of the given computing device is connected to an interface of a corresponding network device that is being attested. For each interface of a given network device being attested, the system verifies that the interface of the given network device is connected to an interface of a corresponding computing device that is being attested or an interface of another network device that is being attested.
Type: Grant
Filed: October 19, 2022
Date of Patent: July 15, 2025
Assignee: Hewlett Packard Enterprise Development LP
Inventors: Nigel John Edwards, Thomas M. Laffey, Ludovic Emmanuel Paul Noel Jacquin, Sunil James
-
Patent number: 12341773
Abstract: A system for providing decentralized network management comprises a private, secure network that has a plurality of authentication nodes that collectively authenticate client devices or perform other security functions. That is, the security functions are decentralized such that they are performed by a plurality of authentication nodes that communicate with one another to arrive at a consensus for a given security action, such as whether to authenticate a user. Decentralizing the security functions generally helps to increase the security and robustness of the network. In this regard, even if a hacker is able to access and compromise an authentication node, the other authentication nodes may act to prevent the hacker from using the compromised node to perform harmful or unauthorized actions. In addition, if any of the authentication nodes fails, the other authentication nodes may continue performing security functions, allowing the network to recover from the failure.
Type: Grant
Filed: January 18, 2022
Date of Patent: June 24, 2025
Inventor: Bijan Reza Bahari
-
Patent number: 12333018
Abstract: In some implementations, a remediation device may receive, from a database that stores information regarding security vulnerabilities, security vulnerability indicators associated with one or more cloud-based applications. The remediation device may cluster, using at least one machine learning model, the security vulnerability indicators into classes, and may determine, for each class, a corresponding remediation recommendation. The remediation device may transmit, based on a setting, a corresponding message for each class. The remediation device may receive input associated with at least one of the corresponding messages, and may trigger, for at least one of the classes of security vulnerability indicators and based on the input, an automated remediation script based on a corresponding one of the remediation recommendations. The automated remediation script causes a cloud environment to perform an action for a cloud-based application associated with the security vulnerability indicators in the class(es).
Type: Grant
Filed: October 15, 2021
Date of Patent: June 17, 2025
Assignee: Capital One Services, LLC
Inventors: Mohamed Seck, Krystan R. Franzen
-
Patent number: 12335226
Abstract: Described herein are systems, methods, and software to manage domain name system (DNS) requests in a computing system. In one example, a computing system identifies a DNS request from an application on the computing system and, in response to the request, identifies a DNS server to support the DNS request from a plurality of DNS servers based on a domain in the DNS request. The computing system further forwards the DNS request to the DNS server, wherein the DNS server is located on the computing system, obtains a response to the DNS request from the DNS server, wherein the response indicates a private internet protocol (IP) address in a private network subnet, and provides the response to the application.
Type: Grant
Filed: February 7, 2023
Date of Patent: June 17, 2025
Assignee: Tailscale Inc.
Inventors: David J. Crawshaw, David Anderson, Avery Pennarun
-
Patent number: 12328388
Abstract: Embodiments of systems and methods to provide a firmware update to devices configured in a redundant configuration in an Information Handling System (IHS) are disclosed. In an illustrative, non-limiting embodiment, an IHS may include computer-executable instructions to receive a request for a secret known by the IHS, and attest the RAC by verifying that the public key exists in a manifest that is configured to store identifying information about a plurality of devices configured in the IHS. The request is signed using a private key of a first asymmetric key pair generated by a Remote Access Controller (RAC). Using a second public key of a second asymmetric key pair, the instructions encrypt the requested secret and send the encrypted secret to the RAC, wherein the RAC is configured to use the second private key of the second asymmetric key pair to decrypt the encrypted secret.
Type: Grant
Filed: October 24, 2022
Date of Patent: June 10, 2025
Assignee: Dell Products, L.P.
Inventors: Sreeram Veluthakkal, Sanjeev S. Dambal, Marshal F. Savage, Jason Matthew Young
-
Patent number: 12321504
Abstract: The present disclosure relates to systems, methods, and computer-readable media for establishing and managing a trusted connection between a peripheral device and a client device. For example, systems discussed herein include determining whether a peripheral device poses a security risk based on a combination of peripheral device data and a client profile including environmental data and historical usage data for the client device. Systems described herein may further grant a level of trust based on the determined security risk. The systems disclosed herein facilitate implementation of intelligent policies that are user friendly without exposing the client device to a variety of security threats.
Type: Grant
Filed: January 30, 2023
Date of Patent: June 3, 2025
Assignee: Microsoft Technology Licensing, LLC
Inventors: Alessandro Domenico Scarpantoni, Shyamal Kaushik Varma
-
Patent number: 12314371
Abstract: A method for authenticating a peripheral device includes detecting, by a baseboard management controller (BMC), a presence of the peripheral device, receiving authentication credentials from the peripheral device, making a determination, based on the authentication credentials, that the peripheral device is authentic, and sending, in response to the determination, a command to open a peripheral communication channel with the peripheral device.
Type: Grant
Filed: July 23, 2021
Date of Patent: May 27, 2025
Assignee: EMC IP HOLDING COMPANY LLC
Inventors: Austin Patrick Bolen, Chandrashekar Nelogal
-
Patent number: 12316786
Abstract: Examples of the disclosure include a host system comprising an authentication communication medium interface configured to be communicatively coupled to a connected module, a secure communication medium interface, and a controller configured to detect a connection of the connected module to the host system over a physical communication connection, generate an authentication challenge, provide the authentication challenge to the connected module over a physical authentication connection via the authentication communication medium interface, receive a challenge response to the authentication challenge from the connected module via the authentication communication medium interface, verify the challenge response, and grant the connected module access to host system data over the physical communication connection via the secure communication medium interface based on successful verification of the challenge response.
Type: Grant
Filed: December 4, 2020
Date of Patent: May 27, 2025
Assignee: SCHNEIDER ELECTRIC IT CORPORATION
Inventor: Michael Kenneth Schmidt
-
Patent number: 12293228
Abstract: A node comprising a processor executing a first operating system, a peripheral port connected to a peripheral device, and a system control processor executing a second operating system, where the system control processor is configured to perform a method for metering usage of the peripheral device by the first operating system, the method including obtaining utilization data from the peripheral device and sending the utilization data to a remote authentication server, and where the first operating system cannot access the system control processor.
Type: Grant
Filed: October 4, 2022
Date of Patent: May 6, 2025
Assignee: Dell Products L.P.
Inventors: Elie Antoun Jreij, Austin Patrick Bolen
-
Patent number: 12293342
Abstract: Computer implemented systems and methods are provided for an automatic teller machine. In some embodiments, an automatic teller machine may comprise a touch-sensitive display, one or more memory devices storing instructions, and one or more processors. The one or more processors may be configured to receive authentication data associated with a user, retrieve user profile information based on the authentication data, determine user interface attributes based on the user profile information, and generate an automatic teller machine interface based on the user profile information.
Type: Grant
Filed: July 27, 2022
Date of Patent: May 6, 2025
Assignee: Capital One Services, LLC
Inventor: David Wurmfeld
-
Patent number: 12294621
Abstract: Methods, systems, and apparatus are described providing networking engines. Specifically, the present specification relates to a method for implementing software containers implementing network engines that may be configured to act in a zero-knowledge environment. In such implementations, all information pertaining to the network engine associated with a user that is stored in the container is solely that of the user unless explicitly shared by the user. In some implementations, the containers may be configured to participate in a publish-and-subscribe network in order to share information. In addition, the containers may be provisioned with controls so that global operators may comply with local privacy rules.
Type: Grant
Filed: July 25, 2022
Date of Patent: May 6, 2025
Assignee: eIngot LLC
Inventors: William J. Raduchel, Art Spivy
-
Patent number: 12287894
Abstract: In some examples, a computing device may determine a replication criteria for replication of user information and/or resource information between a first computing site and a second computing site. The computing device may perform the replication between the first computing site and the second computing site based on the replication criteria. Further, the computing device may determine at least one of a user correspondence or a resource correspondence between the first computing site and the second computing site based on performing the replication. The computing device may replicate permission information between the first computing site and the second computing site based at least on the user correspondence and/or the resource correspondence.
Type: Grant
Filed: September 12, 2022
Date of Patent: April 29, 2025
Assignee: HITACHI VANTARA, LTD.
Inventor: Pablo Martinez Lerin
-
Patent number: 12267441
Abstract: Systems, devices, and methods for managing operation of data processing systems are disclosed. To manage operation of the data processing systems, onboarding processes may be performed to conform the operation of the data processing systems to meet the expectations of owners of the data processing systems. During onboarding, keys usable to verify subsequently issued commands may be obtained by the data processing systems. The data processing systems may perform verification processes for issued commands that rely on a root of trust established with the keys, rather than on the identities of the entities that may issue the commands, for command verification.
Type: Grant
Filed: October 14, 2022
Date of Patent: April 1, 2025
Assignee: Dell Products L.P.
Inventors: Bradley K. Goodman, Kirk Alan Hutchinson, Joseph Caisse
-
Patent number: 12267320
Abstract: In some implementations, a system may receive interaction request data indicating a request by a first user to perform a requested interaction via a user account, wherein the first user is associated with the user account. The interaction request data may indicate a first user identifier and first user biometric authentication data associated with the first user. The system may identify a second user identifier associated with a second user associated with the user account. If the system determines that an authorization condition is satisfied, the system may transmit, to a second user device associated with the second user, a second user authentication. The system may receive, from the second user device, second user biometric authentication data associated with the second user. The system may authorize the requested interaction based on receiving the second user biometric authentication data within a time threshold after a request time associated with the request.
Type: Grant
Filed: April 22, 2022
Date of Patent: April 1, 2025
Assignee: Capital One Services, LLC
Inventor: Son Mays
-
Patent number: 12255899
Abstract: Privileged access is managed by receiving a request for privileged access to a device connected to a network, determining a risk level associated with the request based on a duration of the privileged access, a device identifier, a first user identifier, and a requested privilege level included in the request, identifying a second user to control authorization of the device based on the risk level, and scheduling, in response to receiving authorization from the second user, a process to modify an entry in a permissions database to associate the first user identifier and the device identifier with the requested privilege level for the duration.
Type: Grant
Filed: March 17, 2022
Date of Patent: March 18, 2025
Assignee: RAKUTEN SYMPHONY, INC.
Inventors: Rajneesh Kumar, Remi Ferreres
-
Patent number: 12250058
Abstract: In a method of group creation for a pair of an unmanned aerial vehicle (UAV) and an unmanned aerial vehicle controller (UAV-C) in a service enabler architecture layer (SEAL) architecture, the pair of UAV and UAV-C is determined by an unmanned aerial system application enabler (UAE) server in the SEAL architecture. A group creation request for the pair of UAV and UAV-C is transmitted by the UAE server to a SEAL group management (GM) server of the SEAL architecture. A first response message is received by the UAE server from the SEAL GM server for the group creation request. A group including the pair of the UAV and the UAV-C is created for quality-of-service (QoS) management. The group creation request includes an identity of a UAE client corresponding to the pair of UAV and UAV-C, an identity of the UAV, and an identity of the UAV-C.
Type: Grant
Filed: May 17, 2022
Date of Patent: March 11, 2025
Assignee: Tencent America LLC
Inventors: Shuai Zhao, Stephan Wenger, Shan Liu
-
Patent number: 12249247
Abstract: The present application describes a technique for enhancing an electronic version of a maintenance manual or procedure with an interactive workflow, and presenting the enhanced electronic document using mobile computing devices that can be operated easily hands-free. The workflow primarily consists of a set of interactive checklist items that a maintenance specialist can mark complete via a spoken command. The enhanced electronic documents are additionally associated with supplemental multimedia content, presented contextually based on the currently selected and active checklist item. Furthermore, the document viewing application provides for integrated reporting functionality, enabling a maintenance specialist to capture relevant information during the maintenance procedure, for subsequent use in generating and submitting a report either electronically or via hard copy.
Type: Grant
Filed: September 20, 2021
Date of Patent: March 11, 2025
Assignee: KLATT WORKS, INC.
Inventors: Nathan D. Klatt, John David Slack, Divya Prasannan, Vinod Krishnankutty, Edward F. Riehle
-
Patent number: 12242738
Abstract: A card reader, a controller thereof, and a method are provided. The card reader includes a storage device and the controller, wherein the controller is coupled to the storage device. The storage device is configured to store specific identification data of a specific memory device. The controller is configured to receive identification data of an external memory device plugged into the card reader, and to determine whether the external memory device is the specific memory device according to the identification data and the specific identification data, to generate a determination result. More particularly, the controller may control whether to open permission of at least one function according to the determination result.
Type: Grant
Filed: April 27, 2023
Date of Patent: March 4, 2025
Assignee: Realtek Semiconductor Corp.
Inventors: Jiunn-Hung Shiau, Neng-Hsien Lin
-
Patent number: 12242754
Abstract: A data storage device comprising a non-volatile storage medium configured to store user data, a data port configured to receive and transmit data between a host computer system and the data storage device, and a controller. The controller is configured to receive, via the data port, a write command comprising a read restriction indication, receive, via the data port, data, and write the data to an address of the non-volatile storage medium. The controller is further configured to determine an occurrence of a read restriction event, and in response to the occurrence of the read restriction event and in response to the read restriction indication, erase the data from the address of the non-volatile storage medium.
Type: Grant
Filed: June 29, 2022
Date of Patent: March 4, 2025
Assignee: Sandisk Technologies, Inc.
Inventors: Eyal Hamo, Sagi Taragan, Alexander Lemberg
-
Patent number: 12244624
Abstract: Aspects of the disclosure relate to malware detection at endpoint devices. A computing platform may send rule information to a browser extension including a set of rules defining reportable behavior of network traffic associated with a website. Subsequently, the computing platform may receive report information including an identification of a loaded web page associated with the website that exhibits the reportable behavior defined by at least one rule of the set of rules and an indication of which rules of the set of rules have been met. Based on receiving the report information, the computing platform may assign a risk score for the identified loaded web page. Thereafter, the computing platform may determine that the risk score is above a predetermined threshold, and in response, the computing platform may send commands to the browser extension directing the browser extension to close the identified loaded web page.
Type: Grant
Filed: October 16, 2023
Date of Patent: March 4, 2025
Assignee: Bank of America Corporation
Inventor: Ricardo Varanda
-
Patent number: 12236259
Abstract: The subject technology performs a transaction locally at a computing node. The subject technology determines that the transaction has been completed. The subject technology determines a set of immutable attributes from the completed transaction. The subject technology generates an aggregate identifier based on the set of immutable attributes. The subject technology publishes the generated aggregate ID. The subject technology stores the published aggregate ID to an external storage location.
Type: Grant
Filed: November 9, 2021
Date of Patent: February 25, 2025
Assignee: STRIPE, INC.
Inventors: Xin Li, Ben Xiang, Stephen Chen
-
Patent number: 12223097
Abstract: A voucher management system receives, from a computing device manufacturer system, an ownership voucher that transfers ownership of a computing device from the computing device manufacturer system to the voucher management system, and a hardware attestation certificate for the computing device, and associates them with the computing device in a voucher management database. When the voucher management system determines that the ownership of the computing device should be transferred to an end user system, it automatically generates second ownership transfer data by signing an end user system public key with a voucher management system private key, provides the second ownership transfer data in the ownership voucher in order to transfer ownership of the computing device from the voucher management system to the end user system, and provides the ownership voucher and the hardware attestation certificate to the end user system.
Type: Grant
Filed: April 11, 2022
Date of Patent: February 11, 2025
Assignee: Dell Products L.P.
Inventors: Anurag Sharma, Daniel E. Cummins, Jason Matthew Young, Muzhar S. Khokhar
-
Patent number: 12210609
Abstract: A system on a chip including a first-port controller for a first development port configured to receive a first development tool and a second-port controller for a second development port configured to receive a second development tool. The system on a chip further includes a central controller in communication with the first-port controller, the second-port controller, and a security subsystem. The central controller is configured to manage authentication exchanges between the security subsystem and the first development tool and authentication exchanges between the security subsystem and the second development tool.
Type: Grant
Filed: October 29, 2021
Date of Patent: January 28, 2025
Assignees: STMicroelectronics Application GMBH, STMicroelectronics International N.V.
Inventors: Avneep Kumar Goyal, Thomas Szurmant
-
Patent number: 12190129
Abstract: A system and method for implementing a plugin control mechanism. A disclosed method includes: launching an application; injecting additional functionality into the application; and utilizing the additional functionality to: detect a file processing call; evaluate the file processing call against a set of rules to determine whether the file processing call involves execution of an extension file; and call an operating system (OS) application control function in response to determining that the file processing call involves execution of the extension file, wherein the OS application control function is configured to conditionally prevent execution of the extension file.
Type: Grant
Filed: January 4, 2022
Date of Patent: January 7, 2025
Assignee: Citrix Systems, Inc.
Inventor: Andrew Kisliakov
-
Patent number: 12184666
Abstract: Malicious homoglyphic domain name (MHDN) detection and associated cyber security applications are described. A domain name may be received that may be a potential MHDN. Homoglyphic domain name detection may be performed by, for example, generating a normalized character string corresponding to the input domain name by applying one or more normalization operations to the input domain name, wherein the one or more normalization operations may be configured to reduce homoglyphic characteristics in the input domain name; and generating a plurality of segmentations of the normalized character string, wherein generating each segmentation, of the plurality of segmentations, may comprise segmenting the normalized character string into a respective plurality of segments, and wherein each segmentation may comprise a different plurality of segments. A segmentation may be selected based on cost values corresponding to each respective segmentation determined using a cost function.
Type: Grant
Filed: February 13, 2024
Date of Patent: December 31, 2024
Assignee: Centripetal Networks, LLC
Inventors: Vincent Mutolo, Alexander Chinchilli, Sean Moore, Matthew Sparrow, Connor Tess
-
Patent number: 12174938
Abstract: A computing device, including at least a processor and a memory, can be configured to control process components on the computing device. An agent can intercept a request to instantiate a new process component. The request can originate on the computing device from an instance of a particular process component amongst a set of process components. The agent can determine whether to permit the intercepted request by validating the relationship using a policy with rules, as well as by determining that a trusted owner is among the set of identified owners. The agent can permit the intercepted request if the determination is to permit the intercepted request.
Type: Grant
Filed: September 15, 2023
Date of Patent: December 24, 2024
Assignee: Avecto Limited
Inventors: John Goodridge, Thomas Couser, James William Maude
-
Patent number: 12169621
Abstract: Systems, devices, media, and methods are presented for dynamic presentation and management of messages within a graphical user interface by presenting content icons, monitoring consumption status of the presented content represented by the content icons, transferring a content item from a first set of content to a second set of content, and causing presentation of the content item as part of the second set of content.
Type: Grant
Filed: February 6, 2023
Date of Patent: December 17, 2024
Assignee: Snap Inc.
Inventors: Nicholas Richard Allen, Newar Husam Al Majid
-
Patent number: 12169566
Abstract: An untrusted orchestrator function subsystem inventory and verification system includes an untrusted orchestrator device, an operating system, a BIOS, and a management device. In response to presentation by the untrusted orchestrator device of a function subsystem to the operating system during runtime, the operating system generates a function subsystem detection alert that identifies the function subsystem. In response to the function subsystem detection alert, the BIOS generates and transmits a BIOS inventory update. The management device receives the BIOS inventory update, and determines whether the operating system is authorized to use the function subsystem at least in part based on the BIOS inventory update. If so, the management device allows the operating system to utilize the function subsystem while, if not, the management device prevents the operating system from utilizing the function subsystem.
Type: Grant
Filed: June 6, 2022
Date of Patent: December 17, 2024
Assignee: Dell Products L.P.
Inventors: Srinivas Giri Raju Gowda, Syama Poluri
-
Patent number: 12166872
Abstract: Aspects of the present disclosure include a tokenless, network-attached, multi-factor authentication software-based electronic access control logon system and methods of use thereof, which may provide security equivalent to a Public Key Infrastructure smart card system. The logon system may allow tokenless, but authorized, entities to access secure systems, with the secure logon system not requiring placement of individual or organization identifying information on a physical object that may be removed from a restricted location. Aspects of the present disclosure may include maintaining user credentials within individually encrypted credential bins within a Credential Hardware Security Module (HSM) that is securely accessible by authorized endpoints in a distributed network.
Type: Grant
Filed: October 9, 2020
Date of Patent: December 10, 2024
Assignee: THALES DEFENSE & SECURITY, INC.
Inventors: Greg Kubovcik, Lloyd Mitchell, Bill Becker
-
Patent number: 12166765
Abstract: A role-based access control method and system provide for receiving a request to provide an access to a resource, identifying a plurality of permissions associated with the request, authorizing the request including determining the plurality of permissions are granted for the identity, generating a serialized token to represent the plurality of permissions, and passing the serialized token to the first service to perform the providing of the access to the resource.
Type: Grant
Filed: April 27, 2022
Date of Patent: December 10, 2024
Assignee: Twilio Inc.
Inventors: Alexandre Payment, Liran Nuna, Vivek K. Laddha
-
Patent number: 12166768
Abstract: Systems and methods for providing collaboration rooms with dynamic tenancy and role-based security are disclosed herein. An example method includes establishing a digital collaboration room for an entity, generating a token for a first user, receiving a request to perform an action on a portion of the data, performing a hierarchical permissions analysis to determine if the first user has permission to perform the action and access the portion of the data and determine if the user currently has permission to enter the digital collaboration room. The method includes retrieving the portion of the data from the database for the digital collaboration room and allowing the first user to perform the action when the user currently has permission to enter the digital collaboration room and the user has permission to perform the action and access the portion of the data.
Type: Grant
Filed: September 7, 2022
Date of Patent: December 10, 2024
Assignee: Cygnvs Inc.
Inventors: Ana Vallejo Ureña, Sai Avala, Kevin Gaffney
-
Patent number: 12159145
Abstract: Context driven user interfaces for storage systems including receiving, from a user account, a request to access a system interface for a system; identifying at least one critical system characteristic that describes a current aspect of the system; reconfiguring the system interface based on the at least one critical system characteristic; and presenting the reconfigured system interface to a user of the user account.
Type: Grant
Filed: October 18, 2021
Date of Patent: December 3, 2024
Assignee: PURE STORAGE, INC.
Inventors: Prakash Darji, Steven Ma, Jonas Irwin
-
Patent number: 12159043
Abstract: In embodiments, a system includes a first and a second processing unit, a memory, and a firewall device. The first processing unit operates in a secure mode and generates memory access requests having a secure level. The second processing unit operates in a non-secure mode and generates memory access requests having a non-secure level. The memory includes a first memory area that can be shared between the first and second processing units. The firewall device includes a first firewall circuit with a first configuration authorizing access to the first memory area in the presence of a secure or non-secure level access request. The firewall circuit includes a second configuration prohibiting access to the first memory area in the presence of a secure level access request and authorizing access to the first memory area only in the presence of a non-secure level access request.
Type: Grant
Filed: November 17, 2022
Date of Patent: December 3, 2024
Assignee: STMicroelectronics (Grand Ouest) SAS
Inventors: Loic Pallardy, Michel Jaouen
-
Patent number: 12156361
Abstract: A modular interface system having a modular SPE-based bus system with an SPE-based twin-core line and a plurality of SPE-based connectors, wherein a plurality of modules, each of which has an SPE-based connector, can be electrically and mechanically coupled to the SPE-based bus system by means of the SPE-based connectors.
Type: Grant
Filed: October 8, 2020
Date of Patent: November 26, 2024
Assignee: Phoenix Contact GmbH & Co. KG
Inventor: Gunnar Lessmann
-
Patent number: 12135657
Abstract: A system on chip (SoC) is designed to include a protective moat allowing the external interfaces of the SoC to act as security enforcers. Data is prevented from being delivered to non-trusted devices. Data may leave only to friendly devices that are able to protect the data at its respective security class. Code is prevented from accessing data or jumping to addresses which the code is not authorized to process or jump to. According to an embodiment, both data and code are stored encrypted in corresponding classes, each class having a different encryption key. An n-by-n matrix defines the way security classes may mix, specifically when two different security classes are used. This provides for securing data-data, code-code and data-code interactions. During configuration, processor context switching and secure communication, a trusted execution environment (TEE) is used. The classification rules matrix is programmable under the TEE.
Type: Grant
Filed: December 28, 2021
Date of Patent: November 5, 2024
Inventor: Lempel Mordkhai
-
Patent number: 12132611
Abstract: Systems and methods described herein provide for novel configuration features for setting up a user device automatically to connect to a network and register the user device to a user account. A mapping of user devices to cryptographic keys for the user devices may be maintained by a computer system. The computer system may receive information that specifies network information and user account information for a particular user device. A mapping of the network information and user account information to the particular user device may be generated. A machine-readable code that includes the network information for connecting the particular user device to the network and a token that includes credentials for the user account information may be generated and transmitted to an assistant configuration device.
Type: Grant
Filed: September 29, 2022
Date of Patent: October 29, 2024
Assignee: Amazon Technologies, Inc.
Inventors: Quentin N Robinson, Mark Gilbert, Joseph Kramer, Zachary Douglas Bears, Gregory Christopher John Vandenbrouck
-
Patent number: 12124602
Abstract: Embodiments of the present disclosure provide systems and methods for using secure schemas to address inconsistencies between standard RBAC rules and the use of inherited grants. A secure schema may be defined that transfers ownership of an object created in the secure schema to a role that owns the secure schema. An inherited grant may be attached to the secure schema, where the inherited grant specifies a permission on a first type of object in the secure schema and a grant of the permission to the role that owns the secure schema. When objects are created in the secure schema, ownership of each of the set of objects is transferred to the role that owns the secure schema to authorize the role that owns the secure schema to manage grants to the set of objects on the secure schema.
Type: Grant
Filed: July 31, 2023
Date of Patent: October 22, 2024
Assignee: Snowflake Inc.
Inventors: Vikas Jain, Eric Karlson, Sepideh Khoshnood
-
Patent number: 12113820
Abstract: A threat actor identification system that obtains domain data for a set of domains, generates domain clusters, determines whether the domain clusters are associated with threat actors, and presents domain data for the clusters that are associated with threat actors to brand owners that are associated with the threat actors. The clusters may be generated based on similarities in web page content, domain registration information, and/or domain infrastructure information. For each cluster, a clustering engine determines whether the cluster is associated with a threat actor, and for clusters that are associated with threat actors, corresponding domain information is stored for presentation to brand owners to whom the threat actor poses a threat.
Type: Grant
Filed: May 24, 2023
Date of Patent: October 8, 2024
Assignee: PROOFPOINT TECHNOLOGIES, INC.
Inventors: Gaurav Mitesh Dalal, Hung-Jen Chang, Ali Mesdaq
-
Patent number: 12105726
Abstract: Systems and methods are provided for processing requests to perform a stored procedure. A document chart is created having a unique identifier that corresponds to the stored procedure name. The document chart, being specific to the stored procedure, is populated with records that are associated with potential calls of the stored procedure. Each record comprises a key parameter and an output value, wherein the key parameter corresponds to a key that is generated based on the input parameters associated with the stored procedure call. The output value is communicated to the requesting client device without having to call the stored procedure on the targeted server.
Type: Grant
Filed: April 11, 2022
Date of Patent: October 1, 2024
Assignee: United Parcel Service of America, Inc.
Inventor: Waleed Ahmed
-
Patent number: 12093364
Abstract: Systems and methods are provided for operation of a media device in an obfuscated entry mode. A method for entry of personal information on a media device may include receiving a request from an external device to enter personal information. An interface screen is generated, including a first section including a plurality of characters, and a second section including directional buttons and a select button. Manipulation of the directional buttons and/or the select button causes selection of characters from the first section of the interface screen to be entered into the personal information entry field displayed by the media device in an obfuscated manner.
Type: Grant
Filed: October 10, 2023
Date of Patent: September 17, 2024
Assignee: Google LLC
Inventors: Jiyoung Ko, Austin Quaid Walker, Saleh Altayyar, Sourav Basu
-
Patent number: 12069768
Abstract: Embodiments of this disclosure provide a terminal capability identifier operation method and a communications device. The operation method includes: performing a first operation related to a terminal capability identifier, where the first operation related to the terminal capability identifier includes at least one of the following: deleting or suspending a terminal capability identifier; changing a first-type terminal capability identifier in a terminal context to a second-type terminal capability identifier; or transmitting operation information of the terminal capability identifier.
Type: Grant
Filed: August 3, 2021
Date of Patent: August 20, 2024
Assignee: VIVO MOBILE COMMUNICATION CO., LTD.
Inventor: Xiaowan Ke
-
Patent number: 12050904
Abstract: Systems and methods are described that use software diversification techniques to improve the security of mobile applications. Embodiments of the disclosed systems and methods may, among other things, facilitate secure application distribution through deployment of diverse applications in an application distribution channel. Software diversification consistent with certain disclosed embodiments may mitigate large-scale automated circumvention of security protections by presenting attacking malware with moving and/or otherwise unpredictable diverse targets.
Type: Grant
Filed: July 23, 2021
Date of Patent: July 30, 2024
Assignee: Intertrust Technologies Corporation
Inventors: Stephen G. Mitchell, Gilles Boccon-Gibod
-
Patent number: 12052356
Abstract: Disclosed are data storage and verification methods and a device executable in a trusted execution environment. The data storage method comprises: encrypting, using a first key, user data and version information of the user data to generate first ciphertext, and storing the first ciphertext into a general storage space (S310); generating verification information of the user data (S320); and storing the version information and the verification information into a secure storage space (S330). The present disclosure effectively prevents version rollback of user data.
Type: Grant
Filed: September 21, 2021
Date of Patent: July 30, 2024
Assignee: Alibaba Group Holding Limited
Inventor: Caidi Wu
-
Patent number: 12045175
Abstract: A system includes a processing unit, a memory configured to store at least one first group of instructions and one second group of instructions for execution by the processing unit, the processing unit being configured to sequentially extract from the memory instructions of the first group and instructions of the second group for their execution. The system also includes a controller including a first auxiliary memory configured to store a protection criterion, a comparator configured to compare the storage address of each extracted instruction with the protection criterion, and a control circuit configured to, in response to the storage address meeting the protection criterion, trigger a protection mechanism including at least one prohibition for the processing unit to execute again at least one portion of the instructions of the first group, during the execution of the instructions of the second group.
Type: Grant
Filed: December 3, 2021
Date of Patent: July 23, 2024
Assignee: STMicroelectronics (Grand Ouest) SAS
Inventor: Frederic Ruelle
-
Patent number: 12039058
Abstract: Methods and systems for performing a computational operation on a server host using a secure enclave are provided. Exemplary methods include: receiving an encrypted service request from a client host, the client host encrypting a service request to produce the encrypted service request using a shared secret, the service request specifying the computational operation; decrypting, in a secure enclave that is established by a secure environment, the encrypted service request using the shared secret to produce a decrypted service request; performing the computational operation, in the secure enclave, using the decrypted service request to generate a service result; encrypting, in the secure enclave, the service result using the shared secret to create an encrypted service result; and providing the encrypted service result to the client host, the client host decrypting the encrypted service result using the shared secret.
Type: Grant
Filed: April 11, 2023
Date of Patent: July 16, 2024
Assignee: Enveil, Inc.
Inventors: Ellison Anne Williams, Ryan Carr
-
Patent number: 12038818
Abstract: A storage device configured for hardware verification is disclosed. The storage device comprises a first hardware component comprising a connector and a first verification logic. The first validation logic is configured to detect a criterion and generate a first signal via the connector in response to detecting the criterion. The storage device also comprises a second hardware component coupled to the first hardware component via the connector. The second hardware component comprises a second validation logic, where the second validation logic is configured to monitor and receive the first signal via the connector. In response to receiving the first signal, the second validation logic is configured to compare the received first signal to an expected signal and generate a result. The storage device is configured to take an action in response to the result.
Type: Grant
Filed: January 30, 2023
Date of Patent: July 16, 2024
Assignee: Samsung Electronics Co., Ltd.
Inventors: Sompong Paul Olarig, Xuebin Yao
-
Patent number: 12021988
Abstract: Ad-hoc network comprising a configurator device and a plurality of nodes, wherein each node is an electronic device, wherein each node is connected by a communication connection with at least one of the other nodes and/or with the configurator device, wherein each node can be in different states comprising at least a non-commissioned state (NC), a commissioned state and a trust ring member state (TR), wherein a first node of the plurality of nodes being in the non-commissioned state (NC) is configured to send a non-commissioned advertisement message to the configurator device comprising an identifier of the first node, wherein the configurator device is configured to send an automated commissioning initialization (ACI) message to the first node containing a token, wherein the token is encrypted by a symmetric network key, wherein the first node is configured to send out a commissioning request message containing the received encrypted token, wherein the first node is configured to change its state, when it re
Type: Grant
Filed: November 9, 2018
Date of Patent: June 25, 2024
Assignee: ELECTRIC SOCIETY SA
Inventors: Peter Krcmaricic-Barackov, Bogdan Ilicin, Karim Idalene, David Llobet-Calaf, Nikola Raskovic
-
Patent number: 12021873
Abstract: A network-accessible service provides an enterprise with a view of identity and data activity in the enterprise's cloud accounts. The service enables distinct cloud provider management models to be normalized with centralized analytics and views across large numbers of cloud accounts. Using a domain-specific query language, the system enables rapid interrogation of a complete and centralized data model of all data and identity relationships. The data model also supports a cloud "least privilege and access" framework. Least privilege is a set of minimum permissions that are associated to a given identity; least access is a minimal set of persons that need to have access to a given piece of data. The framework maps an identity to one or more actions collected in cloud audit logs, and dynamically builds a complete view of an identity's effective permissions. The resulting least privilege and access policies are then applied natively to a given cloud environment to manage access.
Type: Grant
Filed: September 28, 2021
Date of Patent: June 25, 2024
Assignee: Sonrai Security Inc.
Inventors: Ben A. Wuest, Willam A. Bird, Brad J. Peters, Dasharath P. Chavda, Gregory A. Davis
-
Patent number: 12010513
Abstract: Systems and methods are provided that include: accessing implicit authentication data from a possession factor associated with an authorized user; at the possession factor or at an authentication platform: generating a possession confidence level using the implicit authentication data, the possession confidence level being one of a plurality of possession confidence levels, the possession confidence level indicating a likelihood that the possession factor is possessed by the authorized user; identifying, among a plurality of varying authentication requirements, an authentication requirement for the transaction based on the possession confidence level, wherein the authentication requirement defines a process or action to prove authority to perform the transaction or a process or action to prove an identity of a user attempting to perform the transaction; and implementing the authentication requirement for the transaction.
Type: Grant
Filed: May 28, 2020
Date of Patent: June 11, 2024
Assignee: CISCO TECHNOLOGY, INC.
Inventors: Michael Hanley, Jon Oberheide
-
Patent number: 12010248
Abstract: A method and apparatus for a certificate authority system providing authentication to a plurality of devices associated with an organization are described. The method may include receiving, at the certificate authority system, a request from a device to sign authentication information of the device, wherein the device is associated with the organization. The method may also include sending a challenge to the device to perform an action with a system other than the certificate authority system, and receiving a response to the challenge from the device. Furthermore, the method may include verifying that the response was generated correctly based on the challenge, and signing the authentication information of the device with one or more keys of the certificate authority system as an authentication of an identity of the device.
Type: Grant
Filed: June 30, 2023
Date of Patent: June 11, 2024
Assignee: STRIPE, INC.
Inventors: Carl Jackson, Bryan Berg, David Terrence Bartley, Evan Broder