G06F2221/2123

THERMAL IMAGING PROTECTION

Thermal imaging protection is provided by, in response to detecting input of an access code on an input device: identifying a sequence comprising the access code; generating a bait code based on the sequence; and outputting a heat signature corresponding to the bait code using heating elements, such as resistor arrays, included in the input device. In some embodiments protection includes measuring temperatures of contact surfaces of the input device where the access code has been input; and adjusting a heat level of the heating elements based on the temperatures measured. Protection is further provided by storing the bait code; and in response to receiving entry of the bait code, activating unauthorized access countermeasures. In some embodiments protection includes, in response to detecting subsequent input of the access code: generating a second, different, bait code based on the sequence; and activating the heating elements based on the second bait code.

System & Method for Analyzing Privacy Policies

A natural language processing system is adapted to locate, extract and analyze content and meaning of provisions in user data management agreements employed by digital service providers (DSPs) and related entities. The resulting analysis can be used to inform (and as part of) data privacy protection systems that utilize personal/corporate privacy policies to engage with DSPs according to a desired set of protection parameters.

METHOD OF SECURE DATA STORAGE AND TRANSFER
20210185019 · 2021-06-17

A method of secure data transfer and storage using a removable storage device storing encrypted information. The method uses a host that stores and transfers encrypted sensitive information and a customer that desires the information to be securely stored. The customer chooses a unique encryption code to encrypt sensitive information and places the encrypted files on the removable storage device, then physically transfers the information to the host. The encrypted sensitive information travels physically between the host and customer outside of any computer network. The host has a gapped area that remains disconnected from any network. The host takes the sensitive information and copies it to the designated armored storage unit.

Blocking routine redirection
11017081 · 2021-05-25

Disclosed herein are methods, systems, and computer-readable media for blocking attempts at runtime redirection and attempts to change memory permissions during runtime. The present disclosure describes features that enable runtime detection of an attempt to redirect routines or change memory permissions, and determining whether to allow or deny the attempt. Such features may include changing memory write permissions on memory segments, such as those segments used by dynamic loaders after call associations have been saved or otherwise created. Other features may include swapping the addresses of system routines (e.g., open, read, write, close, etc.) to new routines that perform the same function as well as additional functionality configured to detect attempts to redirect or change memory permissions. Once detected by the new routine during runtime, a determination may be made to deny or allow the call based on a policy.

Integrity, theft protection and cyber deception using a deception-based filesystem

A decoy filesystem that curtails data theft and ensures file integrity protection through deception is described. To protect a base filesystem, the approach herein involves transparently creating multiple levels of stacking to enable various protection features, namely, monitoring file accesses, hiding and redacting sensitive files with baits, and injecting decoys onto fake system views that are purveyed to untrusted subjects, all while maintaining a pristine state to legitimate processes. In one implementation, a kernel hot-patch is used to seamlessly integrate the new filesystem module into live and existing environments.

OBFUSCATION OF OPERATIONS IN COMPUTING DEVICES
20210117575 · 2021-04-22

A method for obfuscation of operations using minimal additional hardware is presented herein. The method can begin by executing a first iteration of a set of computations, the execution of the set of computations resulting in a first iteration output. The method can continue by executing a second iteration of the set of computations, wherein the second execution is distinct from the first iteration but should satisfy a matching condition. The distinction can be a rearrangement of sub-operations, insertion of dummy sub-operations, or a combination of the two. After the iterations are complete, the iteration outputs can be compared. If the comparison of the first iteration output and the second iteration output satisfies the matching condition, the process result can be output. If the matching condition is not satisfied, an error detected signal can be output.

SHARED IMAGE SANITIZATION METHOD AND SYSTEM

Methods and systems for removing sensitive information from a digital image. An instruction to share a digital image is received. It is then determined that the digital image contains a depiction of a corporate display medium that is classified as sensitive based on a policy and, based on the determination that the digital image contains the depiction of the corporate display medium that is classified as sensitive based on the policy, the digital image is processed to modify the depiction. The digital image is shared.

Utilizing canary data to identify improper data access
10977379 · 2021-04-13

This disclosure describes techniques implemented partly by a service provider to monitor a cloud-based service by generating and placing canary records in storage locations along with real records to identify improper access events of the records or other data. The service provider may detect an access event where records in a storage location were accessed, and determine whether a canary record was accessed. If a canary record was accessed, the service provider may determine that the access event was potentially performed by a malicious entity because authorized users generally may not have reason to access a canary record when utilizing their cloud-based service. The service provider may generate canary records that are difficult to identify by a malicious entity, and may position canary records in the storage locations to help ensure that the canary records are accessed by a malicious entity during an improper access event.

System for protecting an input device
10922443 · 2021-02-16

A system for protecting an input device. The system includes a pressurizing device and a printed circuit board having a false key. The pressurizing device includes a tube for receiving a flexible pressurizing element. A spacer of a predetermined length is disposed at a bottom of the tube.

Countermeasures to frequency alteration attacks on ring oscillator based physical unclonable functions
10915635 · 2021-02-09

A system for providing security in a computer system is provided. The system includes a physical unclonable function (PUF) device and one or more logic circuits. At startup of the computer system, the logic circuits call the PUF device a preset plurality of times with an identical input value to generate a plurality of PUF values that are candidate identifiers of an integrated circuit. The logic circuits apply a hash function to the candidate identifiers to produce respective hash values. The logic circuits also access a reference hash value from a non-volatile memory and verify all of the respective hash values using the reference hash value. The logic circuits further enable the computer system to operate in a first mode or a second mode based on the verification results.