US20210004492A1 - Data breach prevention and remediation - Google Patents

Data breach prevention and remediation

Info

Publication number
US20210004492A1
Authority
US
United States
Prior art keywords
credential information
credential
compromised
match
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US16/879,680
Inventor
Jason Britt
Patrick A. Westerhaus
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Cyber Team Six LLC
Original Assignee
Cyber Team Six LLC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Cyber Team Six LLC
Priority to US16/879,680
Assigned to Cyber Team Six. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: BRITT, Jason, WESTERHAUS, PATRICK A.
Publication of US20210004492A1
Legal status: Abandoned

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/245 Query processing
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/25 Integrating or interfacing systems involving database management systems
    • G06F16/258 Data format conversion from or to a database
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3239 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD

Definitions

  • the disclosed subject matter generally relates to data security and, more particularly, to managing credential data which may have been compromised.
  • Data security is of paramount importance especially when the data includes sensitive, personal or confidential information. A breach in data security often leads to theft of data where sensitive or critical information is copied, transmitted or viewed unlawfully or without authorization.
  • Theft of sensitive data that includes financial information (e.g., credit card or bank account numbers), personal information (e.g., medical data, social security number, driver license number, etc.), secrets (e.g., government data, intellectual property, trade secret, etc.) or a combination thereof can have severe ramifications for the owners of the data and institutions that are tasked with maintaining the data secure.
  • Such shortcomings include unknown design vulnerabilities, computing bugs, naïve user behavior, weak credential authentication settings and mechanisms and other factors that can render a data system susceptible to attack. Some of these factors may involve phishing sites that imitate a login page, malware that is non-active but has gathered usernames and passwords from infected machines, or usernames and passwords collected from data breaches.
  • a computer-implemented data validation method may comprise generating a data set associated with a first credential information and submitting the data set to a data provider over a computing network to validate the first credential information.
  • the data provider may analyze the data set to determine whether a match is found for the first credential information based on second credential information known to have been compromised. In response to a match being found, it is determined that the first credential information has been potentially compromised.
  • a user associated with the first credential information may be requested to update the first credential information, in response to confirming that the first credential information has been compromised.
  • the data set may include a cryptographic hash of at least a part of the first credential information.
  • the data provider may search a series of hash values to find a match for the cryptographic hash.
  • the series of hash values may include a hash of at least a part of the second credential information known to have been compromised.
  • information associated with the match found may be stored in a cache locally available to a customer credential system of an institution responsible for safeguarding the first credential information.
  • a splitter may be utilized to provide the information associated with the match found to one or more of the cache or the customer credential system of the institution responsible for safeguarding the first credential information.
  • the match may be found by comparing a partial hash of the first credential information with a partial hash of the second credential information known to have been compromised.
  • a full hash value of the second credential information known to have been compromised is received.
  • the full hash value of the second credential information may be compared with the full hash value of the first credential information to confirm the first credential information has been compromised.
  • a computer program product or system may be configured or programmed to perform the steps or processes disclosed in the above-noted computer-implemented methodology.
  • FIG. 1 illustrates an example operating environment for credential validation, in accordance with one or more embodiments, in which the operations and functionalities disclosed herein may be implemented.
  • FIG. 2 is a block diagram of an exemplary system for identifying compromised credentials in accordance with one or more embodiments.
  • FIGS. 3A and 3B are flow diagrams of a method of determining whether certain credentials have been compromised, in accordance with an example implementation.
  • FIG. 4 is a block diagram of an example computing system that may be utilized to perform one or more computing operations or processes as consistent with one or more disclosed features.
  • credential data e.g., username, password
  • any type of sensitive or secret data it is important to efficiently and quickly identify the compromised data and take proactive steps to mitigate the breach. For example, if it is determined that a bank customer's username or password has been compromised, the customer can be notified. The customer may be also asked to change the compromised data.
  • the present disclosure is directed to systems and methods that can efficiently identify compromised data and effectively remediate an existing security threat.
  • a computing system 110 may be used to interact with software 112 being executed on computing system 110 .
  • the computing system 110 may be a general-purpose computer, a handheld mobile device (e.g., a smart phone), a tablet (e.g., an Apple iPad®), or other communication capable computing device.
  • Software 112 may be a web browser, a dedicated app or other type of software application running either fully or partially on computing system 110 for the purpose of managing customer credential data and detecting potentials for security breach.
  • Computing system 110 may communicate over a network 130 to access data stored on storage device 140 or to access services provided by a computing system 120 .
  • storage device 140 may be local to, remote to, or embedded in one or more of computing systems 110 or 120 .
  • a server system 122 may be configured on computing system 120 to service one or more requests submitted by computing system 110 or software 112 (e.g., client systems) via network 130 .
  • Network 130 may be implemented over a local or wide area network (e.g., the Internet).
  • Computing system 120 and server system 122 may be implemented over a centralized or distributed (e.g., cloud-based) computing environment as dedicated resources or may be configured as virtual machines that define shared processing or storage resources.
  • Execution, implementation or instantiation of software 124 , or the related features and components (e.g., software objects), over server system 122 may also define a special purpose machine that provides remotely situated client systems, such as computing system 110 or software 112 , with access to a variety of data providers and services, as provided in further detail below.
  • the provided services by the special purpose machine may include providing an operating environment 100 which supports an interface between a customer system, implemented on computing system 110 , and one or more data providers implemented on one or more computing systems 120 , for example.
  • Software 112 running on computing system 110 may be configured to provide validation information over network 130 to computing system 110 in a secure manner.
  • Software 124 running on server system 122 in relationship with software 112 , may be configured to determine if the provided sensitive data or credential information (e.g., username and/or password) are potentially compromised.
  • a credential remediation infrastructure 210 may be implemented as supported by operating environment 100 to help one or more institutions that store confidential, private or secret information maintain the integrity of such information by continually checking whether the credential information for any of their customers has been compromised.
  • the credential remediation system 210 may include a customer credential system 220 that communicates with one or more data providers (e.g., data providers 1 and 2 ).
  • An interface platform for example including an application programming interface (API), may be provided that has a customer facing interface or a data provider facing interface, or both, depending on implementation.
  • a processing and storage platform may be provided that includes at least one data splitter, a data caching mechanism, and one or more data processors (e.g., query processors, parameters processors, etc.).
  • the computer interface may be configured to support a data provider implementation and a customer specific implementation.
  • the customer specific implementation may be configured as a portion of the customer facing interface to communicate data according to a transmission protocol or specific transmission attributes of the customer credential system 220 .
  • the data provider specific implementation on the other hand, may be configured as a portion of the data provider facing interface to communicate with the one or more data providers.
  • the data provider 1 and the data provider 2 may have a proprietary or customized implementation as configurable to communicate with the data provider facing interface.
  • the customer credential system 220 may communicate with the data providers to determine which customer or user credentials are possibly compromised. If compromised user credentials are identified, the credentials can be replaced by new credentials by requesting a user to change his username and password.
  • customer credential system 220 may use a hash algorithm to provide hashes of credential information to one or more data providers.
  • a partial hash of the credential information may be calculated.
  • a random text e.g., “salt”
  • An encrypted credential information may be transmitted to the one or more data providers by way of a series of intermediary components in the implemented interface, as provided in further detail herein.
  • a data provider upon receiving the encrypted credential information may apply the same hash algorithm to a series of credentials that are known to have been compromised.
  • Information about the hash algorithm and salt used to encrypt the credentials may be forwarded to the data provider, either along with the encrypted credentials or independently during a separate transmission.
  • various procedures may be implemented or utilized by a provider to determine whether or not customer credentials have been compromised.
  • the provider may have obtained the compromised credentials by performing a search on the dark web, for example.
  • a data provider may generate full or partial hashes of the compromised credentials and compare the generated hash values with the hash values transmitted from the customer credential system 220 to the data provider.
  • a Bloom filter for example, which can indicate that a match is possibly found (or definitely not found) may be utilized by the data provider to determine whether a credential submitted by the customer credential system 220 matches a known compromised credential. If a match is found (or is likely to be found), the data provider may notify the customer credential system that certain credentials associated with the hash have been compromised.
  • the data provider may return to the customer credential system 220 the full hash of the matched credential and additional information about the matched credential (e.g., the nature of the threat).
  • Customer credential system 220 upon receiving the information about the potential match, may compare the full hash of the credential information (e.g., the full hash of the username assigned to a customer) with the full hash of matched credentials provided by the provider. If there is a match, then customer credential system 220 may notify a customer or the corresponding institution (e.g., a bank) that the credential has been compromised.
  • additional credential information e.g., password data, pin, etc.
  • additional credential information may be also analyzed to determine the extent of the breach or security threat. This analysis may be performed by the customer credential system 220 , the data provider or an independent entity.
  • additional information about the breach may be also provided by the data provider. Such information may include, for example, the source of the breach or any other attributes or characteristics related to the breach that may be useful for the purpose of mitigating or remediating the breach or associated security concern.
  • the customer may be contacted and asked to update or change his or her credentials (e.g., username, password, etc.).
  • the updated credential values may be submitted to the provider to ensure the updated credentials are not on the list of known compromised credentials. If so, the customer may be prompted not to use the new credential.
  • a cache mechanism may be implemented to store information about compromised credentials as the corresponding information is received from the one or more data providers.
  • the credentials e.g., new or updated credential data
  • This implementation can improve credential validation efficiency and speed by avoiding the latency associated with having to transmit the credential information to data providers that are remotely situated.
  • credential validation can advantageously take place in real-time or near real-time in an expedited manner, due to time savings and resource efficiencies associated with accessing a local cache.
  • FIGS. 2, 3A and 3B a more detailed example of credential validation and data breach remediation is provided, in accordance with one or more embodiments. It is noteworthy that the details provided are by way of example and certain steps, processes and features may be implemented or performed in different configurations or orders or using similar or completely different types of computing resources, which may be capable of performing the same functionalities or operations.
  • the customer credential system 220 may invoke a process to validate one or more credentials for one or more users or customers.
  • the validation process may be invoked for a single customer, for example, when the customer initially sets up a username and password, or at a time when the customer updates the credentials.
  • a batch process may be executed at predetermined time intervals (e.g., daily or weekly) to invoke a validation process to validate the credential data periodically.
  • the customer credential system 220 may thus collect and transmit credential-related parameters (e.g., hashed usernames or passwords, prefixed or postfixed salt, the hashing algorithm used to hash the username or password) to a parameter processor via the customer specific implementation of a customer facing interface ( 310 ).
  • the parameter processor may forward the credential parameters to the data providers via the data provider facing interface ( 320 ).
  • the data providers may use the credential parameters to identify possibly compromised credentials and create compromised credential identifiers to send back to the customer credential system 220 ( 330 ).
  • the credential identifiers are collected from data providers using a data provider specific fetching implementation to get converted and tagged ( 340 ).
  • a data splitter may be configured to pull compromised credential identifiers via the data provider facing interface and store the compromised credential identifiers to a local cache and/or send the compromised credentials to the customer credential system 220 via the customer facing interface, for example ( 350 ).
  • a customer specific implementation may capture, pull or receive new compromised credential identifiers from the splitter via the customer facing interface and push the information to the customer credential system 220 ( 360 ). Accordingly, the customer credential system 220 may be provided with an identification of one or more credentials that may have been compromised.
  • the customer credential system 220 may request additional information to be provided by the one or more data providers. For example, a complete hash value of the compromised credential (e.g., username) and other associated credentials (e.g., password) may be calculated or requested.
  • the additional information provided in comparison to the information available to customer credential system 220 , may indicate or confirm that the potentially compromised credentials match. If so, then it is confirmed that the potentially compromised credentials are in fact compromised. Accordingly, the customer with compromised credentials may be requested to update the affected credential (e.g., update the old username and password) with new credentials.
  • the newly updated credentials may be validated by way of the same or similar processes provided in FIG. 3A .
  • instead of forwarding the new credential hashes all the way to the data providers, which may be remotely connected to the customer credential system 220 , the credentials are submitted by way of a compromised credential query to a query processor to determine if the new credentials can be matched against already compromised credentials stored in a cache ( 370 ).
  • the customer credential system 220 may thus create a compromised credential query that is forwarded to the query processor via the customer specific implementation and the customer facing interface.
  • the query processor may search the local cache to identify any instances that match the queried credential (e.g., match the customer's username and password identifiers) ( 380 ).
  • the customer specific implementation then provides or pushes the result back to the customer credential system 220 ( 395 ). In this manner, the customer may be notified that his credentials have been compromised.
  • the computing system 1000 may be used to implement or support one or more platforms, infrastructures or computing devices or computing components that may be utilized, in example embodiments, to instantiate, implement, execute or embody the methodologies disclosed herein in a computing environment using, for example, one or more processors or controllers, as provided below.
  • the computing system 1000 can include a processor 1010 , a memory 1020 , a storage device 1030 , and input/output devices 1040 .
  • the processor 1010 , the memory 1020 , the storage device 1030 , and the input/output devices 1040 can be interconnected via a system bus 1050 .
  • the processor 1010 is capable of processing instructions for execution within the computing system 1000 . Such executed instructions can implement one or more components of, for example, a cloud platform.
  • the processor 1010 can be a single-threaded processor. Alternately, the processor 1010 can be a multi-threaded processor.
  • the processor 1010 is capable of processing instructions stored in the memory 1020 and/or on the storage device 1030 to display graphical information for a user interface provided via the input/output device 1040 .
  • the memory 1020 is a computer readable medium, such as volatile or non-volatile memory, that stores information within the computing system 1000 .
  • the memory 1020 can store data structures representing configuration object databases, for example.
  • the storage device 1030 is capable of providing persistent storage for the computing system 1000 .
  • the storage device 1030 can be a floppy disk device, a hard disk device, an optical disk device, or a tape device, or other suitable persistent storage means.
  • the input/output device 1040 provides input/output operations for the computing system 1000 .
  • the input/output device 1040 includes a keyboard and/or pointing device.
  • the input/output device 1040 includes a display unit for displaying graphical user interfaces.
  • the input/output device 1040 can provide input/output operations for a network device.
  • the input/output device 1040 can include Ethernet ports or other networking ports to communicate with one or more wired and/or wireless networks (e.g., a local area network (LAN), a wide area network (WAN), the Internet).
  • the computing system 1000 can be used to execute various interactive computer software applications that can be used for organization, analysis and/or storage of data in various (e.g., tabular) format (e.g., Microsoft Excel®, and/or any other type of software).
  • the computing system 1000 can be used to execute any type of software applications.
  • These applications can be used to perform various functionalities, e.g., planning functionalities (e.g., generating, managing, editing of spreadsheet documents, word processing documents, and/or any other objects, etc.), computing functionalities, communications functionalities, etc.
  • the applications can include various add-in functionalities or can be standalone computing products and/or functionalities.
  • the functionalities can be used to generate the user interface provided via the input/output device 1040 .
  • the user interface can be generated and presented to a user by the computing system 1000 (e.g., on a computer screen monitor, etc.).
  • One or more aspects or features of the subject matter disclosed or claimed herein may be realized in digital electronic circuitry, integrated circuitry, specially designed application specific integrated circuits (ASICs), field programmable gate arrays (FPGAs), computer hardware, firmware, software, and/or combinations thereof.
  • These various aspects or features may include implementation in one or more computer programs that may be executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, coupled to receive data and instructions from, and to transmit data and instructions to, a storage system, at least one input device, and at least one output device.
  • the programmable system or computing system may include clients and servers. A client and server may be remote from each other and may interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other.
  • machine-readable signal refers to any signal used to provide machine instructions and/or data to a programmable processor.
  • the machine-readable medium may store such machine instructions non-transitorily, such as for example as would a non-transient solid-state memory or a magnetic hard drive or any equivalent storage medium.
  • the machine-readable medium may alternatively or additionally store such machine instructions in a transient manner, such as for example as would a processor cache or other random access memory associated with one or more physical processor cores.
  • one or more aspects or features of the subject matter described herein may be implemented on a computer having a display device, such as for example a cathode ray tube (CRT) or a liquid crystal display (LCD) or a light emitting diode (LED) monitor for displaying information to the user and a keyboard and a pointing device, such as for example a mouse or a trackball, by which the user may provide input to the computer.
  • Other kinds of devices may be used to provide
  • references to a structure or feature that is disposed “adjacent” another feature may have portions that overlap or underlie the adjacent feature.
  • phrases such as “at least one of” or “one or more of” may occur followed by a conjunctive list of elements or features.
  • the term “and/or” may also occur in a list of two or more elements or features. Unless otherwise implicitly or explicitly contradicted by the context in which it is used, such a phrase is intended to mean any of the listed elements or features individually or any of the recited elements or features in combination with any of the other recited elements or features.
  • the phrases “at least one of A and B;” “one or more of A and B;” and “A and/or B” are each intended to mean “A alone, B alone, or A and B together.”
  • a similar interpretation is also intended for lists including three or more items.
  • the phrases “at least one of A, B, and C;” “one or more of A, B, and C;” and “A, B, and/or C” are each intended to mean “A alone, B alone, C alone, A and B together, A and C together, B and C together, or A and B and C together.”
  • Use of the term “based on,” above and in the claims is intended to mean, “based at least in part on,” such that an unrecited feature or element is also permissible.
  • spatially relative terms such as “forward”, “rearward”, “under”, “below”, “lower”, “over”, “upper” and the like, may be used herein for ease of description to describe one element or feature's relationship to another element(s) or feature(s) as illustrated in the figures. It will be understood that the spatially relative terms are intended to encompass different orientations of the device in use or operation in addition to the orientation depicted in the figures. For example, if a device in the figures is inverted, elements described as “under” or “beneath” other elements or features would then be oriented “over” the other elements or features due to the inverted state. Thus, the term “under” may encompass both an orientation of over and under, depending on the point of reference or orientation.
  • the device may be otherwise oriented (rotated 90 degrees or at other orientations) and the spatially relative descriptors used herein interpreted accordingly.
  • the terms “upwardly”, “downwardly”, “vertical”, “horizontal” and the like may be used herein for the purpose of explanation only unless specifically indicated otherwise.
  • first and second may be used herein to describe various features/elements (including steps or processes), these features/elements should not be limited by these terms as an indication of the order of the features/elements or whether one is primary or more important than the other, unless the context indicates otherwise. These terms may be used to distinguish one feature/element from another feature/element. Thus, a first feature/element discussed could be termed a second feature/element, and similarly, a second feature/element discussed below could be termed a first feature/element without departing from the teachings provided herein.
  • a numeric value may have a value that is +/−0.1% of the stated value (or range of values), +/−1% of the stated value (or range of values), +/−2% of the stated value (or range of values), +/−5% of the stated value (or range of values), +/−10% of the stated value (or range of values), etc. Any numerical values given herein should also be understood to include about or approximately that value, unless the context indicates otherwise.
  • any numerical range recited herein is intended to include all sub-ranges subsumed therein. It is also understood that when a value is disclosed, “less than or equal to” the value, “greater than or equal to” the value, and possible ranges between values are also disclosed, as appropriately understood by the skilled artisan. For example, if the value “X” is disclosed, then “less than or equal to X” as well as “greater than or equal to X” (e.g., where X is a numerical value) is also disclosed.
  • data is provided in a number of different formats, and that this data may represent endpoints or starting points, and ranges for any combination of the data points.
  • a particular data point “10” and a particular data point “15” may be disclosed, it is understood that greater than, greater than or equal to, less than, less than or equal to, and equal to 10 and 15 may be considered disclosed as well as between 10 and 15.
  • each unit between two particular units may be also disclosed. For example, if 10 and 15 may be disclosed, then 11, 12, 13, and 14 may be also disclosed.
  • One or more aspects or features of the subject matter described herein can be realized in digital electronic circuitry, integrated circuitry, specially designed application specific integrated circuits (ASICs), field programmable gate arrays (FPGAs) computer hardware, firmware, software, and/or combinations thereof.
  • These various aspects or features can include implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which can be special or general purpose, coupled to receive data and instructions from, and to transmit data and instructions to, a storage system, at least one input device, and at least one output device.
  • the programmable system or computing system may include clients and servers.
  • a client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other.
  • machine-readable signal refers to any signal used to provide machine instructions and/or data to a programmable processor.
  • the machine-readable medium can store such machine instructions non-transitorily, such as for example as would a non-transient solid-state memory or a magnetic hard drive or any equivalent storage medium.
  • the machine-readable medium can alternatively or additionally store such machine instructions in a transient manner, such as for example, as would a processor cache or other random access memory associated with one or more physical processor cores.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Medical Informatics (AREA)
  • Computational Linguistics (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Storage Device Security (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

Data validation systems and methods are provided. The method comprises generating a data set associated with a first credential information; submitting the data set to a data provider over a computing network to validate the first credential information, the data provider analyzing the data set to determine whether a match is found for the first credential information based on second credential information known to have been compromised; and in response to a match being found, determining that the first credential information has been potentially compromised.

Description

    CROSS-REFERENCE TO RELATED APPLICATIONS
  • The present application claims priority to and the benefit of the earlier filing date of Provisional Application Ser. Nos. 62/870,332, and 62/897,197, filed on Jul. 3, 2019 and Sep. 6, 2019, respectively, the content of which is incorporated herein by reference in entirety.
  • TECHNICAL FIELD
  • The disclosed subject matter generally relates to data security and, more particularly, to managing credential data which may have been compromised.
  • BACKGROUND
  • Data security is of paramount importance especially when the data includes sensitive, personal or confidential information. A breach in data security often leads to theft of data where sensitive or critical information is copied, transmitted or viewed unlawfully or without authorization.
  • Theft of sensitive data that includes financial information (e.g., credit card or bank account numbers), personal information (e.g., medical data, social security number, driver license number, etc.), secrets (e.g., government data, intellectual property, trade secret, etc.) or a combination thereof can have severe ramifications for the owners of the data and institutions that are tasked with keeping the data secure.
  • Unfortunately, data breaches can be detrimental to businesses, individuals, financial institutions and governmental entities. It is now well known that such incidents can lead to interference with business or political practices, financial loss, damage to reputation, identity theft and other serious threats. A variety of shortcomings can lead to a security breach, depending on the entities that have been compromised and their customers or constituents.
  • Such shortcomings include unknown design vulnerabilities, computing bugs, naïve user behavior, weak credential authentication settings and mechanisms and other factors that can render a data system susceptible to attack. Some of these factors may involve phishing sites that imitate a login page, malware that is non-active but has gathered usernames and passwords from infected machines, or usernames and passwords collected from data breaches.
  • SUMMARY
  • For purposes of summarizing, certain aspects, advantages, and novel features have been described herein. It is to be understood that not all such advantages may be achieved in accordance with any one particular embodiment. Thus, the disclosed subject matter may be embodied or carried out in a manner that achieves or optimizes one advantage or group of advantages without achieving all advantages as may be taught or suggested herein.
  • In accordance with one or more embodiments, a computer-implemented data validation method is provided. The method may comprise generating a data set associated with a first credential information and submitting the data set to a data provider over a computing network to validate the first credential information. The data provider may analyze the data set to determine whether a match is found for the first credential information based on second credential information known to have been compromised. In response to a match being found, it is determined that the first credential information has been potentially compromised.
  • A user associated with the first credential information may be requested to update the first credential information, in response to confirming that the first credential information has been compromised. The data set may include a cryptographic hash of at least a part of the first credential information. The data provider may search a series of hash values to find a match for the cryptographic hash. The series of hash values may include a hash of at least a part of the second credential information known to have been compromised.
  • In certain aspects, information associated with the match found may be stored in a cache locally available to a customer credential system of an institution responsible for safeguarding the first credential information. A splitter may be utilized to provide the information associated with the match found to one or more of the cache or the customer credential system of the institution responsible for safeguarding the first credential information. The match may be found by comparing a partial hash of the first credential information with a partial hash of the second credential information known to have been compromised.
  • In one or more implementations, in response to the match being found, a full hash value of the second credential information known to have been compromised is received. The full hash value of the second credential information may be compared with the full hash value of the first credential information to confirm the first credential information has been compromised. In accordance with some embodiments, a computer program product or system may be configured or programmed to perform the steps or processes disclosed in the above-noted computer-implemented methodology.
  • The details of one or more variations of the subject matter described herein are set forth in the accompanying drawings and the description below. Other features and advantages of the subject matter described herein will be apparent from the description and drawings, and from the claims. The disclosed subject matter is not, however, limited to any particular embodiment disclosed.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • The accompanying drawings, which are incorporated in and constitute a part of this specification, show certain aspects of the subject matter disclosed herein and, together with the description, help explain some of the principles associated with the disclosed implementations as provided below.
  • FIG. 1 illustrates an example operating environment for credential validation, in accordance with one or more embodiments, in which the operations and functionalities disclosed herein may be implemented.
  • FIG. 2 is a block diagram of an exemplary system for identifying compromised credentials in accordance with one or more embodiments.
  • FIGS. 3A and 3B are flow diagrams of a method of determining whether certain credentials have been compromised, in accordance with an example implementation.
  • FIG. 4 is a block diagram of an example computing system that may be utilized to perform one or more computing operations or processes as consistent with one or more disclosed features.
  • The figures may not be to scale in absolute or comparative terms and are intended to be exemplary. The relative placement of features and elements may have been modified for the purpose of illustrative clarity. Where practical, the same or similar reference numbers denote the same or similar or equivalent structures, features, aspects, or elements, in accordance with one or more embodiments.
  • DETAILED DESCRIPTION OF EXAMPLE IMPLEMENTATIONS
  • In the following, numerous specific details are set forth to provide a thorough description of various embodiments. Certain embodiments may be practiced without these specific details or with some variations in detail. In some instances, certain features are described in less detail so as not to obscure other aspects. The level of detail associated with each of the elements or features should not be construed to qualify the novelty or importance of one feature over the others.
  • When a security breach compromises credential data (e.g., username, password) or any type of sensitive or secret data, it is important to efficiently and quickly identify the compromised data and take proactive steps to mitigate the breach. For example, if it is determined that a bank customer's username or password has been compromised, the customer can be notified. The customer may be also asked to change the compromised data. The present disclosure is directed to systems and methods that can efficiently identify compromised data and effectively remediate an existing security threat.
  • Referring to FIG. 1, an example operating environment 100 is illustrated in which a computing system 110 may be used to interact with software 112 being executed on computing system 110. The computing system 110 may be a general-purpose computer, a handheld mobile device (e.g., a smart phone), a tablet (e.g., an Apple iPad®), or other communication capable computing device. Software 112 may be a web browser, a dedicated app or other type of software application running either fully or partially on computing system 110 for the purpose of managing customer credential data and detecting potentials for security breach.
  • Computing system 110 may communicate over a network 130 to access data stored on storage device 140 or to access services provided by a computing system 120. Depending on implementation, storage device 140 may be local to, remote to, or embedded in one or more of computing systems 110 or 120. A server system 122 may be configured on computing system 120 to service one or more requests submitted by computing system 110 or software 112 (e.g., client systems) via network 130. Network 130 may be implemented over a local or wide area network (e.g., the Internet).
  • Computing system 120 and server system 122 may be implemented over a centralized or distributed (e.g., cloud-based) computing environment as dedicated resources or may be configured as virtual machines that define shared processing or storage resources. Execution, implementation or instantiation of software 124, or the related features and components (e.g., software objects), over server system 122 may also define a special purpose machine that provides remotely situated client systems, such as computing system 110 or software 112, with access to a variety of data providers and services, as provided in further detail below.
  • In accordance with one or more implementations, the provided services by the special purpose machine (e.g., server system 122 or software 124) may include providing an operating environment 100 which supports an interface between a customer system, implemented on computing system 110, and one or more data providers implemented on one or more computing systems 120, for example. Software 112 running on computing system 110 may be configured to provide validation information over network 130 to computing system 110 in a secure manner. Software 124 running on server system 122, in relationship with software 112, may be configured to determine if the provided sensitive data or credential information (e.g., username and/or password) are potentially compromised.
  • Referring to FIG. 2, a credential remediation infrastructure 210 may be implemented as supported by operating environment 100 to help one or more institutions that store confidential, private or secret information maintain the integrity of such information by continually checking whether the credential information for any of their customers has been compromised. As shown, the credential remediation system 210 may include a customer credential system 220 that communicates with one or more data providers (e.g., data providers 1 and 2). An interface platform, for example including an application programming interface (API), may be provided that has a customer facing interface or a data provider facing interface, or both, depending on implementation.
  • In certain embodiments, a processing and storage platform may be provided that includes at least one data splitter, a data caching mechanism, and one or more data processors (e.g., query processors, parameters processors, etc.). The computer interface may be configured to support a data provider implementation and a customer specific implementation. The customer specific implementation may be configured as a portion of the customer facing interface to communicate data according to a transmission protocol or specific transmission attributes of the customer credential system 220. The data provider specific implementation, on the other hand, may be configured as a portion of the data provider facing interface to communicate with the one or more data providers.
  • In some implementations, the data provider 1 and the data provider 2 may have a proprietary or customized implementation as configurable to communicate with the data provider facing interface. Relying on the interface components noted above, the customer credential system 220 may communicate with the data providers to determine which customer or user credentials are possibly compromised. If compromised user credentials are identified, the credentials can be replaced by new credentials by requesting a user to change his username and password. To ensure secured transmission, in one example embodiment, customer credential system 220 may use a hash algorithm to provide hashes of credential information to one or more data providers.
  • In one example scenario, instead of a full hash, a partial hash of the credential information may be calculated. To further secure (e.g., encrypt) the transmission of credential information, a random text (e.g., “salt”) may be also added to the partial hash. An encrypted credential information may be transmitted to the one or more data providers by way of a series of intermediary components in the implemented interface, as provided in further detail herein. A data provider, upon receiving the encrypted credential information may apply the same hash algorithm to a series of credentials that are known to have been compromised.
  • Information about the hash algorithm and salt used to encrypt the credentials may be forwarded to the data provider, either along with the encrypted credentials or independently during a separate transmission. Without limitation, various procedures may be implemented or utilized by a provider to determine whether or not customer credentials have been compromised. The provider may have obtained the compromised credentials by performing a search on the dark web, for example.
  • Accordingly, a data provider may generate full or partial hashes of the compromised credentials and compare the generated hash values with the hash values transmitted from the customer credential system 220 to the data provider. A Bloom filter, for example, which can indicate that a match is possibly found (or definitely not found) may be utilized by the data provider to determine whether a credential submitted by the customer credential system 220 matches a known compromised credential. If a match is found (or is likely to be found), the data provider may notify the customer credential system that certain credentials associated with the hash have been compromised.
  • In embodiments where a partial hash is provided to the data provider, the data provider may return to the customer credential system 220 the full hash of the matched credential and additional information about the matched credential (e.g., the nature of the threat). Customer credential system 220, upon receiving the information about the potential match, may compare the full hash of the credential information (e.g., the full hash of the username assigned to a customer) with the full hash of matched credentials provided by the provider. If there is a match, then customer credential system 220 may notify a customer or the corresponding institution (e.g., a bank) that the credential has been compromised.
  • In some embodiments, once it is determined that a certain credential (e.g., a username) is compromised, additional credential information (e.g., password data, pin, etc.) associated with the matched credential may be also analyzed to determine the extent of the breach or security threat. This analysis may be performed by the customer credential system 220, the data provider or an independent entity. Furthermore, as noted earlier, additional information about the breach may be also provided by the data provider. Such information may include, for example, the source of the breach or any other attributes or characteristics related to the breach that may be useful for the purpose of mitigating or remediating the breach or associated security concern.
  • In accordance with one implementation, if it is determined that a customer's credentials are compromised, the customer may be contacted and asked to update or change his or her credentials (e.g., username, password, etc.). When the customer updates the credentials, the updated credential values may be submitted to the provider to ensure the updated credentials are not on the list of known compromised credentials. If the updated credentials are on that list, the customer may be prompted not to use the new credential.
  • In accordance with another implementation, a cache mechanism may be implemented to store information about compromised credentials as the corresponding information is received from the one or more data providers. In certain scenarios, instead of forwarding credential-related data to the data providers for monitoring, the credentials (e.g., new or updated credential data) may be compared with the information in the cache. This implementation can improve credential validation efficiency and speed by avoiding the latency associated with having to transmit the credential information to data providers that are remotely situated. In an embodiment where the cache mechanism is implemented locally in relation to the customer credential system 220, credential validation can advantageously take place in real-time or near real-time in an expedited manner, due to time savings and resource efficiencies associated with accessing a local cache.
  • Referring to FIGS. 2, 3A and 3B, a more detailed example of credential validation and data breach remediation is provided, in accordance with one or more embodiments. It is noteworthy that the details provided are by way of example and certain steps, processes and features may be implemented or performed in different configurations or orders or using similar or completely different types of computing resources, which may be capable of performing the same functionalities or operations.
  • As provided in further detail herein, the customer credential system 220 may invoke a process to validate one or more credentials for one or more users or customers. The validation process may be invoked for a single customer, for example, when the customer initially sets up a username and password, or at a time when the customer updates the credentials. In alternative embodiments, a batch process may be executed at predetermined time intervals (e.g., daily or weekly) to invoke a validation process to validate the credential data periodically.
  • As shown in FIG. 3A, the customer credential system 220 may thus collect and transmit credential-related parameters (e.g., hashed usernames or passwords, prefixed or postfixed salt, the hashing algorithm used to hash the username or password) to a parameter processor via the customer specific implementation of a customer facing interface (310). The parameter processor may forward the credential parameters to the data providers via the data provider facing interface (320). The data providers may use the credential parameters to identify possibly compromised credentials and create compromised credential identifiers to send back to the customer credential system 220 (330).
  • The credential identifiers are collected from data providers using a data provider specific fetching implementation and are then converted and tagged (340). A data splitter may be configured to pull compromised credential identifiers via the data provider facing interface and store the compromised credential identifiers to a local cache and/or send the compromised credentials to the customer credential system 220 via the customer facing interface, for example (350). A customer specific implementation may capture, pull or receive new compromised credential identifiers from the splitter via the customer facing interface and push the information to the customer credential system 220 (360). Accordingly, the customer credential system 220 may be provided with an identification of one or more credentials that may have been compromised.
  • In some embodiments, to confirm that the partial hash values associated with the potentially compromised credentials are the same as those of a customer of the querying institution, the customer credential system 220 may request additional information from the one or more data providers. For example, a complete hash value of the compromised credential (e.g., username) and other associated credentials (e.g., password) may be calculated or requested. The additional information provided, in comparison to the information available to customer credential system 220, may indicate or confirm that the potentially compromised credentials match. If so, then it is confirmed that the potentially compromised credentials are in fact compromised. Accordingly, the customer with compromised credentials may be requested to update the affected credential (e.g., update the old username and password) with new credentials.
  • Referring to FIG. 3B, in certain embodiments, the newly updated credentials (e.g., username and password) may be validated by way of the same or similar processes provided in FIG. 3A. In one implementation, for the purpose of efficiency, instead of forwarding the new credential hashes all the way to the data providers, which may be remotely connected to the customer credential system 220, the credentials are instead submitted by way of a compromised credential query to a query processor to determine if the new credentials can be matched against already compromised credentials stored in a cache (370). The customer credential system 220 may thus create a compromised credential query that is forwarded to the query processor via the customer specific implementation and the customer facing interface.
  • The query processor may search the local cache to identify any instances that match the queried credential (e.g., match the customer's username and password identifiers) (380). The query processor creates a compromised credential query response and sets a flag (e.g., a binary value) depending on whether a match is found or not (e.g., flag=1 indicating a match, flag=0 indicating no match), and forwards a compromised credential query response to the customer specific implementation via the customer facing interface system (390). The customer specific implementation then provides or pushes the result back to the customer credential system 220 (395). In this manner, the customer may be notified that his credentials have been compromised.
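The partial-hash exchange, Bloom-filter pre-check and full-hash confirmation described earlier, together with the local-cache query of FIG. 3B, shown here as an added Python example that is not code from the patent. SHA-256, a prefixed salt, a 5-hex-character partial hash, all class and function names, and the sample credentials are assumptions made for illustration.

```python
import hashlib
import hmac
import math

PREFIX_HEX = 5  # assumed partial-hash length: 5 hex chars = 20 bits


def credential_hash(value, salt, algorithm="sha256"):
    """Full hex hash of the credential with a prefixed salt (assumed layout)."""
    return hashlib.new(algorithm, (salt + value).encode("utf-8")).hexdigest()


class BloomFilter:
    """Answers 'possibly present' or 'definitely absent'; never a false negative."""

    def __init__(self, n_items, fp_rate=0.01):
        n = max(1, n_items)
        self.m = max(8, math.ceil(-n * math.log(fp_rate) / math.log(2) ** 2))
        self.k = max(1, round(self.m / n * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        # Double hashing: derive k bit positions from one SHA-256 digest.
        d = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, item):
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(item))


class DataProvider:
    """Holds credentials known to be compromised (constructed sample data)."""

    def __init__(self, compromised):
        self._compromised = list(compromised)
        self._index = {}  # (salt, algorithm, prefix length) -> (bloom, full hashes)

    def _build(self, salt, algorithm, n):
        # Apply the customer's algorithm and salt to the compromised list once.
        key = (salt, algorithm, n)
        if key not in self._index:
            full = [credential_hash(c, salt, algorithm) for c in self._compromised]
            bloom = BloomFilter(len(full))
            for h in full:
                bloom.add(h[:n])
            self._index[key] = (bloom, full)
        return self._index[key]

    def lookup(self, prefix, salt, algorithm):
        """Return full hashes of compromised credentials sharing the prefix."""
        bloom, full = self._build(salt, algorithm, len(prefix))
        if prefix not in bloom:
            return []  # definitely not found
        # Possibly found: the exact scan removes Bloom false positives.
        return [h for h in full if h.startswith(prefix)]


class CustomerCredentialSystem:
    def __init__(self, provider, salt, algorithm="sha256"):
        self.provider = provider
        self.salt = salt
        self.algorithm = algorithm
        self.cache = set()  # local cache of compromised credential identifiers

    def _confirm(self, full, candidates):
        # Constant-time comparison of full hashes.
        return any(hmac.compare_digest(full, c) for c in candidates)

    def validate(self, credential):
        """Remote check: only the partial hash, salt and algorithm are sent."""
        full = credential_hash(credential, self.salt, self.algorithm)
        candidates = self.provider.lookup(full[:PREFIX_HEX], self.salt, self.algorithm)
        self.cache.update(candidates)  # splitter role: keep identifiers locally
        return self._confirm(full, candidates)  # full-hash comparison confirms

    def query_cache(self, credential):
        """Local check: flag=1 on a match in the cache, flag=0 otherwise."""
        full = credential_hash(credential, self.salt, self.algorithm)
        return int(self._confirm(full, self.cache))


if __name__ == "__main__":
    provider = DataProvider(["alice@example.com", "hunter2", "jsmith1984"])
    system = CustomerCredentialSystem(provider, salt="constructed-salt-01")
    print(system.validate("alice@example.com"))     # remote check via the provider
    print(system.query_cache("alice@example.com"))  # answered from the local cache
    print(system.validate("fresh-username-7f3a"))
```

A flag of 0 from `query_cache` only says the hash is not among identifiers already received from a provider; it is not a verdict on the provider's full list. A shorter partial hash reveals less to the provider but returns more candidates for the full-hash comparison.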
  • Referring to FIG. 4, a block diagram illustrating a computing system 1000 consistent with one or more embodiments is provided. The computing system 1000 may be used to implement or support one or more platforms, infrastructures or computing devices or computing components that may be utilized, in example embodiments, to instantiate, implement, execute or embody the methodologies disclosed herein in a computing environment using, for example, one or more processors or controllers, as provided below.
  • As shown in FIG. 4, the computing system 1000 can include a processor 1010, a memory 1020, a storage device 1030, and input/output devices 1040. The processor 1010, the memory 1020, the storage device 1030, and the input/output devices 1040 can be interconnected via a system bus 1050. The processor 1010 is capable of processing instructions for execution within the computing system 1000. Such executed instructions can implement one or more components of, for example, a cloud platform. In some implementations of the current subject matter, the processor 1010 can be a single-threaded processor. Alternately, the processor 1010 can be a multi-threaded processor. The processor 1010 is capable of processing instructions stored in the memory 1020 and/or on the storage device 1030 to display graphical information for a user interface provided via the input/output device 1040.
  • The memory 1020 is a computer readable medium, such as volatile or non-volatile memory, that stores information within the computing system 1000. The memory 1020 can store data structures representing configuration object databases, for example. The storage device 1030 is capable of providing persistent storage for the computing system 1000. The storage device 1030 can be a floppy disk device, a hard disk device, an optical disk device, or a tape device, or other suitable persistent storage means. The input/output device 1040 provides input/output operations for the computing system 1000. In some implementations of the current subject matter, the input/output device 1040 includes a keyboard and/or pointing device. In various implementations, the input/output device 1040 includes a display unit for displaying graphical user interfaces.
  • According to some implementations of the current subject matter, the input/output device 1040 can provide input/output operations for a network device. For example, the input/output device 1040 can include Ethernet ports or other networking ports to communicate with one or more wired and/or wireless networks (e.g., a local area network (LAN), a wide area network (WAN), the Internet).
  • In some implementations of the current subject matter, the computing system 1000 can be used to execute various interactive computer software applications that can be used for organization, analysis and/or storage of data in various (e.g., tabular) format (e.g., Microsoft Excel®, and/or any other type of software). Alternatively, the computing system 1000 can be used to execute any type of software applications. These applications can be used to perform various functionalities, e.g., planning functionalities (e.g., generating, managing, editing of spreadsheet documents, word processing documents, and/or any other objects, etc.), computing functionalities, communications functionalities, etc. The applications can include various add-in functionalities or can be standalone computing products and/or functionalities. Upon activation within the applications, the functionalities can be used to generate the user interface provided via the input/output device 1040. The user interface can be generated and presented to a user by the computing system 1000 (e.g., on a computer screen monitor, etc.).
  • One or more aspects or features of the subject matter disclosed or claimed herein may be realized in digital electronic circuitry, integrated circuitry, specially designed application specific integrated circuits (ASICs), field programmable gate arrays (FPGAs), computer hardware, firmware, software, and/or combinations thereof. These various aspects or features may include implementation in one or more computer programs that may be executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, coupled to receive data and instructions from, and to transmit data and instructions to, a storage system, at least one input device, and at least one output device. The programmable system or computing system may include clients and servers. A client and server may be remote from each other and may interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other.
  • These computer programs, which may also be referred to as programs, software, software applications, applications, components, or code, may include machine instructions for a programmable controller, processor, microprocessor or other computing or computerized architecture, and may be implemented in a high-level procedural language, an object-oriented programming language, a functional programming language, a logical programming language, and/or in assembly/machine language. As used herein, the term “machine-readable medium” refers to any computer program product, apparatus and/or device, such as for example magnetic discs, optical disks, memory, and Programmable Logic Devices (PLDs), used to provide machine instructions and/or data to a programmable processor, including a machine-readable medium that receives machine instructions as a machine-readable signal. The term “machine-readable signal” refers to any signal used to provide machine instructions and/or data to a programmable processor. The machine-readable medium may store such machine instructions non-transitorily, such as for example as would a non-transient solid-state memory or a magnetic hard drive or any equivalent storage medium. The machine-readable medium may alternatively or additionally store such machine instructions in a transient manner, such as for example as would a processor cache or other random access memory associated with one or more physical processor cores.
  • To provide for interaction with a user, one or more aspects or features of the subject matter described herein may be implemented on a computer having a display device, such as for example a cathode ray tube (CRT) or a liquid crystal display (LCD) or a light emitting diode (LED) monitor for displaying information to the user and a keyboard and a pointing device, such as for example a mouse or a trackball, by which the user may provide input to the computer. Other kinds of devices may be used to provide for interaction with a user as well. For example, feedback provided to the user may be any form of sensory feedback, such as for example visual feedback, auditory feedback, or tactile feedback; and input from the user may be received in any form, including acoustic, speech, or tactile input. Other possible input devices include touch screens or other touch-sensitive devices such as single or multi-point resistive or capacitive trackpads, voice recognition hardware and software, optical scanners, optical pointers, digital image capture devices and associated interpretation software, and the like.
  • Terminology
  • When a feature or element is herein referred to as being “on” another feature or element, it may be directly on the other feature or element or intervening features and/or elements may also be present. In contrast, when a feature or element is referred to as being “directly on” another feature or element, there may be no intervening features or elements present. It will also be understood that, when a feature or element is referred to as being “connected”, “attached” or “coupled” to another feature or element, it may be directly connected, attached or coupled to the other feature or element or intervening features or elements may be present. In contrast, when a feature or element is referred to as being “directly connected”, “directly attached” or “directly coupled” to another feature or element, there may be no intervening features or elements present.
  • Although described or shown with respect to one embodiment, the features and elements so described or shown may apply to other embodiments. It will also be appreciated by those of skill in the art that references to a structure or feature that is disposed “adjacent” another feature may have portions that overlap or underlie the adjacent feature.
  • Terminology used herein is for the purpose of describing particular embodiments and implementations only and is not intended to be limiting. For example, as used herein, the singular forms “a”, “an” and “the” may be intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises” and/or “comprising,” when used in this specification, specify the presence of stated features, steps, operations, processes, functions, elements, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, processes, functions, elements, components, and/or groups thereof. As used herein, the term “and/or” includes any and all combinations of one or more of the associated listed items and may be abbreviated as “/”.
  • In the descriptions above and in the claims, phrases such as “at least one of” or “one or more of” may occur followed by a conjunctive list of elements or features. The term “and/or” may also occur in a list of two or more elements or features. Unless otherwise implicitly or explicitly contradicted by the context in which it is used, such a phrase is intended to mean any of the listed elements or features individually or any of the recited elements or features in combination with any of the other recited elements or features. For example, the phrases “at least one of A and B;” “one or more of A and B;” and “A and/or B” are each intended to mean “A alone, B alone, or A and B together.” A similar interpretation is also intended for lists including three or more items. For example, the phrases “at least one of A, B, and C;” “one or more of A, B, and C;” and “A, B, and/or C” are each intended to mean “A alone, B alone, C alone, A and B together, A and C together, B and C together, or A and B and C together.” Use of the term “based on,” above and in the claims is intended to mean, “based at least in part on,” such that an unrecited feature or element is also permissible.
  • Spatially relative terms, such as “forward”, “rearward”, “under”, “below”, “lower”, “over”, “upper” and the like, may be used herein for ease of description to describe one element or feature's relationship to another element(s) or feature(s) as illustrated in the figures. It will be understood that the spatially relative terms are intended to encompass different orientations of the device in use or operation in addition to the orientation depicted in the figures. For example, if a device in the figures is inverted, elements described as “under” or “beneath” other elements or features would then be oriented “over” the other elements or features due to the inverted state. Thus, the term “under” may encompass both an orientation of over and under, depending on the point of reference or orientation. The device may be otherwise oriented (rotated 90 degrees or at other orientations) and the spatially relative descriptors used herein interpreted accordingly. Similarly, the terms “upwardly”, “downwardly”, “vertical”, “horizontal” and the like may be used herein for the purpose of explanation only unless specifically indicated otherwise.
  • Although the terms “first” and “second” may be used herein to describe various features/elements (including steps or processes), these features/elements should not be limited by these terms as an indication of the order of the features/elements or whether one is primary or more important than the other, unless the context indicates otherwise. These terms may be used to distinguish one feature/element from another feature/element. Thus, a first feature/element discussed could be termed a second feature/element, and similarly, a second feature/element discussed below could be termed a first feature/element without departing from the teachings provided herein.
  • As used herein in the specification and claims, including as used in the examples and unless otherwise expressly specified, all numbers may be read as if prefaced by the word “about” or “approximately,” even if the term does not expressly appear. The phrase “about” or “approximately” may be used when describing magnitude and/or position to indicate that the value and/or position described is within a reasonable expected range of values and/or positions. For example, a numeric value may have a value that is +/−0.1% of the stated value (or range of values), +/−1% of the stated value (or range of values), +/−2% of the stated value (or range of values), +/−5% of the stated value (or range of values), +/−10% of the stated value (or range of values), etc. Any numerical values given herein should also be understood to include about or approximately that value, unless the context indicates otherwise.
  • For example, if the value “10” is disclosed, then “about 10” is also disclosed. Any numerical range recited herein is intended to include all sub-ranges subsumed therein. It is also understood that when a value is disclosed, “less than or equal to” the value, “greater than or equal to” the value, and possible ranges between values are also disclosed, as appropriately understood by the skilled artisan. For example, if the value “X” is disclosed, then “less than or equal to X” as well as “greater than or equal to X” (e.g., where X is a numerical value) are also disclosed. It is also understood that throughout the application, data is provided in a number of different formats, and that this data may represent endpoints or starting points, and ranges for any combination of the data points. For example, if a particular data point “10” and a particular data point “15” may be disclosed, it is understood that greater than, greater than or equal to, less than, less than or equal to, and equal to 10 and 15 may be considered disclosed as well as between 10 and 15. It is also understood that each unit between two particular units may be also disclosed. For example, if 10 and 15 may be disclosed, then 11, 12, 13, and 14 may be also disclosed.
  • Although various illustrative embodiments have been disclosed, any of a number of changes may be made to various embodiments without departing from the teachings herein. For example, the order in which various described method steps are performed may be changed or reconfigured in different or alternative embodiments, and in other embodiments, one or more method steps may be skipped altogether. Optional or desirable features of various device and system embodiments may be included in some embodiments and not in others. Therefore, the foregoing description is provided primarily for the purpose of example and should not be interpreted to limit the scope of the claims and specific embodiments or particular details or features disclosed.
  • One or more aspects or features of the subject matter described herein can be realized in digital electronic circuitry, integrated circuitry, specially designed application specific integrated circuits (ASICs), field programmable gate arrays (FPGAs), computer hardware, firmware, software, and/or combinations thereof. These various aspects or features can include implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which can be special or general purpose, coupled to receive data and instructions from, and to transmit data and instructions to, a storage system, at least one input device, and at least one output device. The programmable system or computing system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other.
  • These computer programs, which can also be referred to as programs, software, software applications, applications, components, or code, include machine instructions for a programmable processor, and can be implemented in a high-level procedural language, an object-oriented programming language, a functional programming language, a logical programming language, and/or in assembly/machine language. As used herein, the term “machine-readable medium” refers to any computer program product, apparatus and/or device, such as for example magnetic discs, optical disks, memory, and Programmable Logic Devices (PLDs), used to provide machine instructions and/or data to a programmable processor, including a machine-readable medium that receives machine instructions as a machine-readable signal.
  • The term “machine-readable signal” refers to any signal used to provide machine instructions and/or data to a programmable processor. The machine-readable medium can store such machine instructions non-transitorily, such as for example as would a non-transient solid-state memory or a magnetic hard drive or any equivalent storage medium. The machine-readable medium can alternatively or additionally store such machine instructions in a transient manner, such as for example, as would a processor cache or other random access memory associated with one or more physical processor cores.
  • The examples and illustrations included herein show, by way of illustration and not of limitation, specific embodiments in which the disclosed subject matter may be practiced. As mentioned, other embodiments may be utilized and derived therefrom, such that structural and logical substitutions and changes may be made without departing from the scope of this disclosure. Such embodiments of the disclosed subject matter may be referred to herein individually or collectively by the term “invention” merely for convenience and without intending to voluntarily limit the scope of this application to any single invention or inventive concept, if more than one is, in fact, disclosed. Thus, although specific embodiments have been illustrated and described herein, any arrangement calculated to achieve an intended, practical or disclosed purpose, whether explicitly stated or implied, may be substituted for the specific embodiments shown. This disclosure is intended to cover any and all adaptations or variations of various embodiments. Combinations of the above embodiments, and other embodiments not specifically described herein, will be apparent to those of skill in the art upon reviewing the above description.
  • The disclosed subject matter has been provided here with reference to one or more features or embodiments. Those skilled in the art will recognize and appreciate that, despite the detailed nature of the example embodiments provided here, changes and modifications may be applied to said embodiments without limiting or departing from the generally intended scope. These and various other adaptations and combinations of the embodiments provided here are within the scope of the disclosed subject matter as defined by the disclosed elements and features and their full set of equivalents.
  • A portion of the disclosure of this patent document may contain material, which is subject to copyright protection. The owner has no objection to facsimile reproduction by anyone of the patent documents or the patent disclosure, as it appears in the Patent and Trademark Office patent files or records, but reserves all copyrights whatsoever. Certain marks referenced herein may be common law or registered trademarks of the applicant, the assignee or third parties affiliated or unaffiliated with the applicant or the assignee. Use of these marks is for providing an enabling disclosure by way of example and shall not be construed to exclusively limit the scope of the disclosed subject matter to material associated with such marks.

Claims (20)

What is claimed is:
1. A data validation method comprising:
generating a data set associated with a first credential information;
submitting the data set to a data provider over a computing network to validate the first credential information, the data provider analyzing the data set to determine whether a match is found for the first credential information based on second credential information known to have been compromised; and
in response to a match being found, determining that the first credential information has been potentially compromised.
2. The method of claim 1 further comprising requesting a user associated with the first credential information to update the first credential information, in response to confirming that the first credential information has been compromised.
3. The method of claim 1, wherein the data set comprises a cryptographic hash of at least a part of the first credential information.
4. The method of claim 3, wherein the data provider searches a series of hash values to find a match for the cryptographic hash.
5. The method of claim 4, wherein the series of hash values comprise a hash of at least a part of the second credential information known to have been compromised.
6. The method of claim 1 further comprising storing information associated with the match found in a cache locally available to a customer credential system of an institution responsible for safeguarding the first credential information.
7. The method of claim 6, wherein a splitter is utilized to provide the information associated with the match found to one or more of the cache or the customer credential system of the institution responsible for safeguarding the first credential information.
8. The method of claim 2, wherein the match is found by comparing a partial hash of the first credential information with a partial hash of the second credential information known to have been compromised.
9. The method of claim 8, wherein in response to the match being found, a full hash value of the second credential information known to have been compromised is received.
10. The method of claim 9 further comprising:
comparing the full hash value of the second credential information with the full hash value of the first credential information to confirm the first credential information has been compromised.
11. A system comprising:
at least one programmable processor; and
a non-transitory machine-readable medium storing instructions that, when executed by the at least one programmable processor, cause the at least one programmable processor to perform operations comprising:
generating a data set associated with a first credential information;
submitting the data set to a data provider over a computing network to validate the first credential information, the data provider analyzing the data set to determine whether a match is found for the first credential information based on second credential information known to have been compromised; and
in response to a match being found, determining that the first credential information has been potentially compromised.
12. The system of claim 11 further comprising requesting a user associated with the first credential information to update the first credential information, in response to confirming that the first credential information has been compromised.
13. The system of claim 11, wherein the data set comprises a cryptographic hash of at least a part of the first credential information.
14. The system of claim 13, wherein the data provider searches a series of hash values to find a match for the cryptographic hash.
15. The system of claim 14, wherein the series of hash values comprise a hash of at least a part of the second credential information known to have been compromised.
16. The system of claim 11 further comprising storing information associated with the match found in a cache locally available to a customer credential system of an institution responsible for safeguarding the first credential information.
17. The system of claim 16, wherein a splitter is utilized to provide the information associated with the match found to one or more of the cache or the customer credential system of the institution responsible for safeguarding the first credential information.
18. A computer program product comprising a non-transitory machine-readable medium storing instructions that, when executed by at least one programmable processor, cause the at least one programmable processor to perform operations comprising:
generating a data set associated with a first credential information;
submitting the data set to a data provider over a computing network to validate the first credential information, the data provider analyzing the data set to determine whether a match is found for the first credential information based on second credential information known to have been compromised; and
in response to a match being found, determining that the first credential information has been potentially compromised.
19. The computer program product of claim 18, wherein the match is found by comparing a partial hash of the first credential information with a partial hash of the second credential information known to have been compromised.
20. The computer program product of claim 19, further comprising:
in response to the match being found, receiving a full hash value of the second credential information known to have been compromised; and
comparing the full hash value of the second credential information with the full hash value of the first credential information to confirm the first credential information has been compromised.
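
The partial-hash lookup followed by full-hash confirmation recited in claims 3 to 10 and 19 to 20, with the local cache of claim 6, shown as an added Python example; it is not code from the patent or its applicant. SHA-256, the 5-character hex prefix, the class names and the status strings are assumptions made here, and the credentials are constructed sample data.

```python
import hashlib
import hmac
from collections import defaultdict

PREFIX_LEN = 5  # assumption: hex characters of the hash sent as the "partial hash"
HEX = set("0123456789abcdef")

NO_MATCH = "no_match"
POTENTIAL = "potential_match_only"      # partial hash matched, full hash did not
CONFIRMED = "confirmed_compromised"     # full hash matched: ask the user to update


def full_hash(credential: str) -> str:
    """Cryptographic hash of the credential information (SHA-256 is an assumption)."""
    return hashlib.sha256(credential.encode("utf-8")).hexdigest()


class DataProvider:
    """Holds the series of hash values of credentials known to be compromised."""

    def __init__(self, compromised_hashes):
        self._buckets = defaultdict(set)
        for h in compromised_hashes:
            self._buckets[h[:PREFIX_LEN]].add(h)
        self.queries_seen = []  # everything the provider learns about lookups

    def lookup(self, partial_hash: str):
        # Reject anything longer than a prefix so a full hash is never accepted.
        if len(partial_hash) != PREFIX_LEN or not set(partial_hash) <= HEX:
            raise ValueError("expected a %d-character lowercase hex prefix" % PREFIX_LEN)
        self.queries_seen.append(partial_hash)
        # On a partial match, return the full hashes sharing that prefix.
        return sorted(self._buckets.get(partial_hash, ()))


class CredentialChecker:
    """Institution side: only the partial hash leaves the credential system."""

    def __init__(self, provider: DataProvider):
        self.provider = provider
        # Local cache of provider answers. A deployed cache needs an expiry,
        # because the provider's breach corpus grows over time.
        self.cache = {}

    def check(self, credential: str) -> str:
        h = full_hash(credential)
        prefix = h[:PREFIX_LEN]
        if prefix not in self.cache:
            self.cache[prefix] = self.provider.lookup(prefix)
        candidates = self.cache[prefix]
        if not candidates:
            return NO_MATCH
        # Full-hash comparison happens locally, in constant time per candidate.
        confirmed = False
        for candidate in candidates:
            confirmed |= hmac.compare_digest(candidate, h)
        return CONFIRMED if confirmed else POTENTIAL


def demo():
    # Constructed sample data: bob's credential is in the breach corpus; the
    # decoy is a synthetic hash sharing only alice's prefix, which forces a
    # partial match that full-hash confirmation must reject.
    bob = "bob@example.com:hunter2"
    alice = "alice@example.com:Winter2019!"
    decoy = full_hash(alice)[:PREFIX_LEN] + "0" * (64 - PREFIX_LEN)
    checker = CredentialChecker(DataProvider([full_hash(bob), decoy]))
    return {"bob": checker.check(bob), "alice": checker.check(alice)}


if __name__ == "__main__":
    print(demo())
```

A partial match alone only narrows the candidate set; treating it as confirmation would flag every credential whose hash happens to share the prefix.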
US16/879,680 2019-07-03 2020-05-20 Data breach prevention and remediation Abandoned US20210004492A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US16/879,680 US20210004492A1 (en) 2019-07-03 2020-05-20 Data breach prevention and remediation

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US201962870332P 2019-07-03 2019-07-03
US201962897197P 2019-09-06 2019-09-06
US16/879,680 US20210004492A1 (en) 2019-07-03 2020-05-20 Data breach prevention and remediation

Publications (1)

Publication Number Publication Date
US20210004492A1 true US20210004492A1 (en) 2021-01-07

Family

ID=74065758

Family Applications (3)

Application Number Title Priority Date Filing Date
US16/879,683 Active 2041-02-16 US11392723B2 (en) 2019-07-03 2020-05-20 Data breach prevention and remediation
US16/879,680 Abandoned US20210004492A1 (en) 2019-07-03 2020-05-20 Data breach prevention and remediation
US17/836,923 Abandoned US20220300659A1 (en) 2019-07-03 2022-06-09 Data breach prevention and remediation

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US16/879,683 Active 2041-02-16 US11392723B2 (en) 2019-07-03 2020-05-20 Data breach prevention and remediation

Family Applications After (1)

Application Number Title Priority Date Filing Date
US17/836,923 Abandoned US20220300659A1 (en) 2019-07-03 2022-06-09 Data breach prevention and remediation

Country Status (2)

Country Link
US (3) US11392723B2 (en)
WO (2) WO2021002884A1 (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11366892B2 (en) * 2019-02-05 2022-06-21 Shape Security, Inc. Detecting compromised credentials by improved private set intersection
US11223636B1 (en) * 2019-12-23 2022-01-11 NortonLifeLock Inc. Systems and methods for password breach monitoring and notification
US11483351B2 (en) 2020-08-26 2022-10-25 Cisco Technology, Inc. Securing network resources from known threats
US11880472B2 (en) * 2021-01-14 2024-01-23 Bank Of America Corporation Generating and disseminating mock data for circumventing data security breaches
US11797686B1 (en) * 2021-03-19 2023-10-24 Citrix Systems, Inc. Assessing risk from use of variants of credentials
US12008112B2 (en) * 2021-12-29 2024-06-11 Zerofox, Inc. Systems and methods for unified cyber threat intelligence searching
US11843619B1 (en) * 2022-10-07 2023-12-12 Uab 360 It Stateless system to enable data breach notification
US20250063055A1 (en) * 2023-08-15 2025-02-20 Wells Fargo Bank, N.A. Quantum-based information protection
US12299092B1 (en) * 2024-07-11 2025-05-13 Lookout, Inc. Compromised endpoint credentials interceptor

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9640001B1 (en) * 2012-11-30 2017-05-02 Microstrategy Incorporated Time-varying representations of user credentials
US20170161733A1 (en) * 2015-12-02 2017-06-08 Mastercard International Incorporated Method and system for validation of a token requestor
US20170364700A1 (en) * 2015-06-02 2017-12-21 ALTR Solutions, Inc. Immutable logging of access requests to distributed file systems
US20190394243A1 (en) * 2012-09-28 2019-12-26 Rex Wiig System and method of a requirement, active compliance and resource management for cyber security application
US20200007343A1 (en) * 2018-06-28 2020-01-02 Blockchain Integrated Partners, Llc Systems and methods for data validation and assurance
US10554637B1 (en) * 2019-05-01 2020-02-04 Cyberark Software Ltd. Secure and reconstructible distribution of data among network resources

Family Cites Families (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080148398A1 (en) * 2006-10-31 2008-06-19 Derek John Mezack System and Method for Definition and Automated Analysis of Computer Security Threat Models
US20110131130A1 (en) * 2009-12-01 2011-06-02 Bank Of America Corporation Integrated risk assessment and management system
US9392007B2 (en) * 2013-11-04 2016-07-12 Crypteia Networks S.A. System and method for identifying infected networks and systems from unknown attacks
US9490981B2 (en) * 2014-06-02 2016-11-08 Robert H. Thibadeau, SR. Antialiasing for picture passwords and other touch displays
US20160119365A1 (en) * 2014-10-28 2016-04-28 Comsec Consulting Ltd. System and method for a cyber intelligence hub
JP6736657B2 (en) * 2015-04-17 2020-08-05 エヌシー4・ソルトラ・エルエルシー A computerized system that securely delivers and exchanges cyber threat information in a standardized format
WO2017018926A1 (en) * 2015-07-24 2017-02-02 Certis Cisco Security Pte Ltd System and method for high speed threat intelligence management using unsupervised machine learning and prioritization algorithms
US10051001B1 (en) * 2015-07-31 2018-08-14 Palo Alto Networks, Inc. Efficient and secure user credential store for credentials enforcement using a firewall
US10902114B1 (en) * 2015-09-09 2021-01-26 ThreatQuotient, Inc. Automated cybersecurity threat detection with aggregation and analysis
US10277623B2 (en) * 2016-03-18 2019-04-30 AppBugs, INC. Method of detection of comptromised accounts
US9961053B2 (en) * 2016-05-27 2018-05-01 Dropbox, Inc. Detecting compromised credentials
US10129298B2 (en) * 2016-06-30 2018-11-13 Microsoft Technology Licensing, Llc Detecting attacks using compromised credentials via internal network monitoring
US20180173891A1 (en) * 2016-12-21 2018-06-21 AppBugs, INC. Provision of risk information associated with compromised accounts
US10721254B2 (en) * 2017-03-02 2020-07-21 Crypteia Networks S.A. Systems and methods for behavioral cluster-based network threat detection
US10523695B2 (en) * 2017-07-24 2019-12-31 Sap Se Threat modeling tool using machine learning
US10885393B1 (en) * 2017-09-28 2021-01-05 Architecture Technology Corporation Scalable incident-response and forensics toolkit
US10594713B2 (en) * 2017-11-10 2020-03-17 Secureworks Corp. Systems and methods for secure propagation of statistical models within threat intelligence communities
US10819752B2 (en) * 2017-12-01 2020-10-27 Massachusetts Institute Of Technology Systems and methods for quantitative assessment of a computer defense technique
JP7040535B2 (en) * 2018-01-22 2022-03-23 日本電気株式会社 Security information processing equipment, information processing methods and programs
US10924503B1 (en) * 2018-05-30 2021-02-16 Amazon Technologies, Inc. Identifying false positives in malicious domain data using network traffic data logs
US11425157B2 (en) * 2018-08-24 2022-08-23 California Institute Of Technology Model based methodology for translating high-level cyber threat descriptions into system-specific actionable defense tactics
US11374944B2 (en) * 2018-12-19 2022-06-28 Cisco Technology, Inc. Instant network threat detection system

Also Published As

Publication number Publication date
US20220300659A1 (en) 2022-09-22
US20210006573A1 (en) 2021-01-07
WO2021002884A1 (en) 2021-01-07
US11392723B2 (en) 2022-07-19
WO2021002885A1 (en) 2021-01-07

Legal Events

Date Code Title Description
STPP Information on status: patent application and granting procedure in general

Free format text: APPLICATION DISPATCHED FROM PREEXAM, NOT YET DOCKETED

AS Assignment

Owner name: CYBER TEAM SIX, NORTH CAROLINA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:BRITT, JASON;WESTERHAUS, PATRICK A.;SIGNING DATES FROM 20200615 TO 20200616;REEL/FRAME:053113/0089

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: FINAL REJECTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: ADVISORY ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: FINAL REJECTION MAILED

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION