Abstract: A method begins by a dispersed storage (DS) processing module receiving, from a user device, a data access request and accessing hierarchical data access control information. The method continues with the DS processing module obtaining a logical memory access control file from the hierarchical data access control information and determining a data access request type of the request is within access rights of the user device. When the data access request type is within the access rights of the user device, the method continues with the DS processing module obtaining a data object access control file from the hierarchical data access control information. The method continues with the DS processing module determining, from the data object access control file, whether the data access request type is restricted. When the data access request type is not restricted, the method continues with the DS processing module processing the data access request.

Abstract: Token detection at a single computing platform may be linked with a user identification to unlock content and/or effectuate modifications in virtual space instances presented via multiple computing platforms, in accordance with one or more implementations. Exemplary implementations may enhance consistency in a user's experiences of a virtual space across multiple computing platforms.

Abstract: A data storage system uses the free space that is not yet filled with data after the deployment of the data store. The free space is used to store additional ‘opportunistic’ protection information for stored data, possibly above and beyond the specified protection level. As the system fills up, the additional protection information is deleted to make room for more data and specified protection information.

Abstract: Technologies are generally described for privacy protection for a life-log system. In some examples, a method performed under control of a life-log system may include receiving, from a user account, a request to change one or more real life-log data entries relating to a real event that are stored in a first part of a database; removing the one or more real life-log data entries relating to the real event from the first part of the database; and storing, in the first part of the database, one or more misleading life-log data entries relating to a false event corresponding to the real event.

Abstract: A reporting tool includes a retrieval engine, a context switching engine, a reporting engine, a publication engine, and a subscription engine. The retrieval engine retrieves a request for subscription data. The context switching engine receives security information indicating whether a user is authorized to view reporting data. The reporting engine generates a plurality of batches of reporting data. The publication engine generates the data report by processing the batches. The subscription engine communicates the data report.

Abstract: A write operation is performed in a memory system by encoding, in the memory system, original data transmitted from a host system, according to a first type of host command, to produce an encoding result, transmitting information about the encoding result to the host system after the encoding, and writing the encoding result or the original data into a nonvolatile memory device, according to a second host command, wherein the second host command is transmitted from the host system based on the information about the encoding result.

Abstract: A method and device for avoiding manipulation of a data transmission. A message containing a message authentication code is received at a processing unit, the message from the processing unit is transferred to a hardware module, a check value as a function of the received message is computed in the hardware module, the received message authentication code and the check value are compared in the hardware module, a result of the comparison is transferred from the hardware module to the processing unit as an output variable, the message authentication code received in the message from the processing unit is checked in the processing unit based on the output variable.

Abstract: Systems, methods and media are shown for automatically detecting a use-after-free exploit based attack that involve receiving crash dump data relating to a fault event, determining whether the fault event instruction is a call type instruction and, if so, identifying a UAF attack by checking whether it includes a base address in a first register that stores a pointer to free memory and, if so, generating a UAF alert. In some examples, generating a use-after-free alert includes automatically sending a message that indicates a UAF attack or automatically triggering a system defense to the UAF attack. Some examples may include, for a call type faulting instruction, identifying a UAF attack, checking whether a base address in the first register includes a pointer in a second register to a free memory location associated with the base address.

Abstract: A Software-as-a-Service (SaaS) access control application on a client device is configured with a certificate that identifies a user, and with configuration information for one or more SaaS applications to access, and including an IDP identifier for the SaaS application. The SaaS access control application includes software to be inserted into a network software stack of the client device and software configured to serve as an identity provider for assertions. A request, made by an application on the client device to a SaaS service provider identified by a Universal Resource Locator (URL) provided during configuration of the SaaS access control application, is intercepted within the network software stack of the client device. The SaaS access control application generates an assertion based on the certificate and configuration information. The requesting application is caused to make a request to the SaaS service provider with the assertion embedded in the request.

Abstract: Technologies for managing network privileges of members of graft-network include detecting a computing device in physical presence with a network infrastructure, determining whether the computing device is a member of the graft-network, and establishing initial network privileges for the computing device if the computing device is not a member, without direct programming of the member. The network privileges of members of the graft-network are updated over time as a function of the length of time for which the computing device is in physical presence of the network infrastructure. A computing device may be in physical presence of the network by physical contacting a communication bus of the network infrastructure or being within a limited communication range of the communication bus. New members to the graft-network may be quarantined to reduce risk to the network.

Abstract: A concealed data matching method for a computer including: registering a first concealed vector obtained by concealing registered data and key data based on a first random number and a linear combination of row vectors of a determination matrix; acquiring a second concealed vector; calculating a remainder vector indicating a remainder obtained by dividing the difference between the first concealed vector and the second concealed vector; determining the similarity between the registered data and the matching data based on the remainder vector; extracting the key data from the remainder vector if it is determined they are similar; calculating an inter-vector distance between the registered data and the matching data; and determining the similarity between the registered data and the matching data based on the magnitude of the inter-vector distance.

Abstract: A secure messaging platform for an enterprise environment is disclosed. The secure messaging platform enables users to exchange encrypted communications. Further, the secure messaging platform allows enterprise platforms to review the encrypted communications to ensure that they comply with company policies. Messages that comply with company policies may be provided to their intended recipients, while messages that fail to comply with company policies are not provided to their intended recipients. Additionally, the encrypted communications may be retained for a predetermined time.

Abstract: A remote administrator device is provided outside a firewall that prevents remote devices from accessing, but allows remote devices to send electronic mail messages to a plurality of local network devices. The remote administrator device can send an electronic mail message to a respective one of the plurality of local network devices behind the firewall. The electronic mail message can include instructions for the respective local network device to establish a connection with the remote administrator device through the firewall. Once the connection is established, the remote administrator device can monitor state data received over the connection for the respective local network device.

Abstract: Determining if a computer program is malicious. The program is loaded for execution into the memory of the computer. A list of program instructions of interest is received. Prior to execution of the computer program, and at a time during execution of the computer program, computer program instructions of each of the different types in the computer program that are contained in a program instructions of interest list are counted. If it is determined that the count of the computer program instructions of one of the types determined prior to execution of the computer program differs by at least an associated threshold value from the count of the computer program instructions of the one type determined at the time during execution of the computer program, a record is made that the computer program has an indicia of maliciousness and execution of the program is terminated.

Abstract: A computer-implemented method for detecting misplaced applications using functional categories may include (1) identifying a functional category assigned to an application located on a computing system, the functional category describing a field of functionality that the application performs, (2) identifying an additional functional category assigned to at least one of the computing system and another application located on the computing system, (3) applying a security policy to both the functional category assigned to the application and the additional functional category to determine whether the application belongs on the computing system according to the security policy, and (4) performing a security action to protect users based on the application of the security policy to the functional category assigned to the application and the additional functional category. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-based method for providing information about a potential security incident ascertained from received internet protocol (IP) packets is described. The method includes capturing IP packets from a network, stripping packet header data from the captured IP packets, calculating a cyclic redundancy code (CRC) from one or more fields of the packet header data, determining whether any packet header data has occurred multiple times by comparing the calculated CRC to stored CRCs in each of successive entries in a cache, and storing, in a database, only a single instance of packet header data for any packet header data that is determined to have occurred multiple times.

Abstract: An adaptable network security system includes trust mediator agents that are coupled to each network component. Trust mediator agents continuously detect changes in the security characteristics of the network and communicate the detected security characteristics to a trust mediator. Based on the security characteristics received from the trust mediator agents, the trust mediator adjusts security safeguards to maintain an acceptable level of security. Trust mediator also uses predetermined rules in determining whether to adjust security safeguards. Despite inevitable changes in security characteristics, an acceptable level of security and efficient network operation are achieved without subjecting users of the network to over burdensome security safeguards.

Abstract: Securing access to one or more applications in an enterprise zone (e.g., a set of protected applications) is disclosed. A last activity time associated with a use of at least one mobile application in the protected subset may be retrieved from a shared storage location associated with a protected subset of two or more protected mobile applications. It may be determined that the last activity time is within a session expiration time period associated with the protected subset. Access to one or more applications in the protected subset may be allowed without credential verification based at least in part on the determination.

Abstract: To raise confidentiality of the value stored in the ROM, in an IC having a built-in or an externally-attached ROM storing a value (program and/or data) encrypted using a predetermined cryptographic key. The IC includes the ROM storing the encrypted value (program and/or data), a unique code generating unit, and a decrypting unit. The unique code generating unit generates a unique code specifically determined by production variation. The decrypting unit calculates a cryptographic key on the basis of the generated unique code and a correction parameter, and decrypts the encrypted value readout from the ROM by using the calculated cryptographic key. The correction parameter is preliminarily calculated outside the IC, on the basis of an initial unique code generated from the unique code generating unit immediately after production of the IC, and the predetermined cryptographic key used for encryption of the value to be stored in the ROM.

Abstract: The disclosed computer-implemented method for remediating the effects of malware may include (1) identifying a file on a client device, (2) determining, using a digital fingerprint that identifies the file, that the file's reputation is unknown, (3) in response to determining that the file's reputation is unknown, logging changes made by the file to the client device, (4) determining that the changes made by the file are to be reversed, and (5) in response to determining that the changes made by the file are to be reversed, instructing the client device to reverse the changes made by the file to the client device. Various other methods, systems, and computer-readable media are also disclosed.