Patents Examined by Angela R Holmes
  • Patent number: 10491605
    Abstract: A bundle of public counters and a corresponding bundle of private counters are created and transmitted to a user device. The user device receives a request and processes the request without accessing a secure element processor on the user device. The user device calculates a security code using the private counter and a number. The user device transmits the calculated security code and one of the bundle of public counters in response to the request. A receiver of the response to the request determines the validity of the public counter and looks up the corresponding private counter using the public counter. The receiver determines the validity of the security code by recomputing it using the private counter and the number.
    Type: Grant
    Filed: October 25, 2016
    Date of Patent: November 26, 2019
    Assignee: GOOGLE LLC
    Inventors: Justin Lee Brickell, Jonathan Kingsley Blatter, Bobby Wieler, Harry Lee Butler, IV, Ignacio Carlos Blanco, Denis Lila
  • Patent number: 10469523
    Abstract: Noisy tokens can be placed in locations of client end stations such that local operations performed upon the noisy tokens generate network traffic. A traffic monitoring module (TMM) can determine normal activity patterns of network traffic resulting from one or more of the placed noisy tokens being activated by one or more non-malicious operations, and identify that other network traffic resulting from one or more of the noisy tokens being activated does not meet the one or more normal activity patterns. In response, the TMM can cause an alert to be generated.
    Type: Grant
    Filed: November 7, 2016
    Date of Patent: November 5, 2019
    Assignee: Imperva, Inc.
    Inventors: Amichai Shulman, Sagie Dulce
  • Patent number: 10460109
    Abstract: An execution of a data object is identified by a computing device. In response to identifying the execution of the data object, it is determined that the data object has requested a sensitive action of the computing device before interacting with a user of the computing device. In response to determining that the data object has requested the sensitive action, the data object is classified as a high-risk data object.
    Type: Grant
    Filed: October 6, 2017
    Date of Patent: October 29, 2019
    Assignee: iboss, Inc.
    Inventors: Paul Michael Martini, Peter Anthony Martini
  • Patent number: 10462144
    Abstract: A system for managing privacy of shared content. The system includes a terminal device and a server device. The terminal device includes a content receiving device configured to receive content, a storage configured to store content by the content receiving device, a privacy setting determiner, a content obfuscator; and a transmitter configured to transmit obfuscated content. The server device includes a receiver configured to receive the obfuscated content from the transmitter of the terminal device, a publisher configured to publish the obfuscated content, and a de-obfuscator configured to, based on the received request to change privacy settings, de-obfuscate the at least a portion of the received content to generate de-obfuscated content.
    Type: Grant
    Filed: February 22, 2019
    Date of Patent: October 29, 2019
    Inventors: Russell Owen, Ivan Medvedev, Garth Shoemaker, Andrew Swerdlow, Yevgeniy Eugene Shteyn, Amanda Elwell Walker
  • Patent number: 10432673
    Abstract: Systems and methods in a mobile device communicatively coupled to a cloud based security system, the method for detecting and processing in-channel events associated with a network agnostic mobile application, the method includes intercepting outgoing data from the network agnostic mobile application at a tunnel interface on the mobile device; monitoring the outgoing data for network transactions from the network agnostic mobile application to maintain a context of the network transactions and intended responses for every request; transmitting the outgoing data from the tunnel interface to the cloud based security system; and receiving a response from the cloud based security system responsive to the outgoing data and processing any deviation from the intended responses.
    Type: Grant
    Filed: January 31, 2017
    Date of Patent: October 1, 2019
    Assignee: Zscaler, Inc.
    Inventors: Abhinav Bansal, Vikas Mahajan, Purvi Desai
  • Patent number: 10419496
    Abstract: Disclosed are systems, methods, and computer-readable storage media for guaranteeing symmetric bi-directional policy based redirect of traffic flows. A first switch connected to a first endpoint can receive a first data packet transmitted by the first endpoint to a second endpoint connected to a second switch. The first switch can enforce an ingress data policy to the first data packet by applying a hashing algorithm to a Source Internet Protocol (SIP) value and a Destination Internet Protocol (DIP) value of the first data packet, resulting in a hash value of the first data packet. The first switch can then route the first data packet to a first service node based on the hash value of the first data packet.
    Type: Grant
    Filed: June 17, 2016
    Date of Patent: September 17, 2019
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Murukanandam Panchalingam, Umamaheswararao Karyampudi, Pirabhu Raman, Sameer Merchant
  • Patent number: 10402557
    Abstract: An authentication server determines that a user entering authentication data is in physical possession of a client device by determining that the user has observed changes in the state of hardware elements of the client device that are effected outside of a remote desktop protocol. The authentication server causes the client device to prompt the user to observe the hardware element of the client device for state changes and receives data generated by the user representing observed state changes. If the data accurately represents the changes in the state of the hardware element, the user is determined to be in physical possession of the client device.
    Type: Grant
    Filed: August 12, 2015
    Date of Patent: September 3, 2019
    Assignee: Uniloc 2017 LLC
    Inventor: Dono Harjanto
  • Patent number: 10396988
    Abstract: A method for distributing multiple cryptographic keys used to access data includes: receiving a data signal superimposed with an access key request, wherein the access key request includes at least a number, n, greater than 1, of requested keys; generating n key pairs using a key pair generation algorithm, wherein each key pair includes a private key and a public key; deriving an access private key by applying the private key included in each of the n key pairs to a key derivation algorithm; generating an access public key corresponding to the derived access private key using the key pair generation algorithm; and electronically transmitting a data signal superimposed with a private key included in one of the n key pairs for each of the n key pairs.
    Type: Grant
    Filed: September 11, 2018
    Date of Patent: August 27, 2019
    Assignee: MASTERCARD INTERNATIONAL INCORPORATED
    Inventor: Steven Charles Davis
  • Patent number: 10382211
    Abstract: A machine has a processor and a network interface circuit connected to the processor to provide network connectivity to a client device. A memory is connected to the processor. The memory stores instructions executed by the processor to implement a persona management service that operates to receive a request for a new email account from the client device. A new email account is created in response to the request. Cryptographic credentials for the new email account are received from the client device. The cryptographic credentials are sent to a certificate authority. A certificate authority validation is received from the certificate authority. The new email account with a cryptographic credential from the certificate authority is registered. The cryptographic credential is conveyed to the client device.
    Type: Grant
    Filed: January 13, 2017
    Date of Patent: August 13, 2019
    Assignee: Anonyome Labs, Inc.
    Inventors: Paul Ashley, Steve Shillingford, Simon Gee, John David Mumford, Greg Clark
  • Patent number: 10375048
    Abstract: A user identity verification method is disclosed. The method includes receiving an identity verification request sent by a user through a client terminal; determining a user communication number according to the identity verification request and generating a corresponding temporary communication number for the user communication number; recording the user communication number and the temporary communication number as first data; returning the temporary communication number to the client terminal; receiving a call request initiated by the user to the temporary communication number; determining a respective user communication number and a respective temporary communication number corresponding to the call request as second data; verifying whether the first data matches with the second data; and returning a verification result to the client terminal. The method can improve security and reliability of identity verification, reduce a user's waiting time, and enhance user experience.
    Type: Grant
    Filed: July 27, 2016
    Date of Patent: August 6, 2019
    Assignee: Alibaba Group Holding Limited
    Inventors: Xiaofeng Wang, Hui Dong, Yang Yu, Daocheng Xie, Weiqin Wan, Lizhong Li
  • Patent number: 10375069
    Abstract: A device transmits an acquisition request for first authorization information indicating that a user's authority to create a tenant-dedicated client is delegated to a vendor client on the basis of first authentication information provided from an authorization server in response to the registration of the vendor client. The device registers the tenant-dedicated client in the authorization server on the basis of the first authorization information, and transmits an acquisition request for second authorization information indicating that the user's authority in a service of a resource server is delegated to the tenant-dedicated client on the basis of second authentication information provided from the authorization server in response to the registration of the tenant-dedicated client. Then the device uses the service of the resource server on the basis of the second authorization information.
    Type: Grant
    Filed: November 28, 2016
    Date of Patent: August 6, 2019
    Assignee: Canon Kabushiki Kaisha
    Inventor: Hayato Matsugashita
  • Patent number: 10360386
    Abstract: Using an ARM processor, a method is provided for endpoint computing systems such as mobile devices or laptops to provide a hardware isolated runtime environment for multiple operating systems (OS's). OS isolation is performed by hardware ARM Security Extensions added to ARMv6 processors (or higher) and controlled by a software Secure Monitor Module (SMM). The invention therefore comprises hardware enforcement mechanisms configured by the SMM to confine each OS to its own respective resources (kernel, RAM, drivers, storage). The invention is applicable to systems with different OS switching mechanisms, such as full computer system reboot to switch OS's, suspension of one OS and resuming another, or using a virtual machine hypervisor to execute several OS's in parallel.
    Type: Grant
    Filed: September 13, 2018
    Date of Patent: July 23, 2019
    Assignee: GBS Laboratories, LLC
    Inventor: Oleksii Surdu
  • Patent number: 10355859
    Abstract: A method for a Diffie Hellman key exchange, the method including selecting a field size p in the form p=hq+1, where q is a prime number that is one plus a factorial number b, such that q=(b!+1), and h is a cofactor, such that p=hq+1 is prime; selecting a generator integer g whose order modulo p is the prime q or is divisible by q; choosing a private key x; computing a public key g^x mod p by raising said generator g to the power of said private key x, using arithmetic modulo said prime field size p; sending said public key g^x mod p to a correspondent; receiving, from the correspondent, a second public key B comprising g raised to a second private key y selected by the correspondent, in the form g^y; and creating a key B^x from the received second public key B, by raising said second public key B to the power of said private key x, using arithmetic modulo said prime field size p.
    Type: Grant
    Filed: March 27, 2017
    Date of Patent: July 16, 2019
    Assignee: Certicom Corp.
    Inventor: Daniel Richard Brown
  • Patent number: 10339315
    Abstract: An apparatus for detecting a malicious app. The apparatus may include a collector to collect a mobile app, a static analyzer to extract basic information from the collected mobile app, analyze the basic information of the extracted mobile app, and generate a call flow graph (CFG) of the mobile app, a dynamic analyzer to execute the collected mobile app, expand the CFG of the mobile app, generated by the static analyzer, to a dynamic action-based CFG, and determine a similarity between the expanded CFG and a flow graph that performs a malicious action, and a malicious app determiner to determine whether the collected mobile app is malicious by analyzing the basic information, the CFG, the call flow graph, and the similarity.
    Type: Grant
    Filed: October 21, 2016
    Date of Patent: July 2, 2019
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Won Joo Park, Sun Joong Kim, Hyun Woo Lee
  • Patent number: 10326773
    Abstract: Embodiments disclose systems, methods, and computer program products to perform an operation for adapting a set of devices used to authenticate a client device. The operation generally includes determining a plurality of broker devices available for attesting a location of a client device, and determining, from the available broker devices, a first and second subset of broker devices based on a credibility score determined for each of the available broker devices. The operation also includes attesting the location of the client device based on information received from the first subset of broker devices regarding devices in proximity to each of the broker devices in the first subset. The operation further includes upon determining that a number of responses with the information from at least one of the broker devices in the first subset has reached a threshold, reassigning broker devices in the first and second subsets.
    Type: Grant
    Filed: October 7, 2016
    Date of Patent: June 18, 2019
    Assignee: International Business Machines Corporation
    Inventors: Saritha Arunkumar, Diyanesh B. Chinnakkonda Vidyapoornachary, Douglas J. Cowie, Farheen Munshi, Saravanan Sethuraman
  • Patent number: 10320834
    Abstract: Methods and apparatus for optimizing computer detection of malware using pattern recognition by refreshing random classification forests are described. In one embodiment, the method may include building a random forest with two or more binary decision trees based at least in part on a first set of categorized data, sending the random forest to a client device with a first random forest control value, identifying a second set of categorized data different from the first set of categorized data, calculating a second random forest control value based on the second set of categorized data and sending the second random forest control value to the client device.
    Type: Grant
    Filed: June 27, 2016
    Date of Patent: June 11, 2019
    Assignee: Symantec Corporation
    Inventors: Mark Kennedy, Barry Laffoon
  • Patent number: 10311255
    Abstract: A method of and system for gate-level masking of secret data during a cryptographic process is described. A mask share is determined, wherein a first portion of the mask share includes a first number of zero-values and a second number of one-values, and a second portion of the mask share includes the first number of one-values and the second number of zero-values. Masked data values and the first portion of the mask share are input into a first portion of masked gate logic, and the masked data values and the second portion of the mask share are input into a second portion of the masked gate logic. A first output from the first portion of the masked gate logic and a second output from the second portion of the masked gate logic are identified, wherein either the first output or the second output is a zero-value.
    Type: Grant
    Filed: December 28, 2016
    Date of Patent: June 4, 2019
    Assignee: Cryptography Research, Inc.
    Inventors: Andrew John Leiserson, Mark Evan Marson, Megan Anneke Wachs
  • Patent number: 10298582
    Abstract: Controlling access to sensitive data can be difficult during an application development effort. A developer may not be authorized to see the data that is to be used by the application. Credentials used in a development environment to access development data can require modification when the application is migrated to a deployed environment. Changing the code in the deployed environment increases risks of change induced incidents. The technology disclosed allows for the creation of a named credential object, where the credentials for different environments are stored, and where the named credential object is called by metadata. This allows the promotion of code from a development environment to a deployed environment without changes to code, and without giving access to sensitive data to the developer.
    Type: Grant
    Filed: May 18, 2016
    Date of Patent: May 21, 2019
    Assignee: salesforce.com, inc.
    Inventors: Alexey Syomichev, Lawrence Eugenio McAlpin, William Charles Mortimore, Jr.
  • Patent number: 10291623
    Abstract: An information processing device includes: a first reception unit that receives first information indicating a storage location of a document to be printed; a first transmission unit that uses the first information to generate an authorization request, generates corresponding second information, and transmits the authorization request and the second information to a terminal used by a sender of the first information; a second reception unit that receives a corresponding authorization code; a controller that uses the authorization code to acquire an access token, and controls storage of the access token, the second information, and the first information in association with each other; and a second transmission unit that, if the second information is received from an image processing device, uses the corresponding access token and information indicating a storage location to acquire a document in the storage location, and transmits the document to the image processing device.
    Type: Grant
    Filed: July 22, 2016
    Date of Patent: May 14, 2019
    Assignee: FUJI XEROX CO., LTD.
    Inventor: Yasuhiro Maruyama
  • Patent number: 10285054
    Abstract: A method includes identifying a first node in a plurality of nodes based on a client device identifier for a client device, the client device being associated with a first network device; storing, information for the client device, on the first node; responsive to the client device associating with a second network device, retrieving the information for the client device by: identifying the first node based on the client device identifier for the client device and obtaining the information from the first node.
    Type: Grant
    Filed: March 18, 2016
    Date of Patent: May 7, 2019
    Assignee: Hewlett Packard Enterprise Development LP
    Inventor: Mohit Yashpal Jaggi