Patents Examined by Aravind Moorthy
  • Patent number: 9660998
    Abstract: Methods and systems are provided herein to enable secure proxying of network traffic between trusted and untrusted environments. In particular, a secure proxy may be provided that includes a set of policies. The policies may be applicable to various network protocol layers (e.g., an application layer), network traffic types, and/or endpoint resolution. The set of policies may be used to inspect, restrict and/or modify traffic between the trusted and untrusted environment to ensure data and network security. A proxy device may use the set of policies, for example, to obtain current service-related information (such as the list of IP addresses) currently associated with a computing resource requested by an application. Such endpoint information may be used, in turn, to update a white list.
    Type: Grant
    Filed: October 2, 2015
    Date of Patent: May 23, 2017
    Assignee: Amazon Technologies, Inc.
    Inventor: Tushaar Sethi
  • Patent number: 9642014
    Abstract: An apparatus for testing, inspecting or screening an electronic device for electrical characteristics, modified or unmodified hardware, or firmware modifications including Malware, Trojans, improper versioning, and the like, includes a transmitting antenna positioned at a distance from the electronic device and an electromagnetic energy receiver or sensor for examining a resulting unintentional derived electromagnetic energy from the electronic device. The receiver collects unintentional RF energy components emitted by the device and includes a processor and executable instructions that perform analysis in a response to the acquired electromagnetic energy input. The characteristics of the collected RF energy may be compared with RF energy characteristics of an exemplary device. The analysis determines one of a modified, unmodified or score of certainty of discerned condition of the device.
    Type: Grant
    Filed: April 23, 2015
    Date of Patent: May 2, 2017
    Assignee: NOKOMIS, INC.
    Inventor: Walter John Keller
  • Patent number: 9635045
    Abstract: A privileged account management system can maintain a database that defines a normal amount of data that should be transferred over a remote session and/or a normal rate at which the data should be transferred when performing a particular task. Using a reason code used to obtain a remote session and possibly a combination of various different characteristics of the remote session, the system can access the database to identify the appropriate normal amount and/or normal rate. The system can then compare the amount and/or rate of data transferred over the remote session to the appropriate normal amount and/or normal rate to detect when an abnormal amount and/or abnormal rate is being transferred. In cases where abnormal behavior is detected, the system can determine that the remote session is likely being used in an improper manner, and can take action to mitigate any potential harm to the server.
    Type: Grant
    Filed: April 23, 2015
    Date of Patent: April 25, 2017
    Assignee: Dell Software, Inc.
    Inventors: Matthew T. Peterson, Daniel F. Peterson, Jordan S. Jones
  • Patent number: 9633097
    Abstract: Various methods and apparatuses are described for performing high speed translations of data. In an example embodiment, record layout detection can be performed for data. In another example embodiment, data pivoting prior to field-specific data processing can be performed.
    Type: Grant
    Filed: April 23, 2015
    Date of Patent: April 25, 2017
    Assignee: IP Reservoir, LLC
    Inventors: Terry Tidwell, Alex St. John, Daniel Sewell
  • Patent number: 9613228
    Abstract: Architecture that provides a secure environment in which data (e.g., code, instructions, files, images, etc.) can be opened and run by a client application. Once opened the data can be viewed (in a “protected view”) by the user without incurring risk to other client processing and systems. Accordingly, the architecture mitigates malicious attacks by enabling users to preview untrusted and potentially harmful data (e.g., files) in a low risk manner. Files opened in the protected view are isolated from accessing key resources on the client computer and provides the user a safer way to read files that can contain dangerous content. The protected view also provides a seamless user experience. The user is unaware that the client is operating on data in a different mode and allows for the reduction of security prompts.
    Type: Grant
    Filed: March 18, 2015
    Date of Patent: April 4, 2017
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Vikas Malhotra, Benjamin E. Canning, Daniel B. Jump, David C LeBlanc, Benjamen E. Ross, James Campbell, Brian Carver, Joshua Pollock
  • Patent number: 9608964
    Abstract: Methods and systems disclosed provide for creating private networks for secured communication between devices. The devices can communicate with each other over a secure tunnel created for a closed circle of devices. Furthermore, the methods and systems can enable offline communication between devices on a private network.
    Type: Grant
    Filed: February 23, 2016
    Date of Patent: March 28, 2017
    Assignee: PrivApp, Inc.
    Inventors: Robert Harry Stutch, Sara Duryea, Joshua David Wynd
  • Patent number: 9608967
    Abstract: A system and a method is provided for establishing a session key in a context of communications between entities, the identifiers of which are generated cryptographically and for which one of the entities is highly resource-constrained. It includes assigning to assistant entities of the resource-constrained entity, the highest-consuming asymmetric cryptography operations.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: March 28, 2017
    Assignee: Commissariat A L'Energie Atomique ET AUX Energies Alternatives
    Inventors: Yosra Ben Saied, Christophe Janneteau, Alexis Olivereau
  • Patent number: 9603016
    Abstract: The Internet is becoming an essential part of our lives. This trend is even stronger with the rise of cell phones having Internet access that almost the entire population carries with them at all times. Security is a huge problem on the Internet, however, and new authentication methods are needed specifically for cell phones. Presented here is a method of identifying a mobile electronic device by its configuration settings, potentially including contact list information. This invention, in particular, fills a crucial need to secure access to the Internet from mobile phones.
    Type: Grant
    Filed: September 12, 2014
    Date of Patent: March 21, 2017
    Assignee: DIGITAL PROCTOR, INC.
    Inventors: Andrew Jesse Mills, Shaun Sims
  • Patent number: 9596225
    Abstract: An out-of-vehicle device interface apparatus includes a request message reception unit, a response message request unit, and a response message transmission unit. The request message reception unit receives a request message from an out-of-vehicle device, generates electrical signals in electric lines, and transfers the request message. The response message request unit requests response messages for the request message from one or more devices constituting an in-vehicle network based on one or more of the electric lines in which electrical signals have been generated. The response message transmission unit receives the response messages from the one or more devices, and transfers the response messages to the out-of-vehicle device via unidirectional communication.
    Type: Grant
    Filed: April 24, 2015
    Date of Patent: March 14, 2017
    Assignee: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE
    Inventors: Kyoung-Ho Kim, Jeong-Han Yun, Heemin Kim, Manhyun Chung, Woonyon Kim, Jungtaek Seo, Eung Ki Park
  • Patent number: 9596604
    Abstract: A method, system, and computer program product for securing wireless network devices improves the security of wireless networks and devices, such as Bluetooth networks and devices, to prevent security attacks on and hacking of such networks and devices. A method for secure wireless communications, comprises the steps of requesting a connection with a wireless device, determining whether the wireless device is trusted, determining a security policy of the wireless device, and establishing a connection with the wireless device if the wireless device is trusted and if the security policy of the wireless device is as expected.
    Type: Grant
    Filed: September 24, 2015
    Date of Patent: March 14, 2017
    Assignee: McAfee, Inc.
    Inventors: Rajesh Shinde, Harish Mohan Awasthi
  • Patent number: 9596249
    Abstract: A privileged account management system can detect when credentials used to access one or more servers have been shared or otherwise compromised. This detection can occur through analysis of simultaneous actions that are performed via multiple sessions associated with the same administrator. When two or more sessions associated with the same administrator are opened, the interactions performed over each of the sessions can be monitored to identify whether such interactions could be performed by a single administrator. If it is determined that the interactions over the multiple sessions could not reasonably be performed by a single administrator, various actions can be taken to address the possible breach to the security of the one or more servers.
    Type: Grant
    Filed: April 23, 2015
    Date of Patent: March 14, 2017
    Assignee: Dell Software, Inc.
    Inventors: Matthew T. Peterson, Daniel F. Peterson, Jordan S. Jones
  • Patent number: 9594904
    Abstract: According to one embodiment of the disclosure, a computerized method is described to detect a malicious object through its attempt to utilize reflection. The computerized method comprises receiving, by a network device, an object for analysis. Thereafter, the network device conducts a first analysis within a sandboxed environment. The first analysis determines whether the object is configured to utilize reflection. According to one embodiment, the first analysis involves analysis of the content of the object by a static analysis engine. Alternatively, or in addition to this analysis, the behavior of the object by an attempt to access a reflection API may determine that the object is utilizing reflection. Responsive to the network device determining that the object utilizes reflection, a second analysis is conducted to determine whether the object is malicious.
    Type: Grant
    Filed: April 23, 2015
    Date of Patent: March 14, 2017
    Assignee: FireEye, Inc.
    Inventors: Varun Jain, Abhishek Singh
  • Patent number: 9590963
    Abstract: Disclosed herein are systems, methods, and non-transitory computer-readable storage media for key management for Issuer Security Domain (ISD) using GlobalPlatform Specifications. A client receives from a server an authorization to update a first ISD keyset. The client encrypts, via a client-side secure element, a second ISD keyset with a server public key. The client sends the encrypted second ISD keyset to the server for updating the first ISD keyset with the encrypted second ISD keyset. Prior to updating, the client generates the first ISD keyset at a vendor and sends the first ISD keyset to the client-side secure element and sends the first ISD keyset encrypted with the server public key to the server. The disclosed method allows for updating of an ISD keyset of which only the client-side secure element and a server have knowledge.
    Type: Grant
    Filed: September 30, 2015
    Date of Patent: March 7, 2017
    Assignee: Apple Inc.
    Inventor: Ahmer A. Khan
  • Patent number: 9588907
    Abstract: In a portable data carrier having a non-volatile memory, a memory controller and a memory interface, an effected initial operation of the data carrier is checked through a request to a security unit of the data carrier via a security interface connected to the security unit. For this purpose, the data carrier comprises a memory portion comprising the memory interface and a body portion comprising the security interface, which are interconnected such that the memory portion can be folded out of the body portion, so that simultaneously the memory interface is laid open for a connection to an end device and the electrical connection between the security unit and the security interface is disconnected irreversibly.
    Type: Grant
    Filed: February 15, 2012
    Date of Patent: March 7, 2017
    Assignee: GIESECKE & DEVRIENT GMBH
    Inventors: Michael Baldischweiler, Wolfgang Rankl
  • Patent number: 9582106
    Abstract: Embodiments described herein relate to a device operable to process input for a picture password for proof of knowledge. In some embodiments, the device includes a display, an input subsystem, processor(s), and memory containing instructions executable by the processor(s) such that the device is operative to display, on the display of the device, an image for the picture password proof of knowledge. The image is associated with an overlaid grid comprising a plurality of elements, and each element corresponds to a distinct area of the image. The device is further operative to determine an offset to be used and, in response to receiving an input via the input subsystem at a first location of the display, highlight an element of the overlaid grid at a second location on the first image on the display. The second location is offset from the first location by the offset.
    Type: Grant
    Filed: March 14, 2016
    Date of Patent: February 28, 2017
    Assignee: Antique Books, Inc.
    Inventors: Robert H. Thibadeau, Sr., Justin D. Donnell, Robert Thibadeau, Jr.
  • Patent number: 9584582
    Abstract: An aspect for communicating content for delivery to a device to receive an electronic message having an attached electronic file includes receiving the attached electronic file at the device. The attached electronic file contains instructions for accessing the content. Responsive to an input signal indicating a request to access the attached electronic file, an address of a remote device that hosts the content is obtained, a viewing program is executed at the device, and a launch control icon via a toolbar of the viewing program is provided. Responsive to selection of the launch control icon, the content is obtained for delivery to a recipient of the electronic message using the address of the remote device to establish a connection with the remote device.
    Type: Grant
    Filed: November 10, 2015
    Date of Patent: February 28, 2017
    Assignee: AT&T Intellectual Property I, L.P.
    Inventor: Gary J. Dennis
  • Patent number: 9584547
    Abstract: Web pages and applications commonly consume functionality provided by services to provide users with a rich experience. For example, a backend mapping service may provide access to these services. However, the users and application consuming the services may be anonymous and unverified. Accordingly, a two ticket validation technique is provided to validate service execution requests from anonymous applications. In particular, a user is provided with a client ticket comprising a reputation. The reputation may be adjusted over time based upon how the user consumes services. An application may request access to a service by providing the client ticket and an application ticket for validation. The reputation of the user may be used to determine an access level at which the application may access the service. Users with a high reputation may receive high quality access to the service, while users with a low reputation may receive lower quality access.
    Type: Grant
    Filed: October 1, 2015
    Date of Patent: February 28, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Shai Herzog, Gil Shklarski
  • Patent number: 9569781
    Abstract: An analysis is performed on first and second product information to determine a relationship between a first product and a second product. In response to a first notification from a first backend system, a first message is transmitted to a mobile device of the user indicating that the change of a first activity is needed. It is determined whether a modification of a second activity is needed based on the relationship information of the first product and the second product and in response to determining that the modification of the second activity is needed, a second message is transmitted to the mobile device, indicating a possible modification of the second activity and offering a list of one or more options to modify the second activity. A live communications session is established between the user and a support agent of the server to discuss the possible modification of the second activity.
    Type: Grant
    Filed: July 31, 2015
    Date of Patent: February 14, 2017
    Assignee: TELETECH HOLDINGS, INC.
    Inventors: Kenneth D. Tuchman, Bruce A. Sharpe, Henry D. Truong, Alan B. Rahn
  • Patent number: 9544145
    Abstract: An equipment manager manages the operating state of equipment. A user verification processor performs user verification according to a request from a monitoring terminal, and when user verification is successful, generates for each facility management device a verification code in which verification data, to which a digital signature has been added using a self-owned secret key, has been encoded using a public key of each facility management device, and transmits the verification codes to the monitoring terminal. After receiving the verification code, a verification code analyzer decodes the verification code using the self-owned secret key, and performs verification by verifying the digital signature using the public key of a representative facility management device. When verification is successful, a Web server is able to monitor and manipulate data that indicates the operating states of all of the equipment that is managed by the equipment manager.
    Type: Grant
    Filed: October 29, 2012
    Date of Patent: January 10, 2017
    Assignee: Mitsubishi Electric Corporation
    Inventors: Taichi Ishizaka, Shigeki Suzuki, Takahiro Ito, Noriyuki Komiya, Takeru Kuroiwa
  • Patent number: 9537837
    Abstract: A method for ensuring media stream security in an IP Multimedia Subsystem network is disclosed. The method includes: assigning an end-to-end media stream security key for a calling User Equipment (UE) or a called UE, by a network device with which the calling UE or the called UE is registered, respectively, and transmitting the media stream security key to a network device with which the opposite end is registered; encrypting the end-to-end media stream security key using a session key shared with the calling UE or the called UE respectively, and transmitting the encrypted end-to-end media stream security key to the calling UE or the called UE, respectively, via a session message; encrypting or decrypting a media stream, by the calling UE or the called UE, respectively, using the end-to-end media stream security key.
    Type: Grant
    Filed: October 16, 2015
    Date of Patent: January 3, 2017
    Assignee: INVENTERGY, INC.
    Inventor: Jun Yan