Patents Examined by Brian Shaw
  • Patent number: 9411972
    Abstract: A method for protecting a first secrets file. The method includes an n-bit generator generating a secrets file name for the secrets file and generating decoy file names for decoy files. The secrets file includes a secret. Each of the decoy files includes decoy file contents, is a same size as the secrets file, and is associated with a modification time within a range of modification times. The modification time of the secrets file is within the range of modification times. The secrets file and decoy files are stored in a secrets directory.
    Type: Grant
    Filed: September 22, 2015
    Date of Patent: August 9, 2016
    Assignee: PACID TECHNOLOGIES, LLC
    Inventor: Guy Fielder
  • Patent number: 9413757
    Abstract: An approach is provided for securely authenticating an identity of a user participating in an electronic transaction. A request is received from a mobile device to initiate the electronic transaction. Attributes of the user and request are received. A request is selected for a biometric identifier or a security question to authenticate the identity of the user. The request for the biometric identifier or security question is converted to a complete Quick Response (QR) code. Based on the user and request attributes, the complete QR code is disassembled into first and second portions by employing a disassembly algorithm. The first portion, but not the second portion, is sent to the mobile device, which prevents an entity other than the user and the enterprise from obtaining the request for the biometric identifier or security question by capturing network traffic that includes the electronic transaction.
    Type: Grant
    Filed: January 15, 2015
    Date of Patent: August 9, 2016
    Assignee: International Business Machines Corporation
    Inventors: Saravanan Sadacharam, Ram Viswanathan
  • Patent number: 9407610
    Abstract: A method for generating one or more secrets for use by members. The method includes sending a first request for connection with a second member, and sending a second request for connection with a third member. The method further includes receiving, by the first member from the second member, a second input after the first request is sent and after communication is initiated between the first member and the second member and receiving, by the first member from the third member, a third input after the second request is sent and after communication is initiated between the first member and the third member. The method further includes generating, using an n-bit generator executing on the first member, a message digest using a first input, the second input, and the third input, extracting a secret from the message digest, and storing the secret in a secrets repository on the first member.
    Type: Grant
    Filed: June 18, 2014
    Date of Patent: August 2, 2016
    Assignee: PACID TECHNOLOGIES, LLC
    Inventor: Guy Fielder
  • Patent number: 9401805
    Abstract: k bits from the least significant bit of the current secret key are retrieved, obtaining a binary window sequence. A binary bit string of concatenation of the random number to the more significant bits of the window sequence is obtained if the most significant bit of the window sequence is 0, subtracting a bit string from the current secret key to obtain a new secret key, or the bit string of a complement of the base number for the window sequence in binary system is calculated if the most significant bit of the window sequence is 1, obtaining a bit string by adding a minus sign to a bit string obtained by concatenating the random number to the more significant bits of the bit string, subtracting the bit string from the current secret key to obtain a new secret key.
    Type: Grant
    Filed: June 26, 2013
    Date of Patent: July 26, 2016
    Assignee: FUJITSU LIMITED
    Inventors: Jun Yajima, Kouichi Itoh, Masahiko Takenaka, Dai Yamamoto
  • Patent number: 9401927
    Abstract: According to one embodiment, a method for setting a trap to detect that an intruder has compromised a client end station (CES) in an attempt to gain unauthorized access to enterprise data provided by a server is described. The method includes causing a honey token to be placed on the CES secluded within a configuration repository, wherein the honey token is metadata and/or instructions indicating how applications can seemingly access the enterprise data but that is actually invalid, and the honey token is placed on the CES and not on the server. The method also includes causing attribute values to be installed on a security gateway for a security rule causing the security gateway to monitor network traffic for attempted use of the honey token, and to generate an alert when a set of one or more packets that include the honey token are received.
    Type: Grant
    Filed: January 20, 2015
    Date of Patent: July 26, 2016
    Assignee: Imperva, Inc.
    Inventors: Amichai Shulman, Michael Cherny, Sagie Dulce
  • Patent number: 9396329
    Abstract: Described herein are articles, systems, and methods for using a storage controller to protect secure data blocks through the enforcement of a read only policy. In some embodiments, the articles use a combination of hardware protections and software protections (e.g., virtualization) to protect a system against attack from malware while such secure data is updated. Also described are systems and methods for securely updating data blocks secured in this fashion, and detecting and preventing the corruption of data stored on secondary storage media using a disk eventing mechanism.
    Type: Grant
    Filed: October 17, 2011
    Date of Patent: July 19, 2016
    Assignee: Intel Corporation
    Inventors: Karthikeyan Vaidyanathan, Akshay R. Kadam, Royce Fernald
  • Patent number: 9391776
    Abstract: A system and method for authenticating a peer device onto a network using Extensible Authentication Protocol (EAP). The key lifetime associated with the keying material generated in the peer device and the authentication server is communicated from the authenticator to the peer device within the EAP Success message. The peer device, having been provided with the key lifetime, can anticipate the termination of its authenticated session and initiate re-authentication prior to expiry of the key lifetime.
    Type: Grant
    Filed: August 15, 2014
    Date of Patent: July 12, 2016
    Assignee: BlackBerry Limited
    Inventor: Leonardo Jose Silva Salomone
  • Patent number: 9338004
    Abstract: Method and system for personalizing a chip, intended to be integrated into a smart card, comprising a tester associated to an FPGA device connected to the chip, the chip being part of a wafer comprising a plurality of chips and a disposable hardware module for verifying presence of the chip on the wafer. The tester sends a first secret code to the FPGA device, which commands the chip to initiate a test mode activation. The FPGA device encrypts a second secret code by using a secret encryption algorithm parameterized with a random number received from the chip and the first secret code to obtain a first cryptogram which is sent to the chip. The chip determines a second cryptogram by carrying out a Boolean function over a result obtained by decryption of the first cryptogram using the inverse algorithm parameterized with the random number and the first secret code.
    Type: Grant
    Filed: October 8, 2013
    Date of Patent: May 10, 2016
    Assignee: NAGRAVISION S.A.
    Inventors: Roan Hautier, Marco Macchetti, Jerome Perrine
  • Patent number: 9319882
    Abstract: Mutual authentication between: (i) a user terminal cooperating with a security element and an application for registering with a service, and (ii) a remote server that provides the service, by means of a third-party portal, includes: i) transmitting, to the remote server by means of the portal, signed information R enabling the security element to be authenticated in the remote server; ii) authenticating the security element in the remote server; iii) transmitting a value R′ signed by the remote server to the application by means of the portal; iv) transmitting a request for verification of the signed value R′ from the application to the security element; v) verifying, in the security element, the signature of the remote server and whether the requested service has been granted by the remote server; vi) establishing a secure connection with the remote server using the security element, and requesting that the service be executed.
    Type: Grant
    Filed: October 25, 2013
    Date of Patent: April 19, 2016
    Assignee: GEMALTO SA
    Inventors: Xavier Berard, Richard Pico, Frederic Faure, Benoit Gonzalvo
  • Patent number: 9313205
    Abstract: An apparatus prevents communication by a client device to a domain that cannot be uniquely identified by relocating the DNS mapping of the domain to a destination IP Address that is uniquely identifiable and that represents a location of an apparatus that provides a data path to the domain.
    Type: Grant
    Filed: April 24, 2012
    Date of Patent: April 12, 2016
    Assignee: iboss, Inc.
    Inventor: Paul Michael Martini
  • Patent number: 9294474
    Abstract: In one embodiment, a method comprises receiving a verification request, sending one or more patterns for display at one or more specified locations on a screen of a device, receiving verification input responsive to the one or more patterns, and granting or denying the verification request based at least in part on the verification input. The verification input comprises one or more captured images, captured audio and tracked eye movement. The verification request may be generated in conjunction with an attempted launch of a designated application on a first device, with user access to the designated application on the first device being controlled responsive to the granting or denying of the verification request.
    Type: Grant
    Filed: November 14, 2013
    Date of Patent: March 22, 2016
    Assignee: EMC Corporation
    Inventor: Kayvan Alikhani
  • Patent number: 9262616
    Abstract: A reader element is associated with an identity verification element. The reader element has a biometric input device and is configured, through enrollment of a biometric element is used to encrypt a character sequence associated with the identity verification element. In a verification phase subsequent to the enrollment, a user may be spared a step of providing the character sequence by, instead, providing the biometric element. Responsive to receiving the biometric element, the reader element may decrypt the character sequence and provide the character sequence to the identity verification element.
    Type: Grant
    Filed: July 30, 2014
    Date of Patent: February 16, 2016
    Assignee: BlackBerry Limited
    Inventors: Neil Patrick Adams, Richard Paul Sibley, Dinah Lea Marie Davis, Ravi Singh
  • Patent number: 9245140
    Abstract: A data storage device in a distributed computing system has physical block addresses that are each allocated to multiple namespaces. To access the data storage device, a host system issues a command to the data storage device that includes an access key and a virtual block address to be accessed. The data storage device converts the virtual block address to a physical block address of the data storage device using a mapping associated with the access key. Access to a physical data block associated with a particular namespace is granted only if an access key for that namespace is provided to the data storage device.
    Type: Grant
    Filed: November 15, 2013
    Date of Patent: January 26, 2016
    Assignee: Kabushiki Kaisha Toshiba
    Inventor: Daisuke Hashimoto
  • Patent number: 9245125
    Abstract: Systems and methods are disclosed for protecting privacy in an application software (app) by detecting application repacking; detecting application tainting, including: detecting descrying information leakage; detecting vulnerability espial; and detecting a privacy leak.
    Type: Grant
    Filed: November 24, 2014
    Date of Patent: January 26, 2016
    Assignee: NEC Laboratories America, Inc.
    Inventors: Zhichun Li, Zhenyu Wu, Zhiyun Qian, Guofei Jiang, Kangjie Lu, Vasileios Kemerlis
  • Patent number: 9240976
    Abstract: Systems and methods are disclosed for providing security monitoring in a computer network. In an embodiment, a service accessible via a network port of a network node within the network is identified. The assigned port number for the identified service is changed to a second port number and a trap is configured including one or more criterion. A trap may be configured to capture network traffic that meets the one or more criterion of the trap. A data packet is then received. It is determined whether the data packet meets the one or more criterion of the configured trap, and if so, the data packet is redirected to a ghost network. The ghost network may replicate network services, applications, and infrastructure in the computer network. The ghost network may additionally gather activity data based on the redirected data packet.
    Type: Grant
    Filed: January 6, 2015
    Date of Patent: January 19, 2016
    Assignee: BLACKPOINT HOLDINGS, LLC
    Inventor: Jon Murchison
  • Patent number: 9230109
    Abstract: The described implementations relate to trusted platform module (TPM) security. One configuration that is implemented on a computing device includes a TPM configured to generate a key pair utilizing a factor stored on the TPM and an external cofactor that is not stored on the TPM. The computing device also includes a communication device configured to receive the external cofactor and convey the external cofactor to the TPM.
    Type: Grant
    Filed: October 7, 2008
    Date of Patent: January 5, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventor: David Wooten
  • Patent number: 9225518
    Abstract: The present invention provides a method of operating a mobile unit in a wireless communication system. Embodiments of the method may include providing access request message(s) including information indicative of a first counter and a message authentication code formed using a first key. The first key is derived from a second key and the first counter. The second key is derived from a third key established for a security session between the mobile unit and an authenticator. The first counter is incremented in response to each access request provided by the mobile unit.
    Type: Grant
    Filed: March 6, 2007
    Date of Patent: December 29, 2015
    Assignee: Alcatel Lucent
    Inventors: Semyon B. Mizikovsky, Robert J. Rance
  • Patent number: 9213846
    Abstract: A flash storage device and a method for using the flash storage device to prevent unauthorized use of a software application are provided. An identifier may be encoded within specific sectors of the flash storage device. One bits of the identifier may be encoded as unusable ones of the specific sectors and zero bits of the identifier may be encoded as usable ones of the specific sectors. Alternatively, the zero bits of the identifier may be encoded as the unusable ones of the specific sectors and the one bits of the identifier may be encoded as the usable ones of the specific sectors. The software application may be permitted to execute on a processing device connected to the flash storage device only when the identifier is encoded within the flash storage device.
    Type: Grant
    Filed: May 5, 2013
    Date of Patent: December 15, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventor: Boris Asipov
  • Patent number: 9195827
    Abstract: Among other disclosed subject matter, a computer-implemented method includes initializing a first descriptor table and a second descriptor table. The first descriptor table is associated with a first permission level and the second descriptor table is associated with a second permission level that is different from the first permission level. The first descriptor table and the second descriptor table are associated with a hardware processor and initialized by an operating system kernel. The method also includes providing a memory address associated with the first descriptor table, in response to a descriptor table address request. The descriptor table address request is provided by a software process. The method also includes updating the second descriptor table, in response to an update request.
    Type: Grant
    Filed: August 29, 2014
    Date of Patent: November 24, 2015
    Assignee: Google Inc.
    Inventor: Eric R. Northup
  • Patent number: 9165153
    Abstract: A method for protecting a first secrets file. The method includes an n-bit generator generating a secrets file name for the secrets file and generating decoy file names for decoy files. The secrets file includes a secret. Each of the decoy files includes decoy file contents, is a same size as the secrets file, and is associated with a modification time within a range of modification times. The modification time of the secrets file is within the range of modification times. The secrets file and decoy files are stored in a secrets directory.
    Type: Grant
    Filed: March 28, 2014
    Date of Patent: October 20, 2015
    Assignee: PACID TECHNOLOGIES, LLC
    Inventor: Guy Fielder