Patents Examined by Brian Shaw
  • Patent number: 8973142
    Abstract: According to one embodiment, a method for setting a trap to detect that an intruder has compromised a client end station (CES) in an attempt to gain unauthorized access to enterprise data provided by a server is described. The method includes causing a honey token to be placed on the CES secluded within a configuration repository, wherein the honey token is metadata and/or instructions indicating how applications can seemingly access the enterprise data but that is actually invalid, and the honey token is placed on the CES and not on the server. The method also includes causing attribute values to be installed on a security gateway for a security rule causing the security gateway to monitor network traffic for attempted use of the honey token, and to generate an alert when a set of one or more packets that include the honey token are received.
    Type: Grant
    Filed: July 2, 2013
    Date of Patent: March 3, 2015
    Assignee: Imperva, Inc.
    Inventors: Amichai Shulman, Michael Cherny, Sagie Dulce
  • Patent number: 8931034
    Abstract: A system, method, and Policy Engine for granting a first user temporary access to a second user's electronic content. The Policy Engine receives a request originating from the first user to access the second user's content, and retrieves from a relationship database, relationship information regarding a relationship between the two users. If an access rule matching the relationship information is stored in the Policy Engine, the Policy Engine applies the access rule to control access by the first user for a period of time specified in the rule. If an access rule is not stored, the Policy Engine obtains the access rule from the second user. The Policy Engine allows access when the matching rule grants access and the matching rule has not expired, and denies access when there is no matching rule, when the matching rule does not allow access, or when the matching rule has expired.
    Type: Grant
    Filed: June 25, 2010
    Date of Patent: January 6, 2015
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Florin van Slingerland, Stefan Burgers
  • Patent number: 8903083
    Abstract: In one exemplary embodiment of the invention, a method for evaluating at point $r$ one or more polynomials $p_1(x), \ldots, p_l(x)$ of maximum degree up to $n-1$, where the polynomial $p_i(x)$ has a degree of $t_i-1$, the method including: partitioning each polynomial $p_i(x)$ into a bottom half $p_i^{\mathrm{bot}}(x)$ with bottom terms of lowest $s_i$ coefficients and a top half $p_i^{\mathrm{top}}(x)$ with top terms of remaining $t_i-s_i$ coefficients; recursively partitioning the bottom half $p_i^{\mathrm{bot}}(x)$ and the top half $p_i^{\mathrm{top}}(x)$ of each polynomial $p_i(x)$ obtaining further terms having a lower degree than previous terms, performed until at least one condition is met yielding a plurality of partitioned terms; evaluating the bottom half $p_i^{\mathrm{bot}}(x)$ and the top half $p_i^{\mathrm{top}}(x)$ at the point $r$ for each polynomial $p_i(x)$ by evaluating the partitioned terms at the point $r$ and iteratively combining the evaluated partitioned terms; and evaluating each polynomial $p_i(x)$ at the point $r$ by setting $p_i(r)=r^{s_i}\,p_i^{\mathrm{top}}(r)+p_i^{\mathrm{bot}}(r)$.
    Type: Grant
    Filed: August 9, 2011
    Date of Patent: December 2, 2014
    Assignee: International Business Machines Corporation
    Inventors: Craig B. Gentry, Shai Halevi
  • Patent number: 8893270
    Abstract: Methods and apparatus for detecting cross-site request forgery (CSRF) attacks include a CSRF detector that analyzes HTTP communications for information indicative of a CSRF attack. The CSRF detector may analyze HTTP responses from a website for CSRF code that automatically performs unauthorized access of an online account of a user of a user computer upon receipt and execution of the CSRF code in the user computer. The CSRF detector may also analyze HTTP requests from a web browser for information indicative of a CSRF attack.
    Type: Grant
    Filed: January 29, 2008
    Date of Patent: November 18, 2014
    Assignee: Trend Micro Incorporated
    Inventors: Shun-Fa Yang, Wen-Tien Liang, Hsin-Hsin Kuo
  • Patent number: 8892866
    Abstract: A secure cloud storage and synchronization system and method is described that provides, among other things: (1) local password recovery, including a mechanism by which the user of the system can recover their password without having stored it on a remote server; (2) secure, private versioning of files, including a mechanism to privately store a version history of files on one or more remote servers in such a way that it is technically infeasible for anyone other than the legitimate owner to access any component of the file history; (3) secure, private de-duplication of files stored on one or more remote servers that reduces storage requirements by allowing for the storage of a single file when there are duplicates, even across users; and (4) secure, private sharing of files between users of the system that allows one user to share a file on the “cloud” with another user without deciphering or transporting the file.
    Type: Grant
    Filed: September 17, 2012
    Date of Patent: November 18, 2014
    Assignee: Tor Anumana, Inc.
    Inventors: Troy Schilling, Subhashis Mohanty, Sara Mohanty
  • Patent number: 8875307
    Abstract: Techniques for managing network identities include generating, with a local computing system, a tree structure representing a network comprising a plurality of entities, the tree structure comprising a plurality of nodes, each node of the plurality of nodes representing an entity of the plurality of entities, at least one entity of the plurality of entities is represented by more than one node of the plurality of nodes; assigning a unique identifier to each node; identifying each node of the plurality of nodes as being a protected node or an unprotected node; and transmitting, to a remote computing system, the tree structure, the unique identifiers for the protected nodes, and identity information of the entities for the unprotected nodes.
    Type: Grant
    Filed: May 3, 2012
    Date of Patent: October 28, 2014
    Assignee: SAP AG
    Inventor: Sunil Puri
  • Patent number: 8869234
    Abstract: Embodiments dynamically manage privileged access to a computer system according to policies enforced by rule engine. User input to the rule engine may determine an extent of system access, as well as other features such as intensity of user activity logging (including logging supplemental to a system activity log). Certain embodiments may provide access based upon user selection of a pre-configured ID at a dashboard, while other embodiments may rely upon direct user input to the rule engine to generate an ID at a policy enforcement point. Embodiments of methods and apparatuses may be particularly useful in granting and/or logging broad temporary access rights allowed based upon emergency conditions.
    Type: Grant
    Filed: May 3, 2012
    Date of Patent: October 21, 2014
    Assignee: SAP AG
    Inventors: John Christopher Radkowski, Swetta Singh
  • Patent number: 8850512
    Abstract: Each virtual machine in a set of virtual machines managed by the virtual machine manager is identified. For each virtual machine in the set, it is determined whether the respective virtual machine is online. For at least the virtual machines determined to be offline, a machine image is collected for each offline virtual machine. Security of the offline virtual machines is assessed from the collected images. For virtual machines identified as online, an agent is loaded on each online virtual machine in the set via the virtual machine manager. The loaded agents are used to assess security of the online virtual machines in the set.
    Type: Grant
    Filed: October 13, 2011
    Date of Patent: September 30, 2014
    Assignee: McAfee, Inc.
    Inventors: Michael Price, Anthony Bettini
  • Patent number: 8850202
    Abstract: A system and method for authenticating a peer device onto a network using Extensible Authentication Protocol (EAP). The key lifetime associated with the keying material generated in the peer device and the authentication server is communicated from the authenticator to the peer device within the EAP Success message. The peer device, having been provided with the key lifetime, can anticipate the termination of its authenticated session and initiate re-authentication prior to expiry of the key lifetime.
    Type: Grant
    Filed: December 3, 2012
    Date of Patent: September 30, 2014
    Assignee: BlackBerry Limited
    Inventor: Leonardo José Silva Salomone
  • Patent number: 8837721
    Abstract: The claimed subject matter relates to architectures and/or mechanisms that can facilitate issuing, embedding and verification of an optical DNA (o-DNA) signature. A first mechanism is provided for obtaining a set of manufacturing errors inherent in an optical media instance. These errors can be non-deterministic and can be encoded into the o-DNA that can be cryptographically signed with a private key, and then embedded into the source optical media instance. A second mechanism is provided that can decrypt the o-DNA with a public key and compare the authenticated errors to the observed errors to ascertain whether the optical media instance is authentic as opposed to a forgery or counterfeit.
    Type: Grant
    Filed: February 20, 2009
    Date of Patent: September 16, 2014
    Assignee: Microsoft Corporation
    Inventor: Darko Kirovski
  • Patent number: 8837734
    Abstract: A data module encrypts a first portion of a drive in a data center using a first encryption key. The data module encrypts the first encryption key using a second encryption key to obtain an encrypted encryption key. The data module stores the second encryption key in a first location and stores the encrypted encryption key in a second location that is separate from the first location and that is inaccessible from outside the data center.
    Type: Grant
    Filed: September 14, 2012
    Date of Patent: September 16, 2014
    Assignee: Red Hat, Inc.
    Inventors: Nathaniel McCallum, Adam Young, Miloslav Trmac, Ade Lee
  • Patent number: 8839370
    Abstract: Users of a computer are prevented from directly accessing certain hardware for which a driver is installed on the computer. The users are provided a limited, indirect manner to access the hardware for a specific purpose or to do a specific job. One example of such hardware is a wireless hardware communication interface. The wireless activity of the computer may be restricted so that the wireless hardware communication interface is prevented from communicating with any devices compatible with the wireless hardware communication interface other than one or more specific devices.
    Type: Grant
    Filed: December 17, 2012
    Date of Patent: September 16, 2014
    Assignee: BlackBerry Limited
    Inventors: Ravi Singh, Neil Patrick Adams
  • Patent number: 8832461
    Abstract: Architecture that provides trusted sensors and trusted sensor readings on computing devices such as mobile devices. The architecture utilizes a trustworthy computing technology (e.g., trusted platform module (TPM)). In the context of TPM, one implementation requires no additional hardware beyond the TPM and a virtualized environment to provide trusted sensor readings. A second implementation incorporates trusted computing primitives directly into sensors and enhances security using signed sensor readings. Privacy issues arising from the deployment of trusted sensors are also addressed by utilizing protocols.
    Type: Grant
    Filed: June 25, 2010
    Date of Patent: September 9, 2014
    Assignee: Microsoft Corporation
    Inventors: Stefan Saroiu, Alastair Wolman
  • Patent number: 8826036
    Abstract: An electronic book distribution system encrypts distributed electronic books (“eBooks”) with a content key. The content key is in turn encrypted with a voucher key. The voucher key for a particular eBook is generated based on a combination of (a) an ID or serial number of an eBook reader device to which the eBook is being distributed, (b) a user account secret associated with a user of the eBook reader device, and (c) metadata associated with the eBook itself.
    Type: Grant
    Filed: June 28, 2010
    Date of Patent: September 2, 2014
    Assignee: Amazon Technologies, Inc.
    Inventors: Ryan J. Snodgrass, James C. Slezak, Matthew E. Goldberg, Jeremie Leproust, Guillaume Jeulin, Felix F. Antony
  • Patent number: 8826382
    Abstract: A method of determining whether a response received from an electronic device is generated by a person or by an automated software. The method receives a set of capabilities of the electronic device for detecting a group of actions that include at least a gesture or a device movement. The method selects a set of actions based on the device capabilities. The method sends a request to the electronic device for performing the set of actions in the plurality of actions. The method, based on a result of the set of actions performed on the electronic device, determining whether the set of actions are performed by a human.
    Type: Grant
    Filed: September 14, 2012
    Date of Patent: September 2, 2014
    Assignee: Apple Inc.
    Inventor: Mehul Kirtikant Sanghavi
  • Patent number: 8826405
    Abstract: A method and an apparatus for configuring a key stored within a secure storage area (e.g., ROM) of a device including one of enabling and disabling the key according to a predetermined condition to execute a code image are described. The key may uniquely identify the device. The code image may be loaded from a provider satisfying a predetermined condition to set up at least one component of an operating environment of the device. Verification of the code image may be optional according to the configuration of the key. Secure execution of an unverified code image may be based on a configuration that disables the key.
    Type: Grant
    Filed: September 15, 2012
    Date of Patent: September 2, 2014
    Assignee: Apple Inc.
    Inventors: Joshua de Cesare, Michael Smith, Dallas Blake De Atley, John Andrew Wright
  • Patent number: 8826440
    Abstract: Among other disclosed subject matter, a computer-implemented method includes initializing a first descriptor table and a second descriptor table. The first descriptor table is associated with a first permission level and the second descriptor table is associated with a second permission level that is different from the first permission level. The first descriptor table and the second descriptor table are associated with a hardware processor and initialized by an operating system kernel. The method also includes providing a memory address associated with the first descriptor table, in response to a descriptor table address request. The descriptor table address request is provided by a software process. The method also includes updating the second descriptor table, in response to an update request.
    Type: Grant
    Filed: October 19, 2011
    Date of Patent: September 2, 2014
    Assignee: Google Inc.
    Inventor: Eric R. Northup
  • Patent number: 8813221
    Abstract: Some embodiments of reassembly-free deep packet inspection (DPI) on multi-core hardware have been presented. In one embodiment, a set of packets of one or more files is received at a networked device from one or more connections. Each packet is scanned using one of a set of processing cores in the networked device without buffering the one or more files in the networked device. Furthermore, the set of processing cores may scan the packets substantially concurrently.
    Type: Grant
    Filed: September 25, 2008
    Date of Patent: August 19, 2014
    Assignee: SonicWALL, Inc.
    Inventors: Aleksandr Dubrovsky, John E. Gmuender, Huy Minh Nguyen, Ilya Minkin, Justin M. Brady, Boris Yanovsky
  • Patent number: 8812864
    Abstract: A reader element is associated with an identity verification element. The reader element has a biometric input device and is configured, through enrollment of a biometric element is used to encrypt a character sequence associated with the identity verification element. In a verification phase subsequent to the enrollment, a user may be spared a step of providing the character sequence by, instead, providing the biometric element. Responsive to receiving the biometric element, the reader element may decrypt the character sequence and provide the character sequence to the identity verification element.
    Type: Grant
    Filed: January 10, 2013
    Date of Patent: August 19, 2014
    Assignee: BlackBerry Limited
    Inventors: Neil Patrick Adams, Richard Paul Sibley, Dinah Lea Marie Davis, Ravi Singh
  • Patent number: 8806640
    Abstract: A computer system may be employed to verify program execution integrity by receiving a request to launch a program that has been instrumented to include at least one integrity marker, instantiating the program with an integrity marker value, and verifying the execution integrity of the program based on the integrity marker value and information received from the program during execution. A computer system may also be employed for program instrumentation by modifying the program to include at least one instruction for passing an integrity marker value to an operating system kernel during execution of the instruction.
    Type: Grant
    Filed: October 21, 2011
    Date of Patent: August 12, 2014
    Assignee: George Mason Intellectual Properties, Inc.
    Inventor: Xinyuan Wang