Patents Examined by Kari Schmidt
  • Patent number: 9521120
    Abstract: This method securely transmits data from a secure control system [110] located on an isolated computer network [100] to a separate computer [210] outside the isolated control network [100]. The method includes several features designed to minimize the risk of outside cyber attack on the control system [110] while ensuring that the data is transmitted correctly and promptly. The system uses a non-routable unidirectional physical data link [300]. Messages [400] are redundantly transmitted to computer [210] without acknowledgement along with checksums [430,450]. The checksum information is used to validate that the message header [420] and the message data [440] have been received correctly. Redundant information contained in repeated message data blocks [440] is discarded after the transmitted message [400] is correctly received and decoded. An ordered transmission sequence is used to minimize the message delay if an individual message [400] was not received correctly on its first transmission.
    Type: Grant
    Filed: April 22, 2010
    Date of Patent: December 13, 2016
    Assignee: GENERAL ELECTRIC TECHNOLOGY GMBH
    Inventor: Allan G. Ferry
  • Patent number: 9509682
    Abstract: In general, the subject matter described in this document can be embodied in methods, systems, and program products. A computing system receives a token that was specified during a process for logging into an account. The computing system determines whether the token matches any of a plurality of tokens that are assigned to a respective plurality of accounts. The computing system identifies, in response to determining that the token matches a particular token that is assigned to a particular one of the plurality of accounts, a username for the particular one of the plurality of accounts. The computing system provides information to cause a computer display to present the username and multiple other usernames in an obscured manner. The computing system receives an indication that user input selected the username. The computing system receives a password. The computing system provides authorization to log into the account.
    Type: Grant
    Filed: January 7, 2015
    Date of Patent: November 29, 2016
    Assignee: THE BOARD OF REGENTS OF THE NEVADA SYSTEM OF HIGHER EDUCATION ON BEHALF OF THE UNIVERSITY OF NEVADA, LAS VEGAS
    Inventors: Juyeon Jo, Yoohwan Kim
  • Patent number: 9503479
    Abstract: A method and system for assessing security of a network perimeter of a network. Security of an authentication computer from attack is reviewed. Users outside of the network perimeter that request access to an application within the network perimeter are authenticated. Vulnerability of a gateway computer at the network perimeter from applications outside of the network perimeter is reviewed. The reviewing of vulnerability of the gateway computer includes scanning ports on the gateway computer to determine whether an unauthorized application outside the network perimeter and/or at least one unauthorized service from the unauthorized application is available within the network perimeter via the gateway computer.
    Type: Grant
    Filed: March 23, 2015
    Date of Patent: November 22, 2016
    Assignee: International Business Machines Corporation
    Inventors: W. Carey Bunn, Letitia K. Calvert, Mary E. Karnes
  • Patent number: 9503268
    Abstract: A formalized set of interfaces (e.g., application programming interfaces (APIs)) is described, that uses a security scheme, such as asymmetric (or symmetric) cryptography, in order to secure the results of privileged operations on systems such as the operating system (OS) kernel and/or the hypervisor. The interface allows a public key to be included into a request to perform a privileged operation on a hypervisor and/or kernel. The kernel and/or hypervisor use the key included in the request to encrypt the results of the privileged operation. In some embodiments, the request itself can also be encrypted, such that any intermediate parties are not able to read the parameters and other information of the request.
    Type: Grant
    Filed: January 22, 2013
    Date of Patent: November 22, 2016
    Assignee: Amazon Technologies, Inc.
    Inventors: Eric Jason Brandwine, Matthew Shawn Wilson
  • Patent number: 9497025
    Abstract: An Ethernet interface module comprises a duplex port operable to transfer frames between said Ethernet network and a device and a path coupling a receive portion of the duplex port to a transmit portion of said first full duplex port. A queue is disposed in said first path. Evaluation apparatus is coupled to the queue and determines whether a received frame is addressed to said Ethernet interface module and whether a frame type field contains a frame type. The Ethernet interface module is operable in a first mode such that every said received frame is echoed back out the full duplex port; and is operable in a second mode such that each received frame that meets predetermined evaluation criteria is echoed back out the duplex port and those received frames that do not meet the predetermined evaluation criteria are discarded.
    Type: Grant
    Filed: September 20, 2014
    Date of Patent: November 15, 2016
    Assignee: INNOVASIC INC.
    Inventor: Andrew David Alsup
  • Patent number: 9497210
    Abstract: A method includes assessing a trustworthiness level of a user computer by communication between the user computer and a first server. A record indicating the trustworthiness level is sent from the first server to the user computer, for storage by the user computer. A request is sent from the user computer to a second server, different from the first server, for a service to be provided to the user computer by the second server. The record is provided from the user computer to the second server by communicating between the user computer and the second server. At the second server, the trustworthiness level is extracted from the record, and the requested service is conditionally allowed to be provided to the user computer depending on the extracted trustworthiness level.
    Type: Grant
    Filed: April 7, 2016
    Date of Patent: November 15, 2016
    Assignee: Intel Corporation
    Inventors: Yoav Weiss, Etay Bogner
  • Patent number: 9491140
    Abstract: The present invention relates to a converged personal network service (CPNS). More particularly, the present invention relates to a method for switching a personal network (PN) gateway in a PN from a first device to a second device, including the steps of: the first device transmitting, to the second device, a first message requesting PN gateway switching; the first device receiving a second message from the second device in response to the first message; and the first device authenticating the PN gateway when the second message includes a value indicating success, as well as to an apparatus therefor.
    Type: Grant
    Filed: February 26, 2013
    Date of Patent: November 8, 2016
    Assignee: LG ELECTRONICS INC.
    Inventors: Seungmyeong Jeong, Younsung Chu
  • Patent number: 9491040
    Abstract: A management station which manages the encryption devices in a SAN to set up encrypted LUNs. In setting up the encryption, the source and target ports are identified, along with the target LUN. LUN serial numbers are used to identify unique LUNs. As paths to a given LUN are defined, the management station compares the path to existing paths and provides an indication if there is a mismatch in the encryption policies or keys being applied to the LUN over the various paths. This allows the administrator to readily identify when there is a problem with the paths to an encrypted LUN and then take steps to cure the problem. By determining the paths and then comparing them, the management station greatly simplifies setting up multipath I/O to an encrypted LUN or access by multiple hosts to an encrypted LUN.
    Type: Grant
    Filed: February 17, 2014
    Date of Patent: November 8, 2016
    Assignee: Brocade Communications Systems, Inc.
    Inventors: David Hamilton, Marcus Thordal, Prakash Kaligotla, Hui-Lin Li
  • Patent number: 9483651
    Abstract: Systems and techniques for transferring data to a storage device. A storage device includes storage, a processor, and a wireless transceiver, as well as a connector allowing the storage device to operate according to an appropriate standard when connected to a playback or data device. The storage device can communicate with a data transfer station to wirelessly receive data from the station. A user may select data to be transferred to a removable media device, and the station transfers the data over a wireless connection. The removable media device stores the data in memory as it is received. Once the data has been received, the data can be played or otherwise used in any playback or data device to which the storage device may be connected for use as a memory device.
    Type: Grant
    Filed: November 30, 2009
    Date of Patent: November 1, 2016
    Assignee: NCR CORPORATION
    Inventors: Albertus Maria Gerardus Claessen, Nathaniel Christopher Herwig, James Henderson
  • Patent number: 9483661
    Abstract: Systems and methods for requesting transmission of a document from a sender device to a signer device, for purposes of obtaining an e-signature from the signer device, are disclosed. In some example embodiments, the systems and methods establish and/or determine a physical proximity between a signer device and a sender device, such as via a handshake between the devices, and a document to be signed is provided to the signer device in response to the established physical proximity.
    Type: Grant
    Filed: August 22, 2012
    Date of Patent: November 1, 2016
    Assignee: Adobe Systems Incorporated
    Inventor: Paul Picazo
  • Patent number: 9467435
    Abstract: An electronic message threat protection system that incorporates user authorization to ensure that only authorized users receive the benefits of the system's protection. The system protects against threats such as phishing attacks or malware embedded in attached files. References to resources in messages, such as links or attachments, are transformed into protected references that may for example insert a level of indirection between the user and the resource. Use of a protected reference triggers a user authorization check; if the user is an authorized user, the system provides access via a security mechanism that mitigates potential threats. Unauthorized users are denied access. A message recipient may deliberately or inadvertently distribute copies of the message or of the protected references; however, the authorization check ensures that recipients of the copies can only access resources via these copies if they are authorized users.
    Type: Grant
    Filed: September 15, 2015
    Date of Patent: October 11, 2016
    Assignee: MIMECAST NORTH AMERICA, INC.
    Inventors: Simon Tyler, Steven Malone, Jackie Maylor, Wayne Van Ry, Francisco Ribeiro
  • Patent number: 9467289
    Abstract: A network security system comprises a first component that generates an address for identifying a communicating device on a network. A second component receives the address generated by the first component and facilitates transitioning from an existent address to the generated address. Such transitioning is effectuated in order to protect the network against attack while providing seamless communications with respect to the communicating device.
    Type: Grant
    Filed: April 22, 2013
    Date of Patent: October 11, 2016
    Assignee: ROCKWELL AUTOMATION TECHNOLOGIES, INC.
    Inventors: Mark B. Anderson, David D. Brandt, Ramdas M. Pai, Taryl J. Jasper
  • Patent number: 9460289
    Abstract: Securing a virtual environment includes: in a host device, intercepting a packet addressed to a virtual machine implemented by the host device; redirecting the packet to a security device external to the host device through an egress tunnel; and delivering the packet to the virtual machine if the host device receives an indication from the security device that the packet is approved.
    Type: Grant
    Filed: February 18, 2011
    Date of Patent: October 4, 2016
    Assignee: Trend Micro Incorporated
    Inventors: James Rolette, Edward Ross, Damon Fleury
  • Patent number: 9461996
    Abstract: The present disclosure is directed to methods and systems of providing a user-selectable list of disparately hosted applications. A device intermediary to a client and one or more servers may receive a user request to access a list of applications published to the user. The device may communicate to the client the list of published applications available to the user, the list comprising graphical icons corresponding to disparately hosted applications, at least one graphical icon corresponding to a third-party hosted application of the disparately hosted applications, the third party hosted application served by a remote third-party server. The device may receive a selection from the user of the at least one graphical icon. The device may communicate, from the remote third party server to the client of the user, execution of the third party hosted application responsive to the selection by the user.
    Type: Grant
    Filed: May 6, 2011
    Date of Patent: October 4, 2016
    Assignee: CITRIX SYSTEMS, INC.
    Inventors: Richard Hayton, Ajay Soni, Abhishek Chauhan, Rajiv Sinha, Minoo Gupta
  • Patent number: 9462284
    Abstract: A method produces a video data stream for an expansion signal, wherein a base signal represents a first video quality degree and the expansion and base signals jointly represent a second video quality. Only second syntax elements of the expansion signal which are not describable by the first syntax element of the base signal are taken into account during encoding, the coding mode of a video encoding method which is encodable by all syntax elements is selected by means of a statistical method, said second syntax elements are not representable by one or several first syntax elements and the method brings about the production of the shortest video data stream for said second syntax elements. A decoding method for restoring the expansion signal from the video data stream, encoding and coding devices are also disclosed.
    Type: Grant
    Filed: November 8, 2005
    Date of Patent: October 4, 2016
    Assignee: SIEMENS AKTIENGESELLSCHAFT
    Inventors: Peter Amon, Jürgen Pandel
  • Patent number: 9455832
    Abstract: A portion of the signed message in an ECPVS is kept truly confidential by dividing the message being signed into at least three parts, wherein one portion is visible, another portion is recoverable by any entity and carries the necessary redundancy for verification, and at least one additional portion is kept confidential. The additional portion is kept confidential by encrypting such portion using a key generated from information specific to that verifying entity. In this way, any entity with access to the signer's public key can verify the signature by checking for a specific characteristic, such as a certain amount of redundancy in the one recovered portion, but cannot recover the confidential portion, only the specific entity can do so. Message recovery is also provided in an elliptic curve signature using a modification of the well analyzed ECDSA signing equation instead of, e.g. the Schnorr equation used in traditional PV signature schemes.
    Type: Grant
    Filed: September 4, 2008
    Date of Patent: September 27, 2016
    Assignee: Certicom Corp.
    Inventors: Daniel R. Brown, Matthew J. Campagna, Marinus Struik, Scott A. Vanstone
  • Patent number: 9455990
    Abstract: Embodiments of the present invention provide an efficient and scalable scheme for role-based access control to resources. The resources are assigned a protection class. Resources in the same protection class share the same access control policy. Permissions granted to various roles are then defined based on privilege sets and protection classes. Accordingly, the permissions of a role can be dynamically determined at runtime. Furthermore, as new resources are added, they can be assigned to a pre-existing protection class. The new resource may thus automatically inherit the various permissions and roles attached to the protection class.
    Type: Grant
    Filed: July 21, 2006
    Date of Patent: September 27, 2016
    Assignee: International Business Machines Corporation
    Inventors: Ganesha Beedubail, David Mun-Hien Choy, Hui-I Hsiao, Sriram Raghavan, Ganesh Vaideeswaran
  • Patent number: 9455995
    Abstract: System, method and program for identifying a subset of a multiplicity of source networks. The subset including one or more source networks which have sent messages to one of a plurality of destination locations having a same IP address. For each of the multiplicity of source networks, a determination is made whether there are fewer intervening hops from the source network to the one destination location than from the source network to other of the plurality of destination locations. If so, the source network is included in the subset. If not, the source network is not included in the subset. One application of the present invention is to identify a source of a denial of service attack. After the subset is identified, filters can be sequentially applied to block messages from respective source networks in the subset to determine which source network in the subset is sending the messages.
    Type: Grant
    Filed: October 26, 2015
    Date of Patent: September 27, 2016
    Assignee: International Business Machines Corporation
    Inventors: Richard E. Nesbitt, Brian M. O'Connell, Herbert D. Pearthree, Kevin E. Vaughan
  • Patent number: 9450977
    Abstract: A method of updating a content detection module includes obtaining content detection data, and transmitting the content detection data to a content detection module, wherein the transmitting is performed not in response to a request from the content detection module. A method of sending content detection data includes obtaining content detection data, selecting an update station from a plurality of update stations, and sending the content detection data to the selected update station. A method of building a content detection system includes establishing a first communication link between a central station and an update station, the central station configured to transmit content detection data to the update station, and establishing a second communication link between the update station and a content detection module.
    Type: Grant
    Filed: July 11, 2012
    Date of Patent: September 20, 2016
    Assignee: Fortinet, Inc.
    Inventors: Yu Fang, Michael Xie
  • Patent number: 9432354
    Abstract: The tool to provide a role-based access tool is configured to receive a single sign-on login from a user; determine an identity of the user based on the single sign-on login; authorize a defined role of the user by: accessing a database comprising a plurality of users and associated roles; and determining the defined role based on the user's identity and the associated roles in the database; present one or more service catalogs to the user based on the defined role of the user; receive a request to complete an action associated with the one or more service catalogs; process the action for execution after receiving the request; and run the action on one or more systems.
    Type: Grant
    Filed: January 1, 2015
    Date of Patent: August 30, 2016
    Assignee: Bank of America Corporation
    Inventor: Vishal Wadhwa