Abstract: Systems and methods for adding context to prevent data leakage over a computer network are disclosed. Data is classified and contextual information of the data is determined. A transmission policy is determined in response to the classification and contextual information. The data is either transmitted or blocked in response to the classification and the contextual information.

Abstract: A content display apparatus which processes protected information configured, with an aim to prevent access from any unauthorized program, to include: a process managing unit which manages a plurality of processes operable in the content display apparatus; and an access detecting unit configured to detect access to the protected-information access detecting unit which detects access to the protected information. The process managing unit includes an application execution control unit which temporarily stops the operation of each of at least one process other than a process which accesses the protected information among the plurality of processes when the access to the protected information is detected by the protected-information access detecting unit.

Abstract: Methods and devices for pre-generating session keys for securing transactions are provided. A plurality of session cryptographic keys are generated from a master cryptographic key and a respective plurality of possible values of a transaction counter. The session cryptographic keys are encrypted to provide a plurality of encrypted session cryptographic keys, which are stored in the user terminal. The master cryptographic key is deleted from the user terminal after the session keys are generated. To secure a transaction, a cryptogram is generated based on one of the encrypted session cryptographic keys and transaction data for the transaction, and the cryptogram is transmitted to a transaction terminal. The transaction counter is updated, and the encrypted session cryptographic key is deleted from the user terminal.

Abstract: A mechanism is provided for consumption based digital content rental. Responsive to validating a request from a user to consume the digital content, one or more discrete units of a plurality of discrete units comprised by the digital content are made available to the user. A timer associated with a selected discrete unit is started that records an agreed-to consumption time for the selected discrete unit. The selected discrete unit is presented to the user and then a determination is made as to whether the tinier indicates that the agreed-to consumption time of the selected discrete unit has expired. When the agreed-to consumption time has expired, consumption of the selected discrete unit is ended white leaving each remaining discrete units in the plurality of discrete unit with its own agreed-to consumption time for the user to consume.

Abstract: Embodiments are directed to providing attribute-based data access. In an embodiment, a data request specifies one or more search data attributes describing requested data that is to be found in an anonymous directory. The anonymous directory is configured to provide access to secured data according to access controls defined one or more clients. The secured data includes data that is associated with a particular client and that is encrypted using multi-authority attribute-based encryption, which associates the data with one or more encryption data attributes and that enables the data to be provided if conditions in the corresponding access controls are met. The particular portion of data is provided based on determining that the conditions in the corresponding access controls are met, and that at least one of the search data attributes is determined to be relevant to at least one of the encryption data attributes.

Abstract: An image processing device includes a processing unit that performs processing on image data, an obtaining unit that obtains a number of users, and a control unit that executes a job by controlling the processing unit to perform the processing in one of control modes. The control unit switches between the control modes based on the number of users.

Abstract: An authentication server and user device are provided. The authentication server includes: a memory for storing a user identification code associated with a user; a function generator for generating a plurality of functions, the functions adapted to produce a pass code based on the user identification code; a memory for storing a function associated with the user; an application generator for generating an application adapted to implement the function on a user device; an application distributor for distributing the application to the user device; a transaction code generator for generating a transaction code for a transaction; a transaction code distributor for supplying the transaction code to the application; and a controller for receiving a pass code for the transaction from the user device and for authenticating the transaction based on the received pass code, the function, the user identification code and the transaction code.

Abstract: User specific logs in multi-user applications. Level data associating a user of a multi-user application with a respective log level is received. The multi-user application then records an amount of information determined by the log level corresponding to the user presently using the multi-user application.

Abstract: A system and apparatus for transferring data between communication elements is disclosed. A system that incorporates teachings of the present disclosure may include, for example, a communication device having a controller element to receive data from a web server to update one or more entries of an identity module coupled to the controller element. The data can be retrieved by the web server from a second communication device. Additional embodiments are disclosed.

Abstract: Video content uploaded from a user, and received at a web-based service, is processed to compute fingerprint data. By reference to the fingerprint data, controlled content included within the received content is identified. A similarity score between the controlled content and the received content is determined. Usage rule data to be applied to the received video content is selected (e.g., based, at least in part, on the determined similarity score), and is applied in governing distribution of the received video content from the web-based service. In some arrangements, the owner of the controlled content is identified, and selection of rule data depends on the identified owner. The owner may have established multiple usage rules, and selection between them may be based, e.g., on a percentage of the controlled content that is included in the received video content. A great variety of other features and arrangements are also detailed.

Abstract: Systems, methods and computer program products for enabling enforcement of an administrative policy on one or more mobile devices are described herein. In an embodiment, an administrator uses a policy server to create and provide an enforcement policy to a mobile device. An enforcement policy may include information on mobile device resources which may be controlled by an administrator. An enforcement policy also includes information on how mobile device features will be set, configured or disabled. An enforcement device driver and an enforcement monitor on a mobile device use the enforcement policy to control access to resources associated with the mobile device regardless of whether the mobile device is “online” and connected to a network or “offline” and disconnected from a network.

Abstract: The present invention relates to a method for transferring content to a device, the method including the steps of: receiving a request for content from the device; delivering a uniquely identifiable, ephemeral player to the device; and transferring content to the device, for presentation on the device by the player. The invention has particular application to digital rights management in respect of the distribution of audiovisual content such as film and television programs, advertisements and live event broadcasts over communication networks such as the Internet.

Abstract: To provide a configuration in which a unit classification number corresponding to a content playback path is set based on various units. A unit classification number defining a playback path of content including encrypted data having different variations generated by encrypting a segment portion which forms the content by using a plurality of segment keys and encrypted content generated by encrypting a non-segment portion by a unit key is set based on various units, such as a content management unit and an index. In a CPS unit key file storing key generating information concerning CPS units as content management units, settings of unit classification numbers are indicated. Based on the CPS unit key file, a unit classification number to which content to be played back belongs can be obtained.

Abstract: A system for detecting file upload vulnerabilities in web applications is provided. The system may include a black-box tester configured to upload, via a file upload interface exposed by a web application, a file together with a signature associated with the file. An execution monitor may be configured to receive information provided by instrumentation instructions within the web application during the execution of the web application. The execution monitor may be configured to recognize the signature of the uploaded file as indicating that the uploaded file was uploaded by the black-box tester. The execution monitor may also be configured to use any of the information to make at least one predefined determination assessing the vulnerability of the web application to a file upload exploit.

Abstract: A graphics processing unit (GPU) is configured to access a first memory unit according to one of an unsecure mode and a secure mode. The GPU may include a memory access controller configured to allow the GPU to read data from only an unsecure portion of the first memory unit when the GPU is in the unsecure mode, and configured to allow the GPU to write data only to a secure portion of the first memory unit when the GPU is in the secure mode.

Abstract: A method and computing device for managing grouped resources comprising receiving, at the computing device, a policy for a set of grouped resources; applying the policy; locking at least one of the computing device or the set of grouped resources associated with the policy; waiting for receipt of an authentication parameter at the computing device; verifying the authentication parameter; associating the set of grouped resources with the authentication parameter; and unlocking the least one of the computing device or the set of grouped resources.

Abstract: Methods and systems for cross-site scripting (XSS) defense are described herein. An embodiment includes, embedding one or more tags in content at a server to identify executable and non-executable regions in the content and transmitting the content with the tags to a client based on a request from the client. Another embodiment includes receiving content embedded with one or more permission tags from a server, processing the content and the permission tags, and granting permission to a browser to execute executable content in the content based on the permission tags. A method embodiment also includes receiving content embedded with one or more verify tags from a server, performing an integrity check using the verify tags and granting permission to a browser to execute executable content in the content based on the integrity check.

Abstract: A processor-implemented method, system, and/or computer program product securely accesses a specific data store. A non-contextual data object is associated with a context object to define a first synthetic context-based object. The non-contextual data object ambiguously describes multiple types of persons, and the context object provides a circumstantial context that identifies a specific type of person from the multiple types of persons. The first synthetic context-based object is associated with at least one specific data store in a data structure. A string of binary data that describes a requester of data is received by a security module for generating a new synthetic context-based object. If there is a match between the new synthetic context-based object and the first synthetic context-based object, then the data is returned to the requester.

Abstract: A system and method of encrypting digital content in a digital container and securely locking the encrypted content to a particular user and/or computer or other computing device is provided. The system uses a token-based authentication and authorization procedure and involves the use of an authentication/authorization server. This system provides a high level of encryption security equivalent to that provided by public key/asymmetric cryptography without the complexity and expense of the associated PKI infrastructure. The system enjoys the simplicity and ease of use of single key/symmetric cryptography without the risk inherent in passing unsecured hidden keys. The secured digital container when locked to a user or user's device may not open or permit access to the contents if the digital container is transferred to another user's device. The digital container provides a secure technique of distributing electronic content such as videos, text, data, photos, financial data, sales solicitations, or the like.

Abstract: A security model restricts binary behaviors on a machine based on identified security zones. Binary behaviors can be attached to an element of a document, web-page, or email message. The binary behavior potentially threatens security on the local machine. A security manager intercepts download requests and/or execution requests, identifies a security zone for the requested binary behavior, and restricts access based on the security zone. The binary behavior can identify a security zone according to the related URL. In one example, all binary behaviors associated with a security zone are handled identically. In another example, a list of permissible binary behaviors is associated with a security zone such that only specified binary behaviors are granted access. In still another example, a list of impermissible binary behaviors is associated with a security zone such that binary behaviors that are found in the list cannot initiate access.

Abstract: Aspects of the subject disclosure are directed towards protecting machines, such as virtual machines in a cloud datacenter, from receiving unwanted traffic, and also reducing bandwidth by eliminating redundant data transmissions. In one aspect, an agent intercepts packets from a source, and determines whether the destination is allowed to receive packets from the source, based upon a communication group membership. The agent also may drop packets based upon malware/fraud signatures. The agent also attempts to reduce bandwidth by replacing redundant content with identifiers (e.g., hashcodes), which a destination machine uses to rebuild the original content. A destination-side agent may perform the same or similar communication group membership and malware/fraud signature filtering operations, and reassemble redundancy-reduced content from received identifiers as needed.

Abstract: A system and method for concealing and selectively revealing mobile messages is disclosed in which a sender generates a message, such as a text message, an image, or a video. Before being sent, the message is converted into a masked message object by a message masking function, such as a redacting function. The masked message object is transmitted to a recipient. On first being displayed, the message is not readable or viewable, because it is incorporated in a masked message object. The recipient can, however, interact with a touch screen associated with their mobile messaging device. When the recipient touches the screen in a vicinity of the masked message object, all or part of the original text message, image, or video is then displayed in readable or viewable form.

Abstract: A system and computer-implemented method for securely managing enterprise related applications and associated data on one or more portable communication devices is provided. The system comprises one or more appboxes, residing on the one or more portable communication devices, configured to secure, monitor and collect information related to at least one of: one or more applications and associated data and the one or more portable communication devices. The system further comprises a server configured to facilitate one or more administrators to monitor and manage overall functionality of at least one of: the one or more applications and associated data and the one or more portable communication devices using the collected information.

Abstract: An apparatus, e.g. a database verifier, includes an instruction memory and a processor operatively coupled to the instruction memory. The processor is configured by instructions in the memory to verify that a record set is authorized to be transmitted by comparing a received first authenticator value to a calculated second authenticator value determined from the record set and a received verification key.

Abstract: Technologies for labeling diverse content are described. In some embodiments, a content creation device generates a data structure that may include encrypted diverse content and metadata including at least one rights management (RM) label applying to the diverse content. The RM label may attribute all or a portion of the diverse content to one or more authors. The metadata may also be signed using an independently verifiable electronic signature. A consumption device receiving such a data structure may verify the authenticity of the electronic signature and, if verification succeeds, decrypt the encrypted diverse content in the data structure. Because the metadata is encapsulated with the diverse content in the data structure, it may accompany the diverse content upon its transfer or incorporation into other diverse content.

Abstract: The disclosed subject matter provides for event driven permissive sharing of information. In an aspect, user equipment can include information sharing profiles that can facilitate sharing information with other devices or users, such as sharing location information. The information sharing profiles can include trigger values, such that when a target value transitions the trigger value, a permission value is updated to restrict access to sharable information. As such, event driven permissive sharing of information allows for designation of temporary friend information sharing with user-defined triggers.

Abstract: A memory device includes but is not limited to a substrate, a non-volatile memory array integrated on the substrate, and data security logic integrated with the non-volatile memory array on the substrate. The data security logic is operable to perform at least one data security function associated with the non-volatile memory array.

Abstract: A mobile terminal supporting dual operating systems and an authentication method thereof. The mobile terminal includes a memory configured to store at least two different operating systems configured to act in at least two different modes, respectively, and a controller configured to perform an authentication procedure for authenticating that one mode can be switched to the other mode, and to display a type identifier only in one group identifier corresponding to a currently activated mode among the at least two different operating systems.

Abstract: A device includes a memory which stores a program, and a processor which executes, based on the program, a procedure comprising establishing a session with a request source when a request for a service, made to a second providing source, has been received from the request source, the second providing source providing the service based on data stored in a first providing source; and when an inquiry about whether to transmit the data to the second providing source has been received from the first providing source, notifying, so as to encrypt a mask range of the data, the first providing source of session information indicating the session established with the request source and notifying the request source of the session information so as to decrypt the encrypted mask range of data based on the session information.

Abstract: Various hardware and software configurations are described herein which provide improved security and control over protected data. In some embodiments, a computer includes a main motherboard card coupled to all input/output devices connected to the computer, and a trusted operating system operates on the main motherboard which includes an access control module for controlling access to the protected data in accordance with rules. The trusted operating system stores the protected data in an unprotected form only on the memory devices on the main motherboard. The computer may also have a computer card coupled to the main motherboard via a PCI bus, on which is operating a guest operating system session for handling requests for data from software applications on the computer.

Abstract: A secure computing environment that prevents malicious code from “illegitimately” interacting with programs and data residing on the computing platform. While the various embodiments restrict certain programs to operate in a virtualized environment, such operation is transparent to the user from the operational point of view. Moreover, any program operating in the virtualized environment is made to believe that it has full access to all of the computing resources. To prevent a user from unknowingly or inadvertently allowing the program to adversely affect the computer, the user is also presented with “feel” that the program is able to perform all operations in the computing environment.

Abstract: A communication device may be configured to control access to geolocation services for applications on the communication device utilizing a first privacy access level setting that enables access to the geolocation services when selected, a second privacy access level setting that disables access to the geolocation services when selected, and other privacy access level settings that are different from, and fall between, the first privacy access level setting and the second privacy access level setting, and enable one time access to the geolocation services for the communication device when selected. The applications can include applications on the communication device that are managed and/or handled by a particular application service provider. The privacy access level settings comprise an anonymous one-time access and a non-anonymous one-time access.

Abstract: One embodiment of the invention is directed to a method including receiving an alias identifier associated with an account associated with a presenter, determining an associated trusted party using the alias identifier, sending a verification request message to the trusted party after determining the associated trusted party, and receiving a verification response message.

Abstract: Systems and methods for accessing digital content using electronic tickets and ticket tokens in accordance with embodiments of the invention are disclosed. In one embodiment, a user device includes a processor, a network interface, and memory configured to store an electronic ticket, and a ticket token, and the processor is configured by an application to send a request for digital content, receive a ticket token from a merchant server, wherein the ticket token is generated by a DRM server and associated with an electronic ticket that enables playback of the requested digital content, send the ticket token to a DRM server, receive an electronic ticket that enables playback of requested digital content, request the digital content associated with the electronic ticket, and play back the requested digital content using the electronic ticket.

Abstract: Techniques for determining whether firmware should trust an application sufficiently so as to provide a service to the application. Firmware, executing on a device, receives an indication that an application, also executing on the device, is requesting a service provided by the firmware. The firmware obtains (a) an operating system signature associated with the application and (b) a firmware signature associated with the application. The operating system signature is a signature that is used by the operating system, executing on the device, to authenticate the application, while the firmware signature is a signature that is used by the firmware to authenticate the application. If the firmware determines that the operating system signature matches the firmware signature, then the firmware storing trust data that permits the application to access the service provided by the firmware. The firmware need not calculate a signature based on the in-memory image of the application.

Abstract: Components of a mobile traffic network and components in communication with the network cooperate to confirm whether a mobile station user or account owner has previously purchased media content for a particular mobile station. Media content that has already been purchased by a user can be downloaded by that user to a new mobile station after the initial mobile station is lost, damaged, or upgraded.

Abstract: A system and method for securely storing, retrieving and sharing data using PCs and mobile devices and for controlling and tracking the movement of data to and from a variety of computing and storage devices.

Abstract: A computationally implemented method includes, but is not limited to: determining that a computing device that was presenting one or more portions of one or more items and that was in possession of a first user has been transferred from the first user to a second user; and marking, in response to said determining, the one or more portions of the one or more items to facilitate the computing device in returning to the one or more portions upon the computing device being at least transferred back to the first user. In addition to the foregoing, other method aspects are described in the claims, drawings, and text forming a part of the present disclosure.

Abstract: The instant disclosure describes various exemplary systems and methods for exonerating an untrusted software component based solely on a trusted software component's non-optional or “hard” dependency on the untrusted software component. In one example, a method for exonerating untrusted software components in this manner may include: 1) identifying a dependent software component, 2) determining that the dependent software component is a non-optional dependent component of at least one trusted software component, and then 3) classifying the dependent software component as a trusted software component. As detailed herein, such a method may enable security software to quickly and efficiently exonerate untrusted components by association without having to scan or perform other intrusive and/or resource-intensive security operations on such untrusted software components.

Abstract: The technology disclosed relates to automated compliance with data privacy laws of varying jurisdictions. In particular, it relates to constructing trust filters that automatically restrict collection, use, processing, transfer, or consumption of any person-related data that do not meet the data privacy regulations of the applicable jurisdictions. The trust filters are constructed dependent on associating person-related data entities with trust objects that track person-related data sources.

Abstract: The present invention provides a method and system for securing sensitive data from unauthorized access or use. The method and system of the present invention is useful in a wide variety of settings, including commercial settings generally available to the public which may be extremely large or small with respect to the number of users. The method and system of the present invention is also useful in a more private setting, such as with a corporation or governmental agency, as well as between corporation, governmental agencies or any other entity.

Abstract: A method and system for mobile information security protection may include extracting, by a first processor, identification information corresponding to a plurality of applications installed on a mobile device, sending the extracted identification information to a server, matching, by a second processor, the identification information to information stored in a database storage, receiving matched information from the database storage as a result of matching the identification information, sending the matched information to the mobile device, and presenting the matched information to a user of the mobile device.

Abstract: An electronic device generates an access signal according to user input. The electronic device includes a processor, a key circuit to generate a key signal according to press of the user, a storage unit to store data, a clock generator circuit to generate a clock signal, and a protection circuit. The protection circuit generates an enable signal or a disable signal according to the key signal and the clock signal to control the storage unit to unlock or lock, and transmits the access signal to the storage unit to access the data.

Abstract: A system, method, and computer program product are provided for validating receipt of digital content by a client device. In one embodiment, a transmission of digital content over a network to a client device is identified. Additionally, receipt of the digital content by the client device is validated utilizing a system remote from the client device. In another embodiment, it is determined whether actual digital content transmitted over a network to a client device is digital content expected by the client device. Further, the transmission of the actual digital content is validated to a remote third party system, based on the determination.

Abstract: An authentication system includes an apparatus and an authentication apparatus configured to perform authentication of a user of the apparatus. The apparatus includes an identification information obtaining unit configured to obtain identification information of the user and an authentication requesting unit configured to send the obtained identification information and group information indicating a group to which the user belongs to the authentication apparatus to request authentication of the user. The authentication apparatus includes an authentication unit configured to search records of identification information associated with the group information to find matching identification information matching the obtained identification information of the user.

Abstract: A method of packet management for restricting access to a resource of a computer system. The method includes identifying client parameters and network parameters, as a packet management information, used to determine access to the resource, negotiating a session key between client and server devices, generating a session ID based on at least the negotiated session key, inserting the packet management information and the session ID into each information packet sent from the client device to the server device, monitoring packet management information in each information packet from the client device, and filtering out respective information packets sent to the server device from the client device when the monitored packet management information indicates that access to the resource is restricted.

Abstract: Methods, systems, and computer-readable media for implementing a multi-factor authentication scheme utilizing barcode images in computing devices, such as standard mobile devices and smartphones having no native hardware support for reading barcodes other than standard digital camera componentry for capturing digital images of real-world phenomena. A mobile device may be configured by software to require a user, as a first authentication factor, to present a barcode, such as a Quick Response (QR) Code for image scanning using digital camera componentry built into the mobile device. The device analyzes the digital image of the barcode to decode the barcode into its encoded character data. If the device recognizes the character data as valid, then, as a second authentication factor, the device prompts the user to enter a valid password associated with the barcode. If the user-entered barcode is also valid, then the device may grant the user access.

Abstract: A method for manipulating security of an integrated circuit layout, comprising: rendering a PCell that is created by an original user for a successive user; providing an open access to the PCell; providing a PCell evaluator to execute evaluating steps of: getting license information from the PCell, and checking the PCell license information; and generating a layout of a sub-master by instantiating a super-master of the PCell if the PCell license information is valid, or leave the sub-master empty in a PCell view if the PCell license information is invalid.

Abstract: Techniques are disclosed for dynamically mitigating a noncompliant password. The method comprises obtaining a password; generating one or more quality scores for the password using a password policy for an authentication and authorization service; determining whether the password has sufficient score quality; in response to determining that the password does not have sufficient score quality, granting to the user a different level of access to the service than if the password meets the quality criteria; wherein the method is performed by one or more computing devices.

Abstract: A method of enabling detection of tampering with data provided to a programmable integrated circuit is described. The method comprises modifying a portion of the data to establish randomness in the data; and inserting, by a computer, a redundancy check value in the portion, wherein the redundancy check value is based upon the modified portion of the data. A programmable integrated circuit is also described.