Patents Examined by Abdulhakim Nobahar
  • Patent number: 9619671
    Abstract: A platform including a security system is described. The security system comprises, in one embodiment, a multi-state system having a plurality of modes, available whenever the platform has a source of power. The modes comprise an unarmed mode, in which the security system is not protecting the platform, an armed mode, in which the platform is protected, the armed mode reached from the unarmed mode, after an arming command, and a suspecting mode, in which the platform is suspecting theft, the suspecting mode reached from the armed mode, when a risk behavior is detected.
    Type: Grant
    Filed: December 22, 2011
    Date of Patent: April 11, 2017
    Assignee: Intel Corporation
    Inventors: Michael Berger, Mukesh Kataria, Jeffrey M. Tripp, Yasser Rasheed, David Birnbaum, Hung P. Huynh, Eli Kupermann, Mazen G. Gedeon, Joshua M. Resch
  • Patent number: 9552500
    Abstract: A platform including an always-available theft protection system is described. In one embodiment, the system comprises an arming logic to arm the platform, when an arming command is received, a risk behavior logic to detect a potential problem when the platform is armed, and a core logic component to provide logic to analyze the potential problem, and to move the platform to a suspecting mode, when the potential problem indicates a theft suspicion. The system, in one embodiment, further comprises configuration logic to configure settings for the system when the platform is in an unarmed mode, the configuration logic including a user logic enabling an authorized user to alter settings and an administrator logic enabling an administrator to alter the settings using an authenticated set request.
    Type: Grant
    Filed: December 22, 2011
    Date of Patent: January 24, 2017
    Assignee: Intel Corporation
    Inventor: Michael Berger
  • Patent number: 9491623
    Abstract: Systems and methods for cloning a Wi-Fi access point. A determination is made by a network monitoring device to transition communications between a Wi-Fi device and a first access point (AP) to a second AP. The SSID and the security configuration information, and, optionally, network address translation (NAT) information of the first access point are acquired and provided to a second AP. The second AP instantiates the SSID and the security configuration information and, optionally, the NAT information. The network monitoring device directs the first AP to cease using the SSID and the security configuration information and, optionally, the NAT information in response to receipt of confirmation that the second AP has instantiated the SSID and the security configuration information and, optionally, the NAT information of the first AP.
    Type: Grant
    Filed: May 14, 2015
    Date of Patent: November 8, 2016
    Assignee: TIME WARNER CABLE ENTERPRISES LLC
    Inventors: Geoff Filippi, John Anthony Chen
  • Patent number: 9449197
    Abstract: A mobile device operating system pools any available entropy. The resulting entropy pool is stored in device memory. When storing entropy in memory, preferably memory addresses are randomly allocated to prevent an attacker from capturing entropy that might have already been used to create a random number. The stored entropy pool provides a readily-available entropy source for any entropy required by the operating system or device applications. Then, when a cryptographic application requests a true random number, the operating system checks to determine whether the pool has available entropy and, if so, a portion of the entropy is provided to enable generation (e.g., by a TRNG) of a true random number that, in turn, may then be used for some cryptographic operation. After providing the entropy, the operating system clears the address locations that were used to provide it so that another entity cannot re-use the entropy.
    Type: Grant
    Filed: June 13, 2013
    Date of Patent: September 20, 2016
    Assignee: GLOBAL FOUNDRIES INC.
    Inventors: Matthew John Green, Leigh Stuart McLean, Peter Theodore Waltenberg
  • Patent number: 9419790
    Abstract: Information leaked from smart cards and other tamper resistant cryptographic devices can be statistically analyzed to determine keys or other secret data. A data collection and analysis system is configured with an analog-to-digital converter connected to measure the device's consumption of electrical power, or some other property of the target device, that varies during the device's processing. As the target device performs cryptographic operations, data from the A/D converter are recorded for each cryptographic operation. The stored data are then processed using statistical analysis, yielding the entire key, or partial information about the key that can be used to accelerate a brute force search or other attack.
    Type: Grant
    Filed: November 3, 2014
    Date of Patent: August 16, 2016
    Assignee: Cryptography Research, Inc.
    Inventors: Paul C. Kocher, Joshua M. Jaffe, Benjamin C. Jun
  • Patent number: 9413746
    Abstract: Embodiments of the present invention address deficiencies of the art in respect to applying application security to an extension point oriented application framework, and provide a novel and non-obvious method, system and computer program product for log-in module deployment and configuration in an extension point oriented application. In this regard, a method for log-in module deployment and configuration in an extension point oriented application can include installing a proxy to a login controller plug-in for the extension point oriented application, and proxying login module directives from an external security service to the login controller plug-in for the extension point oriented application.
    Type: Grant
    Filed: March 23, 2015
    Date of Patent: August 9, 2016
    Assignee: International Business Machines Corporation
    Inventors: Matthew W. Flaherty, Jay S. Rosenthal
  • Patent number: 9407637
    Abstract: The invention relates to a method and system for managing and checking different identity data relating to a person. According to the invention, a derived-identity management server generates for the person at least part of the identity data with which said person can be authenticated in relation to a service provider for the derived-identity domain, on the basis of information derived from identity data from parent domains. The identity data generation processing ensures that no link can be established from two authentications in two separate domains in the absence of link information. If necessary, said link information is transmitted by a parent domain to a derived-identity server so that the latter establishes the link between the identity data of the derived-identity domain and the identity data of the parent domain, e.g. for the cascade revocation of a person from various domains.
    Type: Grant
    Filed: August 2, 2012
    Date of Patent: August 2, 2016
    Assignee: MORPHO
    Inventors: Alain Patey, Herve Chabanne, Julien Bringer
  • Patent number: 9391955
    Abstract: Methods, computer-readable media, systems and apparatuses for firewall policy system are described. The firewall policy system may include a unified format converter, a firewall policy browser, and a firewall policy converter. The firewall policy converter may convert firewall policies between different configuration formats. A first firewall policy may be received in a first configuration format. The first firewall policy may be converted into a second configuration format, and a command to convert the first firewall policy from the second configuration format into a third configuration format may be received. In response to receiving the command, the first firewall policy may be converted from the second configuration format into the third configuration format. The first firewall policy may be outputted in the third configuration format.
    Type: Grant
    Filed: June 4, 2014
    Date of Patent: July 12, 2016
    Assignee: Bank of America Corporation
    Inventor: Mohamad Halabi
  • Patent number: 9390280
    Abstract: A server uses an encryption key to decrypt authentication information thereby facilitating communication with network-accessible applications that may be remotely located from the server. Servers can also use encryption keys to decrypt files containing sensitive data. The encryption key is obtained by a collection of software agents, each providing a portion of information necessary for generating the encryption key. Each software agent performs a respective examination, the results of which determine whether the respective portion of information is valid or not. A complete encryption key can be obtained only when all of the contributing portions of information are valid.
    Type: Grant
    Filed: September 16, 2013
    Date of Patent: July 12, 2016
    Assignee: Angel Secure Networks, Inc.
    Inventors: Benjamin Smith, Daniel Sabin, Fred Hewitt Smith
  • Patent number: 9336366
    Abstract: A system and method for controlling use of content in accordance with usage rights associated with the content and determined in accordance with the environment of a user device. A request is received for secure content from a user device and the integrity of the environment of the user device is verified. Appropriate usage rights are retrieved based upon the results of the verification of integrity and the content is rendered on the user device in accordance with the appropriate usage rights.
    Type: Grant
    Filed: November 14, 2014
    Date of Patent: May 10, 2016
    Assignee: ContentGuard Holdings, Inc.
    Inventors: Michael C. Raley, Daniel C. Chen, Hsi-Cheng Wu, Thanh Ta
  • Patent number: 9336408
    Abstract: Extracting data from a source system includes generating an authorization model of the data protection controls applied to the extracted data by the source system. The authorization model is used to map the data protection control applied to the extracted data to generate corresponding data protection controls provided in the target system. The extracted data is imported to the target system including implementing the corresponding data protection controls.
    Type: Grant
    Filed: October 10, 2014
    Date of Patent: May 10, 2016
    Assignee: SAP SE
    Inventors: John C. Radkowski, Swetta Singh
  • Patent number: 9332021
    Abstract: A security payload is attached to a received binary executable file. The security payload is adapted to intercept application programming interface (API) calls to system resources from the binary executable file via export address redirection back to the security payload. Upon execution of the binary executable file, the security payload replaces system library export addresses within a process address space for the binary executable file with security monitoring stub addresses to the security payload. Upon the binary executable computer file issuing a call to a given API, the process address space directs the call to the given API back to the security payload via one of the security monitoring stub addresses that is associated with the given API. The security payload then can assess whether the call to the given API is a security breach.
    Type: Grant
    Filed: March 13, 2014
    Date of Patent: May 3, 2016
    Assignee: International Business Machines Corporation
    Inventor: Vishal Chahal
  • Patent number: 9325647
    Abstract: A secure message that includes an attachment is received at a server. The secure message may have a secure layer that indicates that the secure message is at least digitally signed. The secure message may be provided without the attachment to the mobile device over a wireless network. A request may be received from the mobile device to access the attachment. The request may include an attachment identifier (ID) that identifies the attachment in accordance with a message-attachment indexing system. In response to the request to access the attachment, the server may perform an index lookup to find the attachment based upon the attachment ID, may look through the secure layer of the secure message in order to locate the attachment within the secure message, and may render at least an initial portion of the attachment by the server in a format for viewing by the mobile device.
    Type: Grant
    Filed: December 9, 2013
    Date of Patent: April 26, 2016
    Assignee: BlackBerry Limited
    Inventors: Michael Kenneth Brown, Neil Patrick Adams, Michael Stephen Brown
  • Patent number: 9319878
    Abstract: Enhanced cryptographic techniques are provided which facilitate higher data rates in a wireless communication system. In one aspect, improvements to the ZUC algorithm are disclosed which can reduce the number of logical operations involved in key stream generation, reduce computational burden on a mobile device implementing ZUC, and extend battery life. The disclosed techniques include, for instance, receiving, at a wireless communication apparatus, a data stream having data packets for ciphering or deciphering. The wireless apparatus can generate a cipher key for the cryptographic function, determine a starting address of a first data packet in the data stream and shift the cipher key to align with the starting address of the first data packet. Once aligned, the processing apparatus applies the cryptographic function to a first block of the first data packet using the shifted cipher key and manages a remaining portion of the cipher key to handle arbitrarily aligned data across multiple packets.
    Type: Grant
    Filed: September 11, 2013
    Date of Patent: April 19, 2016
    Assignee: QUALCOMM Incorporated
    Inventors: Justin Y. Wei, Antoine Dambre, Christopher Ahn, Gurvinder Singh Chhabra
  • Patent number: 9298920
    Abstract: An improved approach for classifying computer files as malicious (malware) or benign (whiteware) is disclosed. The invention classifies any computer file as malware or whiteware after using Bayes Theorem to evaluate each observable feature of each file with respect to other observable features of the same computer file with reference to statistical information gathered from repositories of known whiteware and malware files.
    Type: Grant
    Filed: May 6, 2015
    Date of Patent: March 29, 2016
    Assignee: THE UNITED STATES OF AMERICA, AS REPRESENTED BY THE SECRETARY OF THE AIR FORCE
    Inventors: Mark L Mason, Ming-Shih Wong, Jeffrey A. Rhines, Joshua M. Mitchell
  • Patent number: 9300466
    Abstract: There is provided a transmitting device including a public key information adder that adds information on a public key corresponding to an electronic signature to a sender address in an email with the electronic signature attached, and a transmitter that transmits the email.
    Type: Grant
    Filed: September 13, 2013
    Date of Patent: March 29, 2016
    Assignee: Sony Corporation
    Inventors: Koichi Sakumoto, Seiichi Matsuda
  • Patent number: 9294279
    Abstract: Techniques are provided for users to authenticate themselves to components in a system. The users may securely and efficiently enter credentials into the components. These credentials may be provided to a server in the system with strong authentication that the credentials originate from secure components. The server may then automatically build a network by securely distributing keys to each secure component to which a user presented credentials.
    Type: Grant
    Filed: May 5, 2014
    Date of Patent: March 22, 2016
    Assignee: Broadcom Corporation
    Inventors: Mark Buer, Ed Frank, Nambi Seshadri
  • Patent number: 9275234
    Abstract: A password protection application is executed on a mobile device and provides an interface by which an authorized user can define and configure a “data protection profile” for the device. This profile defines at least one security event (criteria or condition) associated with the device, and at least one protection action that should occur to protect data on the device upon the triggering of the event. Once defined in a profile, the application monitors for the occurrence of the security event. Upon the occurrence of the specified event, the protection action is enforced on the device to protect the data.
    Type: Grant
    Filed: March 1, 2013
    Date of Patent: March 1, 2016
    Assignee: International Business Machines Corporation
    Inventors: Mark Alexander McGloin, Olgierd Pieczul, Joseph Celi
  • Patent number: 9276955
    Abstract: Methods and systems for an integrated solution to flow collection for determination of rate-based DoS attacks targeting ISP infrastructure are provided. According to one embodiment, a method of mitigating DDoS attacks is provided. Information regarding at least one destination within a network for which a distributed denial of service (DDoS) attack status is to be monitored is received by a DDoS attack detection module coupled with a flow controller via a bus. The DDoS attack status is determined for the at least one destination based on the information regarding the at least one destination. When a DDoS attack is detected, the flow controller is notified of the DDoS attack status for the at least one destination by the DDoS attack detection module. Responsive thereto, the flow controller directs a route reflector to divert traffic destined for the at least one destination to a DDoS attack mitigation appliance within the network.
    Type: Grant
    Filed: March 23, 2015
    Date of Patent: March 1, 2016
    Assignee: Fortinet, Inc.
    Inventor: Hemant Kumar Jain
  • Patent number: 9264438
    Abstract: A method of advertising using an electronic processor authorization challenge. An advertisement is combined with an authorization key to form an image. An electronic processor disassembles the image and presents the disassembled image to a user by a graphical user interface as an authorization challenge. The authorization challenge can be successfully overcome by a human user reassembling the divided image, then recognizing the authorization key, and then responding to the authorization key. The authorization key is data configured to be inputted into an electronic processor by a human user or data corresponding to a command configured to be performed by a human user. The authorization key can be an advertisement, a feature of an advertisement, a coupon, a CAPTCHA, a Reverse Turing Test, a command, an image, a string of text, a number, a letter, a symbol, a combination of a number, a letter, or a symbol.
    Type: Grant
    Filed: November 24, 2014
    Date of Patent: February 16, 2016
    Inventor: Michael J. Vandemar