Patents Examined by Abdulhakim Nobahar
  • Patent number: 7734932
    Abstract: A system and method for the secure storage of executable code and the secure movement of such code from memory to a processor. The method includes the storage of an encrypted version of the code. The code is then decrypted and decompressed as necessary, before re-encryption in storage. The re-encrypted executable code is then written to external memory. As a cache line of executable code is required, a fetch is performed but intercepted. In the interception, the cache line is decrypted. The plain text cache line is then stored in an instruction cache associated with a processor.
    Type: Grant
    Filed: June 30, 2004
    Date of Patent: June 8, 2010
    Assignee: Broadcom Corporation
    Inventor: Mark Buer
  • Patent number: 7735119
    Abstract: A web application is described that is capable of assuming a plurality of states and being arranged to process a received event from among a predeterminable set of events to change from one state to another. A permission record defines a set of permitted or forbidden events and the web application comprises an event filter arranged to consult the permission record on receipt of an event in order to determine whether to permit or not permit the event to be processed. Related methods of access control and computer program products are also described.
    Type: Grant
    Filed: May 6, 2005
    Date of Patent: June 8, 2010
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Raphael Manfredi, Pierre Fouche
  • Patent number: 7735138
    Abstract: Disclosed are techniques for performing an antivirus task in a mobile wireless device running an embedded operating system. In one embodiment, calls intended for an application programming interface (API) function code are redirected to an antivirus function code. The redirection to the antivirus function code may be performed by modifying a kernel structure to point to a modified entry list instead of an API entry list. The redirection to the antivirus function code may also be performed by modifying the API function code to allow the antivirus function code to execute before the API function code. The kernel structure or the API function code may be properly restored back to its original form. Software implementations of these techniques may be readily loaded and unloaded, and may not require re-installation of the embedded operating system.
    Type: Grant
    Filed: May 10, 2005
    Date of Patent: June 8, 2010
    Assignee: Trend Micro Incorporated
    Inventor: Xiaoming Zhao
  • Patent number: 7721327
    Abstract: An information input-output system comprises a mobile communication terminal, and a host computer that performs communications with the terminal over a radio transmission line and has a database relating to services that can be provided to the user of the terminal. This system also comprises an input-output gateway server that verifies whether the user is a subscriber who can be provided with a variety of services, and an input-output control unit that receives data from the database over an established line and then outputs the data.
    Type: Grant
    Filed: October 25, 2004
    Date of Patent: May 18, 2010
    Assignee: Ricoh Company, Ltd.
    Inventor: Takahiro Mizuguchi
  • Patent number: 7716726
    Abstract: A network security module for protecting computing devices connected to a communication network from identified security threats communicated in a secured communication is presented. The network security module is interposed, either logically or physically, between the protected computer and the communication network. Upon detecting a secured communication, the network security module obtains a decryption key from the computing device to decrypt the secured communication. The network security module then processes the decrypted communication according to whether the decrypted communication violates protective security measures implemented by the network security module.
    Type: Grant
    Filed: June 29, 2004
    Date of Patent: May 11, 2010
    Assignee: Microsoft Corporation
    Inventors: Thomas G Phillips, Alexander Frank
  • Patent number: 7716727
    Abstract: A network security module for protecting computing devices connected to a communication network from security threats is presented. The network security module is interposed, either logically or physically, between the protected computer and the communication network. The network security module receives security information from a security service. The security information comprises security measures which, when enforced by the network security module, protect the computer from a security threat to the computer. The network security module implements the security measures by controlling the network activities between the protected computer and the network. The network security module also temporarily implements security patches until corresponding patches are installed onto the protected computer.
    Type: Grant
    Filed: October 29, 2004
    Date of Patent: May 11, 2010
    Assignee: Microsoft Corporation
    Inventors: Thomas G. Phillips, Christopher A. Schoppa, Alexander Frank, Mark Curtis Light, William Jefferson Westerinen
  • Patent number: 7707428
    Abstract: Systems and methods are described for recovering a personal identification number. A method includes recovering from a lost personal identification number situation and restoring programmability to a device, including: generating a SEED PIN using the device; calculating a KEY PIN using an algorithm within a code of the device and storing the KEY PIN in the device, without displaying the KEY PIN, wherein the KEY PIN is a function at-least-in-part of both the SEED PIN and an identifier associated with the device; sending the SEED PIN and the identifier associated with the device to an authenticating source; recalculating the KEY PIN at the authenticating source using the algorithm within the code and the SEED PIN and the other identifying information; receiving the KEY PIN from the authenticating source; and entering the KEY PIN into the device to temporarily assign hierarchical access to a user.
    Type: Grant
    Filed: October 29, 2007
    Date of Patent: April 27, 2010
    Assignee: MMI Controls Ltd.
    Inventors: Robert J. Poth, Johnnie L. McDowell
  • Patent number: 7702925
    Abstract: In some embodiments, the invention is a personal digital network (“PDN”) including hardware (sometimes referred to as Ingress circuitry) configured to transcrypt encrypted content that enters the PDN. Typically, the transcryption (decryption followed by re-encryption) is performed in hardware within the Ingress circuitry and the re-encryption occurs before the decrypted content is accessible by hardware or software external to the Ingress circuitry. Typically, transcrypted content that leaves the Ingress circuitry remains in re-encrypted form within the PDN whenever it is transferred between integrated circuits or is otherwise easily accessible by software, until it is decrypted within hardware (sometimes referred to as Egress circuitry) for display or playback or output from the PDN.
    Type: Grant
    Filed: May 11, 2007
    Date of Patent: April 20, 2010
    Assignee: Silicon Image, Inc.
    Inventors: J. Duane Northcutt, Seung Ho Hwang, James D. Lyle, James G. Hanko
  • Patent number: 7698549
    Abstract: Disclosed herein are several digital certificate discovery and management systems. Detailed information on various example embodiments of the inventions is provided in the Detailed Description below, and the inventions are defined by the appended claims.
    Type: Grant
    Filed: August 13, 2004
    Date of Patent: April 13, 2010
    Assignee: Venafi, Inc.
    Inventors: Russell S. Thornton, Benjamin Hodson, Jayson Seegmiller
  • Patent number: 7694331
    Abstract: A wireless communication device is implemented with a smart card module to secure the transmission of sensitive or confidential information. The user of the device must request permission to activate an application on the smart card module from a remote source. After this first level of security is satisfied, the application on the smart card module enables the user to scan data via a machine-readable medium in order to make a data request to the remote source. If a second level authorization is met in regard to the data request, the remote source will transmit the requested sensitive or confidential information to the user to view and/or update.
    Type: Grant
    Filed: April 1, 2005
    Date of Patent: April 6, 2010
    Assignee: Nokia Corporation
    Inventors: Petri Vesikivi, Pekka K. Viitaniemi, Jarkko Sevanto
  • Patent number: 7669237
    Abstract: A system and method for securing data in mobile devices includes a computing node and a plurality of mobile devices. A node security program executed in the computing node interfaces with a device security program executed at a mobile device. The computing node is responsible for managing the security based on a node security profile interpreted by a node security program executed in the computing node. A device discovery method and arrangement also detects and locates various information about the mobile devices based on a scan profile.
    Type: Grant
    Filed: August 27, 2003
    Date of Patent: February 23, 2010
    Assignee: Trust Digital, LLC
    Inventor: Majid Shahbazi
  • Patent number: 7649991
    Abstract: The public-key encryption method uses the sender-side apparatus by the creator of a ciphertext and creates the ciphertext of a plaintext x (∈{0, 1}^n), in y1=f(x0k1G(r)), y2=H(x0k1G(r))r with respect to the published trapdoor-equipped unidirectional function f and the random functions G, H. Meanwhile, the receiver of the ciphertext, who has received the ciphertext by the receiver-side apparatus via the communications line, performs the decryption processing with the use of f^-1, i.e., the secret key, in accordance with the steps inverse to those of the encryption processing.
    Type: Grant
    Filed: December 7, 2006
    Date of Patent: January 19, 2010
    Assignee: Hitachi, Ltd.
    Inventors: Mototsugu Nishioka, Yoichi Seto, Hisayoshi Satoh
  • Patent number: 7639805
    Abstract: A DRM scheme that may be optionally invoked by the owner. With the DRM protection turned on, the media is encrypted before it is distributed in a P2P network, and is decrypted prior to its use (play back). The peers may still efficiently distribute and serve without authorization from the owner. Nevertheless, when the media is used (played back), the client node must seek proper authorization from the owner. The invention further provides a hierarchical DRM scheme wherein each packet of the media is associated with a different protection level. In the hierarchical DRM scheme of the invention there is usually an order of the protection level. As a result, in one embodiment of the invention, the decryption key of a lower protection layer is the hash of the decryption key at the higher protection level. That way, a user granted access to the high protection layer may simply hold a single license of that layer, and obtain decryption keys of that layer and below.
    Type: Grant
    Filed: March 12, 2005
    Date of Patent: December 29, 2009
    Assignee: Microsoft Corp.
    Inventors: Jin Li, Yi Cui
  • Patent number: 7640582
    Abstract: A cluster of computer system nodes share direct read/write access to storage devices via a storage area network using a cluster filesystem. At least one trusted metadata server assigns a mandatory access control label as an extended attribute of each filesystem object regardless of whether required by a client node accessing the filesystem object. The mandatory access control label indicates the sensitivity and integrity of the filesystem object and is used by the trusted metadata server(s) to control access to the filesystem object by all client nodes.
    Type: Grant
    Filed: April 16, 2003
    Date of Patent: December 29, 2009
    Assignee: Silicon Graphics International
    Inventor: Kenneth S. Beck
  • Patent number: 7636854
    Abstract: The invention concerns a security device (10) for online transaction between a service provider equipped with a computer (15) and an operator equipped with a computerized station comprising a display (16) and a keyboard (18). The device essentially comprises: a signal receiving element (22) designed to be pressed against said display (16) for receiving a signal coming from said computer (15), said signal being processed to generate a code, and communication means (24) to provide the operator with access to said code. It further comprises a biometric sensor (26) adapted to acquire data concerning the operator, and a locking and unlocking member arranged between the signal receiving element (22) and the communication means (24), the code being accessible only in case of conformity between the read fingerprint and the stored imprint.
    Type: Grant
    Filed: May 2, 2002
    Date of Patent: December 22, 2009
    Assignee: AXSionics AG
    Inventors: Lorenz Müller, Marcel Jacomet
  • Patent number: 7636693
    Abstract: A computer system for managing and deploying a plurality of software with a plurality of associated licenses in the computer system. Software allocation workflow requests are obtained from a requester for a target server referencing specific software and then redirected to a license broker. The license broker determines availability of the plurality of associated licenses referenced in the request and provisions the target server with said plurality of software. The requester of software allocation is then notified of the results. The workflow need not be concerned with monitoring resource status and providing requester feedback. Provisioning is handled on a just-in-time basis by the license broker as requested by the workflow, making necessary licenses (and software) available only on an as-needed basis.
    Type: Grant
    Filed: September 23, 2004
    Date of Patent: December 22, 2009
    Assignee: International Business Machines Corporation
    Inventors: Adrian Faur, Andrew Niel Trossman
  • Patent number: 7634809
    Abstract: An enterprise network can have sanctioned and unsanctioned servers on it. Sanctioned servers are approved by an administrator and perform tasks such as web page serving and mail routing. Unsanctioned servers are not approved by the administrator and represent possible security risks. A service monitor accesses one or more metadata sources having information describing the enterprise network, such as domain name system (DNS) records on the Internet. The service monitor analyzes the metadata and creates a security profile for the enterprise network. The security profile identifies the sanctioned servers. The service monitor monitors network traffic for compliance with the security profile, and detects unsanctioned servers on the network. The service monitor reports violations of the profile and informs the administrator of the unsanctioned servers.
    Type: Grant
    Filed: March 11, 2005
    Date of Patent: December 15, 2009
    Assignee: Symantec Corporation
    Inventors: Kenneth Schneider, Carey S. Nachenberg
  • Patent number: 7634651
    Abstract: A web service includes a web service manager for servicing an originating message received from an originating client application, wherein the originating message has verification information and a data package having an encrypted portion. The web service manager verifies that the originating message originated from an authorized originating client application, using the verification information. An identifier generator creates a data package identifier associated with the data package and a location within a data package store used for storing the data package. A message generator generates a notification message which is sent to a receiving computing system. Upon receipt of at least a portion of the notification message from the receiving computing system, the web service manager retrieves the data package from the data package store and initiates transfer of the data package to the receiving computing system.
    Type: Grant
    Filed: October 21, 2005
    Date of Patent: December 15, 2009
    Assignee: Intuit Inc.
    Inventors: Matthew E. Gerde, Jonathan M. Talan, Raul Quintanilla, Albert L. Babovec, Jr.
  • Patent number: 7634083
    Abstract: Information leaked from smart cards and other tamper resistant cryptographic devices can be statistically analyzed to determine keys or other secret data. A data collection and analysis system is configured with an analog-to-digital converter connected to measure the device's consumption of electrical power, or some other property of the target device, that varies during the device's processing. As the target device performs cryptographic operations, data from the A/D converter are recorded for each cryptographic operation. The stored data are then processed using statistical analysis, yielding the entire key, or partial information about the key that can be used to accelerate a brute force search or other attack.
    Type: Grant
    Filed: December 21, 2006
    Date of Patent: December 15, 2009
    Assignee: Cryptography Research, Inc.
    Inventors: Paul C. Kocher, Joshua M. Jaffe, Benjamin C. Jun
  • Patent number: 7634810
    Abstract: Phishing detection, prevention, and notification is described. In an embodiment, a messaging application facilitates communication via a messaging user interface, and receives a communication, such as an email message, from a domain. A phishing detection module detects a phishing attack in the communication by determining that the domain is similar to a known phishing domain, or by detecting suspicious network properties of the domain. In another embodiment, a Web browsing application receives content, such as data for a Web page, from a network-based resource, such as a Web site or domain. The Web browsing application initiates a display of the content, and a phishing detection module detects a phishing attack in the content by determining that a domain of the network-based resource is similar to a known phishing domain, or that an address of the network-based resource from which the content is received has suspicious network properties.
    Type: Grant
    Filed: May 13, 2005
    Date of Patent: December 15, 2009
    Assignee: Microsoft Corporation
    Inventors: Joshua T. Goodman, Paul S Rehfuss, Robert L. Rounthwaite, Manav Mishra, Geoffrey J Hulten, Kenneth G Richards, Aaron H Averbuch, Anthony P. Penta, Roderic C Deyo