Patents Examined by Abdulhakim Nobahar
  • Patent number: 9208338
    Abstract: A method and apparatus for securely executing a plurality of actions requiring elevated privilege using less than a corresponding plurality of prompts for privilege elevation, and in some embodiments, only a single prompt for privilege elevation, comprising: receiving a request to perform a first action requiring an elevated privilege; acquiring the elevated privilege to perform the first action; executing the first action, wherein the first action is executed based on the elevated privilege; receiving a request to perform a second action requiring an elevated privilege; and executing the second action using the elevated privilege acquired for the first action.
    Type: Grant
    Filed: July 26, 2012
    Date of Patent: December 8, 2015
    Assignee: ADOBE SYSTEMS INCORPORATED
    Inventors: Mansukh Patidar, Saurabh Gupta, Aditya Falodiya, Gaurav Modi, Amit Batra, Tarun Garg, Piyush Gupta
  • Patent number: 9210139
    Abstract: A method and apparatus for use in securely relaying data. The data is received by a first relay unit from a data provider. The data is sent by the first relay unit to a mail server. The data is retrieved by a second relay unit in a second network from the mail server. The data is sent by the second relay unit to a data subscriber.
    Type: Grant
    Filed: January 31, 2014
    Date of Patent: December 8, 2015
    Assignee: THE BOEING COMPANY
    Inventor: Robert L. Deyoung
  • Patent number: 9208325
    Abstract: A password protection application is executed on a mobile device and provides an interface by which an authorized user can define and configure a “data protection profile” for the device. This profile defines at least one security event (criteria or condition) associated with the device, and at least one protection action that should occur to protect data on the device upon the triggering of the event. Once defined in a profile, the application monitors for the occurrence of the security event. Upon the occurrence of the specified event, the protection action is enforced on the device to protect the data.
    Type: Grant
    Filed: July 26, 2012
    Date of Patent: December 8, 2015
    Assignee: International Business Machines Corporation
    Inventors: Mark Alexander McGloin, Olgierd Stanislaw Pieczul, Joseph Celi, Jr.
  • Patent number: 9204301
    Abstract: A method includes establishing, by a wireless docking center, a secure wireless communication connection with a wireless dockee, receiving, by the wireless docking center, from the wireless dockee, an ASP session request for a wireless docking service of the wireless docking center, receiving, by the wireless docking center, from the wireless dockee, a passphrase for authenticating with the wireless docking service, determining, by the wireless docking center, whether the wireless dockee is authorized to access the wireless docking service based on the received passphrase, responsive to determining that the wireless dockee is not authorized to access the wireless docking service, denying, by the wireless docking center, the wireless dockee access to the wireless docking service, and responsive to determining that the wireless dockee is authorized to access the wireless docking service, granting, by the wireless docking center, the wireless dockee access to the wireless docking service.
    Type: Grant
    Filed: September 10, 2013
    Date of Patent: December 1, 2015
    Assignee: QUALCOMM Incorporated
    Inventors: Xiaolong Huang, Andrew Mackinnon Davidson, Rolf De Vegt, Olivier Jean Benoit
  • Patent number: 9129110
    Abstract: An improved approach for classifying computer files as malicious (malware) or benign (whiteware) is disclosed. The invention classifies any computer file as malware or whiteware after using Bayes Theorem to evaluate each observable feature of each file with respect to other observable features of the same computer file with reference to statistical information gathered from repositories of known whiteware and malware files.
    Type: Grant
    Filed: September 30, 2013
    Date of Patent: September 8, 2015
    Assignee: The United States of America as represented by the Secretary of the Air Force
    Inventors: Mark L. Mason, Ming-Shih Wong, Jeffrey A. Rhines, Josh Mitchell
  • Patent number: 9122873
    Abstract: Trustworthy systems require that code be validated as genuine. Most systems implement this requirement prior to execution by matching a cryptographic hash of the binary file against a reference hash value, leaving the code vulnerable to run time compromises, such as code injection, return and jump-oriented programming, and illegal linking of the code to compromised library functions. The Run-time Execution Validator (REV) validates, as the program executes, the control flow path and instructions executed along the control flow path. REV uses a signature cache integrated into the processor pipeline to perform live validation of executions, at basic block boundaries, and ensures that changes to the program state are not made by the instructions within a basic block until the control flow path into the basic block and the instructions within the basic block are both validated.
    Type: Grant
    Filed: September 16, 2013
    Date of Patent: September 1, 2015
    Assignee: The Research Foundation for the State University of New York
    Inventor: Kanad Ghose
  • Patent number: 9106642
    Abstract: Disclosed are various embodiments for synchronizing authentication sessions between applications. In one embodiment, a first authentication token is received from a first application in response to determining that the first application is authenticated with a service provider. A second authentication token is requested from a token exchange service associated with the service provider. The second authentication token is requested using the first authentication token. The second application is configured to use the second authentication token in order to access a resource of the service provider.
    Type: Grant
    Filed: September 11, 2013
    Date of Patent: August 11, 2015
    Assignee: Amazon Technologies, Inc.
    Inventor: Bharath Kumar Bhimanaik
  • Patent number: 9081725
    Abstract: In a method for protecting digital information, a processor converts a protected address range into a plurality of address blocks of a storage device based on a preset conversion unit, and generates an address block rearranging rule using the address blocks as a parameter. When it is desired to load data into a space of an address batch of the protected address range, the processor converts the address batch into a plurality of address blocks based on the conversion unit, locates rearranged addresses of the address blocks in the protected address range according to the address block rearranging rule, and loads the data into spaces of the rearranged addresses.
    Type: Grant
    Filed: November 4, 2013
    Date of Patent: July 14, 2015
    Assignee: SHANSUN TECHNOLOGY COMPANY
    Inventors: Jing-Shiun Lai, Ling-Ying Nain, Po-Hsu Lin, Sheng-Kai Lin
  • Patent number: 9077749
    Abstract: Methods and apparatus are provided for identity verification for at least one user to a text-based communication. An identity of at least one user to a text-based communication is verified by obtaining a plurality of characteristic features of at least one prior text-based communication between the at least one user and at least one additional user; comparing the plurality of characteristic features to a current session of the text-based communication; and verifying the identity of the at least one user based on a result of the comparison. The text-based communication can optionally be suspended if a user is not verified and/or an alarm can be generated.
    Type: Grant
    Filed: January 31, 2012
    Date of Patent: July 7, 2015
    Assignee: International Business Machines Corporation
    Inventors: Shang Q. Guo, Jonathan Lenchner
  • Patent number: 9077746
    Abstract: Tools and methods in which user interaction via a common user interface enables the assessing of network security prior to implementation of the network, as well as assessing the security of existing networks, portions of existing networks, or modifications to existing networks. A network security model useful in realizing the tools and methods is also disclosed.
    Type: Grant
    Filed: August 27, 2012
    Date of Patent: July 7, 2015
    Assignee: LGS INNOVATIONS LLC
    Inventors: Uma Chandrashekhar, Eunyoung Kim, Daniel P. Koller, Andrew Roy McGee, David D. Picklesimer, Timothy J. Politowicz, Steven H. Richman, James S. Tiller, Chen Xie
  • Patent number: 9066236
    Abstract: Systems and methods for cloning a Wi-Fi access point. A determination is made by a network monitoring device to transition communications between a Wi-Fi device and a first access point (AP) to a second AP. The SSID and the security configuration information, and, optionally, network address translation (NAT) information of the first access point are acquired and provided to a second AP. The second AP instantiates the SSID and the security configuration information and, optionally, the NAT information. The network monitoring device directs the first AP to cease using the SSID and the security configuration information and, optionally, the NAT information in response to receipt of confirmation that the second AP has instantiated the SSID and the security configuration information and, optionally, the NAT information of the first AP.
    Type: Grant
    Filed: July 30, 2013
    Date of Patent: June 23, 2015
    Assignee: TIME WARNER CABLE ENTERPRISES LLC
    Inventors: Geoff Filippi, John Anthony Chen
  • Patent number: 9059854
    Abstract: A protocol provides authentication of peripheral devices by a computing device to which the peripheral device connects. Computing devices include a verifier with a public key that authenticates multiple associated private keys. Private keys are embedded on peripheral devices. When the verifier is able to authenticate a connected peripheral, particular functionality is enabled that may not be enabled for peripherals that do not authenticate.
    Type: Grant
    Filed: October 10, 2013
    Date of Patent: June 16, 2015
    Assignee: Intel Corporation
    Inventors: Ned M. Smith, Steven E. Wells, Robert W. Strong
  • Patent number: 9043892
    Abstract: A data transfer method performed at a proxy server includes intercepting a data request from a client computer that is directed to a target server, encrypting profile information, augmenting the data request by adding the encrypted profile information to the data request, and sending the augmented data request to the target server. A data transfer method that is performed at an information server includes receiving a data request from a proxy server, extracting profile information added to the data request by the proxy server, using the extracted profile information to generate a response, and sending the response to the proxy server.
    Type: Grant
    Filed: March 5, 2013
    Date of Patent: May 26, 2015
    Assignee: FACEBOOK, INC.
    Inventors: Larry T. Harada, Mark A. Dolecki, Christopher S Purdum, C. Hudson Hendren, III
  • Patent number: 9038173
    Abstract: A method includes receiving an indication of at least one detected security issue at a network device. The indication is received at a security manager processor from a security agent. The method includes selecting, via the security manager processor, at least one executable security object responsive to the indication. The security manager processor verifies compatibility between the at least one executable security object, the network device, and communication media. The method also includes sending the at least one executable security object to the network device via the security manager processor to provide a protective security measure to the network device against the at least one detected security issue upon execution of the at least one executable security object.
    Type: Grant
    Filed: September 6, 2012
    Date of Patent: May 19, 2015
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: Zesen Chen, Yongdong Zhao, Peter Chou, Brian A. Gonsalves, Michael Taylor
  • Patent number: 9038139
    Abstract: In a Reverse Turing Test an applicant seeking access to a computer process is presented with an image containing human-readable data that is intended to be inaccessible to an automated process or bot. In an improved Reverse Turing Test the applicant is presented with multiple sub-images that have to be rearranged in order to yield the overall image. This does not substantially increase a human applicant's difficulty in dealing with the test, but makes it much more difficult for a bot to interpret the image.
    Type: Grant
    Filed: October 5, 2012
    Date of Patent: May 19, 2015
    Inventor: Michael J. Vandemar
  • Patent number: 9009479
    Abstract: Techniques are described for enabling authentication and/or key agreement between communications network stations and service networks. The techniques described include the negotiation and use of a cryptographic primitive shared between a service network and a home environment of a station. The techniques described also feature a key usage indicator, such as a sequence number, maintained by the service network and a station. Comparison of the key usage indicators can, for example, permit efficient authentication of the service network.
    Type: Grant
    Filed: December 10, 2012
    Date of Patent: April 14, 2015
    Assignee: Verizon Laboratories Inc.
    Inventor: Christopher P. Carroll
  • Patent number: 9009821
    Abstract: A method for preventing malicious code being embedded within a scripting language of a web application accessed by a web browser (308), the method comprising: monitoring all incoming traffic (310), generated by the web browser, and outgoing traffic (326) generated by a server (318) to form monitored traffic; determining whether a unique element, defined in a configuration file, is matched with an input value of the monitored traffic to form a matched input value; responsive to a determination that the unique element is matched with an input value of the monitored traffic, saving the matched input value, determining whether an output contains the matched input value in an expected location; responsive to a determination that the output contains the matched input value in an expected location, encoding the matched input value using a respective definition from the configuration file; and returning the output (330) to the requester.
    Type: Grant
    Filed: June 8, 2011
    Date of Patent: April 14, 2015
    Assignee: International Business Machines Corporation
    Inventors: Guy Podjarny, Adi Sharabani
  • Patent number: 9009814
    Abstract: A computer-implemented method for generating secure passwords may include 1) displaying a user interface for entering a textual password, 2) receiving user input via the user interface to select a color for at least one character of the textual password, 3) displaying the entered textual password via the user interface by displaying the character in the selected color and by displaying at least one additional character in at least one additional color, and 4) generating a modified textual password by encoding the textual password with information relating the selected color to the character. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: July 20, 2012
    Date of Patent: April 14, 2015
    Assignee: Symantec Corporation
    Inventors: Henry Wertz, Charles Andrew Payne, Eric Wagner
  • Patent number: 8997243
    Abstract: A security system assesses the response time to requests for information to determine whether the responding system is in physical proximity to the requesting system. Generally, physical proximity corresponds to temporal proximity. If the response time indicates a substantial or abnormal lag between request and response, the system assumes that the lag is caused by the request and response having to travel a substantial or abnormal physical distance, or caused by the request being processed to generate a response, rather than being answered by an existing response in the physical possession of a user. If a substantial or abnormal lag is detected, for example due to the fact that the information was downloaded from the Internet, the system is configured to limit subsequent access to protected material by the current user, and/or to notify security personnel of the abnormal response lag.
    Type: Grant
    Filed: December 5, 2012
    Date of Patent: March 31, 2015
    Assignee: Koninklijke Philips N.V.
    Inventor: Michael Epstein
  • Patent number: 8990903
    Abstract: Embodiments of the present invention address deficiencies of the art in respect to applying application security to an extension point oriented application framework, and provide a novel and non-obvious method, system and computer program product for log-in module deployment and configuration in an extension point oriented application. In this regard, a method for log-in module deployment and configuration in an extension point oriented application can include installing a proxy to a login controller plug-in for the extension point oriented application, and proxying login module directives from an external security service to the login controller plug-in for the extension point oriented application.
    Type: Grant
    Filed: November 9, 2007
    Date of Patent: March 24, 2015
    Assignee: International Business Machines Corporation
    Inventors: Matthew W. Flaherty, Jay S. Rosenthal