Patents Examined by Amir Mehrmanesh
  • Patent number: 9148405
    Abstract: A multifactor authentication (MFA) enforcement server provides multifactor authentication services to users and existing services. During registration, the MFA enforcement server changes a user's password on an existing service to a password unknown to the user. During normal usage when the user accesses the existing service through the MFA enforcement server, the MFA enforcement server enforces a multifactor authentication enforcement policy.
    Type: Grant
    Filed: January 28, 2015
    Date of Patent: September 29, 2015
    Assignee: Tyfone, INC.
    Inventors: Siva G. Narendra, Donald Allen Bloodworth, Todd Raymond Nuzum
  • Patent number: 9148407
    Abstract: An agent on a device within a network receives a request to access a resource outside the network. A first encrypted connection is established between the device and the agent, and a second encrypted connection is established between the agent and the resource, to facilitate encrypted communication traffic between the device and the resource. The agent sends a policy request to a network appliance within the network, the request specifying the resource. The agent receives a policy response indicating that the resource is associated with one or more security policies of the network. Traffic passing between the device and the resource is selectively decrypted and inspected depending on the security policies.
    Type: Grant
    Filed: April 8, 2015
    Date of Patent: September 29, 2015
    Assignee: iboss, Inc.
    Inventor: Paul Michael Martini
  • Patent number: 9135409
    Abstract: Example embodiments disclosed herein relate to distributing updated execution information to a cluster of nodes. Licensing information about whether the nodes are licensed to receive the updated execution information is generated. The licensing information is validated. The validated licensing information is used to distribute the updated execution information to the nodes.
    Type: Grant
    Filed: May 18, 2011
    Date of Patent: September 15, 2015
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventor: Haidong Xia
  • Patent number: 9131365
    Abstract: An apparatus for securing communications includes a processor and memory storing executable computer code causing the apparatus to at least perform operations including receiving a request to activate a service transferring communications of a cellular network to a wireless local network. The computer program code may further cause the apparatus to provide an activation key to a device responsive to an indication that the device is authorized to utilize the service based on determining an identifier(s) of the request is valid. The computer program code may further cause the apparatus to provide a private key to the device, to enable the device to utilize the private key to subsequently register to transfer communications of the cellular network to a wireless local network(s), responsive to receiving a message for the private key from the device and a message from the cellular network. Corresponding methods and computer program products are also provided.
    Type: Grant
    Filed: January 22, 2013
    Date of Patent: September 8, 2015
    Assignee: SYNIVERSE TECHNOLOGIES, LLC
    Inventors: Christopher Nicholson, Kenneth W. Hammer
  • Patent number: 9130945
    Abstract: A communication gateway consistent with the present disclosure may detect unauthorized physical or electronic access and implement security actions in response thereto. A communication gateway may provide a communication path to an intelligent electronic device (IED) using an IED communications port configured to communicate with the IED. The communication gateway may include a physical intrusion detection port and a network port. The communication gateway may further include control logic configured to evaluate a physical intrusion detection signal. The control logic may be configured to determine that the physical intrusion detection signal is indicative of an attempt to obtain unauthorized access to one of the communication gateway, the IED, and a device in communication with the gateway; and take a security action based upon the determination that the indication is indicative of the attempt to gain unauthorized access.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: September 8, 2015
    Assignee: Schweitzer Engineering Laboratories, Inc.
    Inventors: Rhett Smith, Colin Gordon
  • Patent number: 9119069
    Abstract: An apparatus comprises a processing device comprising a near field communication (NFC) network interface, a memory and a processor coupled to a memory. The processing device is configured under control of the processor to connect to a host device using the NFC network interface, receive an authentication request from another device through the NFC connection with the host device and authenticate the other device using information stored in the memory. A passcode is presented to the host device responsive to a successful authentication of the other device, the passcode being utilizable to authenticate to a resource protected by the other device.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: August 25, 2015
    Assignee: EMC Corporation
    Inventors: Edward W. Vipond, Yong Qiao, Karl Ackerman, Marco Ciaffi, Daniel Wilder
  • Patent number: 9117074
    Abstract: One or more techniques and/or systems are disclosed for detecting and/or mitigating a potentially compromised online user account. One or more baselines can be established for a user's online account to determine a normal usage pattern for the account by the user (e.g., frequency of incoming/outgoing emails, text messages, etc.). The online user account can be periodically or continually monitored for use of the same resources used to determine the baseline(s). If a deviation from the baseline is detected, the deviation may be compared against a threshold to determine whether the deviation indicates that the account may be compromised. When an indication of a potentially compromised account is detected, the user can be notified of the indication, so that one or more actions can be taken to mitigate the potentially compromised account.
    Type: Grant
    Filed: May 18, 2011
    Date of Patent: August 25, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventor: Kumar S. Srivastava
  • Patent number: 9118488
    Abstract: A system, apparatus, or method for controlling access to a network and to the associated network resources or services. The invention may be used to provide a user authentication or authorization process for a computer network, a telecommunications network, or other suitable system, apparatus, device, process, operation, etc. In some embodiments, the present invention uses a combination of device identification data (such as a device identifier or other form of token) and user-specific biometric data (such as a physical characteristic associated with the user or data generated as a result of a signal being altered by a physical characteristic of a user) to identify a user and permit the user to access the network or network resources or services.
    Type: Grant
    Filed: May 17, 2011
    Date of Patent: August 25, 2015
    Assignee: AliphCom
    Inventor: Thomas A. Donaldson
  • Patent number: 9117059
    Abstract: A method for an autonomous rights administration component of a computer system includes recording devices of the computer system, determining unique identifiers for each recorded device, permanently storing the unique identifiers, defining a usage rights contingent and a usage rights requirement and activation of at least one application function on the basis of a comparison of the usage rights contingent with the usage rights requirement. The invention furthermore relates to an autonomous rights administration system and a device for a rights administration of this type.
    Type: Grant
    Filed: May 15, 2012
    Date of Patent: August 25, 2015
    Assignee: Fujitsu Technology Solutions Intellectual Property GmbH
    Inventors: Jürgen Atzkern, Diana Filimon, Johannes Linne, Thilo Cestonaro
  • Patent number: 9118663
    Abstract: A method, system, and apparatus for agile generation of one time passcodes (OTPs) in a security environment, the security environment having a token generator comprising a token generator algorithm and a validator, the method comprising generating an OTP at the token generator according to a variance technique; wherein the variance technique is selected from a set of variance techniques, receiving the OTP at a validator, determining, at the validator, the variance technique used by the token generator to generate the OTP, and determining whether to validate the OTP based on the OTP and variance technique.
    Type: Grant
    Filed: August 5, 2014
    Date of Patent: August 25, 2015
    Assignee: EMC Corporation
    Inventors: Daniel Vernon Bailey, John G Brainard, William M Duane, Michael J O'Malley, Robert S. Philpott
  • Patent number: 9118461
    Abstract: A software diversity system including an executable provider to provide an executable program including component blocks such that different combinations of blocks are operative to perform a functionally equivalent data transformation, a cipher to encrypt the component blocks with cryptographic keys, a key selector to select a first selection of keys for a first device, such that the first selection is operative to decrypt a first combination of the blocks operative when executed to perform the same functionally equivalent data transformation, and select a second selection of keys for a second device, such that the second selection is operative to decrypt a second combination of the blocks operative when executed to perform the same functionally equivalent data transformation, and a transfer module to prepare for transfer the first and second selection of cryptographic keys for transfer to the first and second device, respectively. Related apparatus and methods are also included.
    Type: Grant
    Filed: September 12, 2011
    Date of Patent: August 25, 2015
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Leonid Sandler, Michael Burns
  • Patent number: 9117084
    Abstract: Methods, systems, and computer readable media for measuring detection accuracy of a security device using benign traffic are disclosed. According to one method, the method occurs at an Internet protocol (IP) traffic simulator having a first communications interface and a second communications interface. The method includes sending, by the first communications interface, a plurality of benign data packets to a security device, wherein the plurality of benign data packets is engineered to be similar to one or more malicious data packets. The method also includes receiving, by the second communications interface, zero or more of the plurality of benign data packets via the security device. The method further includes determining, using statistics associated with the plurality of benign data packets, a detection accuracy metric associated with the security device.
    Type: Grant
    Filed: May 15, 2012
    Date of Patent: August 25, 2015
    Assignee: IXIA
    Inventor: George Zecheru
  • Patent number: 9106695
    Abstract: This invention leverages DNSSEC to make post-password technologies work against endpoints across the globe, rather than solely within company walls. It describes a system by which DS records are encoded in NS names, which traverse well from the customer to the registry. This invention also proposes a series of steps through which DNSSEC can be explored as a useful solution to real world problems. By creating and further developing a mirror of the real DNS, which grows by combination of true DNS record information with specially synthesized authentication keys, DNSSEC scales, providing greater security and less risk of corrupting or erroneous online material. This same technology also evaluates user activity to create a database of statistics regarding automated activity, as compared to human activity. This database assists in identification and prevention, or at least mitigation, of potential future attacks on any given client by automated bot-driven activity.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: August 11, 2015
    Inventor: Daniel Kaminsky
  • Patent number: 9055029
    Abstract: A multifactor authentication (MFA) enforcement server provides multifactor authentication services to users and existing services. During registration, the MFA enforcement server changes a user's password on an existing service to a password unknown to the user. During normal usage when the user accesses the existing service through the MFA enforcement server, the MFA enforcement server enforces a multifactor authentication enforcement policy.
    Type: Grant
    Filed: May 29, 2014
    Date of Patent: June 9, 2015
    Assignee: Tyfone, INC.
    Inventors: Siva G. Narendra, Donald Allen Bloodworth, Todd Raymond Nuzum
  • Patent number: 9009807
    Abstract: Methods and systems for operating a Smart Device 102 with a secure communication system. A SPARC Security Device (SSD) 104 is in communication with one or more Smart Devices 102. SSD 104 receives a request for a transaction from a Smart Device 102 executing an application obtained from an Application Controlling Institution (ACI) 101, and is asked to verify the validity of the transaction. A one-time identifier (SSD ID, which replaces the user's account number) is generated by the SPARC Security Device 104. The one-time identifier comprises a unique SSD 104 unit identifier and a one-time transaction number; and optionally comprises a date, a time, an ACI 101 identifier, and a subject matter field. In one embodiment, the Smart Device 102 is not able to send or receive messages to other external devices without first receiving approval from the SSD 104.
    Type: Grant
    Filed: November 26, 2013
    Date of Patent: April 14, 2015
    Inventors: Jerome Svigals, Howard M. Svigals, Geoffrey R. Ingalls
  • Patent number: 9009849
    Abstract: An embodiment of the invention provides a method for sharing digital images on an image-sharing application, wherein a digital image is received from a user, the digital image including a first access setting defined by the user. A user-defined select region is identified on the digital image with a processor, wherein the select region includes a second access setting. Access to the digital image is permitted with an access controller based on the first access setting; and, access to the select region is permitted with the access controller based on the second access setting. In at least one embodiment, the digital image is displayed only to a first group of individuals based on the first access setting; and, the select region is displayed only to a second group of individuals based on the second access setting.
    Type: Grant
    Filed: May 15, 2012
    Date of Patent: April 14, 2015
    Assignee: International Business Machines Corporation
    Inventors: David B. Lection, William G. Pagan
  • Patent number: 9003191
    Abstract: An intermediary system facilitates a connection request from a client to a server. The intermediary system may participate in either or both of a token creation phase and a server connection phase. If participating in the token creation phase, the intermediary system generates a token that may later be used by the client during a server connection phase. The token includes a session identifier and is returned to the client. If participating in the server connection phase, the intermediary receives the token, which is sent from the client in conjunction with a connection request, extracts the session identifier from the token, and compares against the session identifier for the session in which the token was created. If the session identifiers match, then the intermediary connects to the server to complete the connection request for the client.
    Type: Grant
    Filed: August 8, 2014
    Date of Patent: April 7, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventor: Dimitrios Soulios
  • Patent number: 9003195
    Abstract: The systems and methods described herein can be used for enhancing the security of computer passwords by electronically receiving a password, the password comprising a plurality of components, each of the components being of a type of component, storing the received password in an electronic data store, converting the stored password to a topological representation of the password by which each of the plurality of components is represented and stored as its type of component, and storing the topological representation of the password in an electronic data store.
    Type: Grant
    Filed: July 30, 2014
    Date of Patent: April 7, 2015
    Assignee: KoreLogic, Inc.
    Inventors: Henry Lewis Leininger, Klayton Lee Monroe, Michael Thomas Wollman
  • Patent number: 9003555
    Abstract: An embodiment of the invention provides a method for sharing digital images on an image-sharing application, wherein a digital image is received from a user, the digital image including a first access setting defined by the user. A user-defined select region is identified on the digital image with a processor, wherein the select region includes a second access setting. Access to the digital image is permitted with an access controller based on the first access setting; and, access to the select region is permitted with the access controller based on the second access setting. In at least one embodiment, the digital image is displayed only to a first group of individuals based on the first access setting; and, the select region is displayed only to a second group of individuals based on the second access setting.
    Type: Grant
    Filed: November 1, 2012
    Date of Patent: April 7, 2015
    Assignee: International Business Machines Corporation
    Inventors: David B. Lection, William G. Pagan
  • Patent number: 8997201
    Abstract: In one embodiment, a method includes initiating integrity monitoring at a network device, continuously monitoring the network device to detect changes at the network device over a period of time, and transmitting information collected during said integrity monitoring to a security device for use in determining if the network device is allowed access to a trusted network. An apparatus and logic are also disclosed.
    Type: Grant
    Filed: May 14, 2012
    Date of Patent: March 31, 2015
    Assignee: Cisco Technology, Inc.
    Inventor: Brian Wotring