Abstract: Processing a downgrader specification by constructing a set of candidate downgrader placement locations found within a computer software application, where each of the candidate downgrader placement locations corresponds to a transition between a different pair of instructions within the computer software application, and where each of the transitions participates in any of a plurality of data flows in a set of security-sensitive data flows within the computer software application, applying a downgrader specification to the set of candidate downgrader placement locations, and determining that the downgrader specification provides full coverage of the set of security-sensitive data flows within the computer software application if at least one candidate downgrader placement location within each of the security-sensitive data flows is a member of the set of candidate downgrader placement locations.

Abstract: A method of storing data from a whiteboard application executed on a computing system including an interactive display device is provided. The method comprises storing, in a memory of the computing system, whiteboard data input to the whiteboard application in response to user interaction with the interactive display device, displaying a login selector on the interactive display device, upon detecting actuation of the login selector, identifying the user based on credentials of the user; and in response to identifying the user, (i) retrieving previews of stored whiteboard files from a user account in a cloud-based storage system corresponding to the identity of the user, (ii) displaying the previews on the interactive display device, and (iii) uploading the whiteboard data as a whiteboard file from the memory of the computing system to the user account.

Abstract: A platform including an always-available theft protection system is described. In one embodiment, the system comprises an arming logic to arm the platform, when an arming command is received, a risk behavior logic to detect a potential problem when the platform is armed, and a core logic component to provide logic to analyze the potential problem, and to move the platform to a suspecting mode, when the potential problem indicates a theft suspicion. The system, in one embodiment, further comprises configuration logic to configure settings for the system when the platform is in an unarmed mode, the configuration logic including a user logic enabling an authorized user to alter settings and an administrator logic enabling an administrator to alter the settings using an authenticated set request.

Abstract: In an approach for providing auditable retrieval of privileged credentials in a privilege identity management (PIM) system, a processor invokes a checkout of a PIM credential, based on, at least, a determination that a PIM server cannot be accessed. A processor receives a request to access the PIM credential by a user. A processor receives validation of the request to access the PIM credential and an identity of the user. A processor retrieves the PIM credential from a database, wherein the database stores a plurality of PIM credentials owned by a system owner.

Abstract: When user information to be registered for SNMP authentication is input, an information processing apparatus confirms whether or not user information for MFP authentication is already managed for a user to be registered who is indicated by the input user information. In the case where the user information for MFP authentication is not managed for the user to be registered, the information processing apparatus registers the input user information as user information for SNMP authentication. In the case where the user information for MFP authentication is managed for the user, the information processing apparatus registers information specific to SNMP authentication, i.e. information other than an authentication password, out of the input user information.

Abstract: A method in a multimedia device (130) including obtaining protected content having a limited exercisable right associated therewith, obtaining an extension of the limited exercisable right when a condition is satisfied, for example, when the device enters a DRM system different than the DRM system from which the protected content originated, wherein the extension of the limited exercisable right is obtained from an entity other than the multimedia device, for example, from an anomaly detector.

Abstract: Concepts and technologies are disclosed herein for personal virtual core networks. A processor executing a network access service can determine if the user device should be isolated from a core network that provides devices at a location with connectivity. If the processor determines that the user device should be isolated, the processor can identify resources supporting the connectivity. The resources can include network resources and the core network. The processor can create a virtual core network to support the connectivity, and activate the virtual core network.

Abstract: While cloud services can offer processing from personal devices or synthesized data from multiple sources, many users prefer their data to remain private. According to some embodiments, private user data may be processed in the cloud without revealing the user identity to the cloud service provider. Only the user or an authorized agent of the user and the service's hardware platform have access to certain keys. The service application software and operating system only have access to encrypted data.

Abstract: A computer-implemented method for identifying malware may include (1) determining, for multiple commands within bytecode associated with a malware program, whether each command constitutes an invocation command, (2) filtering, based on the determination, invocation commands from the bytecode, (3) adding, for each invocation command filtered from the bytecode, an opcode, a format code, and a function prototype to a collection of opcodes, format codes, and function prototypes, (4) generating a digital fingerprint of the collection including the opcode, the format code, and the function prototype for each invocation command filtered from the bytecode, and (5) performing, by a computer security system, a remedial action to protect a user in response to detecting the presence of a variant of the malware program by determining that the digital fingerprint matches a candidate instance of bytecode under evaluation. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Methods and apparatus are provided for silent alarm channels using one-time passcode authentication tokens. A message is transmitted indicating a potential attack on a protected resource by obtaining the message; combining the message with a tokencode generated by a security token to generate a one-time passcode; and transmitting the one-time passcode to a receiver. A plurality of the messages can be obtained in parallel, and the plurality of parallel messages can be combined with the tokencode to generate the one-time passcode. A subsequent message can optionally be generated by applying a hash function to a prior n-bit value to provide a counter identifying each message. The message optionally also comprises one or more additional bits to provide an annotation of the message.

Abstract: The cyber threat monitor and control apparatuses, methods and systems (hereinafter “CTMC”) determines risk across a global Internet network graph model for various virtual or physical network elements. In one embodiment, the CTMC defines a factor mechanism representing interactions among the set of network elements, the factor mechanism including a factor indicative of a correlation between a pair of network elements from the set of network elements, and dynamically calculate the probabilistic network security measure for each network element in the global Internet graph model based at least in part on the factor mechanism and any observed threat indicators related to the global Internet graph model.

Abstract: A security device and controlling method thereof are provided. The security device includes: a storage configured to store a plurality of passwords, wherein a complexity of the passwords increases according to a security level; an inputter configured to receive a password input by a user; a detector configured to detect a security level of the received password by comparing the received password and the plurality of passwords stored in the storage; and a controller configured to provide an authority to access an element of an electronic device connected with the security device according to the detected security level.

Abstract: Protection of resources hosted on enterprise systems. In an embodiment, an enterprise system receives a request from a portable device to download a resource, and in response formulates multiple security actions and associated conditions for the requested resource. The enterprise system sends the requested resource, the security actions and the conditions to the portable device. The portable device determines whether each condition is satisfied and performs the security actions associated with the conditions determined to have been satisfied. Due to the ability to send multiple security actions and associated conditions, better control in protection and retention of downloaded resources is obtained.

Abstract: The invention relates to a client computer for querying a database stored on a server via a network, the server-being coupled to the client computer via the network, wherein the database comprises a set of first relations, wherein each first relation in the set of the first relations comprises first data items, wherein for each first relation the first data items are encrypted with a respective first cryptographic key in the first relation, wherein the first data items form a partially ordered set in each first relation, in each first relation the partial order being formed with respect to the first data items of said first relation in non-encrypted form.

Abstract: The present disclosure is directed to systems and methods for performing single sign on by an intermediary device for a remote desktop session of a client. A first device intermediary to a plurality of clients and a plurality of servers authenticates a user and establishes a connection to the user's client device. The device provides a homepage including links to one or more remote desktop hosts associated with the user. The device receives a request to launch an RDP session with a remote desktop host via the homepage and generates RDP content, including a security token, for the user. The device receives a second request that includes the security token to launch the RDP session. The device validates the user using the security token and establishes a connection to the remote desktop host. The device signs into the desktop host using session credentials.

Abstract: Methods, systems, and techniques for managing groups of entities, such as individuals, employees, or systems, and providing entitlement and access to computer resources based on group membership are provided. Example embodiments provide a Group Management System having a Group Management Engine “GME,” an Entitlement Engine, and a Provisioning Engine, which work together to allow simplified grouping of entities and providing entitlement and access to the entities based upon the group membership. In one embodiment, the GME leverages dynamic programming techniques to enable accurate, scalable systems that can manage near real time updates and changes to the group's status or to the entities' status. These components cooperate to enable provisioning of applications based upon current entitlement.

Abstract: Systems and methods for cloning a Wi-Fi access point. A determination is made by a network monitoring device to transition communications between a Wi-Fi device and a first access point (AP) to a second AP. The SSID and the security configuration information, and, optionally, network address translation (NAT) information of the first access point are acquired and provided to a second AP. The second AP instantiates the SSID and the security configuration information and, optionally, the NAT information. The networking monitoring device directs the first AP to cease using the SSID and the security configuration information and, optionally, the NAT information in response to receipt of confirmation that the second AP has instantiated the SSID and the security configuration information and, optionally, the NAT information of the first AP.

Abstract: A vehicular data communication system includes an authentication device for authenticating an external tool connected to a bus, an authentication control device for determining whether an external tool is authenticated by the authentication device and for setting an authenticated state to permit a data communication between the external tool and an access target ECU on the bus upon determining that the external tool is authenticated by the authentication device, and an authentication maintain device for maintaining the authenticated state within a predetermined period after the authenticated state is set by the authentication control device.

Abstract: A request handler may be configured to receive an enforcement request for enforcement of an obligation required as a condition for a previously-granted first resource access request. n obligation enforcer may be configured to enforce the obligation, based on the enforcement request, and a compliance manager may be configured to obtain certification of execution of the obligation from an obligation certification service, and to provide the certification as a basis for granting a second resource access request.

Abstract: Systems and methods for detecting the generation of authentication credentials for virtual machine instances are described. In various embodiments, an intermediary system may detect or determine, for a virtual machine instance, one or more states associated with a credential (e.g., a password) generation process and/or a get password request from a requesting user. Based on detected or determined virtual machine states, the intermediary system may provide useful and/or timely status indicators or notifications to the requesting user. In various embodiments multiple states may be determined sequentially or in parallel in order to provide more detailed information regarding whether and why a credential is or is not available, contributing to an improved user experience. For example, timely indication that a password may not be available may be useful to the requesting user who can take immediate steps to remedy the situation, such as by contacting customer service.