Abstract: Techniques are disclosed for enabling tenant hierarchy information to be migrated directly between different multi-tenant system (e.g., from a shared IDM system to a Nimbula system, or vice versa). A corresponding new tenant is created in a Nimbula system based on a combination of the tenant information and the service information from the shared IDM system. The Nimbula system extracts the tenant name and the service name from a request and asks the shared IDM system to verify that the user actually is a member of the tenant identified by the extracted tenant name. Upon successful authentication of the user, the Nimbula system requests the IDM system for roles that are associated with both the user and the extracted service name. The Nimbula system enable access to the service upon determining whether the requested operation can be performed relative to the specified service based on the roles.

Abstract: A method and system for streamlining a voting process performed by a web application is provided. As the web application may require that a voting action is effectuated after the user is registered to vote and also has supplied valid credentials, a voting application may be configured to intercept a request from a user to effectuate voting process directed to the web application, access credentials of the user stored by the web-based social networking application, and provide these credentials to the web application, such that the web application can process the request to effectuate voting process by registering the user to vote and storing the vote information for the user.

Abstract: The present disclosure relates generally to managing compliance of remote devices that access an enterprise system. More particularly, techniques are disclosed for using a compliance policy to manage remediation of non-compliances of remote devices that access an enterprise system. A device access management system may be implemented to automate remediation of non-compliances of remote devices accessing an enterprise system. Remediation may be controlled based on different levels of non-compliance, each defined by one or more different non-compliances. In some embodiments, a level of non-compliance may be conditionally defined by one or more user roles for which non-compliance is assessed. Access to computing resources of an enterprise system may be controlled for a remote device based on compliance of the remote device. Access may be inhibited for those resources not permitted during a time period of a non-compliance.

Abstract: The present teaching relates to exchanging a key with a device. In one example, a secret value is generated. A message is transmitted to the device. The message includes information related to the secret value based on which the device is to create a cryptographic key. A visual code displayed on the device is captured. The visual code includes a first piece of information and a second piece of information. A key value is generated based on the first piece of information and the secret value. A test value is calculated based on the key value. It is determined whether the device is securely connected based on the test value.

Abstract: An approach is provided for registering specific content in a portable storage medium to a digital locker. The portable storage medium is configured to include a content access application which causes the user interface to display a content access and registration part on a terminal executing the content access application, to request user entry of access validation information associated with the specific content. Upon access validation, the specific content can be registered to the digital locker of the user.

Abstract: In methods, systems, and computing devices configured to implement methods of authenticating a computing device, a first computing device and a second computing device may share a dynamically updated shared data set. The first computing device may select elements of the shared data set stored at the first computing device and may generate a rule set for extracting the selected elements from the shared data set. The first computing device may send the rule set to the second computing device, and may generate a first result using the selected elements. The second computing device may extract the selected elements from the shared data set using the rule set, may generate a second result, and may send the second result to the first computing device. The first computing device may determine whether the second computing device is authenticated based on whether the first result matches the second result.

Abstract: Methods and systems are provided for detecting dead tunnels associated with a VPN. An indicator of a tunnel capability, for example, a DPD vendor ID, is received from a peer through a VPN connection. The tunnel capability is associated with one or more phase II tunnels associated with the VPN. Traffic generated by the peer is detected, and if traffic is detected at a tunnel, the tunnel is presumed to be alive. When no traffic is detected in a tunnel, a DPD packet exchange with the tunnel is initiated. A determination is made, based on the packet exchange, whether the tunnel is alive.

Abstract: Techniques are described for communicating encoded data using start code emulation prevention. The described techniques include obtaining at least one partially encrypted packet, identifying at least one portion of the packet that is unencrypted, and determining that the identified unencrypted portion(s) emulates a start code. Start code emulation prevention data or emulation prevention bytes (EPBs) may be inserted into only the encrypted portion of the packet. The modified packet may be communicated to another device/storage, along with an indication of which portion(s) of the packet are unencrypted. Upon receiving the packet and indication, the receiving device may identify and remove the EPBs in the identified unencrypted portion(s) of the packet, and decrypt the packet to recover the data. In some aspects, upon identifying the indication, the receiving device may only search for EPBs in the unencrypted portion(s) of the packet, thus yielding a more efficient start code emulation prevention process.

Abstract: A first electronic device is provided. The first electronic device includes a transceiver, and a processor configured to encrypt a part of information related to a second communication based on information related to a first communication performed between the first electronic device and a second electronic device and control the transceiver to transmit information related to the second communication to the second electronic device through the transceiver.

Abstract: A method of providing one or more assertions about a subject is provided. The method includes obtaining, at an assertion directory access server and over a network, a first assertion about a first attribute of the subject from a first assertion issuer; obtaining, at the assertion directory access server and over a network, a second assertion about a second attribute of the subject from a second assertion issuer; and providing, from the assertion directory access server, the first assertion and the second assertion to an assertion directory authority server over a network.

Abstract: A login page of an online service is received in a user computer. False credentials, such as a false user identifier (ID) and a false password, are entered into the login page to login to the online service. The login page is classified as phishing when the online service does not serve a legitimate login-fail page in response to the entry of the false credentials in the login page.

Abstract: A vehicle processing device authenticates that an authorized user has requested an action by the vehicle, and generates an authentication acknowledgement message. At least two security devices being present within the cabin of, or close to, the vehicle during a predetermined period following an authentication trigger event that occurs while the user performs a predetermined sequence of authentication activities (i.e., button presses, operating the vehicle or a part of it, etc.) provides a basis for the authentication acknowledgement message. Typically, information unique to each security device has been associated with the vehicle at a service provider's server. The authentication acknowledgement may include an activation code that results from processing the information, unique to each security device, received from the security devices and other random information, such as date.

Abstract: A method of controlling secure vehicle communication in a vehicle gateway includes: detecting whether a vehicle is started; generating a new public key for each network connected to the vehicle gateway for message encryption upon detecting that the vehicle is started; transmitting a first message including the new public key; allocating a new identification (ID) to each controller connected to the vehicle gateway with reference to a stored routing table for message routing between controllers upon detecting that the vehicle is started; and transmitting a second message including the new ID.

Abstract: A system for remotely storing data includes a communication component that is configured to receive a data file to be stored on a remote data storage system. An encryption system is configured to obtain at least one key and encrypt the data file with the at least one key. A processor is configured to generate a request to a master key storage system through the communication component to operatively encrypt the at least one key using a master key stored in the master key storage system. The communication component is configured to transmit the encrypted data file to at least one remote storage location. The processor is configured to receive the encrypted key(s) from the master key storage system and store the encrypted key(s) in a data store.

Abstract: A system and method for adaptively securing a protected entity against cyber-threats. The method includes: activating a security application configured to handle a cyber-threat; receiving a plurality of feeds during a runtime of the security application; analyzing the plurality of received feeds to determine if the security application is required to be re-programmed to perform an optimized action to efficiently protect against the cyber-threat; and re-programming, during the runtime, the security application, when it is determined that the security application requires performance of the optimized action.

Abstract: Motion sensing devices for computer security are provided. In various embodiments, a security device includes a sensor for receiving periodic signals from a mobile device, the sensor being for detecting movement of a computing device to which the security device is removably coupled. The security device can receive from the sensor messages indicative of the movement of the computing device. The security device can further determine if the computing device has been moved, using the sensor messages. The security device can be paired with the mobile device, the mobile device having an application. The security device can output a warning message to the mobile device, the warning message being outputted via the application, if the strength of the signals received is below a predetermined threshold. A decrease in the strength of the signals may be indicative of the computing device being moved.

Abstract: Embodiments of an invention for a return address overflow buffer are disclosed. In one embodiment, a processor includes a stack pointer to store a reference to a first return address stored on a stack, an obscured address stack pointer to store a reference to an encrypted second return address stored in a memory, hardware to decrypt the encrypted second return address to generate a decrypted second return address, and a return address verification logic, responsive to receiving a return instruction, to compare the first return address to the decrypted second return address.

Abstract: A method includes acts for establishing a subscription for an entity. The method includes receiving, at a cloud service provider, a request from an entity to establish a subscription. The request includes credentials for the entity that are not proper credentials for an organization associated with the entity that the entity should use to access services for the organization. The method further includes performing a corrective action based on detecting one or more factors to determine that the entity is associated with the organization. The method further includes providing services based on the corrective action.

Abstract: A safety apparatus for providing a safe operation of a subsystem within a safety critical system, SCS is disclosed herein. The safety apparatus includes: a system communication interface for communication with components of the subsystem and other subsystems of the safety critical system; a backend communication interface for communication with a safety cloud backend; an integrated identifier memory storing a unique identifier of the subsystem; and an authorization control unit configured to perform a handshake authorization procedure with another target subsystem of the safety critical system via the system communication interface, and with the safety cloud backend via the backend communication interface to get authorization for the subsystem to execute a safety critical function on the target subsystem of the safety critical system based on the unique identifiers of both subsystems.

Abstract: This disclosure relates to enforcing restrictions on data collected from a first set of systems and disseminated to a second set of systems. For example, a method for enforcing a set of restrictions includes receiving a first trait and a second trait that include data describing a user that has interacted with an online service. The first trait is labelled with a first usage restriction and the second trait is labelled with a second usage restriction different from the first usage restriction. The method further includes combining the first trait and the second trait into a segment. The segment preserves labelling of the first trait with the first usage restriction and the second trait with the second usage restriction. The method further includes controlling use of the segment based on the first usage restriction and the second usage restriction.