Patents Examined by Bryan Wright
  • Patent number: 9451458
    Abstract: Techniques are provided for granting authorization to restricted content on a display device from an authorizing device. In one embodiment, the display device may operate in a display mode where only unrestricted content is accessible. To access restricted content, the display device may transmit an authorization request signal to the authorizing device. The authorizing device, having received the authorization request, prompts an authorized user to enter an authentication input, such as a password or gesture, on the authorizing device. Upon verification of the authentication input, the authorizing device is authenticated. An authorization signal is transmitted to the display device, and the display device may operate in an authorized mode, having access to otherwise restricted content or functions.
    Type: Grant
    Filed: May 22, 2014
    Date of Patent: September 20, 2016
    Assignee: Apple Inc.
    Inventor: Stephen Hayden Cotterill
  • Patent number: 9397877
    Abstract: Content filtering of data containers of multiple content types is performed using multiple filtering modules operating concurrently. An apparatus for content filtering has a set of content-specific filtering modules and a network interface for parsing a received data container into components and directing each component to a respective filtering module. A filtering module edits a component of a specific content type according to respective rules. A multiplexer combines edited components produced by the set of filtering modules to form an edited data container. A root module applies a set of basic rules to a data container and any attachments. In an alternative configuration, the apparatus employs multiple filtering modules each applying rules for all content types. Received data containers are distributed among the filtering modules and an output module arranges edited data containers of a data stream in proper sequential order.
    Type: Grant
    Filed: June 25, 2013
    Date of Patent: July 19, 2016
    Assignee: Vantrix Corporation
    Inventors: Richard Elliott Norton, Louis-Rene Poirier-Beauchemin, Robert Héroux, Mario Joseph Leo Claude Lavalliere
  • Patent number: 9398455
    Abstract: Aspects of the disclosure provide a method. The method includes generating an identification based on a public key of an asymmetric key pair for a device, including the identification into an information unit to identify the device as a source of the information unit and transmitting the information unit.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: July 19, 2016
    Assignee: Marvell World Trade Ltd.
    Inventor: Paul A. Lambert
  • Patent number: 9396361
    Abstract: A method and apparatus to establish a trustworthy local time based on trusted computing methods are described. The concepts are scaling because they may be graded by the frequency and accuracy with which a reliable external time source is available for correction and/or reset, and how trustworthy this external source is in a commercial scenario. The techniques also take into account that the number of different paths and number of hops between the device and the trusted external time source may vary. A local clock related value which is protected by a TPM securely bound to an external clock. A system of Accuracy Statements (AS) is added to introduce time references to the audit data provided by other maybe cheaper sources than the time source providing the initial time.
    Type: Grant
    Filed: July 24, 2013
    Date of Patent: July 19, 2016
    Assignee: InterDigital Patent Holdings, Inc.
    Inventors: Andreas Schmidt, Christian Hett, Yogendra C. Shah, Inhyok Cha
  • Patent number: 9390292
    Abstract: A system for creating protected functional descriptions of integrated circuits provides an encrypted functional description that allows the integrated circuit to be simulated with respect to producing outputs for given sets of inputs without identification of the constituent components of the integrated circuit such as the logical gates making up the integrated circuit. The encrypted functional description may include encrypted truth-tables describing the generic gates of the integrated circuit, the encrypted truth-tables securing the function of each logical gate by including multiple redundant table entries mapped to alias values of Boolean logical states and erroneous table entries.
    Type: Grant
    Filed: December 30, 2013
    Date of Patent: July 12, 2016
    Assignee: Wisconsin Alumni Research Foundation
    Inventors: Spencer Millican, Parameswaran Ramanathan, Kewal Saluja
  • Patent number: 9386043
    Abstract: A method for use in a system with multiple processor-based devices, the method including: running a first application on a first processor-based device; maintaining a second application in a standby mode on the first processor-based device; and providing a service to each of the first and second applications on the first processor-based device by a service-providing application on the first processor-based device, wherein providing the service includes maintaining a record regarding service statuses of the first application and the second application in which the record stores a respective entry for each of the first and second applications to reflect an active service status for the first application and a standby service status of the second application.
    Type: Grant
    Filed: March 31, 2015
    Date of Patent: July 5, 2016
    Assignee: GENBAND US LLC
    Inventor: Allain Legacy
  • Patent number: 9374347
    Abstract: A method includes sending an open request to a directory server for a first key, the first key being a trusted key wrapped in a public key. The open request includes an authentication request value that identifies the open request as a verified setup directory service, the public key, an email address and a specified out-of-band communication channel. The directory server sends a first reply after generating the first key, which first reply is sent directly back with a first half of the first key offset by a unique value and wrapped using the public key. The second reply is sent via email to the email address, which second reply includes a second half of the first key offset by the first half of the first key. The third reply is sent to the out-of-band channel, which third reply includes the unique value.
    Type: Grant
    Filed: February 10, 2014
    Date of Patent: June 21, 2016
    Inventor: R. Paul McGough
  • Patent number: 9369462
    Abstract: A cloud client device identifies one or more devices within a predetermined range of the cloud client device operable to communicate with the cloud client device. The cloud client device pairs with one or more of the devices. To provide secure access to the cloud client device and to other functionality provided by the paired devices, the cloud client device accepts tones as a password. The cloud client device receives a password after a prompt as one or more tones and translates the tones for comparison with the password for the cloud client device. Access is allowed if the translated tones match the password for the cloud client device.
    Type: Grant
    Filed: August 5, 2014
    Date of Patent: June 14, 2016
    Assignee: Dell Products L.P.
    Inventor: Gabriel Jakobus Grosskopf
  • Patent number: 9355250
    Abstract: The present embodiments provide a method and system for rapidly scanning a file, wherein the method includes obtaining a data packet, the data packet comprising secure file characteristic information for determining whether a file in a system is a secure file, and scanning file characteristic information of files in the system one by one, if the currently scanned file characteristic information matches secure file characteristic information in the data packet identifying a file as a secure file, skipping an anti-virus scanning for the current file, and continuing to scan a next file. By using the data packet, when a new user performs a first scanning, a file with identical characteristic information as that in the data packet can be skipped, which can reduce the time for the first scanning.
    Type: Grant
    Filed: February 5, 2013
    Date of Patent: May 31, 2016
    Assignee: Beijing Qihoo Technology Company Limited
    Inventors: Guiqiang Zou, Min Fu
  • Patent number: 9332029
    Abstract: Disclosed are a system and method of distributed detection of malware. An example system includes a security client deployed on a computer node. The security client is operable to identify and communicate with similar security clients deployed on other computer nodes located in local or remote computer networks. The security client is configured to: perform a malware analysis of files on the computer node; identify unknown files; collect information and statistics data about the unknown file; transmit to other computer nodes a request for identification about the unknown file; receive from at least one other computer node a response containing the identification of the unknown file as a malicious file and a malware remediation tool, wherein the remediation tool includes information, statistics data and malware repair or removal instructions for the malicious file; and use the received malware remediation tool to repair or remove the malicious file.
    Type: Grant
    Filed: December 24, 2014
    Date of Patent: May 3, 2016
    Assignee: AO Kaspersky Lab
    Inventor: Andrey G. Tikhonov
  • Patent number: 9317682
    Abstract: Described is a system, method, and computer program product for preventing security flaws in untrusted computer source code by implementing information flow security in an existing programming language through use of an information flow security library. Confidentiality and integrity are encoded separately into the security information flow library. A security policy written in the host programming language is typechecked with a host programming language typechecker algorithm. Additionally, an untrusted module written in a restricted subset of the host programming language is typechecked with the host programming language typechecker algorithm. The untrusted modules cannot access confidential data in the host programming language. Typechecking of the untrusted modules enforces the security policy with the security information flow library.
    Type: Grant
    Filed: December 7, 2012
    Date of Patent: April 19, 2016
    Assignee: HRL Laboratories, LLC
    Inventors: Alexei Kopylov, George Kuan, Aleksey Nogin
  • Patent number: 9300671
    Abstract: A restricted account may be created responsive to a successful login by a user for a shared account. The restricted account may have fewer access privileges to resources of the computer system than the shared account. The user may have access to the operating system through the restricted account rather than the shared account. The user is prompted for higher authentication information responsive to a request by the user to promote the restricted account to a higher authentication account during the session. The restricted account is promoted to the higher authentication account during the session. The higher authentication account has greater access privileges to resources of the computer system than the restricted account.
    Type: Grant
    Filed: December 30, 2013
    Date of Patent: March 29, 2016
    Assignee: CA, Inc.
    Inventors: Nir Barak, Amir Jerbi, Laurent Lankri
  • Patent number: 9276919
    Abstract: In certain embodiments, a system has a memory and a processor. The memory is operable to store a credential verifier associated with a user account and a counter. The processor is coupled to the memory and the memory includes executable instructions that cause the system to receive a first authentication attempt and increment the counter if validation of the first authentication attempt against the credential verifier fails. The instructions also cause the system to receive a second authentication attempt and increment the counter only if validation of the second authentication attempt against the credential verifier fails and the second authentication attempt is distinct from the first authentication attempt.
    Type: Grant
    Filed: July 12, 2013
    Date of Patent: March 1, 2016
    Assignee: Amazon Technologies, Inc.
    Inventors: Stefan Popoveniuc, Cristian Marius Ilac, Gregory Branchek Roth, Eric J. Brandwine
  • Patent number: 9276737
    Abstract: A system and a method using that system are provided for establishing a secure communication channel between a vehicle and a mobile device. The method may include providing at least one unique mobile device identifier and at least one unique vehicle telematics unit identifier associated with the mobile device identifier to a call center. At least one of the two identifiers may be provided to a wireless service provider. Two private keys may be generated—a first private key based on the at least one unique mobile identifier and a second private key based on the at least one unique vehicle telematics unit identifier. The first private key may be provided to the mobile device within a first cryptographic envelope signed with a first cryptographic key. And the second private key may be provided to the vehicle telematics unit within a second cryptographic envelope signed with a second cryptographic key.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: March 1, 2016
    Assignee: General Motors LLC
    Inventor: Kenneth L. Peirce
  • Patent number: 9262637
    Abstract: A method is provided in one example embodiment that includes storing a reference measurement of an object in a trusted storage and retrieving the reference measurement from the trusted storage before an operating system is loaded. In a pre-operating system environment, the reference measurement can be compared with a golden measurement and a policy action can be applied if a variance is detected between the reference measurement and the golden measurement. In more particular embodiments, the reference measurement is a measurement of firmware, and yet more particularly, the measurement is a hash of the firmware.
    Type: Grant
    Filed: March 29, 2012
    Date of Patent: February 16, 2016
    Assignee: CISCO TECHNOLOGY, INC.
    Inventor: William E. Jacobs
  • Patent number: 9256754
    Abstract: A data protection method for an electronic device is disclosed. The data protection method includes setting a log-in password for a private file stored in a public folder, creating a private folder having a same folder name as the public folder to store the private file in the private folder, and comparing an input password with the log-in password for the private folder to determine to display the private folder or the public folder.
    Type: Grant
    Filed: May 23, 2013
    Date of Patent: February 9, 2016
    Assignee: Wistron Corporation
    Inventors: Qian Huang, Chun-Ming Lin
  • Patent number: 9251373
    Abstract: Improved buffer overflow protection for a computer function call stack is provided by placing a predetermined ShadowKEY value on a function's call stack frame and copying the ShadowKEY, a caller EBP, and a return pointer onto a duplicate stack. The prologue of the function may be modified for this purpose. The function epilogue is modified to compare the current values of the ShadowKEY, caller EBP, and the return pointer on the function stack to the copies stored on the duplicate stack. If they are not identical, an overflow is detected. The preserved copies of these values may be copied back to the function stack frame thereby enabling execution of the process to continue. A function prologue and epilogue may be modified during compilation of the program.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: February 2, 2016
    Inventors: Khalid Nawaf AlHarbi, Xiaodong Lin
  • Patent number: 9251353
    Abstract: A credential caching system includes receiving a set of authentication credentials, storing the set of authentication credentials in a credential cache memory, wherein the credential cache memory is coupled with a management controller, and supplying the set of authentication credentials for automatic authentication during a reset or reboot. In the event of a security breach, the credential caching system clears the set of authentication credentials from the credential cache memory so that the set of authentication credentials may no longer be used for a reset or reboot.
    Type: Grant
    Filed: December 6, 2012
    Date of Patent: February 2, 2016
    Assignee: Dell Products L.P.
    Inventors: Muhammed K. Jaber, Mukund P. Khatri, Kevin T. Marks, Don Charles McCall
  • Patent number: 9246678
    Abstract: An embodiment of the invention allows a user to back-up/store data to a cloud-based storage system and synchronize that data on the user's devices coupled to the storage system. The devices have secure out-of-band cryptoprocessors that conceal a private key. The private key corresponds to a public key that is used to encrypt a session key and information, both of which are passed to and through cloud based storage, all while remaining encrypted. The encrypted material is communicated from the cloud to another of the user's devices where the encrypted material is decrypted within a secure out-of-band cryptoprocessor (using the private key that corresponds to the aforementioned public key) located within the device. The embodiment allows for secure provisioning of the private key to the devices. The private key is only decrypted within the cryptoprocessor so the private key is not “in the open”. Other embodiments are described herein.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: January 26, 2016
    Assignee: Intel Corporation
    Inventors: Alex Nayshtut, Edward V. Jimison, Omer Ben-Shalom, Michael Raziel
  • Patent number: 9245115
    Abstract: Classification of electronic communications includes receiving an electronic communication, evaluating the received communication against a collection of terms, and classifying the received communication based at least in part on the evaluation. The collection of terms is representative of a particular strategy of an attacker. The evaluation includes determining a presence of a portion of the collection of terms in the electronic communication.
    Type: Grant
    Filed: February 12, 2013
    Date of Patent: January 26, 2016
    Assignee: ZapFraud, Inc.
    Inventor: Bjorn Markus Jakobsson