Patents Examined by Canh Le
  • Patent number: 9961110
    Abstract: Implementations relate to systems and methods for pre-signing of DNSSEC enabled zones into record sets. A domain name system (DNS) can receive and/or impose a set of DNS policies desired by an administrator, or the DNS operator itself to govern domain name resolution with security extensions (DNSSEC) for a Web domain. The DNS can generate a set of answers to user questions directed to the domain based on the set of policies. Those answers which differ or vary based on policy rules can be stored as variant answers, and can be labeled with a variant ID. The variant answers can be pre-signed and stored in the DNS. Because key data and other information is generated and stored before a DNS request is received, the requested variant answer can be returned with greater responsiveness and security.
    Type: Grant
    Filed: November 27, 2013
    Date of Patent: May 1, 2018
    Assignee: VERISIGN, INC.
    Inventors: David Blacka, Ramakant Pandrangi
  • Patent number: 9954687
    Abstract: A method and apparatus for establishing a wireless connection. A digital certificate having a second name is obtained by a processor unit in response to receiving a selection of a network using a first name broadcast by a wireless access point. A determination is made by the processor unit as to whether the digital certificate is valid. A determination is made by the processor unit as to whether the second name in the digital certificate matches the first name broadcast by the wireless access point. The processor unit establishes the wireless connection to the wireless access point in response to the digital certificate being valid and the second name in the digital certificate matching the first name broadcast by the wireless access point.
    Type: Grant
    Filed: October 23, 2015
    Date of Patent: April 24, 2018
    Assignee: International Business Machines Corporation
    Inventors: Thomas J. Cross, David B. Dewey, Takehiro Takahashi
  • Patent number: 9942217
    Abstract: Devices, systems, and methods for generating a secure token specific to an online service provider are provided. User account information of a user is transmitted to a token processor from an online service provider requesting a secure token generation. The token processor also receives exchange information for an exchange between the user and the online service provider. The token processor generates, based on the exchange information and the user account information, a secure token to be used for the exchange. The generated secure token is mapped to the online service provider and transmitted to the online service provider. The stored secure token is usable only at the mapped online service provider.
    Type: Grant
    Filed: June 3, 2015
    Date of Patent: April 10, 2018
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventor: Michael Gulledge
  • Patent number: 9935980
    Abstract: A server device receives, from a member device, a registration request for a group virtual private network (VPN) and provides an initial firewall security policy for the group VPN. The server device receives instructions for a policy configuration change and sends, to the member device, a push message that includes dynamic policies to implement the policy configuration change. The dynamic policies are implemented as a subset of a template policy. The member device receives the push message with the dynamic policies, associates the dynamic policies with the template policy, and applies the initial security policy data and the dynamic policies to incoming traffic without the need for a reboot of the member device.
    Type: Grant
    Filed: August 14, 2015
    Date of Patent: April 3, 2018
    Assignee: Juniper Networks, Inc.
    Inventor: Madhav Karhade
  • Patent number: 9930034
    Abstract: A mobile device can receive, from an application installed on a wearable device, an authentication query. Based upon the authentication query, an application installed on the mobile device can be determined to have been authenticated. In response to determining that the application installed on the mobile device has been authenticated, a temporary password can be generated at the mobile device and converted into a vibration pattern. The vibration pattern can be vibrated at the mobile device. The temporary password sent from the mobile device can be compared with user input received via a tap interface on the wearable device. In response to determining that the user input corresponds to the temporary password, the application installed on the wearable device can be authenticated based on authentication parameters of the corresponding application on the mobile device.
    Type: Grant
    Filed: July 29, 2015
    Date of Patent: March 27, 2018
    Assignee: International Business Machines Corporation
    Inventors: Vijay Ekambaram, Ashish K. Mathur, Ashok Pon Kumar Sree Prakash
  • Patent number: 9917695
    Abstract: A computer-implemented authenticated encryption method for converting a plaintext message into a ciphertext message. The method includes dividing the plaintext message into at least two working blocks, each working block having a mathematical relationship to the plaintext message. For each working block, a working block ciphertext is computed as a function of such working block, a deterministic working block initialization vector, and a deterministic working block encryption key. For each working block, a message authentication tag is computed as a function of a deterministic working block message authentication key and at least one of (a) the working block ciphertext computed for such working block and an indication corresponding to the mathematical relationship of such working block to the plaintext message and (b) such working block.
    Type: Grant
    Filed: March 11, 2013
    Date of Patent: March 13, 2018
    Assignees: BlackBerry Limited, Certicom Corp.
    Inventors: Atsushi Yamada, Gregory Marc Zaverucha
  • Patent number: 9910975
    Abstract: A password input device comprises a storage unit for storing character strings according to each icon; an input window generation unit for generating and displaying an input window on which a plurality of icons are arranged; a secret icon recognition unit which confirms a shift coordinate value and recognizes icons, which are arranged on coordinates inversely moved up to the shift coordinate value from a coordinate value at which a selected icon is arranged, as secret icons selected by the user if the user selects the icon; and an authentication processing unit which confirms a character string corresponding to each secret icon recognized in the secret icon recognition unit, generates a combined character string in which the one or more confirmed character strings are arranged, and authenticates the user by confirming whether the generated combined character string is consistent with the user's password stored in the storage unit.
    Type: Grant
    Filed: April 18, 2013
    Date of Patent: March 6, 2018
    Assignee: Rowem Inc.
    Inventors: Giho Yang, Jaeyeob Hwang
  • Patent number: 9900343
    Abstract: Disclosed are methods and systems for providing a mobile signaling channel during a distributed denial of service (DDoS) attack. An example method for providing a mobile signaling channel during a DDoS attack may include communicatively coupling a mobile device to a DDoS device protecting upstream data communications during the DDoS attack. The mobile device may be operable to signal the DDoS attack via the mobile signaling channel. Furthermore, the method may include determining that a capacity of a primary signaling channel associated with the DDoS device is below a predetermined threshold capacity. The method may further include activating signaling of the DDoS attack by the mobile device via the mobile signaling channel. The activation may be performed based on the determination that the capacity of the primary signaling channel associated with the DDoS device is below the predetermined threshold capacity.
    Type: Grant
    Filed: January 5, 2015
    Date of Patent: February 20, 2018
    Assignee: A10 NETWORKS, INC.
    Inventor: Michael Friedel
  • Patent number: 9877188
    Abstract: A system and method for providing access credentials for a wireless network is provided. The system and method comprises sending a request for access credentials for a wireless network never previously accessed from a requesting client device to a connection helper service hosted by a server. The connection helper service determines a subset of user accounts that have the access credentials for the wireless network stored in an associated remote database. The connection helper service then searches social media to determine whether any of the subset of user accounts are connected with a user account associated with the requesting client device. If there is a connection, then the connection helper service facilitates requesting permission to acquire the access credentials from a remote database associated with a user account for the connection with the access credentials. In this manner, access to the wireless network is provided without manually entering access credentials.
    Type: Grant
    Filed: August 13, 2014
    Date of Patent: January 23, 2018
    Assignee: Google LLC
    Inventor: Arvind Jain
  • Patent number: 9860230
    Abstract: A computer-implemented method for digitally signing executables with reputation information is disclosed. This method may include (1) receiving a request for a reputation certificate for an executable file, (2) identifying reputation information associated with the executable file, (3) generating a digitally signed reputation certificate for the executable file that includes at least the reputation information associated with the executable file, and then (4) providing the reputation certificate in response to the request. Additional computer-implemented methods for evaluating the trustworthiness of executable files based at least in part on reputation information contained within such digitally signed reputation certificates, along with corresponding systems and computer-readable media, are also disclosed.
    Type: Grant
    Filed: August 17, 2010
    Date of Patent: January 2, 2018
    Assignee: Symantec Corporation
    Inventors: William E. Sobel, Bruce McCorkendale
  • Patent number: 9860243
    Abstract: A mobile device can receive, from an application installed on a wearable device, an authentication query. Based upon the authentication query, an application installed on the mobile device can be determined to have been authenticated. In response to determining that the application installed on the mobile device has been authenticated, a temporary password can be generated at the mobile device and converted into a vibration pattern. The vibration pattern can be vibrated at the mobile device. The temporary password can be transmitted from the mobile device to the wearable device for use in authenticating the application installed on the wearable device.
    Type: Grant
    Filed: July 29, 2015
    Date of Patent: January 2, 2018
    Assignee: International Business Machines Corporation
    Inventors: Vijay Ekambaram, Ashish K. Mathur, Ashok Pon Kumar Sree Prakash
  • Patent number: 9847964
    Abstract: Methods and systems for pairing a device to an account managed by a remote service include connecting to a commissioning device. The commissioning device is a device that manages pairing of devices to a remote service. Pairing the device to the fabric in a remote service also includes receiving service configuration details from the commissioning device. The commissioning device has previously retrieved the service configuration details that contain details configured to enable the joining device to connect to the remote service. Using the service configuration details, a device connects to the remote service using the received service configuration details.
    Type: Grant
    Filed: January 6, 2015
    Date of Patent: December 19, 2017
    Assignee: Google LLC
    Inventor: Jay D. Logue
  • Patent number: 9838405
    Abstract: The disclosed computer-implemented method for determining types of malware infections on computing devices may include (1) identifying multiple types of security events generated by a group of endpoint devices that describe suspicious activities on the endpoint devices, each of the endpoint devices having one or more types of malware infections, (2) determining correlations between each type of security event generated by the group of endpoint devices and each type of malware infection within the group of endpoint devices, (3) identifying a set of security events generated on a target endpoint device that potentially has a malware infection, and (4) detecting, based on both the set of security events generated on the target endpoint device and the correlations between the types of malware infections and the types of security events, at least one type of malware infection likely present on the target endpoint device.
    Type: Grant
    Filed: November 20, 2015
    Date of Patent: December 5, 2017
    Assignee: Symantec Corporation
    Inventors: Fanglu Guo, Kevin Roundy
  • Patent number: 9832023
    Abstract: Authenticity and responsiveness of evidence (e.g., biometric evidence) may be validated without regard for whether there is direct control over a sensor that acquired the evidence. In some implementations, only a data block containing evidence that is (1) appended with a server-generated challenge (e.g., a nonce) and (2) signed by the sensor may validate that the evidence is responsive to a current request and belongs to a current session. In some implementations, trust may be established and/or enhanced due to one or more security features (e.g., anti-spoofing, anti-tampering, and/or other security features) being collocated with the sensor at the actual sampling site.
    Type: Grant
    Filed: October 31, 2011
    Date of Patent: November 28, 2017
    Assignee: BiObex, LLC
    Inventor: Arthur W. Joyce, III
  • Patent number: 9813383
    Abstract: Systems and methods for preparing and re-commissioning a controlled device in a home area network are described. A utility meter is communicated with. An authentication key and encryption data for communicating with the utility meter may be determined. The authentication key and encryption data are sent to a controlled device. A set of translation rules for a message are determined. The translation rules are sent to the controlled device. The controlled device establishes a secure communication link with the utility meter using the authentication key and the encryption data. The controlled device receives a request to change power usage from the utility meter over the secure communication link. The controlled device translates the request to change power usage into control instructions using the translation rules.
    Type: Grant
    Filed: August 17, 2010
    Date of Patent: November 7, 2017
    Assignee: Control4 Corporation
    Inventors: Paul E. Nagel, William B. West
  • Patent number: 9807111
    Abstract: The disclosed computer-implemented method for detecting advertisements displayed to users via user interfaces may include (1) monitoring, via an accessibility API provided by an operating system of the computing device, accessibility events that indicate state transitions in user interfaces of applications running on the computing device, (2) determining, based on an analysis of at least one accessibility event, that an advertisement is being displayed to a user within a user interface of an application running on the computing device, and (3) in response to determining that the advertisement is being displayed, performing at least one action to prevent the advertisement from interfering with interactions between the user and the application. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: July 29, 2015
    Date of Patent: October 31, 2017
    Assignee: Symantec Corporation
    Inventor: Christopher Woodward
  • Patent number: 9787678
    Abstract: A proxy device intercepts requests from client devices to access message data through a message data device, such as accessing e-mail messages through a mail server implementing post office protocol (POP) or other messaging protocol. The proxy device determines to authenticate a client device when, for example, the client device is located within certain areas that differ from a geographic region associated with a message account holder. Authentication of the client device may include collecting additional information, such as a universal identifier that may be used by the client device to access various services. The proxy device may further forward a notification message to the client device indicating that access to the message data is pending until the client device is authenticated. If the client device is successfully authenticated, the proxy device forwards the request to the message data device to enable the client device to access the message data.
    Type: Grant
    Filed: July 30, 2015
    Date of Patent: October 10, 2017
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Manah M. Khalil, Vijaya R. Challa
  • Patent number: 9756030
    Abstract: Systems, methods, and other embodiments associated with secure cloud based multi-tier provisioning are described. In one embodiment, a method includes storing, in server-side computer storage medium, an activation key for a networked device and a set of configuration parameter values associated with an application to be run by the networked device. The method includes managing access to the computer storage medium such that access to the activation key and the configuration parameter values by unauthorized entities is prevented. Upon receiving the activation key from an authorized installation entity, the method includes identifying a configuration for the networked device comprising the set of configuration parameter values. A network connection is made with the networked device and the configuration is transmitted to the networked device, such that the configuration is not provided to the authorized installation entity.
    Type: Grant
    Filed: August 8, 2014
    Date of Patent: September 5, 2017
    Assignee: Eurotech S.P.A.
    Inventors: Marco Carrer, Cristiano DeAlti, Alberto Codutti, Stefano Adami
  • Patent number: 9747433
    Abstract: The disclosure is directed to a wearable device that is configured to secure itself based on signals received from a pulse sensor. According to one implementation, the pulse sensor includes a light source (e.g., a light-emitting diode) and a photo sensor. The light source, under the control of a processor, shines light having a particular wavelength (e.g., green or infrared). The photo sensor generates signals based on light that it senses. For example, when the light from the light source reflects off a person's skin, then the photo sensor will generate signals based on the reflected light that the photo sensor detects. In this manner, the wearable device can accurately determine whether it is being worn by a user (e.g., by taking a photoplethysmogram) and, when necessary, secure the wearable electronic device.
    Type: Grant
    Filed: August 21, 2014
    Date of Patent: August 29, 2017
    Assignee: Google Technology Holdings, LLC
    Inventors: Mitul R. Patel, Sajid I Dalvi, Francis X. Kuzhiyil, Eric V. Tashakkor
  • Patent number: 9686262
    Abstract: A method and system for authenticating a user to a target server. A request is received from a user computer system to authenticate the user for access to a target server at level N of N levels (N≥2). Each record of a stored authentication plan associated with the user has authentication records each having information relating to authentication of the user for access to N−1 target servers at respective levels 1 through N−1. Each record of a received current authentication plan for the user has authentication records each having current information relating to authentication of the user for access to the N−1 target servers at respective levels 1 through N−1. It is determined that there is at least a partial match between the stored and current authentication plans, and in response, the user is authenticated for access to the target server at level N.
    Type: Grant
    Filed: May 7, 2015
    Date of Patent: June 20, 2017
    Assignee: International Business Machines Corporation
    Inventors: Rick A. Hamilton, II, Brian M. O'Connell, John R. Pavesi, Keith R. Walker