Patents Examined by Christopher Brown
  • Patent number: 9769156
    Abstract: Embodiments of the invention relate to methods of generating and using an image-based derived key. In various embodiments, the image-based derived key may be used to facilitate user authentication and data encryption. For some embodiments, a method is disclosed comprising determining an image-based derived key, wherein the image-based derived key is generated from a selection of authentication images chosen by a user, encrypting data using the image-based derived key, and transmitting the encrypted data.
    Type: Grant
    Filed: November 22, 2016
    Date of Patent: September 19, 2017
    Assignee: Visa International Service Association
    Inventors: Selim Aissi, Taeho Kgil, Ajit Gaddam
  • Patent number: 9743278
    Abstract: A method and device are described which provide a security interface, preferably for a mobile device. The security interface provides user-selectable non-secure data that is displayed without the need for a password. The non-secure data is preferably updated on a regular basis, and can be obtained from different sources, as selected by a user. The secure data can be accessed after successful authentication, such as a positive password verification. Additional non-secure data, related to the displayed non-secure data, can preferably be accessed, with or without a need for a password. An indication can be provided to inform a user that secure data has been updated, without the need to access such secure data. The security interface is preferably enabled after a predetermined timeout period. The interface allows the device to operate in three data access states: a controlled access state; a verification state; and a full access state.
    Type: Grant
    Filed: December 6, 2012
    Date of Patent: August 22, 2017
    Assignee: BlackBerry Limited
    Inventor: Krishna K. Pathiyal
  • Patent number: 9742801
    Abstract: A computer-implemented method for preventing the execution of online malvertising may include (1) maintaining a database of software version information for at least one client device, (2) detecting a request from the client device to access a website that contains active advertising content, (3) identifying, by querying the database of software version information, a vulnerability in at least one software element on the client device that may be used to deliver the active advertising content, and (4) preventing delivery of the active advertising content to the client device. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: September 25, 2015
    Date of Patent: August 22, 2017
    Assignee: Symantec Corporation
    Inventor: Spencer Smith
  • Patent number: 9730076
    Abstract: Using a system distinct from a mobile device, the mobile device is switched from a first mode to a second mode to access a set of data storage locations in the mobile device. All malware-susceptible data stored in the set of data storage locations is received at the system from the mobile device to form received data, which is analyzed at the system to detect a malware from a set of malware in a first portion of the received data. Responsive to the analyzing, the first portion of the received data is modified at the system to form a modified first portion, wherein the modifying removes the malware from the first portion. The system stores the modified first portion in a first data storage location in the mobile device and a second portion of the received data in a second data storage location in the mobile device.
    Type: Grant
    Filed: May 27, 2015
    Date of Patent: August 8, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Judith H. Bank, Lisa M. Bradley, Aaron J. Quirk, Lin Sun
  • Patent number: 9722790
    Abstract: Logic on a first remote device receives a first transaction number and personal data transmitted from a second remote device. The first transaction number was received from a distributed public database in response to a transmission, from the second remote device, of a signed hash value and a first public key associated with a first private key on the second remote device. The signed hash value was created by signing a hash value with the first private key and the hash value was generated by hashing the personal data with a hashing algorithm on the second remote device. The logic uses the first transaction number to retrieve the signed hash value and the first public key from the distributed public database. The logic hashes the personal data using the hashing algorithm to create a generated hash value and verifies the signed hash value against the generated hash value.
    Type: Grant
    Filed: May 4, 2016
    Date of Patent: August 1, 2017
    Assignee: SHOCARD, INC.
    Inventor: Armin Ebrahimi
  • Patent number: 9716585
    Abstract: An aspect of cipher text translation includes a memory configured to store predetermined conditions for performing an encryption operation, and a processor communicatively coupled to the memory. The processor is configured to execute computer readable instructions. The computer readable instructions include determining through analysis of an inbound key and an outbound key of the encryption operation that the encryption operation includes a translation from a first class of encryption to a second class of encryption. The second class of encryption is determined to be weaker than the first class of encryption. The instructions also include applying the predetermined conditions to the input key and the output key and authorizing the translation via the processor, based on the applying, when aspects of the predetermined conditions are satisfied.
    Type: Grant
    Filed: April 12, 2016
    Date of Patent: July 25, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Todd W. Arnold, Elizabeth A. Dames, Mark D. Marik
  • Patent number: 9710402
    Abstract: A system includes a processor configured to transfer a newly generated encryption key for a newly paired device to the device and utilize the encryption key to create and encrypt a new virtual storage space corresponding to the device and accessible using the encryption key on a memory connected to the processor.
    Type: Grant
    Filed: November 10, 2015
    Date of Patent: July 18, 2017
    Assignee: Ford Global Technologies, LLC
    Inventors: Omar Makke, Manpreet Singh Bajwa, Oleg Yurievitch Gusikhin, Perry Robinson Macneille
  • Patent number: 9699203
    Abstract: Systems and methods for account security are provided. In one example embodiment, a first login request including a username and a password is analyzed to identify a first internet protocol (IP) address and a first request time associated with the first login request. A login history comprising login request data for the server computer is analyzed to identify a plurality of usernames, wherein each username of the plurality of usernames is associated with a corresponding login request from the first IP address within a threshold time period of the first request time. In response to determining a login success ratio is below a threshold login success ratio and a number of unique usernames in the analyzed data is above the unique username threshold, the system automatically performs a security action.
    Type: Grant
    Filed: September 22, 2015
    Date of Patent: July 4, 2017
    Assignee: Snap Inc.
    Inventor: Jinlin Yang
  • Patent number: 9692736
    Abstract: An infrastructure delivery platform provides an RSA proxy service as an enhancement to the TLS/SSL protocol to off-load, from an edge server to an external cryptographic server, the decryption of an encrypted pre-master secret. The technique provides forward secrecy in the event that the edge server is compromised, preferably through the use of a cryptographically strong hash function that is implemented separately at both the edge server and the cryptographic server. To provide the forward secrecy for this particular leg, the edge server selects an ephemeral value, and applies a cryptographic hash to the value to compute a server random value, which is then transmitted back to the requesting client. That server random value is later re-generated at the cryptographic server to enable the cryptographic server to compute a master secret. The forward secrecy is enabled by ensuring that the ephemeral value does not travel on the wire.
    Type: Grant
    Filed: December 26, 2016
    Date of Patent: June 27, 2017
    Assignee: Akamai Technologies, Inc.
    Inventors: Charles E. Gero, Philip A. Lisiecki
  • Patent number: 9686292
    Abstract: A system and method for monitoring, modeling and assessing networked devices. A continuous device profiling (CDP) system builds and maintains device-specific and network-specific behavioral models based on observation of network traffic. The behavioral models may be used for network management, detecting misconfigured or malware infected devices, performing network asset inventory, network access control, network discovery in support of network integration, and information security incident response management. CDP models and monitors the active roles that devices assume on the network based on a set of matching profiles, monitors transitions between roles, and triggers corrective action when role transitions violate the policies of the network.
    Type: Grant
    Filed: June 9, 2015
    Date of Patent: June 20, 2017
    Assignee: Observable Networks, Inc.
    Inventor: Patrick Crowley
  • Patent number: 9672334
    Abstract: Various embodiments include a resource control system. The resource control system can receive consumption demand requests to access one or more electronic resources. The resource control system can assign license entitlements, each with varying quantity, to consumption demand requests to enable access to the electronic resources. An ambiguity resolution engine can make license entitlement assignments to consumption demand requests when a set of license entitlements can cover a target electronic resource specified by the consumption demand requests. The ambiguity resolution engine can rank license entitlements based on ratios of their resource costs and the consumption demand requests based on their electronic resource usage efficiency. The ambiguity resolution engine can assign the license entitlements by comparing the rankings of the license entitlements and the rankings of the consumption demand requests.
    Type: Grant
    Filed: April 25, 2016
    Date of Patent: June 6, 2017
    Assignee: Flexera Software LLC
    Inventors: Matthew Marnell, Vincent Brasseur, Paul Gerard Hughes
  • Patent number: 9659191
    Abstract: Methods, systems, and devices are described for encryption key storage and modification in a data storage device. A portion of an encryption key may be stored in a first storage medium, and one or more bits of the encryption key may be stored in a one-time writable storage location. Data received at the data storage device may be encrypted using the encryption key, and may be stored in a storage medium. In the event that it is no longer desired to allow users to access the encrypted data stored in the storage medium, the one or more bits of the encryption key stored in a one-time writable storage location may be modified. Such modification thereby prevents decryption of the encrypted data and effectively precludes access to the encrypted data.
    Type: Grant
    Filed: April 9, 2014
    Date of Patent: May 23, 2017
    Assignee: SEAGATE TECHNOLOGY LLC
    Inventor: George Christian Cope
  • Patent number: 9654982
    Abstract: Using a system distinct from a mobile device, the mobile device is switched from a first mode to a second mode to access a set of data storage locations in the mobile device. All malware-susceptible data stored in the set of data storage locations is received at the system from the mobile device to form received data, which is analyzed at the system to detect a malware from a set of malware in a first portion of the received data. Responsive to the analyzing, the first portion of the received data is modified at the system to form a modified first portion, wherein the modifying removes the malware from the first portion. The system stores the modified first portion in a first data storage location in the mobile device and a second portion of the received data in a second data storage location in the mobile device.
    Type: Grant
    Filed: December 12, 2014
    Date of Patent: May 16, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Judith H. Bank, Lisa M. Bradley, Aaron J. Quirk, Lin Sun
  • Patent number: 9652638
    Abstract: An electronic device has a lower power state in which power to a storage device is disabled. Predetermined information stored in a memory is useable to unlock the storage device during a procedure to transition the electronic device from the lower power state to a higher power state. The predetermined information is different from a credential for use in unlocking the storage device.
    Type: Grant
    Filed: April 4, 2016
    Date of Patent: May 16, 2017
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Valiuddin Y. Ali, Lan Wang, James Robert Waldron
  • Patent number: 9647835
    Abstract: An Internet infrastructure delivery platform (e.g., operated by a service provider) provides an RSA proxy “service” as an enhancement to the SSL protocol that off-loads the decryption of the encrypted pre-master secret (ePMS) to an external server. Using this service, instead of decrypting the ePMS “locally,” the SSL server proxies (forwards) the ePMS to an RSA proxy server component and receives, in response, the decrypted pre-master secret. In this manner, the decryption key does not need to be stored in association with the SSL server.
    Type: Grant
    Filed: December 14, 2012
    Date of Patent: May 9, 2017
    Assignee: Akamai Technologies, Inc.
    Inventors: Charles E. Gero, Jeremy N. Shapiro, Dana J. Burd
  • Patent number: 9628467
    Abstract: Authenticating a client device coupled to an authenticator network device for a network. A service request is received from the client device at the authenticator network device. User credentials, including a user ID, a user key, and a nonce for a user are received at the authenticator network device. A token is generated using the received user credentials. The service request is modified to include the token and a user ID parameter that is the user ID to generate a modified service request. The modified service request is used to provide single sign-on access to a service that is the subject of the service request.
    Type: Grant
    Filed: March 7, 2014
    Date of Patent: April 18, 2017
    Assignee: Aerohive Networks, Inc.
    Inventors: Peng Fan, Xu Zou, Wei Song
  • Patent number: 9621540
    Abstract: Technologies for securely provisioning a personal computing device for enterprise connectivity include a trusted computing device for wirelessly communicating with the personal computing device, generating a key pair for the personal computing device, generating a certificate signing request, sending the certificate signing request on behalf of the personal computing device, receiving an access certificate for enterprise connectivity, and securely exporting the access certificate and a private key of the key pair to the personal computing device.
    Type: Grant
    Filed: December 21, 2012
    Date of Patent: April 11, 2017
    Assignee: Intel Corporation
    Inventors: Khaled I. Almahallawy, Yasser Rasheed, Hormuzd M. Khosravi
  • Patent number: 9621356
    Abstract: Disclosed herein is a technique for revoking a root certificate from at least one client device. In particular, the technique involves causing a secure element—which is included in the at least one client device and is configured to store the root certificate as well as at least one backup root certificate—to permanently disregard the root certificate and prevent the at least one client device from utilizing the specific root certificate. According to one embodiment, this revocation occurs in response to receiving a revocation message that directly targets the root certificate, where the message includes at least two levels of authentication that are verified by the secure element prior to carrying out the revocation. Once the root certificate is revoked, the secure element can continue to utilize the at least one backup root certificate, while permanently disregarding the revoked root certificate.
    Type: Grant
    Filed: May 15, 2014
    Date of Patent: April 11, 2017
    Assignee: Apple Inc.
    Inventors: Yousuf H. Vaid, Christopher B. Sharp, Medhi Ziat, Li Li, Jerrold Von Hauck, Ramiro Sarmiento, Jean-Marc Padova
  • Patent number: 9621576
    Abstract: There are disclosed techniques for use in detecting malicious websites. In at least one embodiment, there is disclosed a technique for generating a profile in connection with a website. The profile comprises at least one attribute associated with the website. The technique also comprises collecting information relating to the website during a visit to the website. The technique further comprises detecting a change in connection with the website. The detection of the change comprises identifying a variation between the generated profile and the collected information.
    Type: Grant
    Filed: December 31, 2014
    Date of Patent: April 11, 2017
    Assignee: EMC IP Holding Company LLC
    Inventors: Alina Oprea, Sumayah Alrwais, Kevin D. Bowers, Todd S. Leetham, Zhou Li, Ronald L. Rivest
  • Patent number: 9608815
    Abstract: Systems, methods, and apparatuses are provided for ciphering error detection and recovery. A method may include using a first set of one or more cipher input parameters to decipher ciphered data ciphered using a second set of one or more cipher input parameters. The method may further include comparing a value of at least a portion of the deciphered data to an expected value. The method may additionally include determining an occurrence of a ciphering error when the value of the at least a portion of the deciphered data is not equal to the expected value. The method may also include initiating a ciphering resynchronization procedure in response to the determination that a ciphering error occurred so as to resynchronize at least one of the first set of cipher input parameters with at least one of the second set of cipher input parameters. Corresponding systems and apparatuses are also provided.
    Type: Grant
    Filed: August 27, 2015
    Date of Patent: March 28, 2017
    Assignee: Nokia Technologies Oy
    Inventor: Keiichi Kubota