Patents Examined by Ellen Tran
  • Patent number: 10476860
    Abstract: An API provides a frontend interface to one or more backend services. Access to an API is controlled by a set of frontend credentials, and access to the one or more backend services is controlled by a set of backend credentials. A credential-translation table maintained within the API links each backend credential to one or more frontend credentials. Links between frontend and backend credentials may be managed by an administrator of the API. The API uses the translation table to translate frontend credentials provided with an API call into backend credentials used to access backend services. The API provides users with the ability to update the backend credentials in the credential-translation table based at least in part on the frontend credentials provided by the user. The API may limit the ability to extract backend credentials to administrative users.
    Type: Grant
    Filed: August 29, 2016
    Date of Patent: November 12, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Andrew James Lusk, Eric Jason Brandwine
  • Patent number: 10467389
    Abstract: A method of providing a distributed scheme for executing a RAM program, without revealing any information regarding the program, the data and the results, according to which the instructions of the program are simulated using SUBLEQ instructions and the execution of the program is divided among a plurality of participating computational resources such as one or more clouds, which do not communicate with each other, while secret sharing all the program's SUBLEQ instructions, to hide their nature of operation and the sequence of operations. Private string matching is secretly performed by comparing strings represented in secret shares, for ensuring the execution of the right instruction sequence. Then arithmetic operations are performed over secret shared bits and branch operations are performed according to the secret shared sign bit of the result.
    Type: Grant
    Filed: January 14, 2016
    Date of Patent: November 5, 2019
    Assignee: SECRETSKYDBLTD
    Inventors: Shlomo Dolev, Yin Li
  • Patent number: 10469509
    Abstract: The subject matter of this specification generally relates to computer security. In some implementations, a method includes receiving indicators of compromise from multiple security data providers. Each indicator of compromise can include data specifying one or more characteristics of one or more computer security threats. Each indicator of compromise can be configured to, when processed by a computer, cause the computer to detect the presence of the specified one or more characteristics of the one or more computer security threats. Telemetry data for computing systems of users can be received. The telemetry data can include data describing at least one event detected at the computing system. A determination is made that the telemetry data for a given user includes the one or more characteristics specified by a given indicator of compromise.
    Type: Grant
    Filed: December 29, 2016
    Date of Patent: November 5, 2019
    Assignee: Chronicle LLC
    Inventors: Carey Stover Nachenberg, Maxime Lamothe-Brassard, Shapor Naghibzadeh
  • Patent number: 10425390
    Abstract: A content distribution system is disclosed that supports verification of transmission. In some embodiments, a remote probe device captures content and sends the content to a decrypting device so that decryption may be performed. The decrypting device may archive the content and may subsequently send the content to the probe device or to a playback device so that the content may be displayed. Consequently, the content distribution system can verify that specified content (e.g., an advertisement) was correctly distributed according to scheduled information.
    Type: Grant
    Filed: October 27, 2017
    Date of Patent: September 24, 2019
    Assignee: Comcast Cable Communications, LLC
    Inventor: Maurice Garcia
  • Patent number: 10412583
    Abstract: A novel key management approach is provided for securing communication handoffs between a UE and two base stations. A UE establishes a secure communication session with a first base station based on a first master session key based on a master transient key. The UE obtains a second base station identifier associated with a second base station and sends a message associated with a handoff to either the first base station or the second base station. The UE generates a second master session key based on at least the master transient key and the second base station identifier. The second master session key is used for secure communications with the second base station in connection with an intra-authenticator handoff from the first base station to the second base station. The UE then moves the secure communication session to the second base station.
    Type: Grant
    Filed: September 21, 2018
    Date of Patent: September 10, 2019
    Assignee: QUALCOMM Incorporated
    Inventor: Michaela Vanderveen
  • Patent number: 10397784
    Abstract: Some embodiments relate to a method of authorizing the establishment of a peer-to-peer stream between two user terminals of a mobile telecommunications network. The method is implemented in a platform of the mobile telecommunications network and comprises receiving, from a server of a peer-to-peer service provider, a request to establish a peer-to-peer stream between a first user terminal and a second user terminal, the establishment request including a stream identifier, the stream identifier including at least an identifier of the first user terminal and an identifier of the second user terminal. The method also comprises deciding whether to authorize the establishment of the peer-to-peer stream between the first user terminal and the second user terminal and sending an authorization or rejection message for the peer-to-peer stream to a network gateway in charge of controlling the streams transiting on the mobile telecommunications network, the message including the stream identifier.
    Type: Grant
    Filed: June 24, 2015
    Date of Patent: August 27, 2019
    Assignee: ORANGE
    Inventors: Xavier Marjou, Gaël Fromentoux
  • Patent number: 10397203
    Abstract: A reception device includes: a receiver unit which receives a program that is encrypted, handles confidential information and includes identification information for identifying a target of use of the program, and a notification signal for notifying of delivery of the program and including delivery destination information for identifying a delivery destination of the program; a processor which determines whether the reception device is a delivery target of the program on the basis of the delivery destination information included in the notification signal, and prepares for receiving the program when the reception device is the delivery target of the program; and an information protection unit which determines whether the reception device is the target of use of the program with reference to the identification information included in the program, and decrypts the program when the reception device is the target of use of the program.
    Type: Grant
    Filed: August 12, 2016
    Date of Patent: August 27, 2019
    Assignee: FUJITSU LIMITED
    Inventor: Kiyoshi Kohiyama
  • Patent number: 10397232
    Abstract: Techniques are described for providing users with access to perform commands on network-accessible computing resources. In some situations, permissions are established for user(s) to execute command(s) on computing node(s) provided by an online service, such as by maintaining various permission information externally to those provided computing nodes for use in controlling users' ability to access, use, and/or modify the provided computing nodes. An interface component may use such external permissions information to determine if a particular user is authorized to execute one or more particular commands on one or more particular computing nodes, and to initiate simultaneous and independent execution of the command(s) on the computing node(s) when authorized. The interface component may further aggregate results from each computing node that executed the command(s), prior to providing the results to the user.
    Type: Grant
    Filed: June 25, 2015
    Date of Patent: August 27, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Omer Hashmi, Katherine Yichen Chung
  • Patent number: 10397206
    Abstract: Various examples are directed to systems and methods for exchanging encrypted information. A first computing device may select a first private key and generate a session key based at least in part on the first private key. The first computing device may receive from a second computing device a second public key and generate a first public key based at least in part on: the second public key, a shared secret integer, and the first private key. A second computing device may select a second private key and generate the second public key based at least in part on the second private key, a generator, a first group constant and the shared secret integer.
    Type: Grant
    Filed: January 29, 2016
    Date of Patent: August 27, 2019
    Assignee: Red Hat, Inc.
    Inventor: Nathaniel McCallum
  • Patent number: 10389687
    Abstract: Embodiments of the invention relate to a method and a system for safely transmitting a document from a first network to a second network, while obviating the risk of transferring malware contained within the document to the second network. Embodiments of the invention involve separating binary data elements from text based data elements in a document, preferably a document in digital form. The binary data is then converted into analog media using an analog convertor, and then received by an analog receiver associated with the second network. Text-based data elements may remain in digital form, be cleaned of scripts, and are transferred to the second network in digital form. The document may be reconstructed using a computing device of the second network by combining data received via the analog receiver and the digital data comprising text-based data.
    Type: Grant
    Filed: March 8, 2016
    Date of Patent: August 20, 2019
    Assignee: SOREQ NUCLEAR RESEARCH CENTER
    Inventors: Zvi Liberman, Bruno Sfez, Abraham Englander, Ohad Meshulam, Avraham Hermon
  • Patent number: 10389683
    Abstract: A method for execution by a security module operating in a device of a dispersed storage network (DSN). The method begins by identifying storage unit(s) having security risk(s) and determining the security risk(s). The method continues by determining a type of security response and a level of security response. When the security response is a storage unit security response and the level of the security response is a first local level, the method continues by instructing the identified storage unit to implement one or more of a read only mode, ceasing multiple phase write operations, and ceasing issuance of rebuild requests. When the security response is a DSN security response and the level of the security response is a first network level, the method continues by instructing devices to perform at least one of revoking digital certificates of the identified storage unit and deleting access permissions of the identified storage unit.
    Type: Grant
    Filed: August 26, 2016
    Date of Patent: August 20, 2019
    Assignee: International Business Machines Corporation
    Inventor: Bart R. Cilfone
  • Patent number: 10382213
    Abstract: A technology is provided for certificate authentication for registering a certificate in a computing service environment. A request may be received to register a certificate authority (CA) certificate. A registration token associated with a customer account in a service provider environment may be generated to enable association of the customer account with the CA certificate and to authenticate a registration of the CA certificate. The registration token may be sent to a requester desiring to register the CA certificate. A verification certificate that contains the registration token and that is signed by a certificate authority (CA) of the CA certificate and the CA certificate that is signed by the CA may be received to register the CA certificate with the customer account within a service provider environment. The CA certificate is persisted with the service provider environment after verifying the registration token is associated with the customer account and the CA certificate is signed by the CA.
    Type: Grant
    Filed: August 29, 2016
    Date of Patent: August 13, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Mark Edward Rafn, Ashutosh Thakur, Rameez Loladia, James Christopher Sorenson, III, Christoph Saalfeld
  • Patent number: 10375109
    Abstract: Protecting personally identifiable information data collected and/or stored in physical objects with embedded electronic devices by performing at least the following: obtaining a plurality of personally identifiable information algorithms for a plurality of electronic user devices, determining a relevant personally identifiable information algorithm from the plurality of personally identifiable information algorithms, executing the relevant personally identifiable information algorithm over the relevant personally identifiable information from one of the electronic user devices to construct a personally identifiable information data result, and transmitting the personally identifiable information data result without transmitting the relevant personally identifiable information to a remote computing system.
    Type: Grant
    Filed: December 23, 2015
    Date of Patent: August 6, 2019
    Assignee: McAfee, LLC
    Inventors: Ryan M. Durand, Carl D. Woodward, Kunal Mehta, Lynda M. Grindstaff
  • Patent number: 10375039
    Abstract: A method and system for transmission of digital content via e-mail with point of use digital rights management is disclosed. The secured access rights to the digital content may be customized for individual recipients by the sender, and may evolve over time. The access rights are enforced according to a time-dependent scheme. A key server is used to arbitrate session keys for the encrypted content, eliminating the requirement to exchange public keys prior to transmission of the digital content. During the entire process of transmitting and receiving e-mail messages and documents, the exchange of cryptographic keys remains totally transparent to the users of the system. Additionally, electronic documents may be digitally signed with authentication of the signature.
    Type: Grant
    Filed: December 22, 2017
    Date of Patent: August 6, 2019
    Assignee: Encryptics, LLC
    Inventors: Patrick Carson Meehan, Zachary Wisenbaker Price, Raymond Joseph Zambroski, Jr., William Henry Frenchu, Shawn Patrick Hickey, Jesse Lee White, Anthony Allen Mohr, Jeremy Wayne Gomsrud
  • Patent number: 10366249
    Abstract: An apparatus, method, and computer readable medium for management of infinite data streams. The apparatus includes a memory that stores streaming data with a data set and a processor operably connected to the memory. The processor transforms the data set to a second data set. To transform the data set, the processor determines whether a difference level exceeds a threshold, and transforms the data set by adding a noise when the difference level exceeds the threshold. When the difference level does not exceed the threshold, the processor determines whether a retroactive count is greater than a threshold, transforms the data set by adding a second noise when the retroactive count is greater than the threshold, and transforms the data set by adding a third noise when the retroactive count is not greater than the threshold. The processor transmits the second data set to a data processing system for further processing.
    Type: Grant
    Filed: October 14, 2016
    Date of Patent: July 30, 2019
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Rui Chen, Yilin Shen, Hongxia Jin
  • Patent number: 10366252
    Abstract: A method for detecting a modification to stored data includes continuously creating a point-in-time copy of a storage level logical unit, the point-in-time copy comprising a volume copy of the storage level logical unit and a signature of the storage level logical unit, comparing at least a portion of the point-in-time copy with a previous copy of the storage level logical unit, and monitoring, based on the comparing, changes on certain logical blocks of the stored data, using the signature of the storage level logical unit.
    Type: Grant
    Filed: December 19, 2017
    Date of Patent: July 30, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Bulent Abali, Mohammad Banikazemi, Dan Edward Poff
  • Patent number: 10362024
    Abstract: Systems and methods for credential character selection are provided. The system includes one or more sensors configured to detect a character selection and generate a character selection signal, and detect a character selection completion and generate a character selection completion signal. The system also includes one or more processors coupled to the one or more sensors, the one or more processors configured to receive the character selection signal and the character selection completion signal, and generate an output signal based on the received character selection signal that includes components of a credential. The system also includes a network interface component configured to transmit the output signal. The credential characters may be components of a PIN or password. Moreover, the credential character selections may be made on one device, but displayed on a separate coupled device. The character selections may be a selection of a character or a modification of a character.
    Type: Grant
    Filed: June 7, 2016
    Date of Patent: July 23, 2019
    Assignee: PAYPAL, INC.
    Inventors: Bjorn Markus Jakobsson, James Roy Palmer, William Leddy
  • Patent number: 10354080
    Abstract: Methods and systems are presented for identifying user accounts selectively authorized to modify at least respective first and second fields of a data table, obtaining field-dependent validation rules selectively applicable to the respective fields, transmitting spreadsheet files to devices associated with the respective user accounts, filtering user-modified spreadsheet files so that the first field is selectively accepted from the first device and the second field is selectively accepted from the second device, allowing the values of the first and second fields to be edited contemporaneously, and recording an edited version of the data table.
    Type: Grant
    Filed: May 13, 2016
    Date of Patent: July 16, 2019
    Assignee: WINSHUTTLE, LLC
    Inventors: Gary Clough, Paul W. Mott, Heather Oebel, Vikram Chalana
  • Patent number: 10346410
    Abstract: Various systems and methods are provided that retrieve raw data from issuers, reorganize the raw data, analyze the reorganized data to determine whether risky or malicious activity is occurring, and generate alerts to notify users of possible malicious activity. For example, the raw data is included in a plurality of tables. The system joins one or more tables to reorganize the data using several filtering techniques to reduce the processor load required to perform the join operation. Once the data is reorganized, the system executes one or more rules to analyze the reorganized data. Each rule is associated with a malicious activity. If any of the rules indicate that malicious activity is occurring, the system generates an alert for display to a user in an interactive user interface.
    Type: Grant
    Filed: January 9, 2018
    Date of Patent: July 9, 2019
    Assignee: Palantir Technologies Inc.
    Inventors: Craig Saperstein, Eric Schwartz, Hongjai Cho
  • Patent number: 10341120
    Abstract: The object of the invention is a method for transmitting electronic mail messages securely encrypted to a recipient, to whom an unencrypted electronic mail to be delivered cannot be assured of its information security. In the method: the sender (C1) sends an electronic mail message (1) to an electronic mail server (M1) that is his own or that of a known organization using an encrypted electronic mail transmission protocol, and the electronic mail message is marked as secured mail by adding the domain identifier of the secured mail server to the end of the electronic mail address of the recipient, wherein the server M1 sends it as guided by the name service further, using an encrypted transmission protocol, to the secured mail server TP, which stores it. The secured mail server sends to the sender a dispatch acknowledgment request (2.1), to which the sender answers with a dispatch acknowledgment (2.
    Type: Grant
    Filed: January 5, 2016
    Date of Patent: July 2, 2019
    Assignee: INFO CENTER INTERNATIONAL ICF OY
    Inventor: Jussi Kallioniemi