Patents Examined by Forrest L Carey
  • Patent number: 10728248
    Abstract: A device may determine a resource identifier for accessing a segment of streaming media content. The device may determine that a signature associated with the resource identifier is not stored in memory. The signature may be generated based on a character string of the resource identifier. The device may request validation of the resource identifier based on determining that the signature is not in memory. The device may receive the signature associated with the resource identifier based on requesting validation. The device may store the signature based on receiving the signature. The device may request the segment of streaming media content using the resource identifier and the signature, stored in memory, to receive toll-free access to the segment of streaming media content.
    Type: Grant
    Filed: July 30, 2015
    Date of Patent: July 28, 2020
    Assignee: Verizon Patent and Licensing, Inc.
    Inventors: Jian Huang, Susan Kelly, Fred Scheer, Chunyan Du, Gong Zhang, Fnu Bongu Huma Shankar Rao
  • Patent number: 10700849
    Abstract: A method of implementing a keyed cryptographic operation using a plurality of basic blocks, includes: generating a balanced encoding function; applying the balanced encoding function to the output of a first basic block; and applying an inverse of the encoding function to the input of a second basic block, wherein the second basic block receives the encoded output of first basic block as an input.
    Type: Grant
    Filed: July 30, 2015
    Date of Patent: June 30, 2020
    Assignee: NXP B.V.
    Inventors: Wil Michiels, Philippe Teuwen
  • Patent number: 10671724
    Abstract: Encryption operations may be performed by a computer system for various reasons. It is often unclear, however, whether one of the many processes executing on a system is performing encryption. Encryption can be computationally expensive, and a process that engages in a large amount of encryption may represent a performance bottleneck for the system, limiting the ability of the system to do additional work (or weakening it to a Denial of Service attack). Further, while encryption is used in many legitimate contexts, it is also used by malware in certain scenarios to communicate with a remote attacker (e.g. command and control software) or used as part of ransomware. Thus, detecting whether a process is performing encryption can be important to identifying a performance bottleneck or uncovering malware. By monitoring a process and examining certain aspects of its activity, however, encryption operations can be detected and further remedial actions can be taken if needed.
    Type: Grant
    Filed: October 4, 2016
    Date of Patent: June 2, 2020
    Assignee: PAYPAL, INC.
    Inventor: Shlomi Boutnaru
  • Patent number: 10642962
    Abstract: For securing content accessed from a storage device, the storage device is associated with a licensee identifier. The licensee identifier is provided as input to an algorithm that generates, based on the identifier, a determinate set of instructions for a computer, for example, source code in a coding language, compiled binary code, or pseudo code that is capable of being translated into source code. The code, once compiled to machine-usable form, can be executed by a processor to perform a permutation operation that is unique to the licensee identifier. The output of the permutation operation can be used for protecting data provided by the storage device.
    Type: Grant
    Filed: July 28, 2015
    Date of Patent: May 5, 2020
    Assignee: Western Digital Technologies, Inc.
    Inventors: Carlos Frederico Amaral Cid, Matthew Warren Dodd, David L. Blankenbeckler, Joseph Edward Halpern, III, Ian E. Harvey, Christopher R. Odgers
  • Patent number: 10621340
    Abstract: A technique allows for a hybrid hypervisor-assisted security model that monitors and protects an operating system from rootkits or other malware through use of monitoring policies for the operating system (OS). The OS monitoring policies may be separated into rules that can be enforced using an in-guest agent running in a monitored guest OS domain and an out-of-guest agent running in a privileged/monitoring guest OS domain. Embodiments may use virtualization technologies including permissions and policies in one or more page tables and virtualization exceptions (#VE) to avoid virtual machine (VM) exits during runtime events and thereby avoid context switching into a hypervisor. An embodiment includes configuring the in-guest agent in a monitored OS such that hardware events can be switched to lightweight events and can be dynamically switched to complex processing in the privileged OS domain only when requested.
    Type: Grant
    Filed: September 1, 2016
    Date of Patent: April 14, 2020
    Assignee: Intel Corporation
    Inventors: Edmund H. White, Ravi L. Sahita
  • Patent number: 10616205
    Abstract: A mobile computing device of a user transmits a digital certificate to a server computing device over a non-networking connection established with the server computing device. The digital certificate identifies the user, a particular server computing device, a validity period in which the digital certificate is valid, and a list of actions that the user is permitted to perform on the particular server computing device during the validity period. The server computing device authenticates the digital certificate, such as by determining whether a current time is within the validity period and whether the particular server computing device is the server computing device. When authentication is successful, the user can perform any action of the list of actions, including an action to power off the service computing device. The non-networking connection is such that the user is not provided a user account and a password to access the server computing device.
    Type: Grant
    Filed: July 28, 2015
    Date of Patent: April 7, 2020
    Assignee: LENOVO Enterprise Solutions (Singapore) PTE. LTD
    Inventors: Antonio Abbondanzio, Gregory B. Pruett
  • Patent number: 10599587
    Abstract: Various embodiments are described that relate to data set communication. Security information, such as a key list, can be generated and transmitted from a first node to a second node by way of a secure high throughput communication channel with high latency. The key list can be used to encrypt the data set and the encrypted data set can be sent to the second node by way of low latency signaling. The second node can decrypt the encrypted data set with the key list and perform a function that is indicated by the data set.
    Type: Grant
    Filed: November 29, 2016
    Date of Patent: March 24, 2020
    Assignee: The Government of the United States, as represented by the Secretary of the Army
    Inventors: Jason Dirner, Benjamin Peddicord
  • Patent number: 10567183
    Abstract: A system and method of conference messaging between Universal Plug and Play (UPnP) telephony devices and Wide Area Network (WAN) devices is provided in which a conference messaging session with WAN devices is initiated by at least one Telephony Control Point (TCP) via a session request which includes session information, media capabilities of at least one TCP, a list of WAN devices, and a subject of the conference messaging session. The conference messaging session is then established between the at least one TCP and the WAN devices by a Telephony Server (TS) in a UPnP telephony based home network based on the session request.
    Type: Grant
    Filed: January 31, 2011
    Date of Patent: February 18, 2020
    Assignee: Samsung Electronics Co., Ltd
    Inventors: Mayuresh Madhukar Patil, Je-Young Maeng, Mahfuzur Rahman
  • Patent number: 10547647
    Abstract: A system and method for identifying distributed attacks, such as, but not limited to, distributed denial of service attacks and botnet attacks, in a first network serviced by a first carrier and configured to alert a second network serviced by a second carrier that is different from the first carrier is disclosed. Once an attack has been identified, an attack alert is generated and provided to the second network or other aspects of the first network, or both. The attack alerts may be distributed dynamically with the second network via diameter based security protocol Rs. Such system and method may mitigate distributed malicious attacks by sharing destination internet protocol and bad international mobile subscriber identity information across carriers.
    Type: Grant
    Filed: January 29, 2019
    Date of Patent: January 28, 2020
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Gokul Singaraju, Ashutosh Dutta, Thusitha Jayawardena, Christopher Van Wart
  • Patent number: 10523435
    Abstract: By implementing a mutable certificates approach, a server to which a digital certificate has been issued may update one or more certificate fields without the need for a new certificate or other intervention from the issuing certificate authority. A certificate authority uses extensions to identify fields that a server may update, and to identify a set or range of allowable values for those fields. A server may use the extensions to identify one or more fields to be updated, and the values to which those fields should be updated. The server may sign those field values with its private key. A client, upon receiving a digital certificate from a server with fields for updating, validates the field values using the server's public key, and then proceeds to update the certificate field values.
    Type: Grant
    Filed: July 1, 2016
    Date of Patent: December 31, 2019
    Assignee: DigiCert, Inc.
    Inventor: Jared Pilcher
  • Patent number: 10521614
    Abstract: An electronic circuit is disclosed which has a process subsystem including a compliance circuit, a microprocessor, an interrupt controller, and a bridge. The electronic circuit also has a control block including a clock manager, a reset manager, a power manager, and a system control. The electronic circuit includes a crypto-block including a master sub-block, a slave sub-block, a direct memory access circuit, a packet buffer, and a crypto-engine. An interconnect communicatively connects the process subsystem to the control block and the crypto-block. A communications system is disclosed in which the electronic circuit is housed in one or more personal computing devices. A remote disablement system may be communicatively connected to the electronic circuit and configured to disable the electronic circuit. An emergency communications system may be communicatively connected to the electronic circuit to track and identify the location of each personal computing device.
    Type: Grant
    Filed: February 4, 2016
    Date of Patent: December 31, 2019
    Assignee: GBT Technologies, Inc.
    Inventors: Danny Rittman, Aliza Schnapp
  • Patent number: 10515192
    Abstract: Processing in an asymmetrically distributed file system may include storing first data representative of the content of the files in a file system volume among a plurality of storage nodes. Second data representative of attributes of the files in the file system volume may be stored in only one of the storage nodes. Time-limited leases allow clients direct access to the plurality of storage nodes in order to access portions of the file system volume. The time-limited leases may be provided to client lessors. Snapshots of the file system volume may be generated after sending a revocation to the client lessors to revoke time-limited leases provided to the client lessors and having received the acknowledgements of the revocations or after the leases have expired for non-responding lessors, to ensure that changes are not made to the file system volume during snapshot processing.
    Type: Grant
    Filed: February 2, 2016
    Date of Patent: December 24, 2019
    Assignee: VMware, Inc.
    Inventors: Wenguang Wang, Luke Lu
  • Patent number: 10484345
    Abstract: Embodiments are directed to methods, apparatuses, computer readable media and systems for authenticating a user on a user device across multiple mobile applications. The identity of the user is validated by encoding and subsequently validating cryptographically encrypted data in a shared data store accessible by the mobile applications tied to the same entity. Specifically, the application leverages the authentication process of a trusted mobile application (e.g. a banking mobile application) to authenticate the same user on an untrusted mobile application (e.g. a merchant mobile application).
    Type: Grant
    Filed: July 30, 2015
    Date of Patent: November 19, 2019
    Assignee: Visa International Service Association
    Inventors: Vishwanath Shastry, Shalini Mayor
  • Patent number: 10467096
    Abstract: A first encoded data slice is received for storage by a DST execution unit from a first vault. A first encryption key corresponding to the first encoded data slice is generated, and a first encrypted data slice is generated by utilizing the first encryption key. A second encoded data slice is received for storage by the DST execution unit from a second vault, a second encryption key corresponding to the second encoded data slice is generated, and a second encrypted data slice is generated by utilizing the second encryption key. The first encrypted data slice and the second encrypted data slice are stored in a file of a memory of the DST execution unit, where the file and the memory are common to the first encrypted data slice and the second encrypted data slice.
    Type: Grant
    Filed: May 2, 2016
    Date of Patent: November 5, 2019
    Assignee: PURE STORAGE, INC.
    Inventor: Jason K. Resch
  • Patent number: 10462137
    Abstract: In one embodiment, a system and method are disclosed for receiving a request for authorization to commission a target device based, at least in part, on a plurality of requested commissioning actions; determining whether each of the requested commissioning actions is authorized; sending a commissioning authorization, which includes information identifying the one or more authorized commissioning actions; receiving a commissioning complete confirmation message, which includes information identifying one or more completed commissioning actions; validating the commissioning complete confirmation message, in order to ensure that each of the completed actions had been previously authorized; and if all of the completed commissioning actions were previously authorized, sending an acknowledgement message.
    Type: Grant
    Filed: January 29, 2016
    Date of Patent: October 29, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Xuechen Yang, Nancy Cam-Winget
  • Patent number: 10425432
    Abstract: Methods and apparatus are provided for detecting suspicious network activity, such as in an enterprise network. An exemplary method comprises obtaining network event data for a plurality of user-server communications for a given user, determining a number of distinct servers the user communicated with during a predefined time window; determining a number of distinct servers the user failed in authenticating to during the predefined time window; and assigning a risk score to the user based on the number of distinct servers the user communicated with and the number of distinct servers the user failed in authenticating to during the predefined time window. Generally, the risk score provides a measure of an anomalousness of the user communicating with the number of servers during the predefined time window. An absolute score is optionally assigned based on an evaluation of the number of distinct servers the user communicated with during the predefined time window relative to a predefined threshold number.
    Type: Grant
    Filed: June 24, 2016
    Date of Patent: September 24, 2019
    Assignee: EMC IP Holding Company LLC
    Inventors: Kineret Raviv, Uri Fleyder, Eyal Kolman, Ofri Mann
  • Patent number: 10409982
    Abstract: According to some embodiments, a proxy server comprises one or more processors operable to establish communication with a secure client application of a device. The client is configured with a partition that contains data received from the proxy server within the secure application. If the client passes authentication, the server communicates preview information to the client previewing files that the server received from a business server on behalf of the client. The client requests a selected file. The server renders the selected file into a first portion and a second portion based on the immediate display capabilities of the client. The server communicates the first portion, determines that a trigger point was reached, and then communicates the second portion in response to the trigger point being reached. The client is configured to delete the first portion and the second portion in response to a completion event.
    Type: Grant
    Filed: July 18, 2012
    Date of Patent: September 10, 2019
    Assignee: ZixCorp Systems, Inc.
    Inventors: Nigel Paul Johnson, Dorwin T. Shields, Jr., Bryan Adam Joyner
  • Patent number: 10387668
    Abstract: Embodiments provided in this disclosure include a method, computer program product, and system for protecting sensitive data in a processing system comprising a plurality of processor cores. The method includes designating at least one processor core for processing sensitive data, and during a dump event, capturing data from each of the plurality of processor cores except the designated processor core to prevent unauthorized access to sensitive data.
    Type: Grant
    Filed: July 8, 2014
    Date of Patent: August 20, 2019
    Assignee: International Business Machines Corporation
    Inventors: Corville O. Allen, Lee N. Helgeson, Russel L. Young
  • Patent number: 10372925
    Abstract: Embodiments provided in this disclosure include a method, computer program product, and system for protecting sensitive data in a processing system comprising a plurality of processor cores. The method includes designating at least one processor core for processing sensitive data, and during a dump event, capturing data from each of the plurality of processor cores except the designated processor core to prevent unauthorized access to sensitive data.
    Type: Grant
    Filed: December 11, 2014
    Date of Patent: August 6, 2019
    Assignee: International Business Machines Corporation
    Inventors: Corville O. Allen, Lee N. Helgeson, Russel L. Young
  • Patent number: 10362033
    Abstract: An application executed on a first device presents a user interface on a device display. The application is associated with a validation system used by the device. Based on receiving a first user input, the application controls the first device to scan, using a first communication protocol, for other devices that are located within a first communication range of the first device. Based on the scan, the application discovers a second device that is located within the first communication range of the first device. The application receives, from the second device, an identification information that uniquely identifies a user associated with the second device on the validation system. The application validates the identification information by communicating with a validation server. Based on validating the identification information, the application displays an indication that the second device associated with the user is located within the first communication range of the first device.
    Type: Grant
    Filed: January 27, 2015
    Date of Patent: July 23, 2019
    Assignee: MicroStrategy Incorporated
    Inventors: Michael J. Saylor, Peng Xiao, Siamak Ziraknejad, Diego Valenzuela, Feng Xia