Patents Examined by Gilberto Barrón
  • Patent number: 8739280
    Abstract: A taint processing applied to a tainted value of an application is identified and an output context of the application associated with output of the tainted value is determined. It is determined whether the taint processing is effective in mitigating a security vulnerability caused by the tainted value for the output context.
    Type: Grant
    Filed: September 29, 2011
    Date of Patent: May 27, 2014
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Brian V Chess, Sean Patrick Fay
  • Patent number: 8739306
    Abstract: Method for providing access to private digital content installed on a content server C(s), wherein a content manager server C(a) has a number of clients potentially interested in the private content; the method comprising the following steps performed at the content management server C(a): establishing a first communication channel with a client C(b) of the number of clients; receiving a query for private digital content from the client C(b) and sending an appropriate response, causing the client to establish a second communication channel with the content server; establishing a secure session with the content server C(s) over the first and second communication channel; establishing a new session key for the secure session and transmitting said new session key to the client C(b), so that the client can obtain the queried private digital content from the content server as if the client is the content management server.
    Type: Grant
    Filed: November 23, 2010
    Date of Patent: May 27, 2014
    Assignee: Alcatel Lucent
    Inventors: Hendrikus G.P. Bosch, Vladimir Y. Kolesnikov, Sape Mullender, Koen Daenen, Bart Antoon Rika Theeten
  • Patent number: 8739273
    Abstract: A system and method can provide subnet management packet (SMP) firewall restrictions in a middleware machine environment. A secure firmware implementation can be provided on a host channel adaptor (HCA), wherein the HCA is associated with a host in the middleware machine environment. The secure firmware implementation operates to receive at least one SMP from the host or destined to the host, and prevent the host from sending or receiving the at least one SMP. Furthermore, the secure firmware implementation can include a proxy function that can communicate with external management components on behalf of the host.
    Type: Grant
    Filed: July 10, 2012
    Date of Patent: May 27, 2014
    Assignee: Oracle International Corporation
    Inventors: Bjørn Dag Johnsen, Roy Arntsen, Lars Paul Huse
  • Patent number: 8739266
    Abstract: A universal authentication token is configured to securely acquire security credentials from other authentication tokens and/or devices. In this manner, a single universal authentication token can store the authentication credentials required to access a variety of resources, services and applications for a user. The universal authentication token includes a user interface, memory for storing a plurality of authentication records for a user, and a secure processor. The secure processor provides the required cryptographic operations to encrypt, decrypt, and/or authenticate data that is sent or received by universal token. For example, secure processor may be used to generate authentication data from seed information stored in memory.
    Type: Grant
    Filed: October 28, 2013
    Date of Patent: May 27, 2014
    Assignee: Broadcom Corporation
    Inventor: Mark Buer
  • Patent number: 8732452
    Abstract: An email security system is described that allows users within different organizations to securely send email to one another. The email security system provides a federation server on the Internet or other unsecured network accessible by each of the organizations. Each organization provides identity information to the federation server. When a sender in one organization sends a message to a recipient in another organization, the federation server provides the sender's email server with a secure token for encrypting the message to provide secure delivery over the unsecured network.
    Type: Grant
    Filed: June 23, 2008
    Date of Patent: May 20, 2014
    Assignee: Microsoft Corporation
    Inventors: Frank Byrum, Mayank Mehta, Chandresh Jain, Ladislau Conceicao, Brian Kress, Greg Gourevitch, Michael Nelte, Chris Barnes
  • Patent number: 8731198
    Abstract: In general, techniques are described for protecting optical networks from consecutive identical digit (CID) errors. An optical network device comprising a control unit and an interface may implement the techniques described in this disclosure. The control unit determines whether a data packet will result in a CID error prior to encapsulating at least a portion of the data packet to form a passive optical network (PON) frame and then, in response to the determination that the data packet will result in the CID error, modifies the data packet to form a modified data packet so that the modified data packet will not result in the CID error. The control unit encapsulates the modified data packet to form a PON frame. The control unit applies a scrambling polynomial to the PON frame to form a scrambled PON frame. The interface transmits the scrambled PON frame.
    Type: Grant
    Filed: February 2, 2012
    Date of Patent: May 20, 2014
    Assignee: Calix, Inc.
    Inventors: Christopher T. Bernard, Charles J. Eddleston
  • Patent number: 8731189
    Abstract: An information processing device comprises: a non-linear transformation unit that takes a k/2-number of odd-numbered string data Bi (i=1, 3, . . . , k−1), k being an even number not smaller than 6, out of a k-number of string data {B1, B2, . . . , Bk}, as intermediate data Wi, and that XORs data transformed from the odd-numbered string data Bi based on a bijective F-function, in which an as-transformed value is determined responsive to a value of key data, and even-numbered string data Bi+1, to give intermediate data Wi+1; and a permutation unit that permutes the intermediate data {W1, W2, . . . , Wk} by the data {B1, B2, . . . , Bk}; in so permuting the intermediate data, the permutation unit permuting odd-numbered data by even-numbered data and permuting even-numbered data by odd-numbered data; the permutation unit not permuting Wi+1 by B((i+1) mod k)+1, where i=0, 1, 2, . . . , k−1 and x mod y is a remainder left after dividing x by y, and not permuting Wi+1 by B((i+k-1) mod k)+1.
    Type: Grant
    Filed: October 26, 2010
    Date of Patent: May 20, 2014
    Assignee: NEC Corporation
    Inventors: Tomoyasu Suzaki, Yukiyasu Tsunoo
  • Patent number: 8732849
    Abstract: A content server device includes a request section for requesting a key server to transmit key data for decrypting encrypted content data to a client side in response to the content distribution request from the client side and a control unit which prohibits the transmission of the encrypted content data in response to the content distribution request when the reception number of notification received from the client side and indicating the reception of the key data from the key server is not less than the transmission number of key data to the client side by the key server and which transmits the encrypted content data in response to the content distribution request when the number of reception is not more than the number of transmission.
    Type: Grant
    Filed: August 22, 2011
    Date of Patent: May 20, 2014
    Assignee: Fujitsu Limited
    Inventor: Toshiro Ohbitsu
  • Patent number: 8732834
    Abstract: A computer-implemented method for detecting illegitimate applications may include 1) identifying an installation of an application on a computing system, 2) determining, in response to identifying the installation of the application, that at least one system file with privileged access on the computing system has changed prior to the installation of the application, 3) determining that the application is illegitimate based at least in part on a time of the installation of the application relative to a time of a change to the system file, and 4) performing a remediation action on the application in response to determining that the application is illegitimate. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: September 5, 2012
    Date of Patent: May 20, 2014
    Assignee: Symantec Corporation
    Inventors: Jun Mao, Bruce McCorkendale, Barry Laffoon, Abubakar Wawda
  • Patent number: 8726381
    Abstract: A clickjacking protector in an electronic system helps prevent unwanted clickjacking. The elements clicked on by the click position are evaluated to determine whether any of the elements clicked on by the click position is obscured (including being transparent or partially transparent). A protective action is generated in response to a determination that an element clicked on by the click position is obscured.
    Type: Grant
    Filed: January 15, 2013
    Date of Patent: May 13, 2014
    Inventor: Robert Hansen
  • Patent number: 8726369
    Abstract: In some embodiments, techniques for computer security comprise presenting a data field in a spoof-resistant manner, receiving field data, and securing field data. In some embodiments, the integrity of an input device may be verified. In some embodiments, techniques for computer security comprise hashing a credential and a characteristic associated with a data recipient, and performing password-authenticated key agreement using the hashed value. In some embodiments, techniques for computer security comprise monitoring an input, determining that the input is associated with confidential information, and enabling secure data entry.
    Type: Grant
    Filed: August 11, 2006
    Date of Patent: May 13, 2014
    Inventor: Aaron T. Emigh
  • Patent number: 8726025
    Abstract: An enterprise system includes a storage having stored thereon a private key and a processor that is configured to receive a data object including an encrypted datum; decrypt the encrypted data based on the private key to generate a first string of digits, each digit including N bits, wherein N is a positive integer; shuffle the N bits of the each digit according to a pre-determined pattern of bit positions to generate a second string of digits; and substitute a subset of the N bits of the each digit with pre-determined bits to generate a third string of digits.
    Type: Grant
    Filed: July 19, 2012
    Date of Patent: May 13, 2014
    Assignee: SAP AG
    Inventor: Wolfgang Dittrich
  • Patent number: 8726394
    Abstract: A method and a system for detecting one or more security vulnerabilities. The method comprises providing test instructions for an application, such as a web application or a client server application, adding test code to a code segment of the application according to the test instructions, sending at least one message to the application according to the test instructions at runtime thereof, monitoring test information pertaining to at least one reaction of the application to the at least one message during an execution of the test code, performing an analysis of the at least one reaction, and detecting a presence or an absence of at least one security vulnerability according to the analysis.
    Type: Grant
    Filed: December 14, 2010
    Date of Patent: May 13, 2014
    Assignee: Seeker Security Ltd.
    Inventors: Ofer Maor, Eran Tamir, Tamir Shavro, Mor Griv
  • Patent number: 8726008
    Abstract: A system and method for protecting data communications in a system including a load-balancer connected to a cluster of security network components, e.g. firewall node. The load-balancer transfers one or more of the data streams respectively to the security components. The security network components transmit control information to the load-balancer and the control information includes an instruction regarding balancing load of the data streams between said components. The load-balancer balances load based on the control information. Preferably, network address translation (NAT) is performed by the load-balancer based on the control information or NAT is performed by the security network component and the control information includes information regarding an expected connection based on NAT.
    Type: Grant
    Filed: March 28, 2012
    Date of Patent: May 13, 2014
    Assignee: Check Point Software Technologies Ltd.
    Inventors: Omer Schory, Ofer Raz, Oded Gonda
  • Patent number: 8726368
    Abstract: A security management system, comprising: an authentication unit for authenticating an operator of an operating terminal in order to determine whether the operator is permitted to log in or release a lock; a current operator information inquiry unit for inquiring for login status information and current operator information; an authority information inquiry unit for inquiring for authority information regarding the operator and that regarding the current operator; a lock unit for detecting an event, where a predetermined lock condition is satisfied, in the login status to allow the operating terminal to change to a lock status, and for allowing the operating terminal to change to an operable status in response to a login instruction or an instruction for a release; and a lock control unit for transmitting the instruction for a release to the lock unit when a predetermined condition is satisfied.
    Type: Grant
    Filed: October 3, 2011
    Date of Patent: May 13, 2014
    Assignees: Kabushiki Kaisha Toshiba, Toshiba Medical Systems Corporation
    Inventors: Naoki Oowaki, Fumiaki Teshima
  • Patent number: 8719569
    Abstract: Techniques are provided for users to authenticate themselves to components in a system. The users may securely and efficiently enter credentials into the components. These credentials may be provided to a server in the system with strong authentication that the credentials originate from secure components. The server may then automatically build a network by securely distributing keys to each secure component to which a user presented credentials.
    Type: Grant
    Filed: April 23, 2012
    Date of Patent: May 6, 2014
    Assignee: Broadcom Corporation
    Inventors: Mark Buer, Ed Frank, Nambi Seshardi
  • Patent number: 8719918
    Abstract: With migration of network technology and more and more requirements of user equipment for accessing the Internet, network security faces a more and more severe situation. There is provided a method for distributed security control in communication network system and the device thereof in order to improve security and operability of network operator. In the method, firstly the network controller establishes a network security control mechanism, which is used for a second network device to check the validity of the data package from the user equipment; secondly, the network controller sends the network security control mechanism to the second network devices; lastly, the second network device checks the validity of the data package from the user equipment according to the network security control mechanism, and discards the data package if the data package is invalid.
    Type: Grant
    Filed: June 16, 2009
    Date of Patent: May 6, 2014
    Assignee: Alcatel Lucent
    Inventors: Haibo Wen, Chunyan Yao, Jun Zheng, Songwei Ma
  • Patent number: 8718278
    Abstract: A method for an encryption of a data stream is provided. The method includes: providing the data stream, providing at least two first random number generators having a first cryptographic strength, wherein each of the at least two first random number generators is switchable between states including a clocked state and a working state, and providing a second random number generator having a second cryptographic strength, wherein the second cryptographic strength is higher than the cryptographic strength. The method further includes switching the states of the at least two first random number generators using an output of the second random number generator and using an XOR-function for combining the data stream with an output of one of the at least two first random number generators, which is in the working state, such that a ciphered data stream is created.
    Type: Grant
    Filed: December 12, 2011
    Date of Patent: May 6, 2014
    Assignee: International Business Machines Corporation
    Inventors: Felix C. Beck, Rolf Schaefer
  • Patent number: 8719594
    Abstract: Methods and systems for maintaining data connectivity in a secure data storage network are disclosed. In one aspect, a method includes assigning a volume to a primary secure storage appliance located in a secure data storage network, the primary secure storage appliance selected from among a plurality of secure storage appliances located in the secure data storage network, the volume presented as a virtual disk to a client device and mapped to physical storage at each of a plurality of storage systems. The method further includes detecting at one of the plurality of secure storage appliances a failure of the primary secure storage appliance. The method also includes, upon detecting the failure of the primary secure storage appliance, reassigning the volume to a second secure storage appliance from among the plurality of secure storage appliances, thereby rendering the second secure storage appliance a new primary secure storage appliance.
    Type: Grant
    Filed: February 15, 2012
    Date of Patent: May 6, 2014
    Assignee: Unisys Corporation
    Inventors: David Dodgson, Joseph Neill, Ralph Farina, Edward Chin, Albert French, Scott Summers
  • Patent number: 8719933
    Abstract: Approaches for processing a digital file in a manner designed to minimize exposure of any malicious code contained therein. A digital file resides with a virtual machine. When the virtual machine receives an instruction to print, fax, or email the digital file, the virtual machine creates, from the digital file existing in an original format, a copy of the digital file in a different format within the virtual machine. The different format preserves a visual presentation of the digital file without supporting metadata or file format data structures of the original format. The virtual machine instructs the host OS to print the copy of the digital file, send a facsimile of the copy of the digital file, or email the copy of the digital file. The host OS may consult policy data in determining how to carry out the request vis-à-vis the digital file.
    Type: Grant
    Filed: June 19, 2012
    Date of Patent: May 6, 2014
    Assignee: Bromium, Inc.
    Inventors: Deepak Khajuria, Gaurav Banga, Vikram Kapoor, Ian Pratt