Abstract: The subject matter of this specification can be embodied in, among other things, a method that includes receiving, by one or more servers associated with an application marketplace, a policy that includes data that identifies one or more users, and a restricted permission. A request is received, by the servers associated with the application marketplace, to access one or more applications that are distributed through the application marketplace, wherein the request includes data that identifies a particular one of the users. One or more of the applications that are associated with the restricted permission are identified by the servers associated with the application marketplace, and access by the particular user to the applications that are associated with the restricted permission is restricted by the servers associated with the application marketplace.

Abstract: An optimized hardware architecture and method introducing a simple arithmetic processor that allows efficient implementation of an Elliptic Curve Cryptography point addition algorithm for mixed Affine-Jacobian coordinates. The optimized architecture additionally reduces the required storage for intermediate values.

Abstract: A processor-based method to defeat file and process hiding techniques in a computing device is provided. The method includes generating one of a path permutation, a symlink, or an address, for a path to open or obtain status of a tool or function in a library in a mobile computing device and making an open or status call for the tool or function, using the one of the path permutation, symlink or address. The method includes avoiding a pattern match and blocking, by an injected library, of the open or status call, the avoiding being a result of making the open or status call using the path permutation, symlink or address.

Abstract: A system and method of client side redirection with pluggable authentication and authorization is disclosed. In a particular embodiment, an operating system of a first computing device receives a request to cause remote desktop protocol (RDP) client device to connect to a second computing device. The client is coupled to the first computing device via a first RDP connection. The first computing device may use information associated with the first RDP connection to qualify the client to connect to the second computing device. If qualified, first computing device may send a redirect instruction to the client that redirects the client from the first computing device to the second computing device. The first computing device may send credentials to the client for use in establishing a second RDP connection to the second computing device. The redirect instruction and credentials may be sent via a virtual channel of the first RDP connection.

Abstract: A method, and associated system and computer program product, for dynamically modifying rules in a firewall infrastructure. A unit of deployment is received at a requestor module at a server. The unit of deployment includes the application code and a signed passport. The passport includes a firewall rule and a first application hash value. The received passport is authenticated, the received application code is hashed resulting in a second application hash value, and it is validated that the received first application hash value and the generated application hash value are equal. In response to the validation, the passport is received by a border control agent of the firewall from the server, a firewall is modified in the firewall infrastructure according to the received firewall rule, and communicating with the application is enabled through the modified firewall.

Abstract: Methods and apparatus for encrypting and decrypting data for wearable devices that are not based on authentication techniques, such as login/password or handshaking, are provided. A computing device receives a message. The message includes encrypted data and a cryptographic reference. The encrypted data includes physiological data of a wearer of the wearable device. The cryptographic reference includes a reference to a first cryptographic technique. The computing device determines the first cryptographic technique based on the reference to the first cryptographic technique. The computing device determines a cryptographic key. The computing device decrypts the encrypted data using the first cryptographic technique and the cryptographic key to obtain decrypted data. The computing device stores the decrypted data.

Abstract: A first collection including a pattern of life (POL) feature vector and a Q&A feature vector is constructed. A second collection is constructed from the first collection by inserting noise in at least one of the vectors. A third collection is constructed by crossing over at least one of vectors of the second collection with a corresponding vector of a fourth collection, migrating at least one of the vectors of the second collection with a corresponding vector of a fifth collection. Using a forecasting configuration, a POL feature vector of the third collection is aged to generate a changed POL feature vector containing POL feature values expected at a future time. The changed POL feature vector is input into a trained neural network to predict a probability of the cyber-attack occurring at the future time.

Abstract: The disclosed computer-implemented method for identifying potentially risky data users within organizations may include (1) monitoring computing activity of a member of an organization with respect to the member's access to data related to the organization, (2) generating, based at least in part on the member's computing activity, a baseline representation of the member's access to the data, (3) detecting at least one attempt by the member to access at least a portion of the data, (4) determining that the member's attempt to access the portion of data represents an anomaly that is suspiciously inconsistent with the baseline representation, and then in response to determining that the member's attempt to access the portion of data represents the anomaly, (5) classifying the member as a potential risk to the security of the data. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: User identities, password, etc. represent the barrier between a user's confidential data and any other third party seeking to access this data. As multiple software applications, web applications, web services, etc. embody this confidential data it is a tradeoff between easy recollection of said identities, passwords, etc. and data security. Generally for most users the balance is too far to convenience and ease of recollection such that the probability of third party illegally accessing the confidential data increases. Accordingly, it would be beneficial for users as well as organizations providing/controlling access to systems, resources, and data to be provided with an automatic means of entering password and/or security credential information without the user, for example, selecting the password, knowing the password, having access to the password, or entering the password where the organizations providing/controlling access can establish geo-fences relating to the credential information.

Abstract: A method for implementing a third party application in a micro-blogging service is provided, in which upon reception of a first request for presenting a media message provided by a third party media source, a micro-blog server obtains login information of a user and configuration information corresponding to the third party media source, converts the login information to authorization information, generates a second request for presenting the media message provided by the third party media source, and transmits the second request to a third party application server; the third party application server extracts the media message corresponding to the second request from the third party media source through a micro-blog open platform, by using the authorization information of the user and the configuration information corresponding to the third party media source, and presents it for the user.

Abstract: The described method is analogous to handling credentials in the physical world where agents and notary publics affix their attestations using their notary seals. The described method enables a person having a personal identity device and an electronic credential (e-credential) to create a digital seal to affix the owner's identity and attestation to an electronic artifact such as a transaction, document, or e-credential. The e-credential owner cannot repudiate having affixed the attestation to the electronic artifact. This enables other parties, including the e-credential owner, to inspect the digital seal affixed to the electronic artifact to identify the owner and the electronic artifact, verify the digital seal, and thereby obtain objective evidence that the attestation is truthful.

Abstract: An anonymized biometric representation of a target individual is used in a computer based security system. A detailed input biometric signal associated with a target individual is obtained. A weakened biometric representation of the detailed biometric signal is constructed such that the weakened biometric representation is designed to identify a plurality of individuals including the target individual. The target individual is enrolled in a data store associated with the computer based security system wherein the weakened biometric representation is included in a record for the target individual. In another aspect of the invention, a detailed input biometric signal from a screening candidate individual is obtained. The detailed biometric signal of the screening candidate is matched against the weakened biometric representation included in the record for the target individual.

Abstract: Various embodiments of systems, computer program products, and methods for encrypting data in a multi-tenant cloud environment are described herein. In an aspect, an encryption time frame to encrypt data associated with a user in a multi-tenant cloud environment may be retrieved. Based on the encryption time frame, a list of object types to be encrypted may be identified. A batch encryption period may be determined for encrypting data corresponding to the list of object types. Further, batches are sequentially selected based on the batch encryption period, for a selected batch: one or more data records may be retrieved based on the batch encryption period and the one or more data records may be encrypted in groups based on at least one throttling value.

Abstract: Access to content may be administered by storing content, the content comprising one or more selections, accessing a passive optical out-of-band token associated with the content, determining an access right for the content based on the passive optical out-of-band token, and enabling access to the content in accordance with the access right.

Abstract: Disclosed are methods and devices for securely updating firmware of locking devices. One method includes receiving a lock identifier from a locking device; determining that the lock identifier is associated with a user profile by comparing the lock identifier to a set of lock identifiers; receiving a firmware update packet from a server, wherein the firmware packet is encrypted by a lock key; transmitting the firmware update packet to the lock; decrypting the firmware update using the lock key; validating the encrypted firmware update; and installing the firmware update.

Abstract: A method of managing access to a physical mailing address using a virtual mailing address is presented. The method includes: setting up a proxy system as a server, assigning, by a server, a virtual mailing address identifier to natural or juristic person that registers with the server; linking, by the server, a physical mailing address entered by the user to the virtual mailing address identifier to generate the virtual mailing address; and enabling, by the server, a second natural person to manually access the physical mailing address when the server determines that the second user has permission to access the virtual mailing address; enabling, by the server, an institute or business (juristic person) to access the physical mailing address automatically using an Application programming interface (API) through a computer system when the server determines that the second user has permission to access the virtual mailing address.

Abstract: Techniques described herein may provide for affiliation and disaffiliation of devices, such as office communication devices, associated with a user. The affiliation/disaffiliation may be performed using a mobile device (e.g., a smart phone). In one implementation, a method may include receiving a request to affiliate a user with one or more office devices; and receiving context data, from a mobile device, relating to a current context of the mobile device. The method may further include determining, based on the context data, to authorize the affiliation of the user with the one or more office devices; and provisioning, based on the determination to authorize the affiliation, the one or more office devices to customize the one or more office devices for the user.

Abstract: Proposed is a Capability Management System (CMS) in a distributed computing environment that controls access to multiple objects by multiple subjects based upon a specified access order. A capability is dynamically constructed when the capability is needed. After the capability is used to access an object, a new capability is generated. In the alternative, multiple capabilities for enforcing an access order are generated independently of each other. The new capability is then employed by the same or another subject to access the object according to a prescribed access sequence. In this manner, at any particular time there is one capability valid to access the object by the appropriate subject. In addition, the capability includes information for verifying the authenticity of the capability and for specifying an expiration time associated with the capability. The technology may also be enhanced by providing a linkage between capabilities intended for use in a sequence.

Abstract: According to one embodiment, in response to receiving a plurality of uniform resource locator (URL) links for malicious determination, any known URL links are removed from the URL links based on a list of known link signatures. For each of remaining URL links that are unknown, a link analysis is performed on the URL link based on link heuristics to determine whether the URL link is suspicious. For each of the suspicious URL links, a dynamic analysis is performed on a resource of the suspicious URL link. It is classified whether the suspicious URL link is a malicious link based on a behavior of the resource during the dynamic analysis.

Abstract: A processing apparatus performs: in response to reception of first information by one of the network interface and the user interface, identifying, as a first function, a function corresponding to the first information out of a plurality of functions relating to image data; setting a first authority corresponding to the first information, the first authority being authority to use the first function; after setting the first authority, when one of the network interface and the user interface receives second information different from the first information and when functions identified by the second information out of the plurality of functions include at least part of the first function and a function other than the first function, identifying the function other than the first function as a second function; and setting a second authority corresponding to the second information, the second authority being authority to use the second function.