Patents Examined by Jason Plotkin
  • Patent number: 8949949
    Abstract: In an embodiment, a method enables authentication of devices connected to a network. The method also enables the devices to digitally sign communication on the network with private keys. When a new device is added to the network, a mobile device may be connected to the new device. The mobile device receives identification from the new device and sends the identification to an authorization server, over a public network. The mobile device also sends a request for a private key to the authorization server. The authorization server contains an inventory of the devices authorized to communicate over the network. If the identification of the new device exists in the inventory, the authorization server sends a private key to the mobile device, over the public network. The mobile device forwards the private key to the new device.
    Type: Grant
    Filed: February 11, 2014
    Date of Patent: February 3, 2015
    Assignee: Level 3 Communications, LLC
    Inventors: William Thomas Sella, James Michael Sella
  • Patent number: 8930707
    Abstract: A method and apparatus for selectively securing records in a Near Field Communication Data Exchange Format (NDEF) message in a Near Field Communication (NFC) device are provided. The method includes generating a place marker signature record by setting a URI_present field to ‘0’ and setting a signature_type field to a predefined value, wherein a combination of the URI_present field set to ‘0’ and the signature_type field set to the predefined value indicates that a signature Record Type Definition (RTD) is a place marker signature record; and placing the place marker signature record in the NDEF message, wherein a set of records following the place marker signature record are secured.
    Type: Grant
    Filed: February 24, 2014
    Date of Patent: January 6, 2015
    Assignee: Samsung Electronics Co., Ltd
    Inventors: Thenmozhi Arunan, Eun-Tae Won
  • Patent number: 8924727
    Abstract: Technologies for labeling diverse content are described. In some embodiments, a content creation device generates a data structure that may include encrypted diverse content and metadata including at least one rights management (RM) label applying to the diverse content. The RM label may attribute all or a portion of the diverse content to one or more authors. The metadata may also be signed using an independently verifiable electronic signature. A consumption device receiving such a data structure may verify the authenticity of the electronic signature and, if verification succeeds, decrypt the encrypted diverse content in the data structure. Because the metadata is encapsulated with the diverse content in the data structure, it may accompany the diverse content upon its transfer or incorporation into other diverse content.
    Type: Grant
    Filed: October 12, 2012
    Date of Patent: December 30, 2014
    Assignee: Intel Corporation
    Inventors: Ned M. Smith, Kenneth T. Layton, Michael M. Amirfathi
  • Patent number: 8909761
    Abstract: Provided are methods and computer program products for monitoring the performance of network applications executing within operating-system-level virtualization containers. Methods may include enumerating operating-system-level virtualization containers on a networked device; creating a named pipe accessible by at least one application running in each operating-system-level virtualization container; retrieving, via the named pipe, performance data gathered by the at least one application, including an identification of each operating-system-level virtualization container; generating metrics based on the retrieved performance data; and generating an event incorporating the metrics, including operating-system-level virtualization container identifiers.
    Type: Grant
    Filed: February 8, 2011
    Date of Patent: December 9, 2014
    Assignee: BlueStripe Software, Inc.
    Inventors: Patrick A. Reynolds, Glenn T. Nethercutt, John B. Bley, Nathaniel C. Williams
  • Patent number: 8904511
    Abstract: Virtual firewalls may be established that enforce sets of policies with respect to computing resources maintained by multi-tenant distributed services. Particular subsets of computing resources may be associated with particular tenants of a multi-tenant distributed service. A tenant may establish a firewalling policy set enforced by a virtual firewall for an associated subset of computing resources without affecting other tenants of the multi-tenant distributed service. Virtual firewalls enforcing multiple firewalling policy sets may be maintained by a common firewalling component of the multi-tenant distributed service. Firewalling policy sets may be distributed at multiple locations throughout the multi-tenant distributed service. For a request targeting a particular computing resource, the common firewalling component may identify the associated virtual firewall, and submit the request to the virtual firewall for evaluation in accordance with the corresponding firewalling policy set.
    Type: Grant
    Filed: August 23, 2010
    Date of Patent: December 2, 2014
    Assignee: Amazon Technologies, Inc.
    Inventors: Kevin Ross O'Neill, Mark Joseph Cavage, Nathan R. Fitch, Anders Samuelsson, Brian Irl Pratt, Yunong Jeff Xiao, Bradley Jeffery Behm, James E. Scharf, Jr.
  • Patent number: 8898752
    Abstract: In an embodiment, an administrative computer system receives user login credentials from a user and makes at least one of the following determinations: that the user identifier does not match any existing user account, that the user identifier matches at least one existing user account, but that the user's account is in a locked state, or that the user identifier matches at least one existing user account, but the user's password does not match the user identifier. The administrative computer system then returns to the user the same response message regardless of which determination is made. The response indicates that the user's login credentials are invalid. The response also prevents the user from determining which of the credentials was invalid, as the response message is the same for each determination and is sent to the user after a measured response time that is the same for each determination.
    Type: Grant
    Filed: February 1, 2012
    Date of Patent: November 25, 2014
    Assignee: Microsoft Corporation
    Inventors: Ariel Gordon, Richard Allen Lundeen
  • Patent number: 8893306
    Abstract: A system to address resource management and security in a computer system may include an operating system kernel executing on a computer processor. The system may also include a data processing application and a mediator configured to execute on the computer processor. The mediator may operate between the operating system kernel and the data processing application. The mediator may control access of user generated state data of the data processing application and may restrict access of the operating system kernel to the user generated state data.
    Type: Grant
    Filed: August 31, 2010
    Date of Patent: November 18, 2014
    Assignee: International Business Machines Corporation
    Inventor: Marcel C. Rosu
  • Patent number: 8892680
    Abstract: A system and method for allowing requests generated as a result of dynamic URLs to be efficiently looked up in a cache are provided. The system and method involve receiving a request for a content element, the request being generated from a dynamic URL. A static content element identifier is generated from the request. In an embodiment, the static content element identifier includes only the content identification parameters and the dynamic parameters are removed. The static content element identifier is then used to determine whether the content element is in the cache.
    Type: Grant
    Filed: January 25, 2011
    Date of Patent: November 18, 2014
    Assignee: Openwave Mobility, Inc.
    Inventors: Stephen Wright, Robert Logue
  • Patent number: 8869235
    Abstract: A system is disclosed that includes components and features for enabling enterprise users to securely access enterprise resources (documents, data, application servers, etc.) using their mobile devices. An enterprise can use some or all components of the system to, for example, securely but flexibly implement a BYOD (bring your own device) policy in which users can run both personal applications and secure enterprise applications on their mobile devices. The system may, for example, implement policies for controlling mobile device accesses to enterprise resources based on device attributes (e.g., what mobile applications are installed), user attributes (e.g., the user's position or department), behavioral attributes, and other criteria.
    Type: Grant
    Filed: October 10, 2012
    Date of Patent: October 21, 2014
    Assignee: Citrix Systems, Inc.
    Inventors: Waheed Qureshi, Kelly Brian Roach, John M. McGinty, Olivier Andre, Shafaq Abdullah, Thomas H. DeBenning, Ahmed Datoo
  • Patent number: 8868786
    Abstract: A web services hub receives a request from a data source system, transforms the request, and transmits the transformed request to an external system. A secure service router is coupled to the web services hub. The secure service router authenticates the data source system and locates a transformation service to transform the request.
    Type: Grant
    Filed: April 18, 2011
    Date of Patent: October 21, 2014
    Assignee: The PNC Financial Services Group, Inc.
    Inventors: Michael Kutchmark, Randal Heuler, Robert Bills, W. Scott Edwards, Sergiy Nepomyashchyy
  • Patent number: 8839384
    Abstract: Methods and systems for maintaining user privacy preferences based on one or more user identifications across a plurality of applications are provided. Two or more user identifications are received with associated user privacy preferences. The received user identification is compared against other user identifications to determine if the user identifications relate to the same user. It may be determined that two user identifications are related if they have at least one browser property in common. A consolidated data stream of the user privacy preferences for the related user identifications is created. The consolidated data stream is communicated to one or more applications and propagated to maintain the user privacy preferences across the applications relating to the user identification.
    Type: Grant
    Filed: September 1, 2010
    Date of Patent: September 16, 2014
    Assignee: Microsoft Corporation
    Inventors: Siddhartha Roy, Sijian Zhang, Michael Elizarov, Shaoyu Zhou, Fei Cao
  • Patent number: 8800027
    Abstract: An authentication method and system provides for a user requesting authentication where the authentication request includes Personally Identifiable Information (PII) such as geolocation data. The user's device requesting authentication alters or encrypts the PII in order to prevent the PII's unintentional discovery by third parties or to comply with jurisdictional requirements for the safeguarding of PII. The receiving party saves the altered or encrypted PII for later use. In order to use the PII and perform calculations for authentication, the receiving party requests a trusted third party with knowledge of the methodology or key used to alter or encrypt the PII to perform calculations on the original values of the PII without saving the PII. The trusted third party returns a computed value to the receiving party where it is used to determine whether the user will be authenticated.
    Type: Grant
    Filed: September 14, 2012
    Date of Patent: August 5, 2014
    Assignee: EMC Corporation
    Inventor: Karl Ackerman
  • Patent number: 8744083
    Abstract: VoIP systems often use multiple ciphers for different components. The present invention includes a system and method for early detection of encrypted signals in packet networks that may be encrypted using any of a multitude of ciphers.
    Type: Grant
    Filed: June 29, 2012
    Date of Patent: June 3, 2014
    Assignee: Mitel Networks Corporation
    Inventor: Lee Dilkie
  • Patent number: 8732473
    Abstract: In some embodiments, a system may comprise a database and one or more servers. The database may, for example, store a plurality of content claims for previously evaluated data items, with each of the plurality of content claims being associated in the database with a corresponding stored digital fingerprint of a previously evaluated data item. The server(s) may, for example, be configured to receive a determined digital fingerprint of a data item from a client device on another network node, to submit a query to the database using the determined digital fingerprint as a primary key, and to transmit one or more content claims returned by the query to the client device. In some embodiments, the server(s) may be further configured to receive the content claim(s) and the digital fingerprint associated therewith from one or more computers on another network node, and to cause the received content claim(s) and digital fingerprint associated therewith to be stored in the database.
    Type: Grant
    Filed: June 1, 2010
    Date of Patent: May 20, 2014
    Assignee: Microsoft Corporation
    Inventors: Robert Bisso, Vadim Ismailov, Lingling Liu, Robert Saccone, Mukeshkumar Beher
  • Patent number: 8719924
    Abstract: Various embodiments for detecting harmful software are disclosed.
    Type: Grant
    Filed: March 3, 2006
    Date of Patent: May 6, 2014
    Assignee: AVG Technologies N.V.
    Inventors: Matthew Williamson, Vladimir Gorelik
  • Patent number: 8707416
    Abstract: The preferred embodiments involve a mechanism to bootstrap Kerberos from EAP in which EAP is used for initial network access authentication and Kerberos is used for provisioning session keys to multiple different protocols. The preferred embodiments make use of an EAP extension method (EAP-EXT) to realize the mechanism.
    Type: Grant
    Filed: November 24, 2007
    Date of Patent: April 22, 2014
    Assignees: Toshiba America Research, Inc., Telcordia Technologies, Inc.
    Inventors: Yoshihiro Oba, Subir Das
  • Patent number: 8701184
    Abstract: An authentication apparatus includes: a database section that stores a password; an entry section through which a password is entered; a storage section that stores an entered password which is entered through the entry section; an authentication section that authenticates whether the password and the entered password match with each other; and a determining section that determines whether or not a re-entered password is to be subjected to an authentication processing performed by the authentication section when the re-entered password is entered through the entry section after the authentication section determines that the password and the entered password do not match with each other.
    Type: Grant
    Filed: June 30, 2008
    Date of Patent: April 15, 2014
    Assignee: Kyocera Mita Corporation
    Inventor: Toshimitsu Morimoto
  • Patent number: 8683227
    Abstract: A communication system is provided with an information processing device, and a management device capable of updating old data stored in the information processing device by outputting new data to the information processing device. The management device is provided with an old data input device that inputs the old data, a first new data input device that inputs the new data, an encryption device that encrypts the new data by utilizing the old data as a key, and a new data output device that outputs the new data encrypted by the encryption device to the information processing device. The information processing device is provided with an old data storage that stores the old data, a second new data input device that inputs the encrypted new data output by the management device, a decryption device that decrypts the encrypted new data by utilizing the old data as a key, and an updating device that updates the old data stored in the old data storage to the new data decrypted by the decryption device.
    Type: Grant
    Filed: August 29, 2007
    Date of Patent: March 25, 2014
    Assignee: Brother Kogyo Kabushiki Kaisha
    Inventor: Kan Ishimoto
  • Patent number: 8645556
    Abstract: A method and system for reducing memory required to maintain connection states in a traffic manager. A network device receives a message from a client in which at least a portion of the message is to be forwarded to a first server. If the network device is maintaining information for facilitating a first connection with a second server, the network device maintains a subset of the information for use in restoring the first connection and frees memory associated with information that is not needed for restoring the first connection. The network device then employs other previously stored information to restore the state of a second connection to the first server. The network device then sends at least a portion of the message to the first server using the second connection.
    Type: Grant
    Filed: April 8, 2003
    Date of Patent: February 4, 2014
    Assignee: F5 Networks, Inc.
    Inventor: Richard Roderick Masters
  • Patent number: 8611540
    Abstract: An improved system and method are disclosed for peer-to-peer communications. In one example, the method enables endpoints to securely send and receive messages to one another within a hybrid peer-to-peer environment.
    Type: Grant
    Filed: June 23, 2010
    Date of Patent: December 17, 2013
    Assignee: Damaka, Inc.
    Inventors: Sivakumar Chaturvedi, Satish Gundabathula