Patents Examined by Kaveh Abrishamkar
  • Patent number: 10325270
    Abstract: A method and system are provided for environmental credit scoring of a plurality of users, partners, and distributors comprising: registering the plurality of users, partners, and distributors; receiving information from the registered users; receiving environmental activity records from partners, and distributors; assigning each activity an identification number; verifying the environmental activity records; calculating a score of each environmental activity; calculating an environmental credit score of the partners and distributors; receiving data from a point of service system; identifying the environmental activity records of users, partners and distributors, and crediting respective environmental activity records; calculating an environmental credit score for the users based on the environmental activities' data credited under the environmental activity record of the users; analyzing the environmental credit score of the users, partners, and distributors; and publishing the environmental credit scores.
    Type: Grant
    Filed: July 24, 2018
    Date of Patent: June 18, 2019
    Inventor: Maher A Abdelsamie
  • Patent number: 10320835
    Abstract: In one example, a mobile device includes a network interface configured to receive data for an application including a set of application permissions describing elements of the mobile device to which the application will have access upon installation of the application, and a processing unit configured to determine a type for the application and, based on an analysis of the set of application permissions and the type for the application, determine whether the application includes malware.
    Type: Grant
    Filed: February 17, 2017
    Date of Patent: June 11, 2019
    Assignee: Pulse Secure, LLC
    Inventors: Neil Book, Daniel V. Hoffman
  • Patent number: 10298550
    Abstract: A computer program product for transmitting data flow in a network between two resources using a processing circuit to perform a method which includes obtaining a data record from a first resource, storing the data record and an associated data record identifier in a first memory, transmitting the data record from a first network to a second network, storing the data record and an associated data record identifier in a second memory, determining by an inline service provider whether the data record is suitable for transmission from a first resource to a second resource; based on determining that the data record is suitable for transmission by the inline service provider transmitting only the data record identifier stored in the second memory to the first switch and retrieving the data record stored in the first memory associated with the data record identifier for transmission to the second resource.
    Type: Grant
    Filed: September 22, 2016
    Date of Patent: May 21, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Chih-Wen Chao, Cheng-Ta Lee, Yin Lee, Wei-Shiau Suen, Ming-Hsun Wu
  • Patent number: 10291657
    Abstract: The technology disclosed relates to enforcing multi-part policies on data-deficient transactions of independent data stores. In particular, it relates to combining active analysis of access requests for the independent object stores with inspection of objects in the independent object stores, each of the analysis and inspection generating and persisting object metadata in a supplemental data store, actively processing data-deficient transactions that apply to the objects by accessing the supplemental data store to retrieve object metadata not available in transaction streams of the data-deficient transactions, and actively enforcing the multi-part policies using the retrieved object metadata.
    Type: Grant
    Filed: June 5, 2018
    Date of Patent: May 14, 2019
    Assignee: NetSkope, Inc.
    Inventors: Krishna Narayanaswamy, Lebin Cheng, Abhay Kulkarni, Ravi Ithal, Chetan Anand, Rajneesh Chopra
  • Patent number: 10282537
    Abstract: A request for authentication from a user of a computer system is received. An authentication prompt is transmitted to the user, wherein the authentication prompt corresponds to a plurality of stored authentication responses, and wherein each of the plurality of stored authentication responses is used to authenticate the user. A first user authentication response is received. Whether to accept the first user authentication response is determined based on a degree of similarity between the first user authentication response and a stored authentication response from the plurality of stored authentication responses. Responsive to accepting the first user authentication response, a security score is calculated representing a level of confidence with respect to verifying the user for authentication, based on a type of authentication response for the first user authentication response. Responsive to determining that the security score is greater than an authentication score, the user is authenticated.
    Type: Grant
    Filed: September 20, 2016
    Date of Patent: May 7, 2019
    Assignee: International Business Machines Corporation
    Inventors: Calvin B. Swart, Sharon M. Trewin
  • Patent number: 10284541
    Abstract: A system for generating an enhanced distributed online registry that utilizes an interoperable framework, and machine learning and natural language processing technologies to automatically provide compatible registry items. A persistent secure connection across distributed systems facilitates automatic synchronization of the generated online registry items across the distributed systems and devices accessing those systems. The online registry application processor utilizes machine learning and natural language technologies to generate an acquisition trending model which may be utilized to generate an enhanced distributed online registry that may determine and provide registry items that are compatible with the customer acquisition. Utilizing a persistent bi-directional connection, the online registry application processor may automatically synchronize the enhanced distributed online registry in real time as registry items are added and purchased.
    Type: Grant
    Filed: July 9, 2018
    Date of Patent: May 7, 2019
    Assignee: CAPITAL ONE SERVICES, LLC
    Inventors: Ponnazhakan Subramanian, Satish Chikkaveerappa, Liju Mathews
  • Patent number: 10284521
    Abstract: Disclosed are systems, methods, and computer-readable storage media for automatic security list offload with exponential timeout. A second layer of a firewall can determine that a first data, that previously passed through a first layer of the firewall, should be blocked. The second layer of the firewall can utilize more resources than the first layer of the firewall to determine whether to block a data packet. In response, a first rule can be applied at the first layer of the firewall to block data packets received from a source of the first data packet. Accordingly, a second data packet received from the source of the first data packet will be blocked at the first layer of the firewall based on the first rule.
    Type: Grant
    Filed: August 17, 2016
    Date of Patent: May 7, 2019
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Robert Shanks, Daghan Altas
  • Patent number: 10284376
    Abstract: A code signing system operating a web portal for user clients and a web service for automated machine clients. The web service can receive an operation request from a code signing module running on a remote machine client, the operation request including a request for a cryptographic operation and user credentials retrieved from a hardware cryptographic token connected to the machine client. The code signing system can perform the requested cryptographic operation and return a result to the machine client if the code signing system authenticates the machine client and the requested cryptographic operation is within a permissions set associated with the machine client.
    Type: Grant
    Filed: June 10, 2016
    Date of Patent: May 7, 2019
    Assignee: ARRIS Enterprises LLC
    Inventors: Reshma T. Shahabuddin, Ting Yao, Tat Keung Chan, Alexander Medvinsky, Xin Qiu
  • Patent number: 10263957
    Abstract: A method and apparatus of a device that installs a new access control list for a port of a network element is described. In an exemplary embodiment, a network element receives an indication that the first access control list for the port is to be updated with a second access control list and the port processes data communicated with the port with the first access control list. In addition, the network element configures the port to use a fallback access control list, where the fallback access control list includes a plurality of rules and the port uses the fallback access control list to process data communicated with the port. Furthermore, the network element loads the second access control list for the port. The network element additionally configures the port to use the second access control list, wherein the port uses the second access control list to process data communicated with the port.
    Type: Grant
    Filed: May 31, 2016
    Date of Patent: April 16, 2019
    Assignee: Arista Networks, Inc.
    Inventor: Kenneth James Duda
  • Patent number: 10257201
    Abstract: The present disclosure provides new methods and systems for managing access to service accounts by user accounts. For example, a user account and a service account may be created. The user account may be granted a first permission to access the service account. The first permission may provide a user with a capability to access the service account by at least one of accessing the service account through the user account and directly accessing the service account. A first credential may be issued to the service account. A user account status event regarding a change to the first permission may automatically be detected. It may be determined that the first permission provided access to the service account. A second credential may be issued to the service account. The second credential may invalidate the first credential and may prevent the user from directly accessing the service account.
    Type: Grant
    Filed: July 28, 2016
    Date of Patent: April 9, 2019
    Assignee: Red Hat, Inc.
    Inventors: Benjamin Parees, Clayton Coleman, David Eads, Jordan Liggitt
  • Patent number: 10257183
    Abstract: Techniques for an ID federation gateway include determining whether a user associated with a request for a particular network resource is to be identified by the provider of the particular service or by a different party. The service also comprises causing the different party to provide identification data that indicates an identity for the user, if the user is to be identified by the different party. The method further comprises causing user credentials data, based on the identification data, to be sent to an authentication process of the provider for a set of one or more network resources that includes the particular network resource requested by the user, if the data indicates that the user is successfully identified.
    Type: Grant
    Filed: May 22, 2017
    Date of Patent: April 9, 2019
    Assignee: Nokia Technologies Oy
    Inventors: Jari Tapio Otranen, Jari Anssi Petteri Mononen, Jari Mikael Pehkonen, Pasi Allan Lantiainen
  • Patent number: 10248428
    Abstract: Technologies for securely booting a computing device include a security engine of the computing device that consecutively determines a hash value for each block of initial boot firmware and generates an aggregated hash value from the hash value determined for each of the blocks. A processor of the computing device determines whether the aggregated hash value matches a reference checksum value. Initialization of the processor is completed in response to a determination that the aggregated hash value matches the reference checksum value. In some embodiments, the security engine consecutively retrieves each block of the initial boot firmware from a memory of the computing device, stores each retrieved block in a secure memory of the security engine, and determines the hash value for each stored block. Each block stored in the secure memory is copied to a portion of a cache memory of the processor initialized as Cache as RAM.
    Type: Grant
    Filed: April 28, 2014
    Date of Patent: April 2, 2019
    Assignee: Intel Corporation
    Inventors: Karunakara Kotary, Nicholas J. Yoke, Brett P. Wang, Genliu Xing
  • Patent number: 10243679
    Abstract: In some examples, a system receives a response from a web server, the response being responsive to a web request sent to the web server. The system executes a script in the response with a web browser, links a document object model (DOM) method to application code executed during the executing of the script, and determines a vulnerability based on the DOM method linked during the executing of the script.
    Type: Grant
    Filed: May 25, 2017
    Date of Patent: March 26, 2019
    Assignee: ENTIT SOFTWARE LLC
    Inventors: Shawn Morgan Simpson, Philip Edward Hamer
  • Patent number: 10237288
    Abstract: The invention discloses a method for deep data inspection over an industrial internet field broadband bus, the method including: obtaining, by a first node, a message to be transmitted; judging, by the first node, whether a bus device address in the message to be transmitted lies in a preset range of bus device addresses; and if the bus device address lies in the preset range of bus device addresses, then transmitting, by the first node, the message to be transmitted to a processor of the first node. The first node only forwards the message to be transmitted, lying in the preset range of bus device addresses to thereby improve the security of transmitting the message.
    Type: Grant
    Filed: September 13, 2016
    Date of Patent: March 19, 2019
    Assignee: KYLAND TECHNOLOGY CO., LTD.
    Inventor: Jinju Wei
  • Patent number: 10235507
    Abstract: Disclosed herein are techniques for authenticating a user via gestures, QR codes, and passphrases generated to incorporate typing habits of the user. A passphrase system generates a one-time use passphrase, which incorporates hallmarks and/or quirks of the user's typing, and presents the generated passphrase as an authentication challenge to authenticate as the user. If metrics collected during the authentication challenge are statistically similar to metrics of the user's typing, the authentication succeeds; otherwise, the authentication fails. A user's gesture habits during input of an authentication drawing may be used as a target for future authentication attempts. A user's input motions (typing and/or gestures) may be converted into a secure QR code; a different host device may use the secure QR code to obtain the target metrics for future authentication attempts of the user.
    Type: Grant
    Filed: April 20, 2016
    Date of Patent: March 19, 2019
    Assignee: Intensity Analytics Corporation
    Inventors: John D Rome, Bethann G. Rome, Thomas E. Ketcham, II
  • Patent number: 10231125
    Abstract: A telematics system that includes a security controller is provided. The security controller is responsible for ensuring secure access to and controlled use of resources in the vehicle. The security measures relied on by the security controller can be based on digital certificates that grant rights to certificate holders, e.g., application developers. In the case in which applications are to be used with vehicle resources, procedures are implemented to make sure that certified applications do not jeopardize vehicle resources' security and vehicle users' safety. Relationships among interested entities are established to promote and support secure vehicle resource access and usage. The entities can include vehicle makers, communication service providers, communication apparatus vendors, vehicle subsystem suppliers, application developers, as well as vehicle owners/users.
    Type: Grant
    Filed: October 27, 2016
    Date of Patent: March 12, 2019
    Assignee: CYBERCAR INC.
    Inventors: Charles W. Spaur, Michael F. Braitberg, Patrick J. Kennedy
  • Patent number: 10218680
    Abstract: Secure bulk messaging mechanism in which, roughly described, a sender first encrypts a message once. The message can be decrypted with a message decryption key. These can be symmetric or asymmetric keys. For each recipient, the sender then encrypts the message decryption key with the recipient's public key. The sender then sends the encrypted message and the encrypted message decryption keys to a store-and-forward server. Subsequently, one or more recipients connect to the server and retrieve the encrypted message and the message encryption key that has been encrypted with the recipient's public key. Alternatively, the server can forward these items to each individual recipient. The recipient then decrypts the encrypted message decryption key with the recipient's private key, resulting in an un-encrypted message decryption key. The recipient then decrypts the message using the un-encrypted message decryption key.
    Type: Grant
    Filed: December 10, 2014
    Date of Patent: February 26, 2019
    Assignee: Axway Inc.
    Inventor: David Jevans
  • Patent number: 10185827
    Abstract: Circuitry to facilitate verification of the integrity of a target instance of a computing platform is described. Specifically, a processor can include circuitry to measure execution parameter values during an execution of a portion of a software image, wherein the execution parameter values represent a sequence of execution states that the target instance of the computing platform passes through while executing the portion of the software image. During operation, a software image can be generated that, when executed at the target instance of the computing platform, verifies integrity of the computing platform. Next, the software image can be sent to the target instance of the computing platform. The processor at the target instance of the computing platform can execute the software image, thereby enabling the verification of the integrity of the target instance of the computing platform.
    Type: Grant
    Filed: December 4, 2017
    Date of Patent: January 22, 2019
    Inventor: Christopher Luis Hamlin
  • Patent number: 10181168
    Abstract: Disclosed is a system whereby it is possible to verify the safety of a person even if the person is not aware that the person is being searched for as a missing person. In this system, each verification requesting person who is searching for another person registers, in a database of a portal server (4), a set comprising a feature value of the face of the searched-for person and personal information (e.g., telephone number) about the searched-for person or the verification requesting person. A field server (2) constantly compares feature values of captured face images with the database, and if a close match is found between the feature value of a captured face image and the stored feature value of the face of a person, the field server (2) presents the registered personal information associated with that person to the person from which the captured face image was derived and requests verification from the latter person.
    Type: Grant
    Filed: March 31, 2014
    Date of Patent: January 15, 2019
    Assignee: HITACHI KOKUSAI ELECTRIC, INC.
    Inventor: Wataru Ito
  • Patent number: 10171475
    Abstract: A method for applying policies to an email message includes receiving, by an inbound policy module in a protected network, message metadata of an email message. The method also includes determining, based on the message metadata, whether receiving the email message in the protected network is prohibited by at least one metadata policy. The method further includes blocking the email message from being forwarded to the protected network if receiving the email message in the protected network is prohibited by the metadata policy. In specific embodiments, the method includes requesting scan results data for the email message if receiving the email message in the protected network is not prohibited by one or more metadata policies. In further embodiments, the method includes receiving the scan results data and requesting the email message if receiving the email message in the protected network is not prohibited by one or more scan policies.
    Type: Grant
    Filed: June 12, 2017
    Date of Patent: January 1, 2019
    Assignee: McAfee, LLC
    Inventors: Nicholas Liebmann, Peter Neal, Michael G. Bishop, Justin Cragin, Michael Driscoll