Patents Examined by Kaveh Abrishamkar
  • Patent number: 9825919
    Abstract: In some aspects, an encryption method comprises encrypting a first portion of a message using a first secret key. The first secret key is generated based on the public key of an entity. A one-way function is used to generate a second secret key from the first secret key, and the first secret key is subsequently discarded. A second portion of the message is encrypted using the second secret key. The encrypted first portion of the message and the encrypted second portion of the message are provided to the entity.
    Type: Grant
    Filed: November 2, 2015
    Date of Patent: November 21, 2017
    Assignees: BlackBerry Limited, Certicom Corp.
    Inventors: Robert John Lambert, Daniel Richard L. Brown, Atsushi Yamada
  • Patent number: 9820148
    Abstract: Embodiments of the invention are directed to a system, method, or computer program product for providing a permanently affixed un-decryptable coded identifier onto a mobile device. The identifier may be one or more applications, pictures, widgets, tokens, or the like that may be transformed into an identifier to include the object's original functionality plus additional coding. The identifier, once selected by the user, may be coded to include a tracker, beacon, and coded with remote access abilities. The identifier may then be permanently installed onto the user's mobile device. As such providing a trackable code associated with a mobile device, if the mobile device is misplaced. Furthermore, the identifier may be permanently stored within the mobile device preventing complete erasing of the identifier upon complete data deletion of the user device.
    Type: Grant
    Filed: October 30, 2015
    Date of Patent: November 14, 2017
    Assignee: BANK OF AMERICA CORPORATION
    Inventors: Alicia C. Jones-McFadden, Elizabeth S. Votaw
  • Patent number: 9817971
    Abstract: Detecting computer anomalies by determining probabilities of encountering call stack configurations at various depths, the call stacks being associated with software application instances on computers having the same operating system, where snapshots of the call stacks are recorded on the computers responsive to detecting predefined software application events, determining entropies of call stack configurations at various call stack depths using their associated probabilities, determining stack frame rarity scores of call stack configurations at various depths based on their associated stack frame entropies in accordance with a predefined rarity function, determining a call stack rarity score of any given call stack configuration as the maximum stack frame rarity score of the given configuration, and detecting an anomaly associated with any given one of the computers where any of the snapshots recorded on the given computer is of a call stack whose call stack rarity score meets a predefined anomaly condition.
    Type: Grant
    Filed: October 29, 2015
    Date of Patent: November 14, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Ron Peleg, Amir Ronen, Tamer Salman, Shmuel Regev, Ehud Aharoni
  • Patent number: 9807113
    Abstract: This document generally relates to systems, methods, and other techniques for identifying and interfering with the operation of computer malware, as a mechanism for improving system security. Some implementations include a computer-implemented method by which a computer security server system performs actions including receiving a request for content directed to a particular content server system; forwarding the request to the particular content server system; receiving executable code from the particular content server system; inserting executable injection code into at least one file of the executable code; applying a security countermeasure to the combined executable code and executable injection code to create transformed code; and providing the transformed code to a client computing device.
    Type: Grant
    Filed: August 31, 2015
    Date of Patent: October 31, 2017
    Inventors: Siying Yang, Jarrod Overson, Ben Vinegar, Bei Zhang
  • Patent number: 9798891
    Abstract: Methods and systems for a networked storage environment are provided. For example, one method includes generating by a processor in response to a request, a storage service level class (SLC) defined by a storage attribute and a protection SLC defined by a protection attribute for a storage item managed by a storage server, where the storage attribute provides a performance level for the storage item and the protection attribute provides a protection level for the storage item; identifying by the processor, a first resource for complying with the storage attribute of the storage SLC for storing the storage item; configuring a second resource for complying with the protection attribute of the protection SLC for storing information associated with the storage item; and monitoring the first resource for compliance with the storage attribute for the storage SLC.
    Type: Grant
    Filed: October 13, 2015
    Date of Patent: October 24, 2017
    Assignee: NETAPP, INC.
    Inventors: Ameet Deulgaonkar, Swaminathan Ramany
  • Patent number: 9794222
    Abstract: Some embodiments provide a method for performing stateful processing of a packet at a flow-based managed forwarding element (MFE). The method receives a packet at the MFE without stateful connection status information. The method sends the packet to a module separate from the MFE that stores stateful connection information for a plurality of connections. The method receives the packet from the module with stateful connection status information appended to the packet. The method performs an action on the packet based on the appended stateful connection status information.
    Type: Grant
    Filed: August 28, 2015
    Date of Patent: October 17, 2017
    Assignee: NICIRA, INC.
    Inventors: Justin Pettit, Jonathan Stringer
  • Patent number: 9785763
    Abstract: A method for biometric authentication of a user of a mobile device, and a case for performing the method is provided. The method includes, by the case, coupling the mobile device to the case, receiving from the mobile device biometric data of the user of the mobile device that was captured by the mobile device, storing the biometric data, receiving a request from the mobile device for authenticating the user of the mobile device, the request including biometric data captured by the mobile device, comparing the biometric data stored in the case and the biometric data included in the request, and sending to the mobile device a response to the request for authenticating the user of the mobile device based on a result of the comparison, wherein the response to the request is for use by the mobile device to perform an operation based on the authentication of the user.
    Type: Grant
    Filed: November 24, 2015
    Date of Patent: October 10, 2017
    Assignee: nCap Licensing, LLC
    Inventors: Paul Scully-Power, Rhett Francis Spencer, Anthony Joseph Sutera
  • Patent number: 9781114
    Abstract: A method of packet management for restricting access to a resource of a computer system. The method includes identifying client parameters and network parameters, as a packet management information, used to determine access to the resource, negotiating a session key between client and server devices, generating a session ID based on at least the negotiated session key, inserting the packet management information and the session ID into each information packet sent from the client device to the server device, monitoring packet management information in each information packet from the client device, and filtering out respective information packets sent to the server device from the client device when the monitored packet management information indicates that access to the resource is restricted.
    Type: Grant
    Filed: December 8, 2014
    Date of Patent: October 3, 2017
    Assignee: Citrix Systems, Inc.
    Inventors: Dennis Vance Pollutro, Kiet Tuan Tran, Srinivas Kumar
  • Patent number: 9767267
    Abstract: Method and devices for making access decisions in a secure access network are provided. The access decisions are made by a portable credential using data and algorithms stored on the credential. Since access decisions are made by the portable credential, non-networked hosts or local hosts can be employed that do not necessarily need to be connected to a central access controller or database, thereby reducing the cost of building and maintaining the secure access network.
    Type: Grant
    Filed: March 25, 2015
    Date of Patent: September 19, 2017
    Assignee: Assa Abloy AB
    Inventors: Masha Leah Davis, Robert Wamsley, Tam Hulusi
  • Patent number: 9767304
    Abstract: Techniques for representation of operating system context in a trusted platform module are described. In at least some embodiments, authorization principals that correspond to representations of operating system context are derived in a trusted platform module. The authorization principals can be used to define authorization policies for access to security assets stored in a trusted platform module.
    Type: Grant
    Filed: September 25, 2014
    Date of Patent: September 19, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Stefan Thom, Ronald Aigner, Navin Pai
  • Patent number: 9769146
    Abstract: An information processing system comprises: a management unit that performs management by associating an electronic certificate for a first group with notification destination information regarding a user who belongs to a second group and has a role in managing to allow the service to be used by the user belonging to the first group; and a notification unit that, in response to a remaining period until an expiration date of the electronic certificate falling below a predetermined value, identifies the notification destination information regarding the user belonging to the second group associated with the electronic certificate from among notification destination information, and performs a notification to update the electronic certificate based on the identified notification destination information.
    Type: Grant
    Filed: September 3, 2014
    Date of Patent: September 19, 2017
    Assignee: CANON KABUSHIKI KAISHA
    Inventor: Makoto Mihara
  • Patent number: 9760705
    Abstract: Method and devices for making access decisions in a secure access network are provided. The access decisions are made by a portable credential using data and algorithms stored on the credential. Since access decisions are made by the portable credential, non-networked hosts or local hosts can be employed that do not necessarily need to be connected to a central access controller or database, thereby reducing the cost of building and maintaining the secure access network.
    Type: Grant
    Filed: March 25, 2015
    Date of Patent: September 12, 2017
    Assignee: Assa Abloy AB
    Inventors: Masha Leah Davis, Robert Wamsley, Tam Hulusi
  • Patent number: 9755953
    Abstract: The present disclosure is directed to a system and method for applying unique routing rules to encrypted data packets being transmitted via a tunneling protocol. Because encrypted data packets are unintelligible at intermediary points along a secured link or “tunnel,” a multi-path router located between the tunnel endpoints is typically unable to apply unique routing rules. To enable unique routing, the disclosed method relies on a unique identifier that is associated with the secured link established between an initiator and a receiver (i.e., the tunnel endpoints). The unique identifier is transmitted with one or more encrypted data packets and is used at intermediary points to differentiate the encrypted data packets so that unique routing rules can be applied.
    Type: Grant
    Filed: July 24, 2014
    Date of Patent: September 5, 2017
    Assignee: Rockwell Collins, Inc.
    Inventors: Patrick J. Morrissey, Kesava Srinivas Vunnava, James N. Potts, Justin William Ehm, Rhishi Pratap Singh
  • Patent number: 9749860
    Abstract: A peer-to-peer wireless connection is established between a mobile client computing device and a server computing device, and information is communicated between the mobile client computing device and the server computing device over this connection. The information is sufficient for the server computing device and/or the mobile client computing device to authenticate the mobile client computing device with the server computing device. After the mobile client computing device has been authenticated with the server computing device, a user of the mobile client computing device is permitted to perform management tasks on the server computing device using the mobile client computing device, such as over the peer-to-peer wireless connection. For example, license keys can be moved from the mobile client computing device to the server computing device to upgrade the server computing device, and from the server computing device to the mobile computing device to downgrade the server computing device.
    Type: Grant
    Filed: September 11, 2015
    Date of Patent: August 29, 2017
    Assignee: Lenovo Enterprise Solutions (Singapore) PTE, LTD.
    Inventors: David Daniel Chudy, James Gordon McLean, Cristian Medina, Dharmesh Narendra Topiwala
  • Patent number: 9747462
    Abstract: Systems and methods for detecting potential steganography use to hide content in computer files transmitted via electronic communications are provided. An electronic communication associated with a computer file may be identified. The communication and the computer file may be analyzed to determine whether the computer file potentially includes hidden content. To determine whether the computer file potentially includes hidden content, a set of steganographic criteria may be analyzed. If at least a portion of the steganographic criteria are satisfied, then it may be determined that the computer file potentially includes hidden content. If at least a portion of the steganographic criteria are not satisfied, then it may be determined that the computer file does not potentially include hidden content. If the computer file is determined to potentially include hidden content, an individual may be notified of the communication associated with the computer file.
    Type: Grant
    Filed: February 1, 2017
    Date of Patent: August 29, 2017
    Assignee: Bank of America Corporation
    Inventors: Richard D. Hanner, Sr., Gwendolynne Chaperon-Dewolf, Chris Stott, Joseph Werner
  • Patent number: 9749131
    Abstract: A system, apparatus, method, and machine readable medium are described for authentication with asymmetric cryptography. For example, a method in accordance with one embodiment comprises: generating a challenge at a server; encrypting the challenge at the server using a public encryption key; transmitting the encrypted challenge to a connected device having a first connection over a network with the server; providing the encrypted challenge from the connected device to a user device; decrypting the encrypted challenge using a private encryption key corresponding to the public encryption key to determine the challenge; converting the challenge to a converted challenge, the converted challenge having a different format than the original challenge; receiving the converted challenge at the connected device and providing the converted challenge from the connected device to the server; and validating the converted challenge at the server to authenticate the user.
    Type: Grant
    Filed: July 31, 2014
    Date of Patent: August 29, 2017
    Assignee: NOK NOK LABS, INC.
    Inventor: Davit Baghdasaryan
  • Patent number: 9747461
    Abstract: Systems and methods for detecting potential steganography use to hide content in computer files transmitted via electronic communications are provided. An electronic communication associated with a computer file may be identified. The communication and the computer file may be analyzed to determine whether the computer file potentially includes hidden content. To determine whether the computer file potentially includes hidden content, a set of steganographic criteria may be analyzed. If at least a portion of the steganographic criteria are satisfied, then it may be determined that the computer file potentially includes hidden content. If at least a portion of the steganographic criteria are not satisfied, then it may be determined that the computer file does not potentially include hidden content. If the computer file is determined to potentially include hidden content, an individual may be notified of the communication associated with the computer file.
    Type: Grant
    Filed: February 1, 2017
    Date of Patent: August 29, 2017
    Assignee: Bank of America Corporation
    Inventors: Richard D. Hanner, Sr., Gwendolynne Chaperon-Dewolf, Chris Stott, Joseph Werner
  • Patent number: 9740781
    Abstract: A secure DNS query may be made by establishing a secure connection with a specific DNS server to determine an address for a hostname. A client device may have a database that may contain a record of a secure DNS server for one or more hostnames. When a DNS request contains one of the specified hostnames, an authenticated session may be created with the designated secure DNS server and a network address for the hostname is returned using the session. The authenticated session may authenticate a client device to the server as well as authenticate the server to the client. In some embodiments, the secure DNS server may accept connections from authenticated clients and may disregard connection requests from non-authenticated clients.
    Type: Grant
    Filed: January 12, 2015
    Date of Patent: August 22, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Jeromy S. Statia, Christopher J. Engdahl, Lee Walker, William Dixon
  • Patent number: 9740988
    Abstract: A method for detection and use of device identifiers to enhance the security of data transfers between electronic devices. A first electronic device can transmit access data to a second electronic device. The access data can be associated with a first access code that can be generated based at least in part on data representing a device identifier of the first electronic device. A device identifier can uniquely identify the first electronic device from a plurality of electronic devices. Transferring the access data can involve transforming the first access code into a second access code that can include data representing a device identifier associated with the second electronic device. Transforming the first access code into the second access code can facilitate access to a resource associated with the access data for a second user, but not for a first user.
    Type: Grant
    Filed: July 20, 2016
    Date of Patent: August 22, 2017
    Assignee: Live Nation Entertainment, Inc.
    Inventors: Samuel Levin, David Scarborough, Fengpei Du, Richard DiStefano, Dennis Denker, Sean Moriarty, Charles Plamondon, Matthew Siegel, Benjamin Marti
  • Patent number: 9736141
    Abstract: Systems and methods for passporting credentials provide a mechanism by which a native app on a client device can invoke a service provider's core web site web addresses (URL) while keeping the existing session active and shared between the two experiences (native app and web flow) so that the end user does not need to re-login at each context switch. The mechanism can include a unique way for the web flow context to communicate conditions and pass control back to the native app context of the shared session.
    Type: Grant
    Filed: September 2, 2016
    Date of Patent: August 15, 2017
    Assignee: PAYPAL, INC.
    Inventors: Igor Yefimov, Scott Atwood