Abstract: Improved document processing workflows provide a secure electronic signature framework by reducing attack vectors that could be used to gain unauthorized access to digital assets. In one embodiment an electronically signed document is removed from an electronic signature server after signed copies of the document are distributed to all signatories. The electronic signature server optionally retains an encrypted copy of the signed document, but does not retain the decryption password. This limits the amount of data retained by the electronic signature server, making it a less attractive target for hackers. However, the electronic signature server still maintains audit data that can be used to identify a signed document and validate an electronic signature. For example, a hash of the document (or other document metadata) can be used to validate the authenticity of an electronically signed document based on a logical association between an electronic signature and the signed document.

Abstract: In an example, there is provided a system and method for execution profiling detection of malicious software objects. An execution profiling (EXP) engine may be provided in conjunction with a binary translation engine (BTE). Both may operate within a trusted execution environment (TEE). Because many malware objects make assumptions about memory usage of host applications, they may cause exceptions when those assumptions prove untrue. The EXP engine may proactively detect such exceptions via the BTE when the BTE performs its translation function. Thus, malicious behavior may be detected before a binary runs on a system, and remedial measures may be provided.

Abstract: The disclosed computer-implemented method for filtering log files may include (1) identifying, on the endpoint computing device, log files that recorded events performed by processes executing on the endpoint computing device, (2) prior to sending the log files from the endpoint computing device to a security server for analysis, filtering, based on an analysis of the events recorded by the log files, the log files by excluding log files that recorded non-suspicious events, and (3) forwarding the filtered log files from the endpoint computing device to the security server for analysis. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: In one embodiment, a data storage client may establish a virtual replay protected storage system with an agnostic data storage. The virtual replay protected storage system may maintain a trusted counter and a secret key in a trusted client environment. The virtual replay protected storage system may encode a hash message authentication code signature based on the trusted counter, the secret key, and a data set. The virtual replay protected storage system may send a write request of the data set with the hash message authentication code signature to an agnostic data storage.

Abstract: Implementations of the present disclosure include methods, systems, and computer-readable storage mediums for providing data security in web applications operating offline, and actions include receiving a request from a user of a web application during offline use of the web application in a web browser, the request implicating a data item, receiving an offline password from the user, decrypting an encrypted offline key to provide an offline key, and selectively using the offline key to process the data item based on a data protection policy stored in storage of the web browser and a protection level assigned to the data item.

Abstract: Receive a first device identifier from a first computing device; determine whether the first device identifier matches the second device identifier stored in a database at the second computing device; locate first user data associated with the first device identifier in the database of the second computing device based on a match; transmit the first user data to the first computing device based on a location of the first user data associated with the first device identifier; select an application to automatically launch on the first computing device based on application information within the first user data; update a user data list with the first user data, wherein the user data list is associated with the application and is stored at the second computing device; and launch the application on the first computing device, wherein the application uses second user data determined from the user data list.

Abstract: At a client computer, a web browser displays a control for a local utility executed on the client computer, wherein the control includes a link. The web browser receives a user input selecting the control and, in response to the user input, issues a request through the link to a local web server coupled with the local utility. The link includes a domain that resolves to a loopback network address. The loopback network address is a self-referencing address for the local web server at the client computer. The local web server receives the request and provides the local utility with a command portion of the request. In response to receiving the command portion of the request from the local web server, the local utility takes one or more actions based on the command portion of the request.

Abstract: A web server includes a servlet and a pluggable API firewall filter coupled to the servlet. The pluggable filter protects the web server from content based attacks by rejecting messages received from a client device. The pluggable filter includes a .jar, and the .jar is placed into a class path of the web server or packaged into a target web application archive (WAR).

Abstract: A method for safeguarding a system-on-a-chip includes a hardware-programmable logic unit. In the course of a programming process, a public PUF key and a private PUF key are generated in the hardware-programmable logic unit with the aid of a physical unclonable function, and the public PUF key is signed with the aid of a second private key. The public PUF key and its signature are stored in an external memory of the system-on-a-chip, a security module is signed with the aid of a third private key, the security module and its signature are stored in the external memory of the system-on-a-chip, and the security module includes software which is used for safeguarding the system-on-a-chip.

Abstract: A method for remote triggered black hole filtering can include advertising a first modified next hop address for a destination address of network traffic, and advertising a second modified next hop address for a source address of network traffic. The first next hop address of the destination address might be overwritten with the first modified next hop address. Filtered traffic then can be forwarded to the first modified next hop address, wherein filtered traffic comprises only network traffic addressed to the destination address or from the source address. In some cases, the filtered traffic is transported and received via a sinkhole tunnel. A second next hop address of the source address can be overwritten to a second modified next hop address. The attack traffic, which can be filtered traffic that is both addressed to the destination address and from the source address, might be forwarded to a discard interface.

Abstract: A method for authenticating a mobile device in real-time. The method includes detecting the mobile device, sending a text message containing a unique uniform resource locator (“URL”) to the mobile device, and detecting an access of the unique URL by the mobile device through a first communication path. In response to detecting the access of the unique URL, requesting and subsequently receiving, by the host system in real-time, a phone number and a subscriber identification ID associated with the mobile device through a second communication path distinct from the first communication path, and a device fingerprint of the mobile device through the first communication path. The method further includes initiating a risk analysis based on the phone number, the subscriber ID, and the device fingerprint and determining an authentication status of the mobile device based on the risk analysis.

Abstract: A login method and a login apparatus are provided. A third party server receives a login request of a first client and returns an identification code, the first client displays the identification code, and the third party server receives an authentication request of a second client to obtain a user unique identifier of the second client, wherein, the authentication request is sent by the second client according to an address of the third party server contained in the identification code after performing image acquisition to the identification code, and the third party server performs login authentication to corresponding third party account information bound to the user unique identifier and returns a login authentication result. The third party account information bound to the user unique identifier varies depending on the difference in the address information of the third party server contained in the identification code.

Abstract: A method for installing embedded firmware is provided. The method includes generating one or more firmware file instances and generating one or more digital certificate instances that are separate instances from the firmware file instances. The method includes associating the one or more digital certificate instances with the one or more firmware file instances to facilitate updating signature-unaware modules with signature-aware firmware or to facilitate updating signature-aware modules with signature-unaware firmware.

Abstract: Technologies to provide a secure data storage service in a cloud computing environment are generally disclosed. In some examples, a method comprises: partitioning a data resource into data particles, assigning logic groups to the data particles, assigning physical storage groups to the data particles, and/or storing each physical storage group at corresponding storage resource, receiving a request for the data resource, determining whether the request for the data resource is valid, and if the request is valid, transmitting the data particles of the data resource to the client. The method enables improved security for accessing data, and also improves the user experience in cloud computing environments.

Abstract: In various example embodiments, a system and method for providing policy-based authentication is provided. In example embodiments, a request to access and sign a document is received from a device of an intended signer. A policy assigned to the intended signer is determined. Based on the policy, a determination is made whether an authentication mechanism is applicable to the intended signer. In response to the determining that the authentication mechanism is applicable to the intended signer, the intended user is required to perform the authentication mechanism. The intended user is provided access to view and sign the document based on the intended user satisfying the authentication mechanism.

Abstract: Disclosed are various embodiments relating to a security framework for media playback. In one embodiment, a client device has a decryption module, a streaming module, and a playback module. The playback module may be configured to request media data from the streaming module and render the media data on an output device. The streaming module may be configured to obtain the media data from the decryption module by a request that specifies a size of the media data. The size may be dynamically determined based at least in part on an amount of available temporary data storage. The decryption module may be configured to decrypt a portion of an encrypted media file based at least in part on the specified size to produce the media data.

Abstract: Disclosed are an apparatus and method of verifying an application installation procedure. One example method of operation may include receiving an application at a computer device and initiating the installation of the application on the computer device. The method may also provide executing the application during the installation procedure and creating a hash value corresponding to the executed application data. The method may further provide storing the hash value in memory and comparing the hash value to a pre-stored hash value to determine whether to continue the installation of the application.

Abstract: A method, system and computer program for recoupling Kerberos Authentication and Authorization requests, the method including the steps of: (a) extracting authorization information, including a copy of a Ticket Granting Ticket (TGT), from an authorization request; (b) retrieving authentication information including the TGT, the authentication information having been previously extracted from an authentication transaction and stored; (c) cross-referencing the extracted authorization information with the retrieved authentication information, such that a discrepancy between the cross-referenced information invokes a security event alert.

Abstract: A device that incorporates the subject disclosure may perform, for example, generating a security domain root structure for a universal integrated circuit card of an end user device, where the security domain root structure includes a hierarchy of a link provider operator security domain above a mobile network operator trusted security domain, where the link provider operator security domain enables transport management by a link provider operator, and where the mobile network operator trusted security domain enables card content management and subscription eligibility verification by a mobile network operator trusted service manager. Other embodiments are disclosed.

Abstract: The invention features systems and methods for detecting and mitigating network attacks in a Voice-Over-IP (VoIP) network. A server is configured to receive information related to a mitigation action for a call. The information can include a complexity level for administering an audio challenge-response test to the call and an identification of the call. The server also generates i) a routing label based on the identification of the call, and ii) a script defining a plurality of variables that store identifications of a plurality of altered sound files for the audio challenge-response test. Each altered sound file is randomly selected by the server subject to one or more constraints associated with the complexity level. The server is further configured to transmit the script to a guardian module and the routing label to a gateway.