Patents Examined by Louis Teng
  • Patent number: 9961539
    Abstract: A method is provided for securing telecommunications traffic data that are incurred with the telecommunications service provider of the telecommunications service when at least one telecommunications service is used by a number of subscribers, wherein the telecommunications service is performed in a secure environment, the telecommunications service receives a message from at least one first subscriber of the telecommunications service, the message being intended for at least one second subscriber of the telecommunications service, and the telecommunications service, in response to the receipt of the message, sends a notification to the at least one second subscriber, wherein between the receipt of the message and the sending of the notification, a predetermined time delay is provided. Further, a system for securing telecommunications traffic data is provided, the system being adapted to execute the method according to the invention.
    Type: Grant
    Filed: December 4, 2015
    Date of Patent: May 1, 2018
    Assignee: UNISCON UNIVERSAL IDENTITY CONTROL GMBH
    Inventors: Hubert Jäger, Arnold Monitzer, Vesko Mitkov Georgiev, Christos Karatzas, Jaymin Modi, Dau Khiem Nguyen, Dieter Spillmann
  • Patent number: 9961060
    Abstract: A module with an embedded universal integrated circuit card (eUICC) can include a profile for the eUICC. The profile can include a first and second shared secret key K for authenticating with a wireless network. The first shared secret key K can be encrypted with a first key, and the second shared secret key K can be encrypted with a second key. The module can (i) receive the first key, (ii) decrypt the first shared secret key K with the first key, and (iii) subsequently authenticate with the wireless network using the plaintext first shared secret key K. The wireless network can authenticate the user of the module using a second factor. The module can then (i) receive the second key, (ii) decrypt the second shared secret key K, and (iii) authenticate with the wireless network using the second shared secret key K. The module can comprise a mobile phone.
    Type: Grant
    Filed: June 25, 2015
    Date of Patent: May 1, 2018
    Assignee: Network-1 Technologies, Inc.
    Inventor: John A. Nix
  • Patent number: 9954893
    Abstract: Methods and apparatus are described for automatically modifying web page code. Specific implementations relate to the modification of web page code for the purpose of combatting Man-in-the-Browser (MitB) attacks.
    Type: Grant
    Filed: September 22, 2015
    Date of Patent: April 24, 2018
    Inventors: Yao Zhao, Xinran Wang
  • Patent number: 9949132
    Abstract: A method and device for selectively securing records in a Near Field Communication Data Exchange Format (NDEF) message in a Near Field Communication (NFC) device are provided. The method includes generating a record by setting a first field to ‘0’ and setting a second field to a predefined value, wherein the record indicates a beginning of at least one record to be secured in the NDEF message; and placing the record in the NDEF message, wherein, at least one record preceding the record is unsecured and at least one record following the record is secured.
    Type: Grant
    Filed: June 15, 2015
    Date of Patent: April 17, 2018
    Assignee: Samsung Electronics Co., Ltd
    Inventors: Thenmozhi Arunan, Eun-Tae Won
  • Patent number: 9940480
    Abstract: A system and method of executing a script includes receiving, by a service user account module, a user script from a first user account. The method includes issuing, by a management system, execution data including the user script and validation parameters. The method includes signing, by the management system, the execution data with a private key. Responsive to signing the execution data, the execution data further includes a digital signature. The method further includes authorizing, by the management system, communication to a remote execution tool, where authorization requires the digital signature. The method further includes sending, to the remote execution tool, the execution data including the digital signature. The method further includes confirming, by the remote execution tool, the validation parameters. The method further includes, responsive to confirming the validation parameters, executing, by the remote execution tool, the user script on a remote system for the first user account.
    Type: Grant
    Filed: February 25, 2016
    Date of Patent: April 10, 2018
    Assignee: Red Hat, Inc.
    Inventors: Ivan Necas, Marek Hulan
  • Patent number: 9935771
    Abstract: The disclosure is directed to securely bootstrapping devices in a network environment. Methods and systems include hardware and/or operations for receiving, based on an identifier provisioned at a relying entity, instances of a security credential of an information system, wherein the instances are associated with respective certifying entities. The operations also include verifying the authenticity of the instances of the security credential using information of the certifying entities provisioned at the relying entity. The operations further include determining matches between the instances of the security credential. Additionally, the operations include determining, based on the matches, that a first instance of the security credential satisfies a policy provisioned at the relying entity. Further, the operations include verifying the authenticity of information requested from the information system using the first instance of the security credential.
    Type: Grant
    Filed: September 22, 2015
    Date of Patent: April 3, 2018
    Assignee: VERISIGN, INC.
    Inventors: Ramakant Pandrangi, Eric Osterweil, Paul Livesay
  • Patent number: 9929858
    Abstract: In an embodiment, an integrated circuit (IC) device for detecting fault attacks is disclosed. In the embodiment, the IC device includes a main CPU core, memory coupled to the main CPU core, and a co-processor core including a checksum generation module, the co-processor core coupled to the main CPU core, wherein the main CPU core is configured to direct the co-processor core to process data from the memory and the co-processor core is configured to process the data, in part, by feeding internal signals to the checksum generation module and wherein the co-processor core is further configured to return a checksum value generated by the checksum generation module to the main CPU core.
    Type: Grant
    Filed: September 21, 2015
    Date of Patent: March 27, 2018
    Assignee: NXP B.V.
    Inventor: Sebastien Riou
  • Patent number: 9875370
    Abstract: Methods, systems, apparatuses, and computer program products are provided for secure handling of queries by a data server (DS) and a database application (DA). A parameterized query is received by the DS from the DA based on a user query received from a requestor. The DS analyzes the parameterized query to attempt to determine an encryption configuration for a transformed version of the user query capable of being evaluated by the DS on encrypted data values. The DS responds to the DA with either a failure to determine the encryption configuration, or by providing the determined encryption configuration to the DA. The DA generates the transformed version of the user query, and provides the transformed version to the DS. The DS evaluates the transformed version of the user query, and provides results to the DA. The DA decrypts the results, and provides the decrypted results to the requestor.
    Type: Grant
    Filed: March 26, 2015
    Date of Patent: January 23, 2018
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Panagiotis Antonopoulos, Ajay S. Manchepalli, Kapil Vaswani, Haohai Yu, Michael James Zwilling
  • Patent number: 9836281
    Abstract: Methods and systems for encrypting data are disclosed. A circuit uses a white noise generator to capture a random string of bits as an encryption key. The encryption key is generated at a central server and is provided to a subscriber on a physical memory device. The subscriber uses the encryption key to encrypt a source data file. The encrypted data file is sent to the central server, which uses the encryption key to decrypt the encrypted data file and to recover the source data file. The file name for the source data file may be encrypted into the encrypted data file and a new name assigned to the encrypted data file. A random number index may be used to identify the starting point of the encrypted file.
    Type: Grant
    Filed: March 11, 2014
    Date of Patent: December 5, 2017
    Inventor: Greg J. Wright
  • Patent number: 9832220
    Abstract: A method for enhancing security in a cloud computing system by allocating virtual machines over hypervisors, in a cloud computing environment, in a security-aware fashion. The invention solves the cloud user risk problem by inducing a state such that, unless there is a change in the conditions under which the present invention operates, the cloud users do not gain by deviating from the allocation induced by the present invention. The invention's methods include grouping virtual machines of similar loss potential on the same hypervisor, creating hypervisor environments of similar total loss, and implementing a risk tiered system of hypervisors based on expense factors.
    Type: Grant
    Filed: September 22, 2015
    Date of Patent: November 28, 2017
    Assignee: The United States of America as represented by the Secretary of the Air Force
    Inventors: Luke Kwiat, Charles Kamhoua, Kevin Kwiat
  • Patent number: 9805189
    Abstract: Registering a computer system for use in an enterprise. A method includes receiving, from a device management infrastructure of the enterprise, an executable system management component (SMC), and installing the SMC at a storage device. The method also includes executing the SMC, causing the computer system to register with the device management infrastructure, including applying a device settings policy to a configuration of the computer system. Executing the SMC also causes the computer system to configure itself to periodically execute a maintenance task received from the device management infrastructure.
    Type: Grant
    Filed: January 25, 2016
    Date of Patent: October 31, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Hassen Karaa, Michael Healy, Brett D. A. Flegg, Gaurav Dhawan, Jeffrey Sutherland
  • Patent number: 9798900
    Abstract: The present disclosure is directed to a flexible counter system for memory protection. In general, a counter system for supporting memory protection operations in a device may be made more efficient utilizing flexible counter structures. A device may comprise a processing module and a memory module. A flexible counter system in the memory module may comprise at least one data line including a plurality of counters. The bit-size of the counters may be reduced and/or varied from existing implementations through an overflow counter that may account for smaller counters entering an overflow state. Counters that utilize the overflow counter may be identified using a bit indicator. In at least one embodiment selectors corresponding to each of the plurality of counters may be able to map particular memory locations to particular counters.
    Type: Grant
    Filed: March 26, 2015
    Date of Patent: October 24, 2017
    Assignee: INTEL CORPORATION
    Inventors: Jungju Oh, Siddhartha Chhabra, David M Durham
  • Patent number: 9794069
    Abstract: A method for authenticating a document comprises obtaining the contents of a document, obtaining biometric characteristics from an individual, forming a message based on the contents of the document and the biometric characteristics of the individual, generating a digital signature based on the message and a key, and writing the digital signature to a Radio Frequency Identification (RFID) tag affixed to the document.
    Type: Grant
    Filed: May 17, 2016
    Date of Patent: October 17, 2017
    Assignee: NEOLOGY, INC
    Inventors: Jeffrey Zhu, Jun Liu
  • Patent number: 9781102
    Abstract: An improved technique involves setting an administrator password in a server to a temporary password upon receipt of a request for administrator access to the server. Along these lines, when a support engineer receives a support ticket from a customer, the support engineer sends a request to obtain administrator access to the customer's server to an access control computer. The access control computer, upon receipt of the request, generates a temporary password that grants the support engineer a one-time administrator access to the server. The access control computer then changes the administrator password on the server to the temporary password and reveals the temporary password to the support engineer. At some time either after the engineer obtains administrator access to the server or after some specified time has passed, the access control computer invalidates the temporary password by changing the administrator password to a different password.
    Type: Grant
    Filed: March 7, 2014
    Date of Patent: October 3, 2017
    Assignee: EMC IP Holding Company LLC
    Inventors: Denis Knjazihhin, Joseph Xavier Lawrence, Jr., David Shapiro, Dan Uwe Zehme
  • Patent number: 9755839
    Abstract: A method and system configured to produce a cryptographic signature on a message, under a key, at a user computer wherein the key is shared between the user computer, which stores a first key-share, and an authentication computer, which stores a second key-share and a first authentication value. The user computer encodes the message to produce a blinded message, produces the first authentication value from a user password and a secret value, and produces a second authentication value by encoding the first authentication value and a nonce. The authentication computer uses the nonce to determine if the first authentication value is correct and, if so, encodes the blinded message using the second key-share to produce a partial signature. The user computer produces a signature on the message under the key by encoding the partial signature and the message using the first key-share and an unblinding function.
    Type: Grant
    Filed: June 17, 2015
    Date of Patent: September 5, 2017
    Assignee: International Business Machines Corporation
    Inventors: Jan L. Camenisch, Anja Lehmann, Gregory Neven
  • Patent number: 9749310
    Abstract: Technologies for remote device authentication include a client computing device, an identity provider, and an application server in communication over a network. The identity provider sends an authentication challenge to the client. A capability proxy of the client intercepts an authentication challenge response and retrieves one or more security assertions from a secure environment of the client computing device. The capability proxy may be an embedded web server providing an HTTP interface to platform features of the client. The client sends a resource access token based on the security assertions to the identity provider. The identity provider verifies the resource access token and authenticates the client computing device based on the resource access token in addition to user authentication factors such as username and password. The identity provider sends an authentication response to the client, which forwards the authentication response to the application server.
    Type: Grant
    Filed: March 27, 2015
    Date of Patent: August 29, 2017
    Assignee: Intel Corporation
    Inventors: Hong Li, Suman Sharma, John B. Vicente, Luis A. Gimenez, Carlton D. Ashley, Navneet Malpani
  • Patent number: 9749323
    Abstract: Technologies for secure server access include a client computing device that loads a license agent into a secure enclave established by a processor of the client computing device. The license agent receives a request from an application to access a remote server device. The license agent opens a secure connection with the server device and performs remote attestation of the secure enclave. The license agent authenticates the user and transmits a machine identifier and a user identifier to the server device. The machine identifier may be based on an enclave sealing key of the client computing device. The server device verifies that the machine identifier and the user identifier are bound to a valid application license. If the machine identifier and the user identifier are successfully verified, the application communicates with the server device using the secure connection. Other embodiments are described and claimed.
    Type: Grant
    Filed: March 27, 2015
    Date of Patent: August 29, 2017
    Assignee: Intel Corporation
    Inventors: Oron Lenz, Noam Milshten, Ilya Berdichevsky
  • Patent number: 9742559
    Abstract: Systems and methods for recognizing and reacting to malicious or performance-degrading behaviors in a mobile device include observing mobile device behaviors in an observer module within a privileged-normal portion of a secure operating environment to identify a suspicious mobile device behavior. The observer module may generate a concise behavior vector based on the observations, and provide the vector to an analyzer module in an unprivileged-secure portion of the secure operating environment. The vector may be analyzed in the unprivileged-secure portion to determine whether the mobile device behavior is benign, suspicious, malicious, or performance-degrading. If the behavior is found to be suspicious, operations of the observer module may be adjusted, such as to perform deeper observations. If the behavior is found to be malicious or performance-degrading, the user and/or a client module may be alerted in a secure, tamper-proof manner.
    Type: Grant
    Filed: December 6, 2013
    Date of Patent: August 22, 2017
    Assignee: QUALCOMM Incorporated
    Inventors: Mihai Christodorescu, Rajarshi Gupta, Vinay Sridhara
  • Patent number: 9721260
    Abstract: A method and apparatus includes providing a cryptographic key, in an inactive state, to a point in a supply chain for manufactured items, providing the cryptographic key, in an active state, and an activation code for activating the cryptographic key, to a verification center, and providing the activation code to the point in the supply chain in response to the point in the supply chain transmitting information relating to the received cryptographic key. The method includes generating, at the point in the supply chain, an identification (ID) code for each manufactured item, derived from the cryptographic key in the active state and a dynamic key generated for each batch of manufactured items. The method also includes providing the dynamic key for each batch of manufactured items to the verification center, marking each manufactured item with the ID code, and counting the actual or correct number of ID codes marked on the manufactured items.
    Type: Grant
    Filed: December 21, 2011
    Date of Patent: August 1, 2017
    Assignee: INEXTO SA
    Inventors: Philippe Chatelain, Patrick Chanez, Erwan Fradet, Alain Sager
  • Patent number: 9716589
    Abstract: A secure communications arrangement including an endpoint is disclosed. The endpoint includes a computing system. The computing system includes a user level services component and a kernel level callout driver interfaced to the user level services component and configured to establish an IPsec tunnel with a remote endpoint. The computing system also includes a filter engine storing one or more filters defining endpoints authorized to communicate with the endpoint via the IPsec tunnel. The computing system also includes a second kernel level driver configured to establish a secure tunnel using a second security protocol different from IPsec.
    Type: Grant
    Filed: September 30, 2013
    Date of Patent: July 25, 2017
    Assignee: Unisys Corporation
    Inventors: Robert A Johnson, Kathleen Wild, Sarah K Inforzato, Ted Hinaman