Abstract: A computer-implemented authenticated encryption method for converting a plaintext message into a ciphertext message. The method includes dividing the plaintext message into at least two working blocks, each working block having a mathematical relationship to the plaintext message. For each working block, a working block ciphertext is computed as a function of such working block, a deterministic working block initialization vector, and a deterministic working block encryption key. For each working block, a message authentication tag is computed as a function of a deterministic working block message authentication key and at least one of (a) the working block ciphertext computed for such working block and an indication corresponding to the mathematical relationship of such working block to the plaintext message and (b) such working block.

Abstract: As disclosed herein a computer system for secure database backup and recovery in a secure database network has N distributed data nodes. The computer system includes program instructions that include instructions to receive a database backup file, fragment the file using a fragment engine, and associate each fragment with one node, where the fragment is not stored on the associated node. The program instructions further include instructions to encrypt each fragment using a first encryption key, and store, randomly, encrypted fragments on the distributed data nodes. The program instructions further include instructions to retrieve the encrypted fragments, decrypt the encrypted fragments using the first encryption key, re-encrypt the decrypted fragments using a different encryption key, and store, randomly, the re-encrypted fragments on the distributed data nodes. A computer program product and method corresponding to the above computer system are also disclosed herein.

Abstract: A method of automatically modifying a computer data query is disclosed herein. The modification of the computer data query can be performed to restrict access to data. The computer data query can be modified by receiving the computer data query, identifying tables in the query and retrieving providers associated with the tables identified in the query. These providers can be linked to one or several predicates. These predicates can be retrieved and used to modify the query. The modified query can then be used to retrieve data from one or several tables identified within the query.

Abstract: A password input device comprises a storage unit for storing character strings according to each icon; an input window generation unit for generating and displaying an input window on which a plurality of icons are arranged; a secret icon recognition unit which confirms a shift coordinate value and recognizes icons, which are arranged on coordinates inversely moved up to the shift coordinate value from a coordinate value at which a selected icon is arranged, as secret icons selected by the user if the user selects the icon; and an authentication processing unit which confirms a character string corresponding to each secret icon recognized in the secret icon recognition unit, generates a combined character string in which the one or more confirmed character strings are arranged, and authenticates the user by confirming whether the generated combined character string is consistent with the user's password stored in the storage unit.

Abstract: A method of detecting suspicious code that has been injected into a process. The method includes identifying suspicious executable memory areas assigned to the process and, for each thread in the process, inspecting a stack associated with the thread to identify a potential return address; determining whether or not the potential return address is located within a suspicious memory area; and, if the potential return address is located within a suspicious memory area, determining whether or not the instruction at the address preceding the potential return address is a function call and, if yes, determining that the potential return address is a true return address and identifying the thread and associated code as suspicious.

Abstract: Disclosed are methods and systems for providing a mobile signaling channel during a distributed denial of service (DDoS) attack. An example method for providing a mobile signaling channel during a DDoS attack may include communicatively coupling a mobile device to a DDoS device protecting upstream data communications during the DDoS attack. The mobile device may be operable to signal the DDoS attack via the mobile signaling channel. Furthermore, the method may include determining that a capacity of a primary signaling channel associated with the DDoS device is below a predetermined threshold capacity. The method may further include activating signaling of the DDoS attack by the mobile device via the mobile signaling channel. The activation may be performed based on the determination that the capacity of the primary signaling channel associated with the DDoS device is below the predetermined threshold capacity.

Abstract: This invention allows connection of an apparatus with a low security level without lowering the security level of a network even when such apparatus issues a connection request. This invention is directed to an access point which makes wireless communications with a station using an encryption method (AES). Upon reception of a connection request message including information indicating an encryption method (WEP) that can be used by a station, the access point checks if the encryption method (WEP) recognized based on the received connection request message is different from the encryption method (AES). When it is determined that the two encryption methods are different, the access point launches a controller which makes wireless communications with the station using that encryption method (WEP).

Abstract: Implementations provide for a secure shell (SSH) proxy for a Platform-as-a-Service (PaaS) system. A method of the disclosure includes receiving, by a processing device executing a Secure Shell (SSH) proxy server, a request to establish an SSH connection with a component of an application of a multi-tenant Platform-as-a-Service (PaaS) system, the component is separate from the SSH proxy server, authenticating credentials provided as part of the request, establishing the SSH connection with a device originating the request, receiving, in view of authenticating the credentials and establishing the SSH connection, routing information for the application, the routing information comprising a location of a node of the multi-tenant PaaS system executing the application, establishing an internal communication session with an executing proxy of the node, and forward information conveyed over the SSH connection to the executing proxy via the internal communication session.

Abstract: In some examples, a client device receives, from a network-attached storage (NAS) system, installer code. Executing the installer code at the client device causes display of a user interface at the client device. Questions are presented in the user interface at the client device. Responsive to answers to the questions received in the user interface, the installer code executing at the client device installs a subset of software components relating to the NAS system the client device.

Abstract: A method begins by a module to generate a secure signature on an item by selecting a first key representation index of a set of key representation indexes, wherein a first mathematical encoding of a private key generates a first plurality of key shares as a first key representation. The method continues with the module determining whether a first plurality of signature contributions have been received in response to a signature request for the item based on the first key representation index, wherein one of a first set of dispersed storage (DS) units executes a first mathematical signature function using one of the first plurality of key shares on the item to produce a signature contribution of the first plurality of signature contributions and when the first plurality of signature contributions have been received, generating the secure signature on the item from the first plurality of signature contributions.

Abstract: Architecture for generating a temporary account (e.g., an email address) with a user-supplied friendly name and a secret used to the sign the temporary account. For example, when a user wishes to create a temporary email address to use with an online organization, a friendly name is provided and the system generates a temporary email address including the friendly name. A signing component signs the temporary email address with a secret. One or more of these secrets can be provisioned prior to the user's creation of a friendly name, which eliminates propagation delay. During use, only incoming email messages having the temporary email address signed with the secret are validated. When the user revokes the temporary email address, the secret is revoked and the revocation is propagated to network gateways, rejecting any email sent to that address.

Abstract: High conversion rate content can be displayed with primary content from one or more publishers in order to determine whether the content is being displayed to human users or provided to automated processes such as robots. Convertible content such as advertising will generally result in conversions or other actions within an expected range of occurrences. Convertible content performing significantly below the range can be indicative of robotic traffic. Such determinations can be difficult for publishers with low volume traffic, however, as there may not be sufficient data to make an accurate determination. For such publishers, or users viewing content for such publishers, high conversion rate content can be displayed that will allow such determinations to be made with fewer data points. The rates can be used to determine robotic users, which can be blocked, as well as to determine poorly performing placements of the content by the publishers.

Abstract: Techniques for user authentication are disclosed. In one embodiment, the techniques may be realized as a method including during registration of a user, receiving a first captured image of a physical key having a blade; identifying from the captured image a plurality of features associated with the blade of the physical key; associating the identified plurality of features with the user as key feature data; in response to a subsequent access request by the user requiring authorization of the user, prompting the user to present the physical key; receiving a second captured image in response to prompting the user; analyzing the second image to determine if the key feature data is represented in the second image; and in response to determining that the key feature data is represented in the second image, authorizing the user's access request.

Abstract: A system and method for providing access credentials for a wireless network is provided. The system and method comprises sending a request for access credentials for a wireless network never previously accessed from a requesting client device to a connection helper service hosted by a server. The connection helper service determines a subset of user accounts that have the access credentials for the wireless network stored in an associated remote database. The connection helper service then searches social media to determine whether any of the subset of user accounts are connected with a user account associated with the requesting client device. If there is a connection, then the connection helper service facilitates requesting permission to acquire the access credentials from a remote database associated with a user account for the connection with the access credentials. In this manner, access to the wireless network is provided without manually entering access credentials.

Abstract: Generally, this disclosure provides systems, devices, methods and computer readable media for prevention of cable swap security attacks on storage devices. A host system may include a provisioning module configured to generate a challenge-response verification key-pair and further to provide the key-pair to the storage device to enable the challenge-response verification. The system may also include a link error detection module to detect a link error between the host system and the storage device. The system may further include a challenge-response protocol module configured to initiate, in response to the link-error detection, a verification challenge from the storage system and to provide a response to the verification challenge based on the key-pair.

Abstract: Disclosed are various examples of selectively enabling multi-factor authentication for applications on managed devices. An identity provider receives an authentication request for a first client application executed in a managed client device. The authentication request includes a first authentication factor corresponding to a management credential. The identity provider then determines whether one or more second authentication factors should be requested. If so, the identity provider then requests the second authentication factor(s) from a second client application. The identity provider receives the second authentication factor(s) from the second client application. The identity provider then authenticates the first client application in response to verifying the first authentication factor and the second authentication factor(s).

Abstract: An information processing apparatus includes a policy acquisition unit configured to acquire a policy on disclosure of information on a target user; a collection unit configured to collect attributes that may be related to the target user from public information disclosed on a network to create an attribute set related to the target user; and a determination unit configured to determine whether or not the attribute set satisfies the policy.

Abstract: A system and method of verifying integrity of software for verifying the integrity of software installed on a mobile terminal is provided. The system includes the mobile terminal configured to transmit mobile terminal information including a first software hash value and a software identification (ID) with respect to the software, and an office trust software monitor server configured to transmit the software ID transmitted from the mobile terminal to a software publishing server, receive a second software hash value with respect to the software corresponding to the software ID from the software publishing server, compare the first software hash value and the second software hash value, and verify the integrity of the software.

Abstract: A method is provided to share a content stored on a secured server. The content is associated to a first electronic device and encrypted using a public key of the first electronic device. The secured server stores a first re-encryption key from the first electronic device to a second electronic device. The method is implemented by the secured server and includes the steps of determining association of the content with the second electronic device, re-encrypting the content using the first re-encryption key, sending the content to the second electronic device for encryption using a second device public key and storing the encrypted content received from the second electronic device in association with the second electronic device.

Abstract: A computer-implemented method for digitally signing executables with reputation information is disclosed. This method may include (1) receiving a request for a reputation certificate for an executable file, (2) identifying reputation information associated with the executable file, (3) generating a digitally signed reputation certificate for the executable file that includes at least the reputation information associated with the executable file, and then (4) providing the reputation certificate in response to the request. Additional computer-implemented methods for evaluating the trustworthiness of executable files based at least in part on reputation information contained within such digitally signed reputation certificates, along with corresponding systems and computer-readable media, are also disclosed.