Abstract: A system and method to exchange data among applications are disclosed. A request for information that includes private information is received from a user application. A respective indicator for each private information field within the requested information is determined. A protected set of information is provided to the user application. The protected set of information comprises the requested information with the respective indicator replacing the private information in each private information field of the requested information. At least one indicator is received from the user application. The original data corresponding to the received at least one indicator is determined.

Abstract: Management of key information as described herein enables a respective service provider to distribute encrypted content to subscribers, preventing improper use of the content without authorization. For example, the service provider can distribute encrypted content for recording by a subscriber at a remote location. At or around a time of recording the encrypted content, and on behalf of the user, the service provider initiates storage of the corresponding decryption information that is needed to decrypt the recorded encrypted content. In order to play back the recorded segments of the encrypted content, the subscriber communicates with a server resource to be authenticated. Subsequent to being authenticated, the server resource distributes a copy of decryption information needed to decrypt the previously recorded segments of encrypted content to the subscriber.

Abstract: Devices, systems, and methods for performing particularized encryption of confidential information within real-world data files that are subsequently stored within a cloud environment are described. Specific rules/logic are executed in a local computing environment to identify the type(s) and/or magnitude(s) of confidential information contained within each real-world data file. The identified type(s) and/or magnitude(s) of confidential information is thereafter specifically encrypted using various encryption processes. Once encrypted, the data is packaged and stored within a cloud environment without the need for further encryption at either the local computing or cloud environments.

Abstract: Large-scale, time-sensitive secure distributed control systems and methods are disclosed. According to an aspect, a method includes detecting an anomaly at a module among a plurality of modules in a network. The method also includes adjusting a reputation level of the module associated with the detected anomaly. Further, the method includes controlling interaction of the module associated with the detected anomaly within the network based on the adjusted reputation level.

Abstract: In representative embodiments, a system and method to calculate a security reliance score is illustrated. The security reliance score is calculated from an aggregation of property sub-scores. The property sub-scores are, in turn, based on scores for attributes that make up the properties. A learning model is employed to adjust scores over time based on collected information. Additionally, statistical sampling can adjust scores based on context, including geo-location context. Security reliance scores can be used to identify weaknesses that should be fixed in cryptographic material and/or configurations. The system can also make recommendations for changes that will have the biggest impact on security reliance scores. Additional uses are also identified.

Abstract: A method and system for managing document dissemination, including obtaining a plurality of operation logs from a plurality of local agents, where each of the plurality of local agents is executing on one of a plurality of clients. The method further includes identifying a document stored on a client of the plurality of clients, determining, using at least one of the plurality of operation logs, a dissemination path of the document between the plurality of clients, and performing an action based on the dissemination path of the document.

Abstract: Systems, methods, and computer program products to perform an operation comprising receiving digital content associated with an account identifier, parsing the digital content and extracting a set of attributes from the digital content, receiving via a network connection, from each of a plurality of online identity services, a set of identities matching at least one attribute of the set of attributes, intersecting the sets of identities to create a set of candidate identities, computing a score for each identity in the set of candidate identities, wherein each score reflects a likelihood that the respective candidate identity is associated with the account identifier; and returning a ranked list of the scored candidate identities and an indication of at least one item of evidence linking the respective candidate identity to the account identifier.

Abstract: In a network authentication method, a client device stores a reference first private key portion obtained by encrypting a first private key portion of a private key. The private key and a public key cooperatively constitute an a symmetric key pair. After receipt of a second private key portion of the private key, the client device generates a digital signature for transaction data using a current key which combines the second private key portion and a current key portion obtained by decrypting the reference first private key portion. A verification server verifies, based on the public key, whether a received digital signature is signed with the private key, and obtains the transaction data when verification result is affirmative.

Abstract: Techniques for securing a computing device are provided. An example method detecting contact with a touchscreen of the computing device, monitoring the contact with the touchscreen to determine whether the contact matches a predetermined pattern of movement, and performing one or more predetermined actions responsive to the contact with the touchscreen matching the predetermined pattern. The predetermined pattern includes a plurality of predetermined movements separated by pivot points. The pivot points represent a transition point in the predetermined pattern from a first type of movement to a second type of movement. The contact with the touchscreen can be broken at one or more of at least one pivot point, between a first instance of the first type of movement and a second instance of the first type of movement, or between a first instance of the second type of movement and a second instance of the second type of movement.

Abstract: Methods, systems, and computer-readable storage media for encrypting data to provide encrypted data for storage in a database. Implementations include actions of receiving, at client-side computing device, an input set including a plaintext value that is to be encrypted to provide an encrypted value, determining whether the plaintext value is stored in a search tree that is stored by the client-side computing device, if the plaintext value is not stored in the search tree, the encrypted value is provided using deterministic encryption of the plaintext value, and if the plaintext value is stored in the search tree, the encrypted value is provided using randomized encryption of the plaintext value, updating the search tree to include a node including the plaintext value and the encrypted value, and transmitting the encrypted value to a server-side computing device for storage of the encrypted value in the database.

Abstract: In Software-Defined Network (SDN), a trust controller and trust processor exchange hardware-trust data over an SDN southbound interface to maintain hardware-trust. A flow controller transfers a Flow Description Table (FDT) modification to the data-plane machine over the southbound interface. The flow controller transfers an FDT modification notice to the trust controller which transfers FDT security data over the southbound interface to authorize the FDT change in the SDN data-plane machine. The data-plane machine authorizes the FDT modification based on the FDT security data from the trust controller. The data-plane machine modifies the FDT in response to the successful authorization and processes user data traffic using the modified FDT. The trust controller may also transfer a Threat Description Table (TDT) to the data-plane machine to filter the user traffic for other threats.

Abstract: A mobile device is related to a user account. An agent implemented as processor instructions on a computing device sends login information to a service provider server. The service provider server compares the login information to the user account, performs a proximity check of the mobile device and the computing device, and sends authorization to the agent to approve an exchange of data with an application on the computing device. In some implementations the service provider may be an authorization service provider. Alternatively the service provider may be a wireless communications service provider and the mobile device is a cellular phone. In some implementations the mobile device is one of a card or a key fob that may include a biometric reader.

Abstract: Data privacy is becoming increasingly important and, in some jurisdictions, required. Access to private data can be controlled by forcing all access to go through minimizations services that allow only authorized access to private data. These minimization services can become processing bottlenecks if the only way to modify private data is by way of requests to the minimization service. Certain homomorphic operations allow for encrypted data to be modified without being first decrypted although other operands must be encrypted. Augmenting a minimization service to provide a public encryption key provides for encryption of the other operands. Providing a records manager that can take advantage of homomorphic operations allows certain data operations to be performed without compromising security and without accessing the minimization service.

Abstract: Disclosed are techniques for privacy preserving mobile demographic measurement of individuals, groups, and locations over time and space. A method of estimating demographic information associated with a user of a mobile device and/or a location while preserving the privacy of the user based at least in part on a location estimate of the mobile device of the user includes receiving an estimated geographical location of the mobile device of the user and receiving a time at which the mobile device was at the estimated geographical location. The method includes assigning substitute identifiers for the geographical location and the time at which the mobile device was at the estimated geographical location. The method includes associating the geographical areas substitute identifiers with demographic information and estimating demographic information associated with the user of the mobile device based on the substitute identifiers and based on the demographic information associated with substitute identifiers.

Abstract: Managing and accessing media items, including: a plurality of domains configured to provide access to media items; a plurality of clients associated with the plurality domains, and providing a pathway for accessing the media items; and a spanning application configured to track and aggregate accessible media items from the plurality of domains based on authentication and registration information and associated rights of the plurality of clients and the plurality of domains, wherein the spanning application enables accessing of the media items across the plurality of domains.

Abstract: A method of detecting correlated operations in a common storage. The method comprises providing at least one input operation, each the input operation being designated to write uniquely identifiable data on a memory unit of an application, monitoring a plurality of output operations of the application, each the output operation includes data read from the memory unit, comparing between the at least one input operation and the plurality of output operations to identify at least one matching group of input and output operations wherein each member of the at least one matching group has correlated written or read data in a common correlated target address in the memory unit, and outputting an indication of the at least one matching group.

Abstract: A mechanism for allowing a user to prove their identity on touch-based devices employing the use of a touch surface in firmware-controlled environments is discussed. The user may prove his or her identity by entering a series of strokes on the touch-based device to form a word or image. Characteristics of the entered strokes such as stroke order and stroke direction are compared to stored stroke characteristics that were gathered from a drawing of the same word or image during a user enrollment process. If the stroke characteristics comparison is acceptable, the user identity is verified.

Abstract: A method and apparatus for securely and remotely enabling the playing of a media program encrypted by a content encryption key over the Internet is disclosed. A license encryption key and a content decryption key are separately and securely transmitted to the receiver. The license encryption key is stored in the CAM and later used to decrypt the content encryption key so that the media program may be recovered.

Abstract: Systems and methods for managing a content encryption key and a seed to generate the content encryption key are provided. In one example, a method may include receiving a request for a content encryption key at a content encryption key service. The request includes a requesting entity fingerprint that corresponds to a requesting entity and a seed identifier that corresponds to a seed. The seed identifier is mapped to the seed and the requesting entity fingerprint mapped to a corresponding seed permission. If the seed permission entitles the requesting entity to receive the content encryption key, the key is derived using the seed and provided to the requesting entity.

Abstract: A portable self-contained node apparatus establishes a connection to a host apparatus having one or more peripheral devices connected directly thereto. The node apparatus is configured to view the one or more peripheral devices while being unaware of the host apparatus, and to act as a master device interacting directly with the one or more peripheral devices.