Patents Examined by Michael Chao
  • Patent number: 9043893
    Abstract: Systems and methods for web application firewall tunneling are disclosed. In one embodiment, the method may include (1) receiving a plurality of characters entered by a user into a field of a HTML page that is executed in a client runtime environment of a client device; (2) executing a client tunneling application to encode at least some of the characters; (3) passing the plurality of characters through the web application firewall; (4) executing a server tunneling application to decode the encoded characters; and (5) providing the plurality of characters, including the decoded characters, to a host application. Parts of the method may be performed by at least one computer processor.
    Type: Grant
    Filed: June 21, 2012
    Date of Patent: May 26, 2015
    Assignee: JPMorgan Chase Bank, N.A.
    Inventors: Glenn Stuart Benson, Christiaan Paul Akre, Russell M. Logar
  • Patent number: 9043944
    Abstract: According to one aspect of the present invention, a system and methodology is provided which controls whether or not content is permitted to be transmitted from a source device depending upon the nature of the content and/or other factors more fully described herein. Source devices may include devices such as mobile phones, tablets, netbooks, laptops, desktop computers, and any other devices which are capable of transmitting content which is resident on such device. As an example, inappropriate photographs may be identified by the system of the present invention, and when a user attempts to transmit one or more of these photographs, the system will prevent the user from doing so.
    Type: Grant
    Filed: January 21, 2013
    Date of Patent: May 26, 2015
    Inventor: Jeffrey Ronaldi
  • Patent number: 9043870
    Abstract: An automated system for signing up users invited to join a site based on their existing identity includes an invitation generator, an invite processor, a federated authentication module, a user information retrieval module, an account population and creation module, and a user interface module. The automated sign up module is responsive to an invite request. The automated sign up module sends an authorization request, receives the authorization response, verifies the response and retrieves user data. The automated sign up module uses the retrieved data to populate a sign up form and initialize an account. The automated sign up module sends new account information to a user for confirmation. Once confirmation has been received, the automated sign up module creates the new account and allows the user to access the system. The present disclosure includes a method for signing up users invited to join a site based on their existing identity.
    Type: Grant
    Filed: October 11, 2012
    Date of Patent: May 26, 2015
    Assignee: Google Inc.
    Inventors: Tzvi Itzhak Barenholz, Ilan Caron, Gregory Dardyk, Ari Leichtberg, Mor Miller, David Oren, Eric Sachs, Yaniv Shuba
  • Patent number: 9038126
    Abstract: A method for controlling and switching terminals includes a writing step and a logoff step. In the writing step, when there is a connection request from a given terminal, a processor of a switching device writes, into a memory, user identification information, a password, identification information of a communication system, and an IP address and port number so that their information and data are associated with one another. In the logoff step, if the same user identification information, password, and identification information of communication system as the above are already written in the memory, the processor logs off the other terminal that has the IP address and port number that are already so written in the storage unit as to be associated with the user identification information, the password, and the identification information of communication system.
    Type: Grant
    Filed: January 29, 2010
    Date of Patent: May 19, 2015
    Assignee: NEC Platforms, Ltd.
    Inventor: Yasuomi Ooki
  • Patent number: 9032218
    Abstract: Encryption key rotation is performed in computing environments having mirrored volumes by initializing a target storage media with a new key, performing a mirror revive operation from a first storage media to the target storage media, and configuring the first storage media and the target storage media to comprise a mirrored volume.
    Type: Grant
    Filed: January 29, 2010
    Date of Patent: May 12, 2015
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Geoffrey Ignatius Iswandhi, Mihai Damian, Vijaykumar Immanuel
  • Patent number: 9031231
    Abstract: A method of authenticating a device and a user comprises obtaining a device ID for the device, performing a biometric measurement of the user, obtaining helper data for the user, and generating a key from the biometric measurement and helper data. There is then generated a message comprising the key or a component derived from the key, which is transmitted to a remote service, and at the service there is carried out the step of authenticating the device and the user with the message. In a preferred embodiment, the generating of the key further comprises generating the key from the device ID.
    Type: Grant
    Filed: April 2, 2010
    Date of Patent: May 12, 2015
    Assignee: Koninklijke Philips N.V.
    Inventors: Muhammad Asim, Jorge Guajardo Merchan, Milan Petkovic
  • Patent number: 9027125
    Abstract: Instrumented networks and platforms having target subjects (devices, transactions, services, users, organizations) are disclosed. A security orchestration service generates runtime operational integrity profiles representing and identifying a level of threat or contextual trustworthiness, at near real time, of subjects and applications on the instrumented target platform. Methods and systems are disclosed for network flow and device/platform remediation in response to reconnaissance-based intelligence correlation based on network monitoring, to accomplish network flow remediation and device/platform remediation. In an embodiment, a system receives system warnings and endpoint threat intelligence. The system correlates risk based on inputs from sensory inputs that monitor network activity, system configuration, resource utilization, and device integrity.
    Type: Grant
    Filed: July 27, 2012
    Date of Patent: May 5, 2015
    Assignee: Taasera, Inc.
    Inventors: Srinivas Kumar, Dennis Pollutro
  • Patent number: 9015308
    Abstract: The independencies of a plurality of layers executing dividingly a transaction can be easily enhanced. A node (30) assigns a transaction to a node (30) of a lower layer through a distributed transaction management section. The node (30) shares a predetermined transaction with the node (30) of the lower layer along with other nodes (30). The node (30) shared by the nodes (30) is a read-only node or a node to which data can be written by the characteristic of a function. Thus the node (30) searches for an unused node (30) in lower layers through the distributed transaction management section (34) when the node starts a new transaction. First, second, and third node hosts (3, 4, 5) check if each node (30) is used for which transaction or if each node (30) is used or not and store the results.
    Type: Grant
    Filed: January 17, 2007
    Date of Patent: April 21, 2015
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Qingjie Du, Shinya Nakagawa
  • Patent number: 9015479
    Abstract: In one embodiment, a host device creates a super-distribution token by encrypting a content encryption key with a super-distribution key and stores the super-distribution token and encrypted content retrieved from a source storage device in a target storage device. In another embodiment, a host device provides a super-distribution token to a server, wherein the server is configured to generate an activation token from the super-distribution token, receive the activation token from the server, retrieve a content encryption key from the activation token, and decrypt encrypted content received from a storage device using the content encryption key retrieved from the activation token.
    Type: Grant
    Filed: December 16, 2011
    Date of Patent: April 21, 2015
    Assignee: SanDisk Technologies Inc.
    Inventors: Fabrice E. Jogand-Coulomb, Henry R. Hutton, Jason T. Lin, Joseph E. Halpern, Rotem Sela
  • Patent number: 9015828
    Abstract: A management system includes a plurality of components within a computer system. A plurality of component resource managers is provided, and each of the components is controlled by at least one of the plurality of component resource managers. A plurality of component management interfaces is also provided. Each of the components communicates with at least one of the controlling component resource managers via one of the component management interfaces. At least one runtime manager autonomously controls operation of the components and the component resource managers.
    Type: Grant
    Filed: June 11, 2007
    Date of Patent: April 21, 2015
    Assignee: Board of Regents, a Body Corporate of the State of Arizona, Acting for and on Behalf of The University of Arizona
    Inventor: Salim Hariri
  • Patent number: 9009488
    Abstract: A security interface system creates plausible deniability, and consists of a security interface device having a port for a releasable connection to a PC and to a memory key containing an encrypted operating system, the interface device containing logic to decrypt the memory key and a plaintext bootloader, and a further port for a memory card containing a key. The key is entirely encrypted and appears as random data when inspected. The interface device may have a port(s) for a keyboard and mouse. An encryption and decryption method is described, for decrypting a ciphertext into one of two plaintexts by choice of a key, the choice of which plaintext depending on whether the secret is to be revealed or remain confidential.
    Type: Grant
    Filed: June 21, 2012
    Date of Patent: April 14, 2015
    Inventors: Dong Liang She, Daniel Charles Shapiro, Jonathan Marc Parri
  • Patent number: 9009841
    Abstract: A system for detecting file upload vulnerabilities in web applications is provided. The system may include a black-box tester configured to upload, via a file upload interface exposed by a web application, a file together with a signature associated with the file. An execution monitor may be configured to receive information provided by instrumentation instructions within the web application during the execution of the web application. The execution monitor may be configured to recognize the signature of the uploaded file as indicating that the uploaded file was uploaded by the black-box tester. The execution monitor may also be configured to use any of the information to make at least one predefined determination assessing the vulnerability of the web application to a file upload exploit.
    Type: Grant
    Filed: March 30, 2012
    Date of Patent: April 14, 2015
    Assignee: International Business Machines Corporation
    Inventors: Yair Amit, Roee Hay, Roi Saltzman
  • Patent number: 9003542
    Abstract: A computer-implemented method for replacing sensitive information stored within non-secure environments with secure references to the same may include (1) identifying sensitive information stored within a non-secure environment on a computing device, (2) removing the sensitive information from the non-secure environment, (3) storing the sensitive information within a secure environment, (4) replacing the sensitive information originally stored within the non-secure environment with a reference that identifies the sensitive information stored within the secure environment, (5) identifying a request to access at least a portion of the sensitive information identified in the reference, (6) determining that at least a portion of the request satisfies a data-loss-prevention policy, and then (7) providing access to at least a portion of the sensitive information via the secure environment. Various other systems, methods, and computer-readable media are also disclosed.
    Type: Grant
    Filed: December 13, 2010
    Date of Patent: April 7, 2015
    Assignee: Symantec Corporation
    Inventors: Paul F. MacKay, Randall R. Cook, Bill G. Bodine
  • Patent number: 8995665
    Abstract: A role based security infrastructure for data encryption that does not require a key management system is provided. For each defined role, a unique key pair is generated. To encrypt a data set, a random encryption key is generated on the fly, and used to encrypt the data. To allow a role access to an encrypted data set, the corresponding encryption key is encrypted with the public key of that role, and stored in association with the encrypted data set. To access an encrypted data set, a private key associated with a role allowed access is used to decrypt the copy of the associated encryption key, which has been encrypted using the corresponding public key and stored in association with the data set. The decrypted encryption key is then used to decrypt the encrypted data set.
    Type: Grant
    Filed: August 20, 2008
    Date of Patent: March 31, 2015
    Assignee: Symantec Corporation
    Inventors: Ynn-Pyng “Anker” Tsaur, William Troy Cochran
  • Patent number: 8990934
    Abstract: Protection of a computer system against exploits. A computer system has a memory access control arrangement in which at least write and execute privileges are enforced for allocated portions of memory. An association of the process thread and the first portion of memory is recorded. A limited access regime in which one of the write and execute privileges is disabled, is established, and is monitored for any exceptions occurring due to attempted writing or execution in violation thereof. In response to the exception being determined as a write exception, the associated process thread is looked up, and analyzed for a presence of malicious code. In response to the exception type being determined as an execute exception, the first portion of memory is analyzed for a presence of malicious code. In response to detection of a presence of malicious code, execution of the malicious code is prevented.
    Type: Grant
    Filed: October 10, 2012
    Date of Patent: March 24, 2015
    Assignee: Kaspersky Lab ZAO
    Inventor: Mikhail A. Pavlyushchik
  • Patent number: 8990574
    Abstract: Disclosed is a system and method by which a multimedia source device communicates with a display device, allowing the multimedia devices to securely confirm the identity of the devices and confirm their trustworthiness through a trust authority.
    Type: Grant
    Filed: October 6, 2011
    Date of Patent: March 24, 2015
    Assignee: Prima Cinema, Inc.
    Inventor: Shaiwal Priyadarshi
  • Patent number: 8977842
    Abstract: A secure component communication management system provides secure, trusted communication between components in a hypervisor based virtual computing environment. A hypervisor security extension generates a container level private key/public key pair. The hypervisor security extension container injects the container level public key into one or more VM(s) that are to securely receive trustworthy data. The hypervisor security extension container encrypts data to transmit to VMs with the container level private key, and injects the encrypted data into one or more target VM(s), such that the injected data is trusted by the VM(s). The one or more VM(s) receive the container level public key and data encrypted with the container level private key, injected by the hypervisor security extension container. These VM(s) use the public key to decrypt injected data encrypted with the private key, such that the decrypted data is trusted.
    Type: Grant
    Filed: February 5, 2010
    Date of Patent: March 10, 2015
    Assignee: Symantec Corporation
    Inventors: Bruce McCorkendale, William E. Sobel
  • Patent number: 8972745
    Abstract: A computer system includes a first storage area accessible by an operating system and a second storage area accessible by authorized functions only. According to some embodiments of the invention at least one protected storage area is implemented into the second storage area, wherein the operating system installs at least one secret key and/or at least one customized processing function into regions of the at least one protected storage area, wherein the operating system transfers data and/or parameters to process into regions of the at least one protected storage area, wherein the operating system selects one of the customized processing functions to execute, wherein the selected customized processing function is executed and accesses storage regions of the at least one protected storage area to process the data and/or parameters, and wherein resulting process data is read from the at least one protected storage area.
    Type: Grant
    Filed: December 14, 2010
    Date of Patent: March 3, 2015
    Assignee: International Business Machines Corporation
    Inventors: Michael J. Jordan, Angel Nunez Mencias, Joerg Schmidbauer, Klaus Werner
  • Patent number: 8973095
    Abstract: In an embodiment, the present invention includes a method for receiving a request for user authentication of a system, displaying an authentication image on a display of the system using a set of random coordinates, receiving a plurality of gesture input values from the user, and determining whether to authenticate the user based at least in part on the plurality of gesture input values. Other embodiments are described and claimed.
    Type: Grant
    Filed: June 25, 2012
    Date of Patent: March 3, 2015
    Assignee: Intel Corporation
    Inventor: Ned M. Smith
  • Patent number: 8972482
    Abstract: A remote site downloading system is disclosed in which a local computer establishes a session with a content server, and a content file and geographic destination drive are selected. The local computer is typically on a first access network and the user wishes to have the file downloaded to a geographic drive, i.e., a remote site computer whose location and other properties are mapped in a mapping file on the local computer. The geographic drive is usually on a different access network in a dynamic location such as a hotspot or a fixed location such as broadband cable or DSL. The local computer is specially programmed to allow selection of the geographic target drive, pack information comprising cookies and a URL, and sends it to the remote geographic drive computer, where it may act as a proxy to cause downloading from the content server to the geographic drive on the remote site computer.
    Type: Grant
    Filed: March 12, 2004
    Date of Patent: March 3, 2015
    Assignee: Thomson Licensing
    Inventors: Jun Li, Junbiao Zhang, Snigdha Verma