Patents Examined by Michael R Vaughan
-
Patent number: 10033703
Abstract: The present document describes systems and methods that provide pluggable cipher suites. In one embodiment, a client and a server perform a secure transport handshake that negotiates a set of supported cipher suites. The server determines if the cipher suites supported by the client are acceptable. When the server determines that the cipher suites supported by the client are not acceptable, the server provides a pluggable cipher suite to the client. The client runs the pluggable cipher suite in a sandboxed environment, and uses the pluggable cipher suite to add support for one or more additional cipher suites. In some implementations, the pluggable cipher suite is provided by a third-party server.
Type: Grant
Filed: June 16, 2015
Date of Patent: July 24, 2018
Assignee: Amazon Technologies, Inc.
Inventor: Nima Sharifi Mehr
-
Patent number: 10021084
Abstract: Embodiments as disclosed provide systems and methods that use a local authenticator within a domain to provide a credential to access a resource of the domain to a non-local requestor. When a request is received from a non-local requestor at the domain the non-local requestor can be authenticated based on the request. The local authenticator can then be accessed to obtain a credential. This credential may be the same type of credential provided to members of the domain when they authenticate using the local authenticator. The credential is provided to the non-local requestor so the non-local requestor can access the resource of the domain using the credential and authentication of the non-local requestor with respect to these accesses can be accomplished using the local domain authenticator and the credential.
Type: Grant
Filed: October 21, 2015
Date of Patent: July 10, 2018
Assignee: Open Text SA ULC
Inventors: Glen Matthews, Jonathan Carroll, Aladin Dajani
-
Patent number: 10015017
Abstract: Aspects of the disclosure are related to a method for verifying whether a message was digitally signed by a user. The example method comprises: receiving a public key of a public-key signature scheme and one or more pieces of plaintext identification information associated with the user; applying a hash scheme to a combination of the public key and the one or more pieces of plaintext identification information, the hash scheme yielding a hash result; determining whether the hash result satisfies one or more criteria; determining whether the public key is associated with the user based on the determination of whether the hash result satisfies the one or more criteria; and verifying a digital signature of the message with the public key.
Type: Grant
Filed: April 9, 2015
Date of Patent: July 3, 2018
Assignee: QUALCOMM Incorporated
Inventor: Keir Finlow-Bates
-
Patent number: 10015146
Abstract: A system(s) and method(s) for secure session establishment and secure encrypted exchange of data is disclosed. The system satisfies authentication requirement of general networking/communication systems. It provides an easy integration with systems already using schemes like DTLS-PSK. The system follows a cross layer approach in which session establishment is performed in a lightweight higher layer like the application layer. The system then passes resultant parameters of such session establishment including the session keys to a lower layer. The lower layer like the transport layer is then used by the system to perform channel encryption to allow exchange of encrypted data based on a cross layer approach, over a secure session. As the exchange of data becomes the responsibility of the lower layer like the transport layer, the data is protected from replay attacks since the transport layer record encryption mechanism provides that kind of protection.
Type: Grant
Filed: October 20, 2015
Date of Patent: July 3, 2018
Assignee: TATA CONSULTANCY SERVICES LTD.
Inventors: Abhijan Bhattacharyya, Tulika Bose, Soma Bandyopadhyay, Arjit Ukil, Arpan Pal
-
Patent number: 10007805
Abstract: The system may comprise receiving a data element, and receiving an encryption key and an associated encryption key identifier from an encryption keystore database. The system may further comprise transmitting the data element to an encryption module for encryption using the encryption key to form an encrypted data element. The system may also comprise receiving the encrypted data element from the encryption module and concatenating the encryption key identifier with the encrypted data element to form a protected data field entry.
Type: Grant
Filed: August 18, 2017
Date of Patent: June 26, 2018
Assignee: AMERICAN EXPRESS TRAVEL RELATED SERVICES COMPANY, INC.
Inventors: Allan Christopher Pomeroy, Philip John Lundrigan
-
Patent number: 10007771
Abstract: A method for operating a mobile device includes generating a user interface at a processor. The user interface includes one or more virtual objects. The method also includes changing a configuration of the one or more virtual objects. The method further includes monitoring a mannerism of a user of the mobile device. The mannerism is affected by a change in configuration of the one or more virtual objects. The method also includes performing a function based on the mannerism.
Type: Grant
Filed: January 15, 2016
Date of Patent: June 26, 2018
Assignee: QUALCOMM Incorporated
Inventors: Seyfullah Halit Oguz, Khaled Helmi El-Maleh, Saurabh Sensharma, Arvind Kulathu Ramachandran
-
Patent number: 10002235
Abstract: A healthcare enterprise has an associated management resource that manages operation of one or more medical devices in the healthcare enterprise. To determine what functionality to enable in a respective medical device, the respective medical device establishes a communication link to communicate in a network environment. Subsequent to establishing the communication link, the medical device initiates communications over the communication link from the medical device to the remotely located management resource. The communications include a unique identifier value assigned to the medical device. Depending upon feedback (such as granting or denial of authorization) from the management resource with respect to the unique identifier value, the medical device operates in one of multiple different operational modes such as a fully functional mode or a reduced functionality mode.
Type: Grant
Filed: July 8, 2015
Date of Patent: June 19, 2018
Assignee: Ivenix, Inc.
Inventors: George W. Gray, William C. McQuaid
-
Patent number: 9992165
Abstract: Methods and systems for detecting undesirable computer files based on scanning and analysis of information contained within an associated digital certificate chain are provided. According to one embodiment, a file having associated therewith a certificate chain is received. A type and structure of the file are identified. A location of the certificate chain is determined based on the identified type and structure. A signature of the file is formed by extracting a targeted subset of information from the certificate chain. The file is evaluated by comparing the signature with a set of signatures having a known desirable or undesirable status. The file is classified based on a result of the evaluating into a category of multiple categories, including one indicative of an associated file being an undesired file or a file suspected of being undesired. The file is handled in accordance with a policy associated with the category.
Type: Grant
Filed: September 14, 2017
Date of Patent: June 5, 2018
Assignee: Fortinet, Inc.
Inventors: Steven Michael Fossen, Alexander Douglas MacDonald
-
Patent number: 9984171
Abstract: Systems and methods for detecting false code in web pages linked to a web site are provided. One system includes a web server for administering the web site and a surveillance server for collecting generated or updated web pages from among the web pages linked to the web site, selecting tags of a given tag type included in the collected web pages, determining whether the selected tags comprise false code, and providing the determination result to an administrator terminal such that an administrator can check the determination result. One method includes collecting web pages that were generated or updated within a set time period from among the web pages linked to the web site, determining whether tags included in the collected web pages comprise false code, and providing the determination result to an administrator terminal such that an administrator can check the determination result.
Type: Grant
Filed: May 22, 2009
Date of Patent: May 29, 2018
Assignee: eBay Korea Co. Ltd.
Inventors: Young Bae Ku, Eui Won Park, Chang Sup Ko, Seung Wan Lee, Dong Hyun Kim, Ho Jin Jung, Sung Hoon Jin
-
Patent number: 9977911
Abstract: In an electronic device, a first application sends a request to a second application for access by the first application to a resource of the electronic device, wherein the first and second applications run on an operating system of the electronic device. In response to the first request, the second application is used to ask a user of the electronic device for permission for the first application to access the resource. A first user input is received, providing permission for the first application to access the resource. In response to the first user input, the second application is used to grant permission to the first application to access the resource.
Type: Grant
Filed: December 30, 2014
Date of Patent: May 22, 2018
Assignee: FACEBOOK, INC.
Inventor: Matthew Robert Mallozzi
-
Patent number: 9967278
Abstract: Systems and methods for analyzing applications for risk are provided. In the example method, the applications reside on a mobile device that is configurable to access an enterprise system. The example method includes evaluating each of a plurality of applications variously for privacy, data leakage, and malicious behavior. The example method also includes calculating a risk score for each of the plurality of applications based on the evaluating; and automatically remediating (e.g., quarantining) the applications, of the plurality of applications, for which the risk score meets or exceeds a risk score threshold. The method may evaluate all of the applications residing on a mobile device. The method may include grouping application behaviors, for each of the applications, that indicate an increased risk into groups comprising various combinations of a privacy risk, a data leakage risk, an account takeover risk, a device takeover risk, and a malware risk.
Type: Grant
Filed: October 20, 2015
Date of Patent: May 8, 2018
Assignee: Proofpoint, Inc.
Inventors: David Alexander Jevans, Suresh Kumar Basandra
-
Patent number: 9965347
Abstract: A manufacturing system for a data storage device including a non-networked manufacturing device configured to write manufacturing data into a data storage device reliability log in a memory of a data storage device, and a networked manufacturing device configured to read the manufacturing data from the data storage device reliability log in the memory of the data storage device.
Type: Grant
Filed: February 19, 2014
Date of Patent: May 8, 2018
Assignee: Western Digital Technology, Inc.
Inventors: Michael F. Klett, Edwin D. Barnes
-
Patent number: 9954863
Abstract: A computing system record security architecture comprises, in one example, a record generation component configured to receive a record generation request that includes a set of attributes and to generate a record in a computing system based on the record generation request, wherein the record includes the set of attributes and an owner property that identifies a first user as an owner of the record. The architecture comprises a record security component configured to receive a record modification request that requests a modification to the record, to analyze an identifier in the record modification request that identifies a second user as a sender of the record modification request, and to process the record modification request based on an analysis of the identifier in the record modification request relative to the owner property of the record.
Type: Grant
Filed: August 28, 2015
Date of Patent: April 24, 2018
Assignee: Microsoft Technology Licensing, LLC
Inventors: Jaskaran Singh, Jaya Matthew, David Los
-
Patent number: 9948463
Abstract: Multivariate public key signature/verification system including a signature module and a verification module. The signature module contains a processor, first affine transformation inversion component, isomorphic inversion component, trapdoor component, isomorphic component, and second affine transformation inversion component. Corresponding computations are executed sequentially by the components on a message to be signed; solutions are generated after being processed by the trapdoor component; one solution is selected randomly and transmitted to the isomorphic component and second affine component for processing, and a signature generated is transmitted with the message to the processor. The verification module contains the processor and a public key transformation component. The signature is transmitted by the processor to the transformation component and substituted into each multivariate polynomial in a public key mapping.
Type: Grant
Filed: December 18, 2013
Date of Patent: April 17, 2018
Assignee: SOUTH CHINA UNIVERSITY OF TECHNOLOGY
Inventors: Shaohua Tang, Wuqiang Shen
-
Patent number: 9948649
Abstract: A device may receive a request to access a resource. The resource may be associated with resource information. The device may obtain rating information based on receiving the request. The rating information may identify a rating associated with the resource. The device may apply an access rule based on the rating information. The access rule may identify an access indicator to generate based on the rating information. The access indicator may indicate an action to perform related to the resource. The device may generate the access indicator based on applying the access rule to the rating information. The device may store, locally in one or more memories, information that indicates an association between the access indicator and the resource information.
Type: Grant
Filed: December 30, 2014
Date of Patent: April 17, 2018
Assignee: Juniper Networks, Inc.
Inventors: Ye Zhao, Jun Yang, Tao Zhao, Lin Chen
-
Patent number: 9910994
Abstract: Described are techniques for determining and mitigating leakage of sensitive data into log data. An application programming interface (API) is instrumented to recognize data classification tags indicative of sensitive data in a message to or from a service. Values associated with the data classification tags may be sampled and added to a dictionary of watch data. Log data may be searched for the values in the dictionary. If the occurrence of one or more of these values in the log data exceeds a threshold value, mitigation actions may be taken. Also described is a system to sample non-sensitive information about the API interactions known to have occurred. The log data may be inspected to find these interactions, with their absence indicative of a failure in the logging system.
Type: Grant
Filed: August 27, 2015
Date of Patent: March 6, 2018
Assignee: Amazon Technologies, Inc.
Inventor: Nima Sharifi Mehr
-
Patent number: 9910984
Abstract: Various aspects include methods and computing devices implementing the methods for evaluating device behaviors in the computing devices. Aspect methods may include using a behavior-based machine learning technique to classify a device behavior as one of benign, suspicious, and non-benign. Aspect methods may include using one of a multi-label classification and a meta-classification technique to sub-classify the device behavior into one or more sub-categories. Aspect methods may include determining a relative importance of the device behavior based on the sub-classification, and determining whether to perform robust behavior-based operations based on the determined relative importance of the device behavior.
Type: Grant
Filed: August 27, 2015
Date of Patent: March 6, 2018
Assignee: QUALCOMM Incorporated
Inventors: Andres Valencia, Vinay Sridhara, Yin Chen, Rajarshi Gupta
-
Patent number: 9906510
Abstract: Disclosed are various examples for facilitating a virtual content repository on behalf of a user. In a virtual content repository, files are stored in content repositories external to the virtual content repository that are associated with a user account that can be different from an enterprise user account linked to the virtual content repository. Files and portions thereof can also be stored in multiple content repositories that are external to the virtual content repository. A file can also be encrypted, in which case the encryption key can be stored by the virtual content repository but, in some scenarios, not in the content repository where the file is stored.
Type: Grant
Filed: June 16, 2015
Date of Patent: February 27, 2018
Assignee: AirWatch LLC
Inventors: Ramani Panchapakesan, Gangadhar Nittala
-
Patent number: 9906498
Abstract: In the case of a secure communication connection to a communication device connected to the industrial automation system via a non-secure subnetwork, a monitoring unit checks whether a new communication network address assigned to the communication device for a connection to the non-secure subnetwork becomes valid. In the event of a change in a communication network address and in the case of a still existing secure communication connection, the monitoring unit transmits an address change notification via the existing secure communication connection, where upon receiving the address change notification, the set-up of an additional secure communication connection and a changeover from the existing secure communication connection to the additional secure communication connection are initiated.
Type: Grant
Filed: August 28, 2015
Date of Patent: February 27, 2018
Assignee: Siemens Aktiengesellschaft
Inventor: Harald Albrecht
-
Patent number: 9900160
Abstract: Techniques for using short-term credentials using asymmetric session keys are described herein. A request for a short-term credential is received that is digitally signed with a different credential. In response to the request, short-term credential data is generated and populated with a public session key corresponding to a private session key. The short-term credential data is then encrypted with a session encryption key to produce the short-term credential token, which can then be used by the requester as a short-term credential for subsequent requests.
Type: Grant
Filed: December 3, 2015
Date of Patent: February 20, 2018
Assignee: Amazon Technologies, Inc.
Inventors: Marc R. Barbour, Khaled Salah Sedky, Srikanth Mandadi, Slavka Praus