Patents Examined by Michael R Vaughan
-
Patent number: 9817954
Abstract: A method, apparatus, media and data structure for rendering a wrapper. The wrapper includes at least one data structure in a format that is renderable by a standard rendering engine and containing censored content comprising source content identification information. When the wrapper is opened by a standard rendering engine, the censored content is rendered. When opened by a trusted rendering engine, the source content is rendered.
Type: Grant
Filed: August 27, 2015
Date of Patent: November 14, 2017
Assignee: CONTENTGUARD HOLDINGS, INC.
Inventor: Michael Charles Raley
-
Patent number: 9813389
Abstract: Disclosed herein are systems, methods, and non-transitory computer-readable storage media for wireless data protection utilizing cryptographic key management on a primary device and a backup device. A system encrypts a file with a file key and encrypts the file key twice, resulting in two encrypted file keys. The system encrypts each file key differently and stores a first file key on the primary device and transmits one of the encrypted file keys in addition to the encrypted file to a backup device for storage. On the backup device, the system associates the encrypted file key with a set of backup keys protected by a user password. In one embodiment, the system generates an initialization vector for use in cryptographic operations based on a file key. In another embodiment, the system manages cryptographic keys on a backup device during a user password change.
Type: Grant
Filed: July 22, 2016
Date of Patent: November 7, 2017
Assignee: Apple Inc.
Inventors: Conrad Sauerwald, Vrajesh Rajesh Bhavsar, Kenneth Buffalo McNeil, Thomas Brogan Duffy, Jr., Michael Lambertus Hubertus Brouwer, Matthew John Byom, Mitchell David Adler, Eric Brandon Tamura
-
Patent number: 9813377
Abstract: Methods and apparatus for optimizing security configurations of a set of computers are disclosed. A set of local servers, each functioning as a deep-security manager supporting a respective subset of the computers, maintains protection software containing filters and rules for deploying each filter. A local server receives updated protection software from a central server. Each local server interrogates each computer of its subset of computers to acquire computer-characterizing data and applies relevant rules to determine an optimal set of filters for each computer. Each rule adaptively determines required characterizing data elements from each computer for determining an optimal security configuration. A local server updates the security configuration of a computer to suit changes in the operational environment of the computer.
Type: Grant
Filed: April 10, 2017
Date of Patent: November 7, 2017
Assignee: TREND MICRO INCORPORATED
Inventors: Anthony Robert Durie, William G. McGee
-
Patent number: 9798877
Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for allocating resources to processes based on security risk. The methods include actions of receiving a request from a process executing on a system for an allocation of resources and identifying other processes executing on the system. Additional actions include determining, for each of the processes, a risk score that reflects a likelihood that the process is a malicious process and determining a resource allocation priority based on the risk scores of each of the processes. Further actions include allocating resources to the processes based on the resource allocation priority.
Type: Grant
Filed: August 28, 2015
Date of Patent: October 24, 2017
Assignee: Accenture Global Services Limited
Inventor: Shaan Mulchandani
-
Patent number: 9800403
Abstract: Systems, methods, and computer-readable media are disclosed for processing and message padding an input message as well as processing an extended output message (EOM) in a manner that ensures that the input message and the padded message are processed only a single time, thus avoiding generation of an incorrect message digest. In addition, in those scenarios in which multiple padded message blocks are generated, the disclosed systems, methods, and computer-readable media ensure that all of the padded message blocks are processed.
Type: Grant
Filed: September 30, 2016
Date of Patent: October 24, 2017
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventor: Louis P. Gomes
-
Patent number: 9800617
Abstract: This disclosure facilitates managing lost devices. In some embodiments, a system receives a first device type from a first agent on a first device, and a different second device type from a second agent on a second device. The system receives a first group associated with the first device and a different second group associated with the second device. The system determines that the first device and the second device are lost and accesses a database storing first and second configuration classes associated with the first and second devices, respectively. The system creates first and second device-dependent classes based on the first and second device types and the first and second configuration classes, respectively. The system melds the first device-dependent class into a first melded profile and the second device-dependent class into a second melded profile, using the respective groups, and applies the melded profiles to the corresponding device.
Type: Grant
Filed: May 9, 2016
Date of Patent: October 24, 2017
Assignee: Connectwise, Inc.
Inventors: Gregory Francis Buerk, Scott Logan
-
Patent number: 9800585
Abstract: An example method for controlling access to services coupled to an application server includes receiving a set of method calls issued from originator services to target services and recording information about the set of method calls into a data structure. The method also includes modifying, based on user input, the data structure to exclude each unauthorized method call from the data structure. The method further includes receiving a first method call from a first originator service to a target service, and determining, based on searching the data structure, whether the first originator service is authorized to issue the first method call to the first target service. In response to a determination that the first originator service is not authorized to issue the first method call to the first target service, the application server may block the first originator service from issuing the first method call to the first target service.
Type: Grant
Filed: October 21, 2015
Date of Patent: October 24, 2017
Assignee: Red Hat, Inc.
Inventors: Filip Nguyen, Filip Elias
-
Patent number: 9787473
Abstract: Techniques for use of carbon nanotubes as an anti-tampering feature and for use of randomly metallic or semiconducting carbon nanotubes in the generation of a physically unclonable cryptographic key generation are provided. In one aspect, a cryptographic key having an anti-tampering feature is provided which includes: an array of memory bits oriented along at least one bit line and at least one word line, wherein each of the memory bits comprises a memory cell, wherein the cryptographic key is stored in the memory cell, and wherein the memory cell is connected to the at least one bit line; and a metallic carbon nanotube interconnect which connects the memory cell to the at least one word line. A cryptographic key and method for processing the cryptographic key are also provided.
Type: Grant
Filed: June 24, 2015
Date of Patent: October 10, 2017
Assignee: International Business Machines Corporation
Inventors: Wilfried Haensch, Shu-Jen Han, Keith A. Jenkins, Dirk Pfeiffer
-
Patent number: 9787499
Abstract: In accordance with a designation of a private alias endpoint as a routing target for traffic directed to a service from within an isolated virtual network of a provider network, a tunneling intermediary receives a baseline packet generated at a compute instance. The baseline packet indicates a public IP (Internet Protocol) address of the service as the destination, and a private IP address of the compute instance as the source. In accordance with a tunneling protocol, the tunneling intermediary generates an encapsulation packet comprising at least a portion of the baseline packet and a header indicating the isolated virtual network. The encapsulation packet is transmitted to a node of the service.
Type: Grant
Filed: September 19, 2014
Date of Patent: October 10, 2017
Assignee: Amazon Technologies, Inc.
Inventors: Kevin Christopher Miller, Richard Alexander Sheehan, Douglas Stewart Laurence, Marwan Salah El-Din Oweis, Andrew Bruce Dickinson
-
Patent number: 9787683
Abstract: The exemplary embodiments include a method to perform, based on at least one of hypertext transport protocol and non-hypertext transport protocol traffic tests failing, sending an hypertext transport protocol message to a subscription remediation server URI that carries a package1 message, receiving an hypertext transport protocol response from the subscription mediation server with a package2 message, and automatically replacing a password with a new value, automatically initiating creation of a new client certificate, or launching a browser to a URI provided in the response to enable user intervention. In addition, to receive an access request from a device, determining whether credentials are valid, and if the credentials are determined valid, sending an access-accept message with a success indication, and if the credentials are determined not valid, sending an access-accept message with a success indication and an indication that access by the device is limited to only a subscription remediation server.
Type: Grant
Filed: March 14, 2016
Date of Patent: October 10, 2017
Assignee: Nokia Technologies Oy
Inventors: Basavaraj Patil, Gabor Bajko
-
Patent number: 9779265
Abstract: The system may comprise receiving a data element, and receiving an encryption key and an associated encryption key identifier from an encryption keystore database. The system may further comprise transmitting the data element to an encryption module for encryption using the encryption key to form an encrypted data element. The system may also comprise receiving the encrypted data element from the encryption module and concatenating the encryption key identifier with the encrypted data element to form a protected data field entry.
Type: Grant
Filed: June 16, 2017
Date of Patent: October 3, 2017
Assignee: AMERICAN EXPRESS TRAVEL RELATED SERVICES COMPANY, INC.
Inventors: Allan Christopher Pomeroy, Philip John Lundrigan
-
Patent number: 9781626
Abstract: A system and method are provided for allocating wireless channels in a base station processor to messages sent between a subscriber and the base station processor in a wireless network. A latency period is determined corresponding to a return message to be received from a responsive node in response to an outgoing message sent from a sender via the base station processor. A latency manager in the base station processor computes the latency period and stores the latency period in an allocation table. A scheduler schedules a channel to be available at the end of the latency period indicated in the allocation table. At the end of the latency period, the return message is received and the scheduler allocates a channel as defined in the allocation table. The scheduled channel is used to transmit the message to or from the corresponding subscriber.
Type: Grant
Filed: August 26, 2013
Date of Patent: October 3, 2017
Assignee: IPR Licensing, Inc.
Inventors: Kevin L. Farley, James A. Proctor, Jr.
-
Patent number: 9774569
Abstract: Methods and systems for detecting undesirable computer files based on scanning and analysis of information contained within an associated digital certificate chain are provided. According to one embodiment, a file having associated therewith a certificate chain is received. A type and structure of the file are identified. A location of the certificate chain is determined based on the identified type and structure. A signature of the file is formed by extracting a targeted subset of information from the certificate chain. The file is evaluated by comparing the signature with a set of signatures having a known desirable or undesirable status. The file is classified based on a result of the evaluating into a category of multiple categories, including one indicative of an associated file being an undesired file or a file suspected of being undesired. The file is handled in accordance with a policy associated with the category.
Type: Grant
Filed: March 11, 2017
Date of Patent: September 26, 2017
Assignee: Fortinet, Inc.
Inventors: Steven Michael Fossen, Alexander Douglas MacDonald
-
Patent number: 9774629
Abstract: Disclosed herein are methods, systems, and software for handling secure transport of data between end users and content serving devices. In one example, a method of operating a content server includes identifying a content request from an end user device. The method further includes, responsive to the user request, determining a transmission control protocol window size and a secure layer protocol block size. The method also provides scaling the secure layer protocol block size to match the transmission control protocol window size, and transferring secure layer protocol packets to the end user device using the scaled secure layer protocol block size.
Type: Grant
Filed: June 13, 2016
Date of Patent: September 26, 2017
Assignee: Fastly, Inc.
Inventor: Artur Bergman
-
Patent number: 9774620
Abstract: Aspects of the subject disclosure are directed towards detecting instances within a web application where code and data are not separated, e.g., inline code in the application. One or more implementations automatically transform the web application into a transformed version where code and data are clearly separated, e.g., inline code is moved into external files. The transformation protects against a large class of cross-site scripting attacks.
Type: Grant
Filed: June 18, 2013
Date of Patent: September 26, 2017
Assignee: Microsoft Technology Licensing, LLC
Inventors: Weidong Ciu, Adam Loe Doupe, Mariusz H. Jakubowski, Marcus Peinado
-
Patent number: 9767285
Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for categorizing a process using crowdsourcing are described. The methods include the action of receiving data indicating resources allocated upon execution of each of one or more processes. The methods further include the action of receiving data indicating a configuration of the client device. The methods further include receiving data indicating a user selection whether to execute each of the one or more processes. The methods further include the action of determining a risk score that reflects a likelihood that the process is a malicious process. The methods further include the action of identifying a particular process. The methods further include the action of performing additional processing on the particular process. The methods further include the action of determining an updated risk score for the particular process.
Type: Grant
Filed: August 28, 2015
Date of Patent: September 19, 2017
Assignee: Accenture Global Services Limited
Inventor: Shaan Mulchandani
-
Patent number: 9760716
Abstract: In one implementation, a computer-implemented method includes receiving, at a process risk classifier running on a computer system, a request to determine a risk level for a particular process; accessing one or more signatures that provide one or more snapshots of characteristics of the particular process at one or more previous times; identifying one or more differences between the particular process in its current form and the one or more signatures; accessing information identifying previous usage of the computer system's resources by the particular process; determining a current risk score for the particular process based, at least in part, on (i) the one or more signatures for the particular process, (ii) the one or more differences between the particular process in its current form and the one or more signatures, and (iii) the previous usage of the resources; and providing the current risk score for the particular process.
Type: Grant
Filed: May 8, 2017
Date of Patent: September 12, 2017
Assignee: Accenture Global Services Limited
Inventor: Shaan Mulchandani
-
Patent number: 9762691
Abstract: In a system with a policy server, a first device able to communicate with the policy server and a second device able to communicate with the first device and unable to communicate with the policy server, the first device is to act as a policy proxy. The policy server may push to the first device a policy for the second device, and the first device may push the policy to the second device.
Type: Grant
Filed: December 12, 2016
Date of Patent: September 12, 2017
Assignee: BlackBerry Limited
Inventors: Michael Kenneth Brown, Neil Patrick Adams, Herbert Anthony Little
-
Patent number: 9749318
Abstract: A method and apparatus for key management in a communication network. A Key Management Server (KMS) receives from a first device a request for a token associated with a user identity, the user identity being associated with a second device. The KMS then sends the requested token and a user key associated with the user to the first device. The KMS subsequently receives the token from the second device. A second device key is generated using the user key and a modifying parameter associated with the second device. The modifying parameter is available to the first device for generating the second device key. The second device key is then sent from the KMS to the second device. The second device key can be used by the second device to authenticate itself to the first device, or for the first device to secure communications to the second device.
Type: Grant
Filed: August 8, 2014
Date of Patent: August 29, 2017
Assignee: Telefonaktiebolaget LM Ericsson (publ)
Inventors: Rolf Blom, Fredrik Lindholm, Mats Näslund, Karl Norrman
-
Patent number: 9727711
Abstract: A method and apparatus for account intercommunication among APPs. The method comprises: acquiring account information entered by a user in a current APP; and, after using the account information to log in successfully, providing the account information to other APPs having intercommunication permissions with the current APP for the other APPs to log in. Via the disclosed method, account information entered in any APP may be shared among APPs having intercommunication permissions with the APP, so that other APPs may be logged into using an intercommunicated account after they are opened, without the need to manage account information about various APPs through a unified entrance, and thus the APP need not access the entrance in advance, and login can be realized without the need to exit the APP to open the entrance; obviously, the flexibility and independence of APP login are improved, and the complexity of operation is reduced.
Type: Grant
Filed: December 30, 2014
Date of Patent: August 8, 2017
Assignee: BAIDU ONLINE NETWORK TECHNOLOGY (BEIJING) CO., LTD.
Inventors: Lingzhi Xu, Keke Zhou, Weifeng Huang, Huiping Wang, Guofeng Han