Patents Examined by Mohammad L Rahman
  • Patent number: 9076020
    Abstract: An electronic device includes at least one memory unit, a plurality of applications residing on at least one of the memory units and a database residing on at least one of the memory units. The database is configured to store a record specifying a subset of the plurality of applications that are to be inaccessible to a user when in a protected mode of operation. The protected mode is designed for a user (e.g., child or friend borrowing the device) who can potentially use the device with settings that are configured under the primary user's (e.g. parent, device administrator) supervision. The device also includes a user interface through which a primary user and not other users can specify the subset of the plurality of applications to be included in the record. A processor is operatively associated with the memory unit, the database and the user interface.
    Type: Grant
    Filed: May 13, 2011
    Date of Patent: July 7, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Eric Ahlstrom, Jenna Lee
  • Patent number: 9075980
    Abstract: Systems, methods, and technologies for configuring a conventional smart card and client machine, and for performing a smart card authorization using the configured smart card and client. Further, the combination of methods provides for mutual authentication—authentication of the client to the user, and authentication of the user to the client. The authentication methods include presenting a specified token to the user sufficient to authenticate the client to the user and thus protect the user-provided PIN. Security is strengthened by using an integrity key based on approved client system configurations. Security is further strengthened by calculating a PIN′ value based on a user-specified PIN and a modifier and using the PIN′ value for unlocking the smart card.
    Type: Grant
    Filed: June 27, 2013
    Date of Patent: July 7, 2015
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Stefan Thom, Erik Lee Holt, Shivaram H. Mysore, Valerie Kathleen Bays, Carl M. Ellison
  • Patent number: 9069934
    Abstract: A method and system for providing a user with digital content includes a user interface provided to a user for allowing the user to be presented with the digital content. The method and system includes receiving authentication information from the user and authenticating the user if the authentication method correctly corresponds with previously stored information of the user. As a result, the user has access to the digital content, wherein the digital content is information from a third party, e.g., a vendor of goods or services or information provider, based on a user profile which comprises user preferences. The digital content is then presented to the user interface.
    Type: Grant
    Filed: August 21, 2012
    Date of Patent: June 30, 2015
    Inventor: Kip Raymond Meeboer
  • Patent number: 9064114
    Abstract: The present invention relates to a method and device for scanning of data for signatures prior to storage. First data are received at a storage device for storage therein. Upon receipt the first data are stored in a temporary storage medium for storing other than guaranteed previously scanned data. Using a processor of the storage device, the first data are compared with at least a predetermined signature and a comparison result is determined in dependence thereupon. In dependence upon the comparison result the first data are provided to the scanned data memory when the comparison result is indicative of other than a match or the first data are other than provided to the scanned data memory when the comparison result is indicative of a match. The method and the device according to the invention substantially reduce the risk that a file infected with a computer virus is transferred from one computer to another via a portable storage medium.
    Type: Grant
    Filed: January 14, 2014
    Date of Patent: June 23, 2015
    Assignee: Imation Corp.
    Inventor: Laurence Hamid
  • Patent number: 9055094
    Abstract: A method performed in a processor of an intrusion detection/prevention system (IDS/IPS) checks for valid packets in an SMB named pipe in a communication network. In a processor configured as an IDS/IPS, a packet in a transmission is received and a kind of application of a target of the packet is determined. Also, the data in the packet is inspected by the IDS/IPS as part of the SMB named pipe on only one of a condition that: (a) the FID in an SMB command header of the packet is valid (i) for segments/fragments in the SMB named pipe and (ii) for the determined kind of application of the target of the packet, as indicated by a reassembly table, and (b) the determined kind of application of the target of the packet does not check the FID, as indicated by the reassembly table.
    Type: Grant
    Filed: May 31, 2012
    Date of Patent: June 9, 2015
    Assignee: Cisco Technology, Inc.
    Inventor: Kenneth Todd Wease
  • Patent number: 9049173
    Abstract: Methods and systems are provided for providing access to a cloud-based logging service to a user without requiring user registration. Methods and systems are also provided for providing cloud-based logging service to users by integrating the cloud-based logging service within a network security gateway appliance, thereby enabling the users to use the cloud-based logging service by accessing the gateway appliance. The cloud-based logging service can be accessed via an Application Programming Interface (API) without requiring user registration and allows easy and efficient access to log files, viewing of log files, and data security to stored log files and generated reports.
    Type: Grant
    Filed: June 5, 2013
    Date of Patent: June 2, 2015
    Assignee: Fortinet, Inc.
    Inventor: Jun Yin
  • Patent number: 9043906
    Abstract: Methods and devices for protecting computing devices against the effects of surreptitiously loaded machine language programs from a malware source. The user defines a pattern of disruption of the sequence of bytes. The user then installs legitimate programs to be run on a particular computing device by loading the original program onto the local hard drive and replacing the program by one to which the pattern of disruption has been applied. Using the user-defined disruption pattern, the computing device can define the transforms necessary to reverse the application of the disruptive pattern. As part of the process the operating system for the computing device is modified to apply transforms that reverse the disruption pattern when executing a program file loaded into RAM.
    Type: Grant
    Filed: November 25, 2013
    Date of Patent: May 26, 2015
    Inventor: William Christopher Hardy
  • Patent number: 9043861
    Abstract: A system and method of managing security policies in an information technologies (IT) system are provided. In an example, the method includes receiving an input indicating a high-level security policy for the IT system, the received high-level security policy relating to non-functional system attributes for the IT system and received in a format that is not machine-enforceable at an enforcement entity of the IT system. A functional model for the IT system is determined, where the functional model indicates functional system attributes of the IT system. At least one pre-configured rule template is loaded, and at least one machine-enforceable rule is generated in a manner compliant with the received high-level security policy by iteratively filling the at least one pre-configured rule template with functional system attributes indicated by the functional model. After the generating step, the at least one machine-enforceable rule can be distributed (e.g.
    Type: Grant
    Filed: May 23, 2008
    Date of Patent: May 26, 2015
    Inventors: Ulrich Lang, Rudolf Schreiner
  • Patent number: 9038195
    Abstract: Arrangements described herein relate to accessing a cloud based service. Responsive to a user of a first communication device initiating access to the cloud based service via the first communication device, a prompt for a valid password to be entered to access the cloud based service can be received by the first communication device. Responsive to the valid password required to access the cloud based service not being stored on the first communication device, the first communication device can automatically retrieve the valid password from a second communication device via a peer-to-peer ad hoc communication link between the first communication device and the second communication device. The valid password can be automatically provided, by the first communication device, to a login service for the cloud based service to obtain access by the first communication device to the cloud based service.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: May 19, 2015
    Assignee: Google Technology Holdings LLC
    Inventors: Ansuman Satpathy, Haitang Wang
  • Patent number: 9032202
    Abstract: A server receives from a client at least one interest pseudonym produced by a double application of a pseudo random function to at least one interest of the client. The server encrypts an item. The server computes at least one intermediate topic pseudonym for at least one topic associated with the item by applying the function to each of the at least one topic associated with the item. The server transmits the at least one intermediate topic pseudonym, the at least one interest pseudonym, and the encrypted item to a third party. The third party may apply the function to the at least one intermediate topic pseudonym to produce at least one topic pseudonym associated with the item and transmit the encrypted item to the client for decryption when one of the at least one masked topic pseudonym is equal to one of the at least one interest pseudonym of the client.
    Type: Grant
    Filed: February 25, 2013
    Date of Patent: May 12, 2015
    Assignee: Vencore Labs, Inc.
    Inventor: Giovanni Di Crescenzo
  • Patent number: 9032524
    Abstract: A method for mitigating denial of service attacks may include filtering out invalid packets from the received packets using a first filtering module, allowing the valid packets to pass through the first filtering module, and allowing some invalid packets to pass through the first filtering module. The method may also include passing the valid packets and the remaining invalid packets from the first filtering module to a second filtering module, filtering out more of the invalid packets using the second packet filtering module, allowing the valid packets to pass through the second filtering module, and allowing some invalid packets to pass through the second filtering module. The method may additionally include passing the valid packets and the remaining invalid packets to a protocol stack to filter the remaining invalid packets and pass the valid packets through to an application.
    Type: Grant
    Filed: September 10, 2014
    Date of Patent: May 12, 2015
    Assignee: HAProxy S.á.r.l.
    Inventor: Willy Tarreau
  • Patent number: 9027150
    Abstract: A system for integrating modules of computer code may include a sandbox validator for receiving a first module and verifying that the first module complies with one or more sandbox constraints. A computing device may execute the first module within a runtime environment. A module integrator may operate within the runtime environment for receiving a request from the first module to access a service provided by a second module and only allowing the first module to access the service when the first module is authorized to access the service according to a service authorization table. The sandbox validator may ensure the first module correctly identifies itself when requesting a service provided by another module and that the first module includes runtime policing functions for non-deterministic operations. A service authorizer may generate an authorization policy for the first module, which is sent to the computing device along with the first module.
    Type: Grant
    Filed: October 25, 2013
    Date of Patent: May 5, 2015
    Assignee: Guest Tek Interactive Entertainment Ltd.
    Inventor: Gary R. Court
  • Patent number: 9021562
    Abstract: The present disclosure provides methods and systems for secure logon. One or more methods include: determining, via authentication information provided by a user of an electronic device, that the user is authorized to access an online account provided by the online account provider; providing the user with a selectable option to enable an expedited logon process by which the user can access the online account by solely providing a particular authentication item of the user; receiving a verification credential in response to a next logon attempt using the expedited logon process; and verifying that the received verification credential matches an assigned verification credential provided to the user for use in conjunction with the next logon attempt using the expedited logon process.
    Type: Grant
    Filed: February 28, 2011
    Date of Patent: April 28, 2015
    Assignee: United Services Automobile Association
    Inventors: Thomas B. Buckingham, Richard A. Davey, Tammy L. Sanclemente, Ryan M. Johnson, Adam J. Leatham, John D. Row, Christopher T. Wilkinson
  • Patent number: 9021553
    Abstract: Methods and apparatus are provided for fraud detection and remediation in knowledge-based authentication (KBA). A knowledge-based authentication method is performed by a server for restricting access of a user to a restricted resource. The exemplary knowledge-based authentication method comprises challenging the user with one or more questions requiring knowledge by the user; receiving a response from the user to the one or more questions, wherein at least a portion of the response is encoded by the user using an encoding scheme defined between the server and the user to signal a fraudulent access attempt; and granting access to the restricted resource if one or more predefined response criteria are satisfied, wherein the one or more predefined response criteria comprises an assessment of whether the encoded portion of the response satisfies the encoding scheme. A number of exemplary encoding schemes are disclosed.
    Type: Grant
    Filed: March 30, 2012
    Date of Patent: April 28, 2015
    Assignee: EMC Corporation
    Inventors: Thomas S. Corn, Ari Juels, Nikolaos Triandopoulos
  • Patent number: 9009844
    Abstract: Knowledge-based authentication (KBA) is provided using historically-aware questionnaires. The KBA can obtain a plurality of historically different answers from the user to at least one question; challenge the user with the question for a given period of time; receive a response from the user to the question; and grant access to the restricted resource if the response is accurate for the given period of time based on the historically different answers. Alternatively, the KBA can be based on historically aware answers to a set of inter-related questions. The user is challenged with the inter-related questions for a given period of time. Historically different answers can comprise answers with applicable dates, or correct answers to the question over time. Historically aware answers can comprise an answer that is accurate for an indicated date or period of time. An accurate response demonstrates knowledge of multiple related personal events.
    Type: Grant
    Filed: March 30, 2012
    Date of Patent: April 14, 2015
    Assignee: EMC Corporation
    Inventors: Thomas S. Corn, Ari Juels, Nikolaos Triandopoulos
  • Patent number: 9003541
    Abstract: A method, apparatus and computer program product relating to software license tokens is presented. A client system requests launching of a software application and retrieves a first software license token associated with the software application. The client system determines whether the license token associated with the software application is valid, wherein when the license token is valid, the client system launches the software application. When the license token is not valid then the client system requests a replacement license token. The client system receives the replacement license token and stores the replacement license token. The client system then retrieves the stored license token and determines whether the license token is valid. When the license token is valid, then the software application is launched, when the software license token is not valid then the client system refrains from launching of the software application.
    Type: Grant
    Filed: December 22, 2009
    Date of Patent: April 7, 2015
    Assignee: Adobe Systems Incorporated
    Inventor: Mansukh Patidar
  • Patent number: 9003497
    Abstract: A method and system for securely pairing wireless devices includes deploying a master device in a network environment, and a new device to be securely integrated into the network environment executes an unauthenticated key exchange with the master device. The master device has a security association with a camera system that monitors an operational area where the new device is placed. Based on the exchanged key, the master device and the new device each compute a key confirmation code. The camera system learns the key confirmation code from the master device. The camera system watches for devices transmitting the key confirmation code and provides images of such identified devices to the master device. Based on an analysis of an image of a device identified by the camera system, an authorization decision is made with respect to accepting the identified device as a new device of the network environment.
    Type: Grant
    Filed: October 26, 2010
    Date of Patent: April 7, 2015
    Assignee: NEC Europe Ltd.
    Inventors: Jens-Matthias Bohli, Osman Ugus
  • Patent number: 9003540
    Abstract: Cross Site Request Forgery (CSRF) and other types of fraudulent submission can be mitigated using state information that typically is already maintained for various users. Each submission requiring authentication can include a state identifier (ID). The state ID can be compared to a corresponding secure state ID stored in a secure location, such as in a secure token or cookie or in a variable on a page that can only be accessed by code executing in the same security context as the site to which the request is made. If the received state ID is valid and matches the secure state ID, the submission is processed. Otherwise, an interstitial element is generated to prompt the user to confirm the prior submission. A subsequent confirmation submission confirming the prior submission and containing the proper state ID can be processed. If no such confirmation is received, the submission is not processed.
    Type: Grant
    Filed: October 7, 2009
    Date of Patent: April 7, 2015
    Assignee: Amazon Technologies, Inc.
    Inventors: Jesper M. Johansson, Eric J. Martin, Brandon M. Knight
  • Patent number: 8997189
    Abstract: Embodiments of multi-user web service sign-in client side components are presented herein. In an implementation, the currently authenticated user account of a first application of a client is transferred to another application of a client. In another implementation, a common credential store is used to share data for a plurality of user accounts associated with a client between a plurality of applications of the client, and for the applications to output multi-user interfaces having portions corresponding to the plurality of accounts.
    Type: Grant
    Filed: May 31, 2013
    Date of Patent: March 31, 2015
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Erren Dusan Lester, Kok Wai Chan, Lynn C. Ayres, Naresh Jain, Rui Chen, Trevin M. Chow
  • Patent number: 8996882
    Abstract: The present invention provides an execution method of a .NET program after encryption. An operating system allocates a process address space to a .NET program process and maps PE files into the process address space respectively. After the .NET program process runs, it is judged whether a currently running program module is encrypted. The .NET program process continues to run after the encrypted program module is decrypted. If the current program module calls a subroutine module, it is judged whether the subroutine module is encrypted. If the subroutine module is encrypted, a decryption operation is performed, and the .NET program process continues to run. With the method, encryption management can be performed on the .NET program based on modules, thereby providing diversified functions for protecting .NET software.
    Type: Grant
    Filed: October 25, 2011
    Date of Patent: March 31, 2015
    Assignee: Feitian Technologies Co., Ltd.
    Inventors: Zhou Lu, Huazhang Yu