Abstract: A method and device for generating a monitoring policy for a device and selectively monitoring multiple tasks executed by the device is disclosed. The monitoring policy may relate to security monitoring or resource availability. A monitoring importance score for each of multiple tasks executing on the device may be generated and a monitoring resource availability within the device may be determined. The monitoring policy for the device may be generated based at least in part on the monitoring importance scores for the multiple tasks and the monitoring resource availability within the device. Fewer than all of the multiple tasks may be selectively monitored based on the monitoring policy for security threats to the device or resource availability for the device.

Abstract: Authorization technology queries a user of an authorizing computing device for permission to allow another user of a requesting computing device to have access to a protected resource of the user. A requesting computing device may access a protected resource of the user by requesting authorization information for accessing the protected resource from an authorization manager server. Requesting and authorizing computing devices have respective agents for communicating with an authorization manager server as well as users and applications. An authorization manager server may provide the authorization information (or limited authorization) to the requesting computing device after the authorization manager server queries the user of the authorizing computing device for permission and receives permission from the authorizing computing device (via user input).

Abstract: A content delivery server may provide content to a requesting client device using a streamlined HTTP enhancement proxy delivery technique. For example, an HTTP proxy server may receive a request for video content or a fragment of video content from a client device. The request may be associated with a timeout scheduled to occur if no content has been received after a specified amount of time. The server may then transmit a request for the content to a remote server, such as an upstream cache server in the proxy server's CDN. When the proxy server receives a portion of the requested content from the remote server, the proxy server begins transmitting the portion to the client device before the requested content has been completely received and buffered. The client device may then begin receiving data from the proxy server before timeout has occurred.

Abstract: A sending computer (sender) delivers private messages over a network via dynamically established encrypted channels where no copies of the message are persisted on third party computers. Private messages are routed dynamically based on membership status of the receiving computer (receiver) and direct addressability status of the sender and receiver. The system determines membership status of the receiver and provides a notification message and delivery link to the receiver when the receiver is not a member of the private network. When the receiver is a member, direct addressability of sender and receiver is determined, and the message is delivered directly to the receiver over an encrypted channel when the sender is directly addressable. When the sender is not directly addressable, the encrypted channel between the sender and receiver is established through a third party relay without persisting a copy of the private message on the third party relay.

Abstract: Apparatus and method for enacting data security in a data storage device, such as by protecting against a differential power analysis (DPA) attack. In some embodiments, a dithered clock signal is generated having a succession of clock pulse segments. Each of the clock pulse segments has a different respective frequency selected in response to a first random number and a different overall duration selected in response to a second random number. The different segment frequencies are selected by supplying the first random number to a lookup table, and the different segment durations are obtained by initializing a timer circuit using the second random number. The dithered clock signal is used to clock a programmable processor during execution of a cryptographic function.

Abstract: A content distribution method including: receiving, from a terminal, first information indicating an attribute of a user of the terminal, transmitting, to the terminal, second information relating to the attribute of the user of the terminal based on the first information, receiving, from the terminal, the second information and third information indicating a location of the terminal, and transmitting a content that is selected from among a plurality of contents based on the received second information and the received third information.

Abstract: Methods, computer-readable media and apparatuses for automatically redirecting a search are disclosed. A processor receives a search term, connects to a search server hosting a search site that displays a plurality of sites in response to the search term, receives a selection of a site from the plurality of sites, provides an option to associate the site with the search term and receives a confirmation to associate the site with the search term, where the search term automatically redirects a connection to a server hosting the site and by-passing a connection to the search server hosting the search site when the search term is received at a later time.

Abstract: An apparatus and method for securing a personal identification number (PIN) on a mobile device are provided. The method may include receiving a request for the PIN from a secure element on the mobile device, instantiating a trusted user interface (TUI), collecting the PIN via the TUI, and securely transmitting the PIN from a trusted execution environment (TEE) associated with the TUI to a secure element (SE).

Abstract: Techniques disclosed herein decouple a document's structure from its general content wherein the structure is retained in plaintext (both at a client device and in a server system) and the data is retained in cyphertext, and where the cloud-based server system is not tasked with the saving or management of the relevant cryptographic keys. Because the network- or cloud-based server system has “zero-knowledge” about the document's data content or the relevant cryptographic keys, an attack on the server system does not put the security of the document's data at risk. In addition, the network- or cloud-based server system may be used to perform the computationally intensive tasks of converting the document between a first format (often associated with a full-function document processing application not supported by the client device) and a second format (easily displayed and manipulated by a client device).

Abstract: Location data from one or more geolocation engines such as GPS, a system that determines location from relative signal strengths or transit times, etc., within and/or connected to a device, such as a mobile phone, vehicle, movable electronic device, computer, etc., is included in a digital record that submitted to obtain a digital signature such that the presence of the device at the particular location can later be proven. The digital record may include data that encodes a message, as well as other parameters such as time. The digital signature encodes recomputation parameters of a hash tree signature infrastructure to a highest level value, a function of which is submitted as a transaction in a blockchain.

Abstract: A security framework and methodology is provided which provides front-end security through authentication and authorization, and back-end security through a virtual private data-store created within an insecure environment using existing object-relational mapping (ORM) layers or database drivers. The front-end security utilizes numerous multi-factor authentication metrics and a distributed denial of service (DDoS) cryptographic boundary to proactively attack malicious users using a cryptographic puzzle, and the back-end security provides data encryption and decryption, data privacy, data integrity, key management, pattern monitoring, audit trails and security alerts while simultaneously hiding the complexity behind an identical or similar ORM or database drive application programming interface (API).

Abstract: A provider of a subscription-based online service provides use of the online service to an end-user of an organization. A tenant account request is received from an administrator of the organization to establish a tenant account and authorize the end-user to acquire a subscription for the end-user to use the online service directly from the provider thereof. A subscription request is then received from the end-user to acquire the subscription for the end-user to use the online service. An individual license to use the online service is then assigned to the end-user, where this license allows just the end-user to access and use the online service. This individual license is then provided to the end-user.

Abstract: In an embodiment, a password risk evaluator may receive a request including a user identifier (ID) and a password. The password risk evaluator may retrieve a password preference model associated with the user ID, and may determine a risk score indicating a likelihood that the password is associated with the user ID. For example, the password preference model may be based on previous passwords used by the user, and may identify one or more characteristics, formulas, rules, or other indicia typically employed by the user in creating passwords. If the password supplied in the request matches or is similar to one or more elements of the password preference model, it may be more likely that the password in the request is a password supplied by the user. That is, the risk score may be an authentication of the user, or part of the authentication of the user, in some embodiments.

Abstract: An information processing apparatus includes a first memory that stores a registered identification name of a user who is eligible to use the information processing apparatus and first publishable information indicating whether or not the registered identification name of the user is publishable, circuitry that determines whether the first publishable information indicates that the registered identification name of the user is publishable, and generates usage history information of the user using the registered identification name based on a determination indicating that the registered identification name of the user is publishable or using an anonymized identification name based on a determination indicating that the registered identification name of the user is not publishable, and a second memory that stores the generated usage history information.

Abstract: A cryptographic key management service receives a request to import a first cryptographic key. In response to the request, the service creates a public cryptographic key and a private cryptographic key. The private cryptographic key is encrypted using a second cryptographic key to create an import key token. The import key token and the public cryptographic key are provided in response to the request. The service receives an encrypted first cryptographic key, which the service decrypts using the private cryptographic key to obtain the first cryptographic key. The service stores the first cryptographic key and enables its use for the performance of cryptographic operations.

Abstract: Apparatus, method, and system for remotely affecting the functionality and lifetime of an integrated circuit are described herein. One embodiment of a method includes: tracking a plurality of operational metrics relating to a monitored device, sending one or more of the plurality of operational metrics to a remote monitor and responsively receiving a command generated by the remote monitor, generating a threat level based on the plurality of operational metrics and the command, and performing a derating action based on the threat level. The command from the remote monitor may be generated by the remote monitor based, at least in part, on the one or more of the plurality of operational metrics. Alternatively, the command may be generated based on information obtained independently by the remote monitor and not based on the one or more of the plurality of operational metrics.

Abstract: A communications terminal comprises an encoder configured to encode a digital data signal to generate an encoded signal, a scrambler configured to scramble the encoded signal based on a scrambling signature, and a modulator configured to modulate resulting data frames for transmission via a random access communications channel. Each frame comprises a data payload, including a block of the scrambled signal, and a header, including a start of frame (SOF) sequence associated with the scrambling signature. Use of the SOF sequence for each frame provides a synchronization reference and serves to designate the associated scrambling signature for decoding the respective data payload. Use of the SOF sequence for each frame further serves to distinguish between the data frame and data frame(s) originating from further communications terminal(s), transmitted via a common time slot of the channel, for which different scrambling signature(s) were used to scramble respective encoded signal(s) thereof.

Abstract: Techniques for network-based security for mobile devices based on device state are disclosed. In some embodiments, automatically configuring mobile devices and applying policies based on a Host Information Profile (HIP) report includes receiving a Host Information Profile (HIP) report for a mobile device; performing a policy match based on the HIP report for the mobile device; and performing an action based on the policy match based on the HIP report for the mobile device.

Abstract: A device controller interfaced between an electronic processing device and a sector-based data storage device, includes a processor connected to a clock, and a computer memory having a control list stored therein. A control list including a security feature entry including a target sector range, time data associated with the target sector range, and at least one security response associated with the target sector range. The processor determines, based at least in part on interrogation of the control list and a clock time, the time data of the entry conflicts with the clock time, and executes the at least one security response. Time data can represent an expiration date or a time window, with a conflict arising if the clock time is beyond the expiration date or within the time window, respectively.

Abstract: Code upgrades for computer components. After being powered on, a central processing unit (CPU) of a computer system loads a start-up authenticated code module (start-up ACM) to an authenticated code execution area (ACEA) within the CPU to be authenticated. When the start-up ACM passes authentication, the CPU executes the start-up ACM to connect to a server and receive a code upgrade file for a computer component of the computer system from the server.