Patents Examined by Piotr Poltorak
  • Patent number: 10460095
    Abstract: A method of verifying an identity of a user using a set of earpieces includes communicating a first sound toward a tympanic membrane of the left ear, communicating a second sound toward a tympanic membrane of the right ear, receiving reflected sounds from an ear canal of the left ear, receiving reflected sounds from an ear canal of the right ear, comparing acoustic properties of the reflected sounds with acoustic properties stored in a memory device, and verifying the identity of the user if the acoustic properties of the reflected sounds match the stored acoustic properties.
    Type: Grant
    Filed: September 28, 2017
    Date of Patent: October 29, 2019
    Assignee: BRAGI GmbH
    Inventor: Peter Vincent Boesen
  • Patent number: 10462103
    Abstract: A gateway having an architecture authorizing a bidirectional communication between applications located in different domains and presenting a high assurance level of protection. The gateway uses a virtualization platform and comprises a set of functional blocks configured to authorize secure bidirectional flow of data along two different paths between first and second domains, said set of functional blocks being decomposed into a plurality of elementarily evaluable components each one of which having a specified function and being adapted to communicate with other predefined elementarily evaluable components.
    Type: Grant
    Filed: March 4, 2015
    Date of Patent: October 29, 2019
    Assignees: AIRBUS OPERATIONS SAS, AIRBUS DEFENCE AND SPACE GMBH
    Inventors: Bertrand Leconte, Cristina Simache, Michael Paulitsch, Kevin Mueller
  • Patent number: 10437970
    Abstract: A user is authenticated based on feature data of a target such as a body-part or other object obtained by a touchscreen of a computing device. When the user positions the target to interact with the touchscreen, interaction data is gathered. Feature data of the target is determined from the gathered interaction data. The feature data is used to identify one or more of the target and the user. Various actions are executed based on the identification and authentication of the user.
    Type: Grant
    Filed: October 22, 2017
    Date of Patent: October 8, 2019
    Assignee: EXCALIBUR IP, LLC
    Inventors: Christian Holz, Marius Knaust, Rajiv Ayyangar, Senaka Buthpitiya, Haojian Jin
  • Patent number: 10439810
    Abstract: An administration machine for a digital escrow server stores integer values each corresponding to a machine of a group of administration machines. An initialization function calls a polynomial function, unique to the administration machine, of a degree less than or equal to the number of administration machines, with each integer value, in order to obtain first secret values. The function constructs a message including, for each administration machine, the first secret value corresponding to the integer value of said machine. In response to a message having, for each administration machine, a second secret value obtained on calling the polynomial function of said machine on the integer value of the administration machine, the function constructs a resulting secret value from the first and second secret values. An overlay function processes a digital escrow using the resulting secret value unique to the administration machine and resulting secret values unique to similar administration machines.
    Type: Grant
    Filed: March 4, 2016
    Date of Patent: October 8, 2019
    Assignee: INRIA INSTITUT NATIONAL DE RECHERCHE EN INFORMA . . .
    Inventor: Bertrand Wallrich
  • Patent number: 10438000
    Abstract: The content of each specific image file in a user's backup set (or other type of file set on an endpoint) is analyzed, for example during a backup of the endpoint. Each analyzed image file is categorized based on the results of analyzing its content. The analysis can be in the form of identifying one or more objects graphically represented in given image files, and the categorization of image files can be based on these identified graphically represented object(s). Subsequently (for example during a subsequent backup of the endpoint), modifications made to specific ones of the image files in the file set are detected. In response to a quantification of the detected modifications exceeding a specific threshold level, it is adjudicated that a file corruption event has occurred on the endpoint, such as a cryptographic ransomware attack. In response to the adjudication, one or more security actions are taken.
    Type: Grant
    Filed: September 22, 2017
    Date of Patent: October 8, 2019
    Assignee: Symantec Corporation
    Inventors: Lei Gu, Ilya Sokolov
  • Patent number: 10419418
    Abstract: A device fingerprinting system provides an additional factor of authentication. A user device may be redirected, along with user ID parameters, to an authentication system. The user device may be sent instructions to execute that collect and send back device characteristic information to the authentication system. The authentication system can create a unique fingerprint of the device, and determine if the fingerprint has been seen before. If seen before, the authentication system may send back an authentication token indicating the additional factor of authentication was a success. If the fingerprint has not been seen previously, the authentication system may conduct a one-time password authentication as the additional factor. If successful, the fingerprint may be stored in association with the user device for future authentication as an additional factor.
    Type: Grant
    Filed: September 28, 2017
    Date of Patent: September 17, 2019
    Assignee: SecureAuth Corporation
    Inventors: Garret Florian Grajek, Chihwei Liu, Allen Yu Quach, Jeffrey Chiwai Lo
  • Patent number: 10402630
    Abstract: An apparatus for maintaining privacy when providing media content to a group includes at least one sensor coupled to a processor that is configured to observe, based on sensor data from the sensor(s), that more than one user is engaged with the apparatus, and to obtain user identities for at least a first user and a second user engaged with the apparatus. The processor looks up a first privacy preference for the first user and a second privacy preference for the second user based on the user identities of both users. The processor determines restricted content based on the first privacy preference and the second privacy preference and determines and outputs for display suggested content for engagement by the first user and the second user, based on the restricted content, where the suggested content satisfies criterion for the first privacy preference and the second privacy preference.
    Type: Grant
    Filed: March 10, 2017
    Date of Patent: September 3, 2019
    Assignee: SONY INTERACTIVE ENTERTAINMENT LLC
    Inventors: James Fairbairn, Steven Trombetta, Vipul Hingne
  • Patent number: 10397080
    Abstract: A network security system for wireless devices derives a fingerprint from the modulation imperfections of the analog circuitry of the wireless transceivers. These fingerprints may be compared to templates obtained when the wireless devices are initially commissioned in a secure setting and used to augment passwords or other security tools in detecting intruders on the network.
    Type: Grant
    Filed: May 19, 2017
    Date of Patent: August 27, 2019
    Assignee: Wisconsin Alumni Research Foundation
    Inventors: Vladimir Alexander Brik, Suman Banerjee
  • Patent number: 10395036
    Abstract: Systems and methods for continued runtime authentication of Information Handling System (IHS) applications. In an illustrative, non-limiting embodiment, an IHS may include one or more processors and a memory coupled to the one or more processors, the memory including program instructions stored thereon that, upon execution by the one or more processors, cause the IHS to: receive a command to execute an application; initially verify a plurality of tokens, where a first token is provided by the application, a second token is provided by an application manager, and a third token is provided by a hardware component within the IHS; and execute the application in response to the initial verification being successful.
    Type: Grant
    Filed: March 16, 2017
    Date of Patent: August 27, 2019
    Assignee: Dell Products, L.P.
    Inventors: Abeye Teshome, Ricardo L. Martinez, Charles D. Robison, David Konetski, Girish S. Dhoble, Carlton A. Andrews
  • Patent number: 10395029
    Abstract: A computing device is described that comprises one or more hardware processors and a memory communicatively coupled to the one or more hardware processors. The memory comprises software that supports a software virtualization architecture, including (i) a virtual machine operating in a guest environment and including a process that is configured to monitor behaviors of data under analysis within the virtual machine and (ii) a threat protection component operating in a host environment. The threat protection component is configured to classify the data under analysis as malicious or non-malicious based on the monitored behaviors.
    Type: Grant
    Filed: June 30, 2016
    Date of Patent: August 27, 2019
    Assignee: FireEye, Inc.
    Inventor: Udo Steinberg
  • Patent number: 10389532
    Abstract: A method for message routing in a multi-tenant system includes encrypting an ID of a tenant with a public key that is generated for the tenant together with a corresponding private key; storing a set of the encrypted ID and the public key in both a device and a server of the multi-tenant system; transmitting from the device to the server a message comprising the set of the encrypted ID and the public key stored in the device; and detecting whether the message is directed toward a data store for the tenant by comparing the set comprised in the message and the set stored in the server.
    Type: Grant
    Filed: September 22, 2017
    Date of Patent: August 20, 2019
    Assignee: YOKOGAWA ELECTRIC CORPORATION
    Inventor: Jeff Melrose
  • Patent number: 10360390
    Abstract: Methods, systems, and articles of manufacture are provided for oblivious order preserving encryption. A method may include: traversing, by a cloud service provider, an order preserving encryption (OPE) tree based on a result of an oblivious comparison performed by a data owner and a data client, the OPE tree having nodes that each correspond to a ciphertext of data associated with the data owner, the ciphertext of the data being stored at the cloud service provider, and a relative position of the nodes within the OPE tree corresponding to an order that is present in the data associated with the data owner; and determining, based on the traversing of the OPE tree, an OPE encoding for an input value from the data client, the OPE encoding for the input value indicative of a position of a node corresponding to the input value within the OPE tree.
    Type: Grant
    Filed: December 14, 2016
    Date of Patent: July 23, 2019
    Assignee: SAP SE
    Inventors: Anselme Kemgne Tueno, Florian Kerschbaum
  • Patent number: 10356109
    Abstract: According to an example, security indicator linkage determination may include parsing input data that is used to determine a plurality of sequences of steps that are involved in attacks. A linkage selected from temporal, spatial, and/or behavioral linkages may be applied to the parsed input data to determine the plurality of sequences of steps. A security indicator that is related to a potential attack may be received. The plurality of sequences of steps may be used to determine whether the security indicator matches a step in one of the plurality of sequences of steps. In response to a determination that the security indicator matches a step in one of the plurality of sequences of steps, linkage between the security indicator and another security indicator from the one of the plurality of sequences of steps that are involved in the attacks may be identified.
    Type: Grant
    Filed: July 21, 2014
    Date of Patent: July 16, 2019
    Assignee: ENTIT SOFTWARE LLC
    Inventors: Anurag Singla, Edward Ross, Brian Frederik Hosea Che Hein
  • Patent number: 10348697
    Abstract: A portable encryption format wraps encrypted files in a self-executing container that facilitates transparent, identity-based decryption for properly authenticated users while also providing local password access to wrapped files when identity-based decryption is not available.
    Type: Grant
    Filed: April 14, 2016
    Date of Patent: July 9, 2019
    Assignee: Sophos Limited
    Inventors: Stefan Ortner, Andreas Berger, Vincent Vanbiervliet, Kenneth D. Ray
  • Patent number: 10341298
    Abstract: A technology is described for applying an encrypted customer security rule set to an application firewall. An example method may include obtaining an encrypted customer security rule from a shared data store for use by an application firewall that operates at an entry point to a computing service environment that utilizes security rules to monitor, filter, and manipulate network traffic. The customer encryption key used to decrypt the encrypted customer security rule in volatile computer memory may be obtained from a key data store and the encrypted customer security rule may be decrypted in the volatile computer memory using the customer encryption key, thereby forming a corresponding unencrypted customer security rule in the volatile computer memory. A volatile computer memory location containing the unencrypted customer security rule may be provided to the application firewall to enable the unencrypted customer security rule to be applied by the application firewall.
    Type: Grant
    Filed: March 29, 2016
    Date of Patent: July 2, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Kyle Adam Lichtenberg, Patrick Edward McDowell, Matthew Gordon Yanchyshyn
  • Patent number: 10334433
    Abstract: A communication system is provided in which multiple terminal devices form a group and at least one base station device assigns a channel to each group, so that communication from a terminal device included in a group assigned a channel to the other terminal devices included in the group is performed. In the communication system, a transmitting unit transmits information about authentication to a base station device before communication is started. A receiving unit receives, from a base station device, information about authentication status of at least another terminal device within the group.
    Type: Grant
    Filed: July 16, 2016
    Date of Patent: June 25, 2019
    Assignee: JVC KENWOOD Corporation
    Inventors: Tomoko Yaginuma, Ichiro Shishido, Shunichi Manabe, Masae Toko, Kazuya Tsukamoto
  • Patent number: 10320757
    Abstract: A secure repository receives and stores user data, and shares the user data with trusted client devices. The user data may be shared individually or as part of bundled data relating to multiple users, but in either case, the secure repository associates specific data with specific users. This association is maintained by the trusted client devices, even after the data is altered by processing on the client device. If a user requests a purge of their data, the system deletes and/or disables that data on both the repository and the client devices, as well as deleting and/or disabling processed data derived from that user's data, unless a determination has been made that the processed data no longer contains confidential information.
    Type: Grant
    Filed: June 6, 2014
    Date of Patent: June 11, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Hugh Evan Secker-Walker, Nitin Sivakrishnan
  • Patent number: 10311215
    Abstract: An authorized user obtains a packaging license that grants permission to use a particular recording device to generate multimedia content in accordance with specified license terms. The packaging license includes a content key that is used to encrypt the multimedia content at the point of capture on the recording device. The encrypted multimedia content can be transmitted via unsecure channels (for example, via electronic mail) to a networked content repository or an intended recipient. For playback, an authorized user obtains a playback license that grants permission to decrypt and playback the multimedia content using a particular playback device. An authorization server and a key management server are used to manage which users are entitled to receive a license, and to define the terms of the granted licenses. A record of the granted authorizations and licenses is maintained, thereby allowing access to a given content item to be audited.
    Type: Grant
    Filed: April 3, 2018
    Date of Patent: June 4, 2019
    Assignee: Adobe Inc.
    Inventors: Joseph Steele, John Landwehr
  • Patent number: 10282548
    Abstract: Systems and methods for detecting malicious content are provided. In an exemplary embodiment, a method for detecting malicious content is described that detects when a client device has access to a remote network server of a communication network. The client device includes one or more processors. Thereafter, a controller, being a device separate from the client device, activates one or more security programs within the remote network server. The security programs enable the controller to analyze data stored within or transmitted from the remote network server. Lastly, the controller analyzes the data to determine whether the data includes malware.
    Type: Grant
    Filed: December 12, 2016
    Date of Patent: May 7, 2019
    Assignee: FireEye, Inc.
    Inventors: Ashar Aziz, Stuart Staniford, Muhammad Amin, Henry Uyeno, Samuel Yie
  • Patent number: 10268557
    Abstract: According to an embodiment, a network monitoring device that monitors a network includes a software storage and a controller. The software storage is configured to store software applied to a first electronic device connected to the network. The controller is configured to determine, in response to reception of verification result data indicating software verification failure from the first electronic device, whether a recovery condition determined in advance as a condition of recovering software in the first electronic device is satisfied, and perform a control of transmitting the software stored in the software storage to the first electronic device when it is determined that the recovery condition is satisfied.
    Type: Grant
    Filed: February 23, 2017
    Date of Patent: April 23, 2019
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Toshiyuki Kito, Takeshi Kawabata