Patents Examined by Sayed Beheshti Shirazi
  • Patent number: 9935963
    Abstract: Techniques for sharing of items from online storage (e.g., cloud storage) are described herein. In at least some embodiments, sharing links can be configured as one-time sharing links that provide recipients with limited, one-time access to a shared item for the purpose of selecting or registering an account to use for subsequent access to the item. Recipients are able to select accounts they find most convenient for accessing a shared item without the owner/sharer of the item necessarily having contact information for those accounts or sending a link to the accounts. Selection of a one-time link initiates an authentication sequence that selectively provides an option to select a particular account. Once the one-time sharing link is redeemed, the one-time sharing link is invalidated for subsequent access to the item.
    Type: Grant
    Filed: June 24, 2016
    Date of Patent: April 3, 2018
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Arcadiy G. Kantor, Jonathan A. Bockelman, Jeffrey E. Steinbok, Sarah M. Filman
  • Patent number: 9935767
    Abstract: Methods, systems and computer readable media for configuring secure storage on a computing device. A method comprises: storing, at a first application running on a first computing device, authentication data associated with an authenticated communications session conducted between the first application and a second application running on a second computing device different from the first computing device; receiving, at the first application, an activation command comprising encryption data from the second application; authenticating, by the first application, the activation command based on the stored authentication data; and configuring, by the first application, secure storage on the first device based at least in part on the activation command received from the second application, wherein configuring the secure storage comprises encrypting application data associated with execution of the first application based on the encryption data.
    Type: Grant
    Filed: December 10, 2015
    Date of Patent: April 3, 2018
    Assignee: BlackBerry Limited
    Inventors: Johnathan George White, SeungSub Jung
  • Patent number: 9842316
    Abstract: A cloud-based broker service may be provided for computing devices in a distributed computing environment. The broker service may aggregate user accounts and user account credentials utilized for accessing online services by the computing devices. The broker service may monitor a context of the computing devices associated with the user accounts. The broker service may then utilize the context, data associated with the user accounts and data associated with the user account credentials to automate tasks and/or provide alerts associated with the data.
    Type: Grant
    Filed: November 23, 2015
    Date of Patent: December 12, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Gary L. Caldwell, Steven Paul Geffner, C. Joe Coplen, Christopher Hugh Pratley, Michael H. Ammerlaan, Steven Todd Zaske
  • Patent number: 9825968
    Abstract: Techniques for dynamic endpoint secure location awareness may include dynamically sending a location query in response to a change in location for a mobile device. A location response may be received. The platform security engine may determine whether the mobile device is located in a secure location based on the location response. Other embodiments are described and claimed.
    Type: Grant
    Filed: September 28, 2011
    Date of Patent: November 21, 2017
    Assignee: INTEL CORPORATION
    Inventor: Uri Kahana
  • Patent number: 9811330
    Abstract: Methods and systems for securing code in a reprogrammable security system are provided and may comprise detecting when a prior version of code is copied over a subsequent version of code. Operations within the system may be controlled based upon detection of the prior version of code. A unique version identifier may be associated with each successive version of code. The system may compare instances of unique version identifier from varied storage mechanisms on a device which may include flash memory, latch memory and one time programmable memory. The same instances of unique version identifier may be compared with a unique version identifier instance independently received from an external entity. When a comparison reveals a prior version of code copied over a subsequent version of code the system may conduct operations specified for a security breach.
    Type: Grant
    Filed: June 5, 2007
    Date of Patent: November 7, 2017
    Assignee: Avago Technologies General IP (Singapore) Pte. Ltd.
    Inventor: Stephane Rodgers
  • Patent number: 9813246
    Abstract: Methods and systems according to the present disclosure improve upon known biometric security systems by not permanently storing (e.g., for later comparison as in known systems) the actual image of the biometric characteristic. Instead, an image of a biometric identifier (e.g., retina, fingerprint, etc.) may be used to form a key which may be used to secure and provide access to data. The key may be formed, in embodiments, using a neural network and/or a random input (e.g., a vector of random characters), for example. The image of the biometric identifier may be discarded, and thus may not be vulnerable to theft. In an embodiment, the key may be used in a key-based encryption system.
    Type: Grant
    Filed: October 29, 2014
    Date of Patent: November 7, 2017
    Inventors: Jory Schwach, Brian Bosak
  • Patent number: 9798868
    Abstract: An image processing apparatus includes a request determining unit receiving an operation event indicating a request to use an image processing function and determining whether the request is from a guest user based on the received operation event; a guest login processing unit generating guest login information including a guest user identifier and access right information of the guest user if the request is from the guest user and sending a login request to request a login process for the guest user based on the guest login information; an access control unit disabling access control on the image processing function in response to the login request based on the access right information in the guest login information; and a usage history recording unit recording a usage history of the image processing function in association with the guest user based on the guest user identifier in the guest login information.
    Type: Grant
    Filed: January 8, 2014
    Date of Patent: October 24, 2017
    Assignee: Ricoh Company, Ltd.
    Inventor: Yuichi Ishii
  • Patent number: 9794238
    Abstract: One embodiment provides a system that facilitates secure communication between computing entities. During operation, the system generates, by a content-consuming device, a first key based on a first consumer-share key and a previously received producer-share key. The system constructs a first interest packet that includes the first consumer-share key and a nonce token which is used as a pre-image of a previously generated first nonce, wherein the first interest has a name that includes a first prefix, and wherein the first nonce is used to establish a session between the content-consuming device and a content-producing device. In response to the nonce token being verified by the content-producing device, the system receives a first content-object packet with a payload that includes a first resumption indicator encrypted based on a second key. The system generates the second key based on a second consumer-share key and the first content-object packet.
    Type: Grant
    Filed: October 29, 2015
    Date of Patent: October 17, 2017
    Assignee: Cisco Technology, Inc.
    Inventors: Christopher A. Wood, Marc E. Mosko, Ersin Uzun
  • Patent number: 9792435
    Abstract: A security monitoring system for a Controller Area Network (CAN) comprises an Electronic Control Unit (ECU) operatively connected to the CAN bus. The ECU is programmed to classify a message read from the CAN bus as either normal or anomalous using an SVM-based classifier with a Radial Basis Function (RBF) kernel. The classifying includes computing a hyperplane curvature parameter γ of the RBF kernel as γ=ƒ(D) where ƒ( ) denotes a function and D denotes CAN bus message density as a function of time. In some such embodiments γ=ƒ(Var(D)) where Var(D) denotes the variance of the CAN bus message density as a function of time. The security monitoring system may be installed in a vehicle (e.g. automobile, truck, watercraft, aircraft) including a vehicle CAN bus, with the ECU operatively connected to the vehicle CAN bus to read messages communicated on the CAN bus.
    Type: Grant
    Filed: September 17, 2015
    Date of Patent: October 17, 2017
    Assignee: BATTELLE MEMORIAL INSTITUTE
    Inventors: Brad Harris, Anuja Sonalker, Kevin Mayhew
  • Patent number: 9785795
    Abstract: A data management service identifies sensitive data stored on enterprise databases according to record classification rules that classify a data record as having a sensitive data type if the data record includes fields matching at least one of the record classification rules. The data management service determines assessment scores for enterprise databases according to sensitive data records and protection policies on the enterprise databases. The data management service provides an interface that groups enterprise databases having common attributes or common sensitive data types and indicates aggregated assessment scores for the groups of enterprise databases. Through the interface with the grouped enterprise databases, an administrator applies protection policies to enterprise databases. To apply the protection policy, the data management service applies the protection policy to a source database from which dependent enterprise databases access the sensitive database.
    Type: Grant
    Filed: May 6, 2015
    Date of Patent: October 10, 2017
    Assignee: Informatica, LLC
    Inventors: Richard Grondin, Rahul Gupta
  • Patent number: 9781106
    Abstract: Method and systems for modeling user possession of a mobile device for a user authentication framework are provided. The method includes analyzing sensor data representing information captured from sensor(s) associated with at least one of a plurality of devices, the plurality including the user's mobile device. The method allows for determining, based on the analyzed sensor data, a probability that the user maintains possession of the user's mobile device; and configuring the probability for use in determining whether to require authentication. The determination may include configuring a probabilistic model that includes a first state indicating that the user possesses the mobile device and a second state indicating that the user does not; classifying motions of the mobile device by types, the motions being determined based on the sensor data; and updating probabilities of the two states in response to determining that at least one of the motions has occurred.
    Type: Grant
    Filed: November 19, 2014
    Date of Patent: October 3, 2017
    Assignee: Knowles Electronics, LLC
    Inventors: Deborah Vitus, Carlo Murgia, James Steele, Frederic Caldwell
  • Patent number: 9773102
    Abstract: Methods, systems, and computer program products are provided for enabling selective file system access by applications. An application is installed in a computing device. An application manifest associated with the application is received. The application manifest indicates one or more file types that the application is allowed to access. The indicated file type(s) are registered in a location accessible by a broker service. The application is launched as an application process. The application process is isolated in an application container. The application container prevents direct access by the application process to file system data. An access request related to first data of the file system data is received at the broker service from the application process. Access by the application process to the first data is enabled when the broker service determines that a file type of the first data is included in the registered file type(s).
    Type: Grant
    Filed: September 9, 2011
    Date of Patent: September 26, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Scott Graham, Kavitha Radhakrishnan, Sermet Iskin, Katrina M. Blanch, Steven Ball, John Hazen, Tyler Kien Beam, Allen Kim, Guillermo Enrique Rueda Quintero
  • Patent number: 9774589
    Abstract: A management method for outpatient electrocardiography on a patient using an ECG recorder, an administration network, a first mobile device and at least one second mobile device is provided. In order to initialize outpatient electrocardiography on a patient, the first mobile device is connected to the ECG recorder and to the administration network and in the process an identification code assigned to the ECG recorder is transmitted from the ECG recorder to the administration network. After the verification of the authorizations of the mobile device, at least one certificate assigned to the ECG recorder is provided by the administration network and is transmitted to the ECG recorder for storage via the mobile device. The second mobile device is connected to the ECG recorder and to the administration network and in the process the identification code assigned to the ECG recorder is transmitted from the ECG recorder to the administration network.
    Type: Grant
    Filed: October 29, 2015
    Date of Patent: September 26, 2017
    Assignee: GETEMED MEDIZIN- UND INFORMATIONSTECHNIK AG
    Inventors: Tilo Borchardt, Winfried Scharner, Michael Scherf, Robert Downes
  • Patent number: 9774448
    Abstract: A system and method for opportunistic cryptographic key management includes generating a security capability assessment on a first electronic device based on security capabilities of the device, selecting a key management mode based on the security capability assessment, generating a cryptographic key based on the key management mode, and storing the cryptographic key based on the key management mode.
    Type: Grant
    Filed: October 27, 2014
    Date of Patent: September 26, 2017
    Assignee: Duo Security, Inc.
    Inventors: Jon Oberheide, Douglas Song
  • Patent number: 9767265
    Abstract: In various embodiments, disclosed are a system and method for authenticating activity associated with a child account as controlled or managed by a parent account. A child-account user can enter a username, or other form of access information, in a child-account device. The username can contain a predetermined identifier in response to which, upon detecting the presence of the predetermined identifier, a third-party website can carry out authentication functions including sending a message to an authentication platform that carries out additional authentication functions, provided that a parent-account device authorizes doing so.
    Type: Grant
    Filed: May 6, 2015
    Date of Patent: September 19, 2017
    Assignee: ANCHOR ID, INC.
    Inventors: David Waldron Schropfer, David Koplovitz
  • Patent number: 9768964
    Abstract: A certified identification system for a subject is described. The system has a certification station configured to issue first identification means representing the subject, second identification means, suitable for identifying at least one identification station, and configured to be associated with the subject, wherein the identification station is configured to combine the identification means and the first code of the second identification means, issuing a unique identification code comprising first data, a second code and a first code, wherein the identification station (4) further includes an encapsulation module configured to encapsulate the identification data so that they are presented as compact data.
    Type: Grant
    Filed: April 16, 2015
    Date of Patent: September 19, 2017
    Assignee: SOCIAL NATION S.R.L.
    Inventor: Livio Brachetti
  • Patent number: 9756082
    Abstract: This disclosure provides a network security architecture that permits installation of different software security products as virtual machines (VMs). By relying on a standardized data format and communication structure, a general architecture can be created and used to dynamically build and reconfigure interaction between both similar and dissimilar security products. Use of an integration scheme having defined message types and specified query response framework provides for real-time response and easy adaptation for cross-vendor communication. Examples are provided where an intrusion detection system (IDS) can be used to detect network threats based on distributed threat analytics, passing detected threats to other security products (e.g., products with different capabilities from different vendors) to trigger automatic, dynamically configured communication and reaction.
    Type: Grant
    Filed: September 15, 2015
    Date of Patent: September 5, 2017
    Assignee: SERVICENOW, INC.
    Inventors: Andreas Seip Haugsnes, Markus Hahn
  • Patent number: 9747453
    Abstract: A virtualization platform that provides a systematic, transparent and local testing of components hosted by the virtualization platform in their integrated context. The virtualization platform comprises integrated interceptor modules connected to the components via communication channels, each interceptor module being interposed in the communication channel connecting two components, and an integrated analyzing device connected to the interceptor modules and comprising a control device and a testing device. The control device is configured to put each interceptor module in an operational mode selected out of a set of predetermined operational modes including a testing mode. The testing device is configured to locally test the components connected to the interceptor modules being put in the testing mode.
    Type: Grant
    Filed: March 4, 2015
    Date of Patent: August 29, 2017
    Assignees: AIRBUS OPERATIONS SAS, AIRBUS DEFENCE AND SPACE GMBH
    Inventors: Bertrand Leconte, Cristina Simache, Michael Paulitsch, Kevin Mueller
  • Patent number: 9749377
    Abstract: An apparatus may include a transceiver and a processor circuit coupled to the transceiver. The apparatus may also include a local packet data network access module operable on the processor circuit to schedule for transmission from the transceiver to a mobility management entity (MME) a request from a user equipment (UE) for access to a local network, to generate a request for authentication to be sent to the UE, and to receive authentication information sent in response to the request for authentication. Other embodiments are disclosed and claimed.
    Type: Grant
    Filed: December 16, 2011
    Date of Patent: August 29, 2017
    Assignee: INTEL CORPORATION
    Inventors: Sasha Sirotkin, Muthaiah Venkatachalam, Avishay Sharaga
  • Patent number: 9740583
    Abstract: Techniques are described for managing data storage. Users may create data storage volumes that may each be stored by a data storage service. In an embodiment, chunks that differ between related volumes may be encrypted with different encryption keys. One or more of the encryption keys may be deleted in response to a request to delete a volume or a data chunk, rendering the volume and/or the data chunk unusable. Other techniques are described in the drawings, claims, and text of the disclosure.
    Type: Grant
    Filed: September 24, 2012
    Date of Patent: August 22, 2017
    Assignee: Amazon Technologies, Inc.
    Inventor: Eric Jason Brandwine