Abstract: A computing device operates in a secure operating mode in response to user selection. Computer hardware is initialized to verify a bootloader of an operating system, and the bootloader verifies the operating system kernel. The kernel then verifies operating-system level executable files. After verification, a limited set of the verified files is loaded into a portion of the memory that is subsequently marked by the kernel as read-only. These files are executed to provide a basic Internet browser session; all other files are identified as non-executable. When the user accesses an authorized website and conducts a transaction that requires a user to provide information, the information is encrypted during transmission of the network. In addition, such information cannot be accessed by other parties since the information provided is not persisted at the computing device.

Abstract: An automated system for signing up users invited to join a site based on their existing identity includes an invitation generator, an invite processor, a federated authentication module, a user information retrieval module, an account population and creation module, and a user interface module. The automated sign up module is responsive to an invite request. The automated sign up module sends an authorization request, receives the authorization response, verifies the response and retrieves user data. The automated sign up module uses the retrieved data to populate a sign up form and initialize an account. The automated sign up module sends new account information to a user for confirmation. Once confirmation has been received, the automated sign up module creates the new account and allows the user to access the system. The present disclosure includes a method for signing up users invited to join a site based on their existing identity.

Abstract: According to one embodiment, a method for providing scalable virtual appliance cloud (SVAC) services includes receiving incoming data traffic having multiple packets directed toward a SVAC using at least one switching distributed line card (DLC), determining that a packet satisfies a condition of an access control list (ACL), designating a destination port to send the packet based on the condition of the ACL being satisfied, fragmenting the packet into cells, wherein the designated destination port is stored in a cell header of the cells, sending the cells to the destination port via at least one switch fabric controller (SFC), receiving the cells at a fabric interface of an appliance DLC, reassembling the cells into a second packet, performing one or more services on the second packet using the appliance DLC, and sending the second packet to its intended port.

Abstract: A system for detecting file upload vulnerabilities in web applications is provided. The system may include a black-box tester configured to upload, via a file upload interface exposed by a web application, a file together with a signature associated with the file. An execution monitor may be configured to receive information provided by instrumentation instructions within the web application during the execution of the web application. The execution monitor may be configured to recognize the signature of the uploaded file as indicating that the uploaded file was uploaded by the black-box tester. The execution monitor may also be configured to use any of the information to make at least one predefined determination assessing the vulnerability of the web application to a file upload exploit.

Abstract: A computer-implemented method for replacing sensitive information stored within non-secure environments with secure references to the same may include (1) identifying sensitive information stored within a non-secure environment on a computing device, (2) removing the sensitive information from the non-secure environment, (3) storing the sensitive information within a secure environment, (4) replacing the sensitive information originally stored within the non-secure environment with a reference that identifies the sensitive information stored within the secure environment, (5) identifying a request to access at least a portion of the sensitive information identified in the reference, (6) determining that at least a portion of the request satisfies a data-loss-prevention policy, and then (7) providing access to at least a portion of the sensitive information via the secure environment. Various other systems, methods, and computer-readable media are also disclosed.

Abstract: A role based security infrastructure for data encryption that does not require a key management system is provided. For each defined role, a unique key pair is generated. To encrypt a data set, a random encryption key is generated on the fly, and used to encrypt the data. To allow a role access to an encrypted data set, the corresponding encryption key is encrypted with the public key of that role, and stored in association with the encrypted data set. To access an encrypted data set, a private key associated with a role allowed access is used to decrypt the copy of the associated encryption key, which has been encrypted using the corresponding public key and stored in association with the data set. The decrypted encryption key is then used to decrypt the encrypted data set.

Abstract: A computer system includes a first storage area accessible by an operating system and a second storage area accessible by authorized functions only. According to some embodiments of the invention at least one protected storage area is implemented into the second storage area, wherein the operating system installs at least one secret key and/or at least one customized processing function into regions of the at least one protected storage area, wherein the operating system transfers data and/or parameters to process into regions of the at least one protected storage area, wherein the operating system selects one of the customized processing functions to execute, wherein the selected customized processing function is executed and accesses storage regions of the at least one protected storage area to process the data and/or parameters, and wherein resulting process data is read from the at least one protected storage area.

Abstract: In an embodiment, the present invention includes a method for receiving a request for user authentication of a system, displaying an authentication image on a display of the system using a set of random coordinates, receiving a plurality of gesture input values from the user, and determining whether to authenticate the user based at least in part on the plurality of gesture input values. Other embodiments are described and claimed.

Abstract: Systems and methods for saving encoded media streamed using adaptive bitrate streaming in accordance with embodiments of the invention are disclosed. In one embodiment of the invention, a playback device configured to perform adaptive bitrate streaming of media includes a video decoder application and a processor, where the video decoder application configures the processor to select a download stream from a set of alternative streams of video data, measure streaming conditions and request a stream of video data from the alternative streams of video data, receive portions of video data from the requested stream of video data, decode the received video data, save the received video data to memory, when the received video data is from the download stream and separately download and save the corresponding portion of video data from the download stream to memory, when the received video data is not from the download stream.

Abstract: A system and computer-implemented method for providing an indication of a quality of a site to a user, the method comprising identifying a link associated with a destination site and being displayed at a source site, determining a reputation of the link based on one or more criteria and whether the determined reputation of the link meets or exceeds a specified threshold and providing a warning for display to a user at the source site when it is determined that the reputation of the link meets the specified threshold, wherein the warning display includes a warning message indicating that the link meets or exceeds the specified threshold and a thumbnail image of the destination site associated with the link.

Abstract: A major management apparatus, an authorized management apparatus, an electronic apparatus for delegated key management and key management methods thereof are provided. The major management apparatus generates a first delegation deployment message and a second delegation deployment message, which are transmitted to the authorized management apparatus and the electronic apparatus, respectively. The authorized management apparatus encrypts an original key management message into a key management message by an authorization key included in the first delegation deployment message. The original key management message includes an operation code and a key identity. The electronic apparatus decrypts the key management message into the original key management message by the authorization key included in the second delegation deployment message. The electronic apparatus selects an application key according to the key identity and operates the application key based on the operation code.

Abstract: Disclosed are methods of detecting a domain name server (DNS) flooding attack according to characteristics of a type of attack traffic. A method of detecting an attack by checking a DNS packet transmitted over a network in a computer device connected to the network, includes determining whether the number of DNS packets previously generated within a threshold time with the same type of message, the same specific address and the same field value as in the transmitted packet is greater than or equal to a given number, and determining the transmitted DNS packet as a packet related to the attack if the number of DNS packets previously generated within the threshold time is greater than or equal to the given number.

Abstract: A method of validating a user, comprises the steps of:—storing for a user data representative of a validation code for the user comprising a combination of symbols selected from a set of symbols; presenting a displayed image including a plurality of designatable areas in which said set of symbols is distributed between said designatable areas such that each designatable area contains a plurality of said symbols; varying the image between subsequent presentations such that the distribution of said symbols between said designatable areas changes between subsequent presentations, validating a user in an validation routine by detecting designation by a user of a combination of said designatable areas in a presented image, and determining whether the combination of designated designatable areas contains the combination of symbols making up the validation code for said user.

Abstract: A system for detecting file upload vulnerabilities in web applications is provided. The system may include a black-box tester configured to upload, via a file upload interface exposed by a web application, a file together with a signature associated with the file. An execution monitor may be configured to receive information provided by instrumentation instructions within the web application during the execution of the web application. The execution monitor may be configured to recognize the signature of the uploaded file as indicating that the uploaded file was uploaded by the black-box tester. The execution monitor may also be configured to use any of the information to make at least one predefined determination assessing the vulnerability of the web application to a file upload exploit.

Abstract: Systems and methods for authentication generate keys from secret credentials shared between authenticating parties and authenticators. Generation of the keys may involve utilizing specialized information in the form of parameters that are used to specialize keys. Keys and/or information derived from keys held by multiple authorities may be used to generate other keys such that signatures requiring such keys and/or information can be verified without access to the keys. Keys may also be derived to form a hierarchy of keys that are distributed such that a key holder's ability to decrypt data depends on the key's position in the hierarchy relative to the position of a key used to encrypt the data. Key hierarchies may also be used to distribute key sets to content processing devices to enable the devices to decrypt content such that sources or potential sources of unauthorized content are identifiable from the decrypted content.

Abstract: A first cryptographic device is configured to store a set of keys that is refreshed in each of a plurality of epochs. The first cryptographic device computes for each of at least a subset of the epochs at least one view based on at least a portion of the set of keys for that epoch, and transmits the views to a second cryptographic device in association with their respective epochs. At least one view computed for a current one of the epochs is configured for utilization in combination with one or more previous views computed for one or more previous ones of the epochs to permit the second cryptographic device to confirm authenticity of the set of keys for the current epoch. The first cryptographic device may include an authentication token and the second cryptographic device may include an authentication server.

Abstract: Method enabling a user to verify the operation of a personal cryptographic device, comprising the following steps: a) a user (2) enters an access request in a terminal (3) (100), d) a personal cryptographic device (1) of the user (2) calculates and displays a response (105), g) the user (2) verifies the operation of the personal cryptographic device (1) by requesting the terminal (3) to display the expected response to the challenge (110), i) the terminal (3) displays the expected response to the challenge (113), j) the user (2) compares the response displayed by the personal cryptographic device with the response displayed by the terminal.

Abstract: According to one embodiment, a system includes a scalable virtual appliance cloud (SVAC) comprising: at least one distributed line card (DLC); at least one switch fabric coupler (SFC) in communication with the at least one DLC; and at least one controller in communication with the at least one DLC, wherein one or more of the at least one DLC is an appliance DLC, wherein one or more of the at least one SFC is a central SFC, and wherein the SVAC appears to a device external of the SVAC as a single appliance device applying various services to a traffic flow.

Abstract: A gateway network device may establish secure connections to a plurality of remote network devices using tunneling protocols to distribute to the remote network devices multimedia content received from one or more content providers. The consumption of the multimedia content may originally be restricted to local network associated with the gateway network device. The secure connections may be set up using L2TP protocol, and the L2TP tunneling connections may be secured using IPSec protocol. Use of multimedia content may be restricted based on DRM policies of the content provider. DRM policies may be implemented using DTCP protocol, which may restrict use of the multimedia content based on roundtrip times and/or IP subnetting. Each content provider may use one or more VLAN identifiers during communication of the multimedia content to the gateway network device, and the gateway network device may associate an additional VLAN identifier with each secure connection.

Abstract: A computing device operates in a secure operating mode in response to user selection. Computer hardware is initialized to verify a bootloader of an operating system, and the bootloader verifies the operating system kernel. The kernel then verifies operating-system level executable files. After verification, a limited set of the verified files is loaded into a portion of the memory that is subsequently marked by the kernel as read-only. These files are executed to provide a basic Internet browser session; all other files are identified as non-executable. When the user accesses an authorized website and conducts a transaction that requires a user to provide information, the information is encrypted during transmission of the network. In addition, such information cannot be accessed by other parties since the information provided is not persisted at the computing device.