Abstract: A host computer supports a virtual guest system running thereon. The host system has a firewall that prevents it from communicating directly with the Internet, except with predetermined trusted sites. The virtual guest runs on a hypervisor, and the virtual guest comprises primarily a browser program that is allowed to contact the Internet freely via an Internet access connection that is completely separate from the host computer connection, such as a dedicated network termination point with its specific Internet IP address, or by tunneling through the host machine architecture to reach the Internet without exposing the host system. The virtual guest system is separated and completely isolated by an internal firewall from the host, and the guest cannot access any of the resources of the host computer, except that the guest can initiate cut, copy and paste operations that reach the host, and the guest can also request print of documents.

Abstract: Systems, methods, and computer-readable media for personalizing program credentials are provided. For example, a program credential (e.g., loyalty pass) associated with a program provider (e.g., an issuer) subsystem may be customized using personal data. The personal data can be collected from an electronic device before provisioning the customized program credential on the electronic device for use in a suitable transaction. However, such personal data may not be collected unless an administration entity subsystem is first able to validate the program provider subsystem. The administration entity subsystem can generate tracking data that may be used during the validation and/or provisioning in order to track when program credentials are personalized.

Abstract: A method, a proxy, a device, a system, and a computer program product for enabling authentication is provided. Authentication is enabled by receiving by a proxy a security token from an authentication provider, the security token including authentication information, receiving by the proxy an authentication request directed to the authentication provider or to the proxy, determining by the proxy whether the authentication information corresponds to the authentication request, and in case the authentication information corresponds to the authentication request, providing by the proxy the security token as a response to the authentication request.

Abstract: The invention is a method for managing a response from an application embedded in a secure token acting as an UICC, in response to a command requesting opening a proactive session. The command is sent by an applicative server to the secure token via an OTA server providing a security layer. The method comprises the steps of sending another command from the applicative server to the secure token using the security layer provided by the OTA server, and in response to this second command, the secure token send the response of the first command to the applicative server using the security layer provided by the OTA server.

Abstract: A method for attack detection includes: intercepting, by a runtime security agent, a request for a web resource; determining whether the intercepted request was triggered from an external website; determining whether the intercepted request was triggered from a current session; determining whether the intercepted request is requesting a static file type; and in response to a determination that the intercepted request was triggered from an external website and was not triggered from a current session, or a determination that the intercepted request was triggered from an external website and is not requesting a static file type, providing, by the runtime security agent, an indication of a potential attack.

Abstract: Femtocell access is provisioned based on social network, presence and/or user preference information. In particular, the disclosed system can include a femto access manager that can identify a list of ‘close friends’, to which the femtocell owner is likely to grant femtocell access, based on an analysis of access data (e.g., data from social networks, communication logs, calendars, address books, websites and/or blogs, transaction related data, and the like). Further, an access priority associated with each of the close friends can be determined based in part on location data, availability data, and/or predefined policies. Furthermore, the femto access control list, within the femto access point (FAP), can be populated, dynamically and/or automatically, with the highest priority friends from the close friends list.

Abstract: Methods and systems of testing for phishing security vulnerabilities are disclosed, including methods of penetration testing of a network node by a penetration testing system comprising a reconnaissance agent software module installed in the network node, and a penetration testing software module installed on a remote computing device. Penetration testing systems are provided so as to locally detect weaknesses that would expose network nodes to phishing-based attacks.

Abstract: Techniques to enforce policies with respect to managed files and/or endpoints are disclosed. A policy to be applied with respect to one or more files included in a synchronization set and/or an endpoint associated with the synchronization set is received. Compliance with the policy is ensured across a plurality of heterogeneous endpoints associated with the synchronization set.

Abstract: According to a first aspect of the present disclosure, a method for facilitating secure communication in a network is conceived, comprising: encrypting, by a source node in the network, a cryptographic key using a device key as an encryption key, wherein said device key is based on a device identifier that identifies a destination node in the network; transmitting, by said source node, the encrypted cryptographic key to the destination node. According to a second aspect of the present disclosure, a corresponding non-transitory, tangible computer program product is provided. According to a third aspect of the present disclosure, a corresponding system for facilitating secure communication in a network is provided.

Abstract: A method for analyzing code may include determining, using a dependency graph for the code, modules each including function definitions, and generating source points-to tuples and a call graph for a source function definition in a first module. The source points-to tuples may include a source tuple including a source variable and a source allocation site. The source allocation site may be a reference to a location in a memory of a computer system allocated when the source function definition is executed. The method may further include determining, using the call graph and until a fixedpoint condition is triggered, target function definitions reachable from the source function definition, determining that a target summary is stored for a first target function definition, and importing the target summary into a source summary for the source function definition. The source summary may include the source points-to tuples.

Abstract: The presently disclosed method and apparatus for sharing security metadata memory space proposes a technique to allow metadata sharing two different encryption techniques. A section of memory encrypted using a first type of encryption and having first security metadata associated therewith is converted to a section of memory encrypted using a second type of encryption and having second security metadata associated therewith. At least a portion of said first security metadata shares a memory space with at least a portion of said second security metadata for a same section of memory.

Abstract: A computing resource service receives a request to perform a change to a configuration of a service provider account. In response to the request, the computing resource service determines if the service provider account has been designated as being immutable. If the service provider account is designated as being immutable, the computing resource service causes an account security service to transmit a notification to administrators of the service provider account to determine whether the administrators authorize the change to the service provider account. If the administrators approve of the requested change, the computing resource service fulfills the request.

Abstract: Disclosed are a stamper, a terminal and an operation method thereof. The stamper includes: a transmission part configured to transmit a beacon signal related to stamp saving to a terminal; a contact tip contacting the terminal; and a control part configured to include a bit value in the beacon signal, wherein the bit value is generated to indicate contact of the contact tip with the terminal.

Abstract: A method for secure storage of data and retrieval of desired data from a cloud-based service environment includes receiving the data from a tenant having a unique tenant ID, dynamically extracting data to be indexed from the received data, and creating index information from the extracted data. The index information is encrypted with a tenant private key, the encrypted index information is uploaded into the cloud environment in the form of index files, and a last uploaded index file is queried for in the cloud environment. The encrypted index information of the index file is decrypted with the tenant private key, the decrypted index information is searched for a relevant patient record, and the corresponding desired data is retrieved from the cloud environment. The desired data is rendered onto a client application. The index files are created from the index information in chronological order of receipt of the data.

Abstract: Disclosed are various examples for enforcing enterprise requirements for client device deployment. One example includes receiving a device enrollment request that is part of an activation of a client device that is registered with a registration service. A whitelist including a management application is enforced on the client device by installing a first profile on the client device. The management application is executed in a kiosk mode. The management application obtains at least one enterprise requirement including a terms of service. A second profile is installed on the client device causing the client device to cease enforcing the whitelist and the kiosk mode.

Abstract: The subject matter of this specification generally relates to data security. In some implementations, a method includes receiving, from data owners, a first cryptographically secure representation of data to be monitored for data breaches. Each first cryptographically secure representation can include a cryptographically secure data structure that represents a plurality of first data records maintained by the data owner. One or more second cryptographically secure representations of second data records are received from a user. A number of the second cryptographically secure representations that match a corresponding portion of the first cryptographically secure representation received from a data owner is determined. A determination is made that a data breach occurred for the data owner based on the number of the second cryptographically secure representations that match the corresponding portion of the first cryptographically secure representation received from the data owner.

Abstract: Systems and methods for role-based access control to computing resources are presented. In an example embodiment, a request to perform a type of access of a computing resource is received via a communication network from a process executing on a client device. Using a data store storing process identifiers and associated access control information, access control information associated with the requesting process is identified based on a process identifier of the requesting process. Based on the access control information associated with the requesting process, a determination is made whether the requesting process is allowed to perform the requested type of access of the computing resource. The request is processed based on the requesting process being allowed to perform the requested type of access of the computing resource.

Abstract: A method is provided for providing a notary service for a file, the method includes the steps in which: (a) when a notary service request for a specific file is obtained, a server generates, by using a hash function, or supports the generation of, a message digest of the specific file; and (b) if a predetermined condition is satisfied, the server registers, in a database, or supports the registration of, a representative hash value or a value obtained by processing the representative hash value, the representative hash value being generated by calculating at least one neighboring hash value that matches a specific hash value, wherein the specific hash value is a hash value of the result of encrypting the message digest with a private key of a first user, a private key of a second user and a private key of the server.

Abstract: User events of a platform are processed to extract aggregate information about users of the platform at an event processing system. A query relating to the user events is received at the system and at least one query parameter is determined from the query. Various privacy controls are disclosed for ensuring that any information released in response to the query cannot be used to identify users individually or to infer information about individual users.

Abstract: Provided is a method according to the present invention comprising the steps of: (a) generating a message digest of a particular file when a request for authenticating same is obtained; (b) when a message digest encoded with a private key of a first user and a message digest encoded with a private key of a second user are obtained, and if the (i) (A) information for the message digest, which was encoded with the private key of the first user, decoded with a public key of the first user, (ii) (B) information for the message digest, which was encoded with the private key of the second user, decoded with a public key of the second user, and (C) the message digest generated in step (a) match, then registering, in a database, a hash value of the message digest encoded using the private key of the first user, private key of the second user and a private key of a server; and (c) obtaining a transaction ID reflecting location information of the registered hash value in the database.