Patents Examined by Thong Truong
  • Patent number: 9916321
    Abstract: Methods, apparatus, and computer-accessible storage media for controlling export of snapshots to external networks in service provider environments. Methods are described that may be used to prevent customers of a service provider from downloading snapshots of volumes, such as boot images created by the service provider or provided by third parties, to which the customer does not have the appropriate rights. A request may be received from a user to access one or more snapshots, for example a request to export the snapshot or a request for a listing of snapshots. For each snapshot, the service provider may determine if the user has rights to the snapshot, for example by checking a manifest for the snapshot to see if entries in the snapshot manifest belong to an account other than the customer's. If the user has rights to the snapshot, the request is granted; otherwise, the request is not granted.
    Type: Grant
    Filed: February 29, 2016
    Date of Patent: March 13, 2018
    Assignee: Amazon Technologies, Inc.
    Inventors: Arun Sundaram, Yun Lin, David Carl Salyers
  • Patent number: 9904912
    Abstract: Technology is described for protecting transactions. The technology may include a switching component that a user can employ to switch an associated mobile device into a secure mode so that a user can confirm the transaction. After initiating a transaction request, the user can confirm the transaction request by activating the switching component, which can cause the mobile device to switch into a secure mode. In the secure mode, the mobile device may prevent the mobile device from conducting various normal activities, such as executing applications, receiving input, providing output, and so forth. The switching component may disable other processing temporarily. Upon receiving the confirmation from the user, the switching component may send a confirmation communication to complete the transaction.
    Type: Grant
    Filed: June 3, 2015
    Date of Patent: February 27, 2018
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: David J. Steeves, Kim Cameron, Todd L. Carpenter, David Foster, Quentin S. Miller, Gregory D. Hartrell
  • Patent number: 9898603
    Abstract: A configuration scanning system is described herein that scans a system configuration database for malware-related information with less impact on other operations that access the system configuration database. The system employs techniques to reduce the impact on other operations that access the configuration database, including parsing a file-based stored version of the configuration database, accessing the configuration database using opportunistic locking, and caching configuration information obtained by scanning the configuration database. In this way, the system is able to respond to requests from antimalware programs using cached information without impacting other programs using the configuration database. Thus, the configuration scanning system protects a computer system against malware while reducing the burden on the configuration database and on other programs that access the configuration database.
    Type: Grant
    Filed: January 8, 2013
    Date of Patent: February 20, 2018
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Hui Dai, Anil F. Thomas, Catalin D. Sandu
  • Patent number: 9898604
    Abstract: Machine generated event log data which includes events occurring over a window of time is received where each event includes a first node, a second node, and a timestamp. The events are aggregated into a plurality of aggregated graph snapshots. Communities within the plurality of aggregated graph snapshots are identified and community tracking links are determined between communities in the plurality of aggregated graph snapshots. A community that has an anomalous evolution in the plurality of aggregated graph snapshots compared to the evolution of other communities is identified based at least in part on the community tracking links. The communities are displayed where the display includes the community tracking links and identifies the community that has the anomalous evolution.
    Type: Grant
    Filed: October 27, 2015
    Date of Patent: February 20, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Chunsheng Fang, Derek Lin, Teng Wang
  • Patent number: 9894049
    Abstract: A device, system and method for aggregating resources, services or data across a network in which data and services from various source networks can be converted into an internal, aggregatable form (or vice versa) that can be sent to relevant properties or systems on request or through scheduling. The framework of the device, system and method permits scalability and potentially supports any number of users, applications and services.
    Type: Grant
    Filed: October 16, 2014
    Date of Patent: February 13, 2018
    Assignee: EXCALIBUR IP, LLC
    Inventors: Neal Sample, Paul Lo
  • Patent number: 9882722
    Abstract: A system is provided for inside-to-outside or outside-to-inside cryptographic coding that facilitates product authentication along a distribution channel. An association of authenticated, secured codes is generated between inner items (e.g., pharmaceutical doses such as pills, capsules, tablets) and outer items (e.g., packaging containing inner items). For instance, an inner code associated with a first item is used to generate (at least partially) an outer code associated with a second item that contains one or more first items. This process may be repeated multiple times with codes for outer items being a function of codes for inner items. The sequence of items may be authenticated by the dependent relationship between their codes.
    Type: Grant
    Filed: August 12, 2014
    Date of Patent: January 30, 2018
    Assignee: QUALCOMM Incorporated
    Inventors: John Jozwiak, Gregory Gordon Rose, Alexander Gantman
  • Patent number: 9883215
    Abstract: An object of the present invention is to provide a method, a device, programs, and storage media for solving a problem that it is impossible to losslessly compress a digital image while being encrypted, to transmit the digital image, and to expand the digital image at a receiving side to restore the digital image with no artifact. An image or video is subjected to discrete convolution with an encryption key image, to be defocused beyond recognition, thus being encrypted, is further subjected to entropy-coding lossless compression, and is transmitted over the Internet. The compressed image or video is expanded at a receiving side, and iterative operations are performed on the basis of a Bayes probabilistic formula by using the separately-delivered encryption key image, to restore the image or video before encryption.
    Type: Grant
    Filed: November 27, 2014
    Date of Patent: January 30, 2018
    Assignee: Lightron International Co., Ltd.
    Inventor: Mitsuo Eguchi
  • Patent number: 9860057
    Abstract: A data processing system (DPS) supports exchange of digital keys. The DPS comprises a communication module which, when executed by the DPS, is operable to receive, via multiple different network routes, multiple copies of a seed message from a second DPS, as part of a Diffie-Hellman key exchange process with the second DPS, wherein each copy of the seed message includes a seed value. The DPS also comprises a security module which, when executed by the DPS, is operable to perform operations comprising (a) determining a prevalent seed value, based on the multiple copies of the seed message; (b) computing a prevalence metric to indicate how many of the seed messages contained the prevalent seed value; and (c) determining whether a seed exchange portion of the Diffie-Hellman key exchange process has been successfully performed, based on the prevalence metric. Other embodiments are described and claimed.
    Type: Grant
    Filed: December 23, 2014
    Date of Patent: January 2, 2018
    Assignee: Intel Corporation
    Inventors: Ned M. Smith, William C. Deleeuw, Thomas G. Willis
  • Patent number: 9848324
    Abstract: Physical security methods and equipment are applied to mobile devices that use multi-factor authentication mobile apps. Herein, a password management mobile app physically escrows each encrypted password that must be stored into two parts. These are then distributed between two separate, independent physical devices. Only one of those parts is kept only in a separate user gadget like a keyfob. Any reconstitution of each password after decryption requires that the user have on-hand both the mobile device and the separate user gadget. Such reconstitution is one password at a time, and only as needed, and released for use in remote authentication with a master user password entry.
    Type: Grant
    Filed: June 13, 2017
    Date of Patent: December 19, 2017
    Assignee: Intersections Inc.
    Inventors: Mark Abene, Seyed Mojtaba Ghazitabrizi, Konstantin Bokarius, Henry Yei
  • Patent number: 9824231
    Abstract: A computing facility, including a storage management system belonging to a first trust zone having a first privilege level, a metadata management system belonging to a second trust zone having a second privilege level higher than the first privilege level, and a security management system belonging to a third trust zone having a third privilege level higher than or equal to the second privilege level. The storage management system is configured to store multiple content entities, and the metadata management system is configured to manage, for each of the multiple content entities, metadata including a respective content encryption key and a respective retention time, each of the content entities being encrypted by its respective content encryption key. The security management system is configured to manage a master encryption key used to create the respective content encryption keys, and to confirm expiration of the respective retention times.
    Type: Grant
    Filed: December 24, 2014
    Date of Patent: November 21, 2017
    Assignee: International Business Machines Corporation
    Inventors: Michael Factor, Daivid Lebutsch, Alexandra Shulman-Peleg, Tim Waizenegger
  • Patent number: 9819486
    Abstract: A method of implementing a cryptographic operation using a substitution box, comprising: specifying a set of self-equivalent functions for the substitution box; determining the minimum diversification number of the substitution box over the set of self-equivalent functions; comparing the minimum diversification number to a threshold value; including and implementing a cryptographic operation with selected substitution box when the minimum diversification number is greater or equal to a threshold value.
    Type: Grant
    Filed: December 19, 2014
    Date of Patent: November 14, 2017
    Assignee: NXP B.V.
    Inventors: Wil Michiels, Jan Hoogerbrugge
  • Patent number: 9800540
    Abstract: Systems and methods for providing services are disclosed. One aspect comprises detecting a compromised state of a user device, determining a device identifier associated with the user device, locating a service identifier the device identifier, and transmitting the service identifier to the user device.
    Type: Grant
    Filed: March 27, 2012
    Date of Patent: October 24, 2017
    Assignee: Comcast Cable Communications, LLC
    Inventor: Michael John Liam O'Reirdan
  • Patent number: 9787651
    Abstract: A method and a device for setting up a session key between a source entity and a target entity in a communication network comprising a plurality of communicating entities. The method, which relies on the use of symmetrical cryptographic primitives, provides each entity in the session with protection against denial of service attacks by setting up a session in four or five message exchanges.
    Type: Grant
    Filed: March 12, 2014
    Date of Patent: October 10, 2017
    Assignee: COMMISSARIAT A L'ENERGIE ATOMIQUE ET AUX ENERGIES ALTERNATIVES
    Inventors: Aymen Boudguiga, Nouha Oualha, Alexis Olivereau, Christophe Janneteau
  • Patent number: 9779255
    Abstract: Embodiments for preventing data loss and allowing selective access to data include systems and methods that receive a data payload to be stored by the system; split the data payload into a plurality of payload components; secure each of the plurality of payload components; store at least a first of the plurality of payload components at a first repository and at least a second of the plurality of payload components at a second repository; receive a request for access to the data payload; and provide certification that the data payload has not been altered since storing.
    Type: Grant
    Filed: July 23, 2014
    Date of Patent: October 3, 2017
    Assignee: Bank of America Corporation
    Inventor: Manu Jacob Kurian
  • Patent number: 9774590
    Abstract: A client application performs certificate pinning as a means of authenticating the identity of a server. A proxy is interposed in the communications path of the client and the hosting server and provides a proxy security certificate to the client. In response to the client extracting a proxy authentication component from the proxy security certificate, operation of the client is paused and a hosting server authentication component is extracted from a hosting server security certificate. The client operation is resumed, providing the extracted hosting server authentication component to the client, in substitution for the proxy authentication component. Based on receiving the extracted hosting server authentication component, the client authenticates the proxy to receive communications directed to the hosting server.
    Type: Grant
    Filed: December 20, 2016
    Date of Patent: September 26, 2017
    Assignee: International Business Machines Corporation
    Inventors: Emanuel Bronshtein, Roee Hay, Sagi Kedmi
  • Patent number: 9769289
    Abstract: A TCP communication scheme which ensures safe communication up to the communication path near a terminal and eliminates direct attacks from hackers, etc. A terminal (A) and terminal (B) are connected to a relay apparatus (X) and relay apparatus (Y), where the terminal (A) and the terminal (B) are the endpoint terminals positioned at the two ends of a TCP communication connection. The relay apparatuses (X, Y) are each connected to a network (NET). The relay apparatuses (X and Y) are provided so as to be between the terminals (A and B) which had been performing conventional TCP communication, and neither of the relay apparatuses (X and Y) has an IP address. The relay apparatuses (X and Y) take over the TCP connection between the terminal (A) and the terminal (B), divide the connection into three TCP connections, and establish TCP communication.
    Type: Grant
    Filed: October 1, 2013
    Date of Patent: September 19, 2017
    Assignee: MEIDENSHA CORPORATION
    Inventors: Yasushi Tateishi, Tatsuya Okuro, Yasunori Nishibe, Takashi Habutsu
  • Patent number: 9762386
    Abstract: A background module in a multi-tiered encryption system verifies the integrity of keys used to encrypt and decrypt data. Each encryption tier in the system can include a node programmed to service encryption and/or decryption requests, a key store to store encryption keys, and an audit log to store key identifiers. Each computing node may include a background module that continuously or periodically verifies the integrity of keys. For example, the background module may retrieve an identifier in the audit log, retrieve the object stored at a location in the key data store identified by the identifier, decrypt the encrypted key in the object, and use the decrypted key to decrypt the encrypted identifier in the object. The identifier is compared with the decrypted identifier, and if the identifiers do not match, the background module generates an alert indicating that the key is not valid.
    Type: Grant
    Filed: December 19, 2014
    Date of Patent: September 12, 2017
    Assignee: AbeBooks Inc.
    Inventors: Ali Mustafa Nassaje, Julie Anne Margaret Sparrow, Kerry Michael Wright, Erik James Fuller, Volker R. A. Tilgner
  • Patent number: 9754100
    Abstract: Disclosed are various embodiments for replicating authentication data between computing devices. A computing device monitors a first certificate store located on a first client device for a change in a first state of the first certificate store. The computing device updates a record of the first state of the first certificate store with the change in the first state of the first certificate store, wherein the record is stored in a memory of the computing device. The computing device then determines that the first state of the first certificate store differs from a second state of a second certificate store located on a second client device. Finally, the computing device sends an update to the second client device, wherein the update comprises a change set representing a difference between the updated record and the second certificate store.
    Type: Grant
    Filed: December 22, 2014
    Date of Patent: September 5, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: Daniel Wade Hitchcock, Darren Ernest Canavor, Jesper Mikael Johansson
  • Patent number: 9756038
    Abstract: In one example embodiment, the communication system disclosed herein includes an information processing apparatus that acquires address information from a memory device having a free area including the address information and a secure area including account information. The information processing apparatus connects to a resource of a server using the acquired address information. The information processing apparatus causes a security server to acquire the account information from the memory device and transmit the acquired account information to the server such that the server enables a user to access the resource of the server using the account information.
    Type: Grant
    Filed: December 5, 2013
    Date of Patent: September 5, 2017
    Assignee: Sony Corporation
    Inventors: Naoki Miyabayashi, Isao Soma, Takashi Abeno, Yoshihiro Yoneda, Masahiro Sueyoshi
  • Patent number: 9740846
    Abstract: Described herein are devices and techniques for remotely controlling user access to a restricted computer resource. The process includes obtaining an image from a communication device of a user. An individual and a landmark are identified within the image. Determinations are made that the individual is the user and that the landmark is a predetermined landmark. Access to a restricted computing resource is granted based on the determining that the individual is the user and that the landmark is the predetermined landmark. Other embodiments are disclosed.
    Type: Grant
    Filed: May 25, 2015
    Date of Patent: August 22, 2017
    Assignee: ANGEL SECURE NETWORKS, INC.
    Inventor: Fred Hewitt Smith