Abstract: A system and method for encrypting and/or decrypting data with a Cryptomeria (C2) cipher may be provided that generates C2 round keys in parallel. Accordingly, data may be encrypted or decrypted at least twice as fast as without the system. A storage device may encrypt data written to the storage device and/or decrypt data read from the storage device with such a system.

Abstract: An information processing apparatus capable of communicating with a document management service and a terminal device, the apparatus comprises: acceptance means for accepting, from the terminal device, an instruction about a document stored in the document management service; and instruction means for, when the document file has not been encrypted according to a public key cryptosystem, transmitting an instruction to the document management service to execute processing corresponding to the instruction accepted by the acceptance means, and when the document file has been encrypted according to the public key cryptosystem, transmitting an instruction to the document management service to directly transmit the encrypted document to the terminal device.

Abstract: An apparatus comprising a memory, a processor coupled to the memory, wherein the memory contains instructions that when executed by the processor cause the apparatus to receive an information centric network (ICN) name prefix announcement message comprising a message prefix specific to a publisher, a public key certificate specific to the content publisher, and a signature specific to the content publisher, verify the signature with a name registration service (NRS), and update internal data indicating that the content publisher is a trusted publisher, wherein the internal data comprises the prefix, the public key, and the signature.

Abstract: Systems and methods for providing sensitive data protection in a virtual computing environment. The systems and methods utilize a sensitive data control monitor on a virtual appliance machine administering guest virtual machines in a virtual computing environment, wherein each of the guest virtual machines may include a local sensitive data control agent. The sensitive data control monitor generates encryption keys for each guest virtual machine which are sent to the local sensitive data control agents and used to encrypt data locally on a protected guest virtual machine. In this manner the data itself on the virtual (or physical) disc associated with the guest virtual machine is encrypted while access attempts are gated by a combination of the local agent and the environment-based monitor, providing for secure yet administrable sensitive data protection.

Abstract: A computer-readable medium encoded with software for execution. When executed, the software may be operable to send to a remote server, from an agent application, a request for a first access credential. The software may also be operable to receive from the remote server, the first access credential. The software may further be operable to determine, by the agent application monitoring a managed application, that the managed application requires a second access credential. The software may additionally be operable to, in response to the determination that the managed application requires the second access credential, sending to the managed application, from the agent application, the second access credential.

Abstract: Search result poisoning attacks may be automatically detected by identifying groups of suspicious uniform resource locators (URLs) containing multiple keywords and exhibiting patterns that deviate from other URLs in the same domain without crawling and evaluating the actual contents of each web page. Suspicious websites are identified and lexical features are extracted for each such website. The websites are clustered based on their lexical features, and group analysis is performed on each group to identify at least one suspicious group. Other implementations are directed to detecting a search engine optimization (SEO) attack by processing a large population of URLs to identify suspicious URLs based on the presence of a subset of keywords in each URL and the relative newness of each URL.

Abstract: Efficient mechanisms are provided for transferring key objects associated with disk logical unit numbers and tape cartridges from one data center to another data center. A request is received to transfer a source data center key object from a source data center to a destination data center. The source data center key object corresponds to a data block, such as a disk logical unit number (LUN) or a tape cartridge, maintained in a storage area network (SAN) and includes a unique identifier, an encrypted key, and a wrapper unique identifier. The encrypted key is decrypted using a source data center key hierarchy. Key information is transmitted from the source data center to the destination data center. A destination data center key object is generated using a destination data center key hierarchy.

Abstract: A shared data store may be accessible to a plurality of electronic devices and used to share files in a collaboration setting. A shared file is shared by a first electronic device with a second device via a connection between the first electronic device and the shared data store. A coordinating electronic device associated with the shared data store monitors the connection with the first electronic device. If a loss in the connection is detected, the coordinating electronic device may cause access to the shared file to become restricted to the second electronic device responsive to the loss of the connection.

Abstract: A system and method for verifying and/or geolocating network nodes in attenuated environments for cyber and network security applications are disclosed. The system involves an origination network node, a destination network node, and at least one router network node. The origination network node is configured for transmitting a data packet to the destination network node through at least one router network node. The data packet contains a security signature portion, a routing data portion, and a payload data portion. The security signature portion comprises a listing of at least one network node that the data packet travelled through from the origination network node to the destination network node. In addition, the security signature portion comprises geolocation information, identifier information, and timing information for at least one network node in the listing.

Abstract: Embodiments of the present application relate to a method for policy enforcement, a system for policy enforcement, and a computer program product for policy enforcement. A method for policy enforcement is provided. The method includes receiving a host information profile report from a client device, and enforcing a security policy for network access based on the host information profile report. The host information profile report includes device profile information associated with the client device.

Abstract: Embodiments of an invention for cryptographic key generation using a stored input value and a stored count value have been described. In one embodiment, a processor includes non-volatile storage storing an input value and a count value, and logic to generate a cryptographic key based on the stored input value and the stored count value.

Abstract: Methods, apparatuses and storage medium associated digital rights management (DRM) using DRM locker is disclosed herein. In embodiments, a DRM locker is provided to a client device. The DRM locker may be configured to store a number of DRM licenses or keys for a number of DRM protected contents. The DRM locker, on presentation of an associated locker key, may respond to a request for one or more of the stored DRM licenses or keys, to enable consumption of the corresponding DRM protected contents using the client device. Other embodiments may be disclosed or claimed.

Abstract: A method and access node for preventing spoofing while connecting subscribers to an Ethernet network. The access node includes a filter mechanism for filtering packets destined to subscribers attached to the access node. The filter mechanism includes a database of allocated IP destination addresses and MAC addresses. The filter mechanism blocks any packet directed to a subscriber but containing an incorrect IP or MAC address. The mechanism prevents users from changing their address information to illegally appropriate packets from other users or to disguise their identity.

Abstract: A system and method wherein an intermediary process provides access to a restricted object associated with a source process on behalf of a destination process. The intermediary process may be a trusted process that is available as a service to other processes on the computing platform. The intermediary process may assume one or more privileges associated with the source process whereby the restricted object may be accessed by the intermediary process on behalf of the destination process. Secure access to the restricted object and the risk of malicious exploitation are mitigated since the intermediary process is a trusted service that is known to provide specific functionality.

Abstract: Methods, systems, and machine-readable storage medium are described wherein, in one embodiment, identifiers, such as bookmarks, are used to allow access to files or folders in a sandboxed environment. One or more applications are restricted by an access control system, which can be, for example, a trusted software component of an operating system. In one embodiment, the bookmarks or other identifiers allow an application to have access to a file even if the file is renamed or moved by a user while the application has been terminated. In one embodiment, a resource manager, or other trusted access control system, can interact with an application to allow for the use of bookmarks in an environment in which a sandbox application controls access to the files such that each application must make a request to the sandbox application in order to obtain access to a particular file or folder.

Abstract: A method and apparatus for identity consolidation for a plurality of electronic identities is described. In one embodiment, the method includes receiving user identification data extracted from an electronic communication, the user identification data corresponding to an unknown identity of a sender of the electronic communication. The method further includes determining a known identity for the sender using the user identification data extracted from the electronic communication and associating the known identity with the unknown identity of the sender of the electronic communication. In one embodiment, an association between the known identity and the unknown identity is maintained to determine whether parties of subsequent information transfers are authorized to participate in the information transfers.

Abstract: There is provided a method to enable mobile devices to rendezvous on a shared communication service. The method includes steps for creating, via a device, a shared username and a shared password for a private channel in a communication network, determining a unique channel identification (ID) for the private channel based on the shared username and the shared password, and configuring the device with the shared username and the shared password. The method further includes steps for subscribing the device to the private channel using the unique channel ID, transmitting, in response to a discovery request, a self-identification discovery response over the private channel, and broadcasting data between the device and each additional device connected to the private channel.

Abstract: Embodiments described herein are generally directed to methods and devices in which computing devices, and mobile devices in particular, establish a shared encryption key for a device group comprising at least three mobile devices. In accordance with one example embodiment, a public key of a mobile device is computed using a shared password as performed in accordance with authentication acts of a password-authenticated key exchange protocol, and transmitted to at least one other mobile device of the group. A public value is computed as a function of a mobile device private key and of a public key of at least one other mobile device of the device group, in accordance with a group key establishment protocol. The public values of the mobile devices of the device group are used to compute a shared encryption key.

Abstract: Intrusion prevention system (IPS) mode is provided for a malware detection system. At least one staging server is provided for intercepting an incoming electronic message, making a copy of the intercepted incoming electronic message, and holding the intercepted incoming electronic message until an analysis of the copy of the intercepted incoming electronic message has been completed or until a timeout threshold has been exceeded. A malware detection system is coupled to the at least one staging server. The at least one malware detection system includes at least one decomposition server for receiving the copy of the intercepted incoming electronic message and processing the copy of the intercepted incoming electronic message to detect malware. Multiple mail queues, e.g., incoming, timeout, jail, decomposition, and outgoing, are used to manage message flows and delay messages while malware analysis is performed.

Abstract: A secure digital system including a number of ICs that exchange data among each other. Each of the ICs includes a key generator for generating a cipher key; a memory for securely storing the generated cipher key; an authenticating module for authenticating neighboring ICs of a respective IC; an encryption module for encrypting data communicated from the respective IC to the neighboring ICs; and a decryption module for decrypting data received from the neighboring ICs.