Patents Examined by Tri Tran
  • Patent number: 9392022
    Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to measure compliance of a virtual computing environment. An example method disclosed herein includes determining, with a processor, a maximum surprisal value of a policy to be enforced on a computing resource in a computing environment, the maximum surprisal value corresponding to a probability of the computing resource being in-compliance with the policy without testing the computing resource with respect to the policy, determining a current surprisal value of the computing resource with respect to the policy based on knowledge of at least one condition of policy being at least one of satisfied by or inapplicable to the computing resource, and determining a compliance score of the computing resource with respect to the policy based on the maximum surprisal value of the policy and the current surprisal value of the computing resource with respect to the policy.
    Type: Grant
    Filed: October 31, 2013
    Date of Patent: July 12, 2016
    Assignee: VMware, Inc.
    Inventors: Gregory A. Frascadore, Robert Helander, James Sullivan, Rebecca Smith
  • Patent number: 9391986
    Abstract: An approach for multi-sensor multi-factor identity verification. An identity verification platform determines biometric data associated with a user from one or more sources. The one or more sources are associated with one or more respective network sessions. The platform generates one or more respective trust scores for the one or more sources, the one or more respective network sessions, or a combination thereof based on one or more contextual parameters associated with the user, the one or more sources, the one or more respective network sessions, or a combination thereof. Then the platform verifies an identity of the user based on the biometric data and the one or more respective trust scores.
    Type: Grant
    Filed: May 31, 2013
    Date of Patent: July 12, 2016
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Paul T. Schultz, Mark J. Hahn, Robert A. Sartini, Jeffrey H. Swinton
  • Patent number: 9379892
    Abstract: A system and method for securing processing devices includes a police bridge disposed in one or more data busses between a central processing and input/output peripherals, components or components. The police bridge is suitably disposed between northbridge logic and southbridge logic. Alternatively, or in addition to such placement, a police bridge is suitably placed between southbridge logic and super I/O logic. A police bridge is suitably a system-on-chip or fixed or programmable hardware. The police bridge monitors or controls its associated bus to determine whether acceptable data, with an associated certificate in other embodiments, is being communicated and signaling is generated accordingly.
    Type: Grant
    Filed: May 30, 2013
    Date of Patent: June 28, 2016
    Assignee: Toshiba America Electronic Components, Inc.
    Inventor: Rakesh Sethi
  • Patent number: 9367341
    Abstract: A mechanism for automatically encrypting and decrypting virtual disk content using a single user sign-on is disclosed. A method of embodiments of the invention includes receiving credentials of a user of a virtual machine (VM) provided as part of a single sign-on process to access the VM, referencing a configuration database with the received credentials of the user, determining encryption and decryption policy settings for the VM from the configuration database, and at least one of encrypting or decrypting, by the VM, files of the VM based on the determined encryption and decryption policy settings.
    Type: Grant
    Filed: March 30, 2010
    Date of Patent: June 14, 2016
    Assignee: Red Hat Israel, Ltd.
    Inventors: Dor Laor, Izik Eidus
  • Patent number: 9361469
    Abstract: A customer support application provides screen sharing of the user's computing device with a remote customer support agent, thereby enabling the customer support agent to view the content displayed on the user's device. Sensitive information that is displayed on a user's computing device is obfuscated from the computing device of the remote customer support agent, and a notification of that obfuscation is displayed on the user's computing device. Information can be determined to be sensitive based on a sensitive indicator tag or a heuristic.
    Type: Grant
    Filed: March 26, 2014
    Date of Patent: June 7, 2016
    Assignee: Amazon Technologies, Inc.
    Inventors: Pirasenna Thiyagarajan, Donald Loyd Kaufman
  • Patent number: 9351163
    Abstract: A method is provided in one example embodiment and includes establishing a network connection to a central security system in a central network, receiving a message from the central security system, activating a grace window based on the message, and determining whether the grace window has expired. The method further includes deleting, when the grace window expires, one or more objects from the mobile device based on a sanitization policy. In specific embodiments, the network connection is terminated before the grace window expires, and the grace window expires unless the mobile device establishes another network connection with the central security system. In further embodiments, the method includes receiving the sanitization policy from the central security system. The sanitization policy identifies the one or more objects to be deleted from the mobile device when the grace window expires.
    Type: Grant
    Filed: December 26, 2012
    Date of Patent: May 24, 2016
    Assignee: McAfee, Inc.
    Inventors: Simon Hunt, Brian T. Robison
  • Patent number: 9349002
    Abstract: Known malicious Android applications are collected and their functions are extracted. Similarity values are calculated between pairs of functions and those functions with a low similarity value are grouped together and assigned a unique similarity identifier. A common set of functions or common set of similarity identifiers are identified within the applications. If at least one function in the common set is determined to be malicious then the common set is added to a blacklist database either by adding functions or by adding similarity identifiers. To classify an unknown Android application, first the functions in the application are extracted. These functions are then compared to the set of functions identified in the blacklist database. If each function in the set of functions is present (either by matching or by similarity) in the group of extracted functions from the unknown application then the unknown application is classified as malicious.
    Type: Grant
    Filed: May 29, 2013
    Date of Patent: May 24, 2016
    Assignee: Trend Micro Inc.
    Inventors: Lei Zhang, Zhentao Huang, Franson Fang
  • Patent number: 9344419
    Abstract: Systems and methods for user authentication within federated computing systems are provided. In a session, a user can be authenticated multiple times by different authentication methods for different servers of the federated system, however, once the user has been authenticated by any given authentication method, the user need not repeat that method. Systems of the present invention comprise a plurality of servers including an authentication server. The authentication server maintains authentication records for users, where each record includes which authentication methods apply to which servers. When a user first seeks access to a particular server, the server identifies the user and the server to the authentication server. If the user has already been authenticated elsewhere according to the authentication method required by the new server, the authentication server indicates to the new server that the user is authenticated, else the authentication server invokes the necessary authentication method.
    Type: Grant
    Filed: February 27, 2014
    Date of Patent: May 17, 2016
    Assignee: K.Y. TRIX LTD.
    Inventor: Karen Ma
  • Patent number: 9344446
    Abstract: Systems and methods are provided for malware scanning and detection in a computing system. In one exemplary embodiment, the method includes launching, in a computing device of the computing system, a virtual machine, and launching, in the virtual machine of the computing device, an internet browser. The method also includes requesting, by the internet browser, data from a web page, and performing, using one or more analysis tools, analysis on the web page. In the method, performing analysis on the web page includes performing monitoring and recording of system application programming interface (API) calls, and creating software objects associated with the web page. The method also includes performing antivirus scanning of the software objects, de-obfuscating JavaScript associated with the software objects, and correlating data associated with the performed analysis to determine if the web page is a malicious web page.
    Type: Grant
    Filed: September 8, 2014
    Date of Patent: May 17, 2016
    Assignee: VERISIGN, INC.
    Inventors: Ralph Thomas, Michael Lapilla, Trevor Tonn, Gregory Sinclair, Blake Hartstein, Matthew Cote
  • Patent number: 9317712
    Abstract: A broadband gateway may manage confidential data associated with users in a home network managed and/or serviced by the broadband gateway. The broadband gateway may store the user confidential data in a distributed manner, wherein the confidential data may be divided into a plurality of portions and stored separately in multiple storage locations or devices. When users authorize the transfer of the confidential data, all portions may be communicated to enable aggregating them such that the confidential data may be obtained. The user confidential data may be encrypted. The broadband gateway may securely communicate and/or share the user confidential data. This may be achieved by tracking communication of the user confidential data, by using tags incorporated into the data. The broadband gateway may also ensure that communicated confidential data is rendered unusable under certain conditions, based on use for various timing tags for example.
    Type: Grant
    Filed: December 30, 2010
    Date of Patent: April 19, 2016
    Assignee: BROADCOM CORPORATION
    Inventors: Jeyhan Karaoguz, Xuemin Chen, Wael Diab, David Garrett, David Lundgren, Rich Prodan
  • Patent number: 9313172
    Abstract: Systems and methods for providing access to a remote network via an external endpoint are provided. A client establishes a secure connection between an external endpoint and a remote network. Transmissions from clients to the external endpoint are supplemented with additional information regarding handling within the remote network, and then transmitted to an internal endpoint within the remote network. The internal endpoint processes the transmission based on the supplemental information and returns a response to the external endpoint. A response is then returned to the client. Access policies may be created by authorized users to establish processing of client transmissions. These policies may be stored and enforced by the internal endpoint or the external endpoint.
    Type: Grant
    Filed: June 29, 2011
    Date of Patent: April 12, 2016
    Assignee: Amazon Technologies, Inc.
    Inventor: Eric Jason Brandwine
  • Patent number: 9292707
    Abstract: A computer-implemented method for de-identifying data by creating tokens through a cascading algorithm includes the steps of processing at least one record comprising a plurality of data elements to identify a subset of data elements comprising data identifying at least one individual; generating, with at least one processor, a first hash by hashing at least one first data element with at least one second data element of the subset of data elements; generating, with at least one processor, a second hash by hashing the first hash with at least one third data element of the subset of data elements; creating at least one token based at least partially on the second hash or a subsequent hash derived from the second hash, wherein the token identifies the at least one individual; and associating at least a portion of a remainder of the data elements with the at least one token.
    Type: Grant
    Filed: May 30, 2014
    Date of Patent: March 22, 2016
    Assignee: Management Science Associates, Inc.
    Inventor: Tony Fontecchio
  • Patent number: 9282106
    Abstract: Apparatuses, computer readable media, and methods establishing and maintaining trust between security devices for distributing media content are provided. Two security devices bind to establish an initial trust so that security information can be exchanged. Subsequently, trust is refreshed to verify the source of a message is valid. In an embodiment, the security devices may comprise a security processor and a system on a chip (SoC) in a downloadable conditional access system. Trust may be refreshed by a security device inserting authentication information in a message to another security device, where authentication information may assume different forms, including a digital signature (asymmetric key) or a hash message authentication code (HMAC). Trust may also be refreshed by extracting header information from the message, determining state information from at least one parameter contained in the header information, and acting on message content only when the state information is valid.
    Type: Grant
    Filed: February 20, 2009
    Date of Patent: March 8, 2016
    Assignee: Comcast Cable Communications, LLC
    Inventors: James W. Fahrny, Nancy L. Davoust
  • Patent number: 9282084
    Abstract: A method and apparatus for providing a temporary identity module to a device (1) in a communication network. An RO Server (2) receives a request for an identity module (51) from the device (1). It then obtains an identity module and generates an encryption key (S4, S5). The encryption key is partitioned into a plurality of slices such that no slice comprises the whole encryption key (S6). Each slice is sent (S8, S9) to respective further devices (10, 11) accessible by the server (2) such that no single further device (10, 11) receives sufficient slices to reconstruct the encryption key. A location key is generated (S10) that identifies each slice and the further device (10, 11) to which each slice has been sent. The identity module is encrypted using the encryption key (S11) and sent to the device (1) along with the location key (S12). The device (1) can subsequently use the location key to obtain the slices and reconstruct the encryption key.
    Type: Grant
    Filed: December 7, 2010
    Date of Patent: March 8, 2016
    Assignee: Telefonaktiebolaget L M Ericsson (publ)
    Inventors: Johan Hjelm, Michael Åström, Gerardo Montero Arizmendi
  • Patent number: 9276734
    Abstract: A client executes processing for data encryption by adding an error vector to plaintext, the error vector being not larger than a predetermined criterion and processing for sending limitation information to a server, the limitation information being formed from a sublattice basis of a lattice generated by a secret key. The server executes processing for receiving the limitation information and storing it in a storage device and in the homomorphic computation processing on the encrypted data received from the client, processing for, when a bit length of ciphertext which is a result of the homomorphic computation processing is equal to or larger than a predetermined value, reducing the bit length of the ciphertext to a value not larger than a predetermined threshold by translating a vector of the ciphertext to an inside of a region formed from the sublattice basis corresponding to the stored limitation information.
    Type: Grant
    Filed: September 27, 2011
    Date of Patent: March 1, 2016
    Assignee: Hitachi, Ltd.
    Inventor: Ken Naganuma
  • Patent number: 9230630
    Abstract: One feature pertains to a method for implementing a physically unclonable function (PUF). The method includes providing an array of magnetoresistive random access memory (MRAM) cells, where the MRAM cells are each configured to represent one of a first logical state and a second logical state. The array of MRAM cells are un-annealed and free from exposure to an external magnetic field oriented in a direction configured to initialize the MRAM cells to a single logical state of the first and second logical states. Consequently, each MRAM cell has a random initial logical state of the first and second logical states. The method further includes sending a challenge to the MRAM cell array that reads logical states of select MRAM cells of the array, and obtaining a response to the challenge from the MRAM cell array that includes the logical states of the selected MRAM cells of the array.
    Type: Grant
    Filed: November 5, 2013
    Date of Patent: January 5, 2016
    Assignee: QUALCOMM Incorporated
    Inventors: Xiaochun Zhu, Steven M. Millendorf, Xu Guo, David M. Jacobson, Kangho Lee, Seung H. Kang, Matthew Michael Nowak
  • Patent number: 9230076
    Abstract: In embodiments of mobile device child share, a mobile device can display a default device lock screen on an integrated display device, and receive an input effective to transition from the default device lock screen to display a child lock screen without receiving a PIN code entered on the default device lock screen. The mobile device can receive a second input effective to transition from the child lock screen to display a child space. The mobile device implements a device share service that activates a child share mode of the mobile device, and restricts functionality of device applications and access to device content based on designated restriction limits.
    Type: Grant
    Filed: December 22, 2012
    Date of Patent: January 5, 2016
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Joseph Spencer King, Shawn M. Thomas, Michael Burt Goulding, Todd Myles Derksen, Aaron Naoyoshi Sheung Yan Woo, Bernardo Iturriaga Dubost, Alan Bennett Auerbach, David A. Braun, Andrew P. Begun, Andrew Craig Haon
  • Patent number: 9214214
    Abstract: One feature pertains to a method of implementing a physically unclonable function (PUF). The method includes exposing an array of magnetoresistive random access memory (MRAM) cells to an orthogonal external magnetic field. The MRAM cells are each configured to represent one of a first logical state and a second logical state, and the orthogonal external magnetic field is oriented in an orthogonal direction to an easy axis of a free layer of the MRAM cells to place the MRAM cells in a neutral logical state that is not the first logical state or the second logical state. The method further includes removing the orthogonal external magnetic field to place each of the MRAM cells of the array randomly in either the first logical state or the second logical state.
    Type: Grant
    Filed: November 5, 2013
    Date of Patent: December 15, 2015
    Assignee: QUALCOMM Incorporated
    Inventors: Xiaochun Zhu, Steven M. Millendorf, Xu Guo, David M. Jacobson, Kangho Lee, Seung H. Kang, Matthew Michael Nowak
  • Patent number: 9202065
    Abstract: An owner of sensitive data is provided with a notification that the sensitive data has been located. To achieve this, the sensitive data is first modified to include one or more data strings that may appear to be suspect but are otherwise benign. These data strings, which are referred to herein as benign pseudo virus signatures (BPVSs), preferably are embedded throughout a piece of sensitive data according to a frequency distribution. When the sensitive data is examined by virus checking software, the benign pseudo virus signatures are detected as potential computer viruses. By using information associated with the signatures, the owner is identified, preferably using the assistance of an intermediary entity that acts as a registry for the BPVSs. Once the owner is identified, a notification is provided to the owner that the sensitive data has been located. Appropriate remedial action can then be taken.
    Type: Grant
    Filed: May 28, 2013
    Date of Patent: December 1, 2015
    Assignee: GLOBALFOUNDRIES Inc.
    Inventor: Robert John McCormack
  • Patent number: 9191274
    Abstract: Systems and methods for push button configuration of devices are provided. One system comprises one or more circuits configured to determine that a configuration button on the second device has been activated and determine whether a configuration button has been activated on a first device or a third device within a time interval from a time at which the button on the second device is activated. The circuits are configured to, in response to determining that the configuration button has been activated on either the first device or the third device within the time interval, allow the second device to be authenticated. The circuits are configured to, in response to determining that the configuration button has not been activated on either the first device or the third device within the time interval, prevent admission of the second device. The network may be a wired network, such as a MoCA network.
    Type: Grant
    Filed: October 13, 2014
    Date of Patent: November 17, 2015
    Assignee: BROADCOM CORPORATION
    Inventors: Philippe Klein, Avi Kliger, Yitshak Ohana