Abstract: An efficient symmetrical-cryptographic method for using a fast but insecure host to perform encryption/decryption based on a secret key in a secure, but slow hardware token, such as a smartcard or similar device, without revealing the secret key to the host, and such that the ciphertext and plaintext are exactly the same size. The present method is suitable for use in Digital Rights Management and Software Rights Management applications which require precise interchangeability of ciphertext and plaintext in pre-allocated areas of data storage.

Abstract: In one aspect, the present invention is directed to a method for detecting spyware activity, the method comprises the steps of: monitoring outgoing communication data sent from a user's computer; searching for predefined keywords within the communication data; indicating spyware activity in the user's computer by presence of at least one of the predefined keywords within the communication data, the keywords are selected from a group comprising: a signature of the spyware, personal information of the user, an addressee to where the communication data is sent. The method may further comprise: upon detecting a spyware activity in the user's computer, blocking communication from the computer. The method may further comprise removing the spyware. The blocking can be carried out at the user's computer, at the gateway to which the user's computer is connected, etc.

Abstract: A method and system for indicating an executable as Trojan Horse, based on the CRC values of the routines of an executable. The method comprising a preliminary stage in which the CRC values of the routines of known Trojan Horses are gathered in a database, and a stage in which indicating an executable as Trojan Horse is carried out by the correspondence of the CRC values of the routines of said executable to the CRC values of the known Trojan Horses, as gathered in said database. The system comprising means for calculating the CRC values of routines; means for identifying the borders of the routines of an executable; a database system, for storing the CRC values of routines of known Trojan Horses; and means for determining the correspondence between two groups of CRC values, thereby enabling detection of the correspondence of an executable to at least one known Trojan Horse.

Abstract: A method for inspecting a compressed archive file for virus infection without having to decompress the files contained therein. Data in the archive header is used to determine the probability that the compressed archive is infected. Default parameters used for the compression, the compression ratio, the number of files stored in the compressed archive, and the total size of the archive are factors utilized during inspection according to the present invention to detect archives with a high probability of infection, as well as to recognize archives with a low probability of infection. The method is especially beneficial when the archive has been encrypted or password-protected and the files contained therein cannot be decompressed, but is also advantageous when decompression is possible. In addition, use of the present invention avoids the danger of attempting to decompress a malicious archive containing an archive bomb.

Abstract: An efficient symmetrical-cryptographic method for using a fast but insecure host to perform encryption/decryption based on a secret key in a secure, but slow hardware token, such as a smartcard or similar device, without revealing the secret key to the host, and such that the ciphertext and plaintext are exactly the same size. The present method is suitable for use in Digital Rights Management and Software Rights Management applications which require precise interchangeability of ciphertext and plaintext in pre-allocated areas of data storage.

Abstract: A method and system for issuing and redeeming digital coupons for requesting and granting modifications of licensed computer data products. Modifications include versions and configurations of the licensed data product as well as licensing issues related thereto. A product licensor issues authenticated coupons to customer organizations which utilize the licensed data products. The coupons are not necessarily specific to any particular computer or device, data product, version, license or configuration. Coupons can thereby be easily distributed to users within the organization. A user fills out the coupon with a request for the desired modifications and sends the coupon to the licensor, who fulfills the request by sending modification installation code directly to the user, thereby avoiding unnecessary overhead burdens on the organization. Digital coupons may be used in conjunction with external hardware devices (“dongles”) or with internal software licensing modules.

Abstract: A network load-balancing cluster configured to function as a transparent bridge, by connecting the load-balancing nodes in series rather than in parallel, as is done in prior-art configurations. A load-balancing algorithm and method are disclosed, by which each node in the configuration independently determines whether to process a data packet or pass the data packet along for processing by another node. To support this, load-balancing nodes are equipped with both software and hardware data pass-through capabilities that allow the nodes to pass along data packets that are processed by a different nodes.

Abstract: A method and system of computer program modules for extending the cover time of protection for a licensed software product, by increasing the difficulty and time required for an attacker to produce a workable cracked version of the program. When an attack is detected, critical information about the effectiveness of the attack are withheld from the attacker by simulating the behavior of a cracked program, thereby inducing the attacker to prematurely consider the attack successful. Latent license enforcement features are provided, whose activation is suspended until predefined environmental conditions are met.

Abstract: A method for determining if a software program having a protective envelope has been cracked, and signaling an indication thereof. A direct determination is made of whether the protective envelope is intact or has been compromised by an attack, without requiring a license violation to occur. Executable code in the protective envelope generates an envelope confirmation which is validated by executable code in the program itself. Any disabling or separation of the envelope from the program will be detectable by the program at validation time. Provisions are made for a secure envelope confirmation, the use of arguments as input to the confirmation generation, and for incorporating information related to the computer and user to facilitate identifying the attacker. Signaled indications can include network messaging to alert the licensor that the program has been cracked.

Abstract: A method for issuing and updating a software program license for a computer, with a unique identifier data object embedded in the computer and referenced by the license. The unique identifier may also be used with a conventional computer fingerprint. The software program does not run on a computer without a license that references the unique identifier. The license is issued via a server over a network (such as the Internet) and must be regularly updated by the server. When updating, the present unique identifier is sent to the server, to verify that the unique identifier is the latest unique identifier issued for that license. If an unauthorized copy is made for operation on an unlicensed computer, such as by cloning the licensed computer, this is detected when the second computer is updated, because the unique identifier sent with the update request is no longer current.

Abstract: A method for preventing activating a malicious object passing through a checkpoint, and decreasing the overall inspection delay thereof, the method comprising the steps of: (a) at the checkpoint, creating an envelope file, being an executable file comprising: the object; code for extracting the object from the envelope file; and an indicator for indicating the integrity of the object; (b) forwarding the envelope file instead of the object toward its destination, while holding at least a part of the envelope file which comprises the indicator; (c) inspecting the object; and (d) setting the indicator on the envelope file to indicate the inspection result thereof, and releasing the rest of the envelope file.

Abstract: In one aspect, the present invention is directed to a communication interface such as a USB and a Firewire, for transferring data between a peripheral and a host, the interface comprising: a first connector, at the host side, through which the host communicates with the peripheral; a second connector, at the peripheral or at an extension cable connected to the peripheral, through which the peripheral communicates with the host upon mating between the first connector and the second connector; a switch coupled to the second connector, the switch operative for modifying a service provided by the peripheral to the host, and/or a modifying a connectivity between the host and the peripheral. According to a preferred embodiment of the invention, the switch does not harm waterproof characteristic of the peripheral.

Abstract: A method and system for preventing the exploitation of email messages in attacks on computer systems. Invalid formatting is often used by attackers to introduce undesirable content into email, because email handling applications and utilities are often insensitive to deviations from the standards, and invalid formatting can allow undesirable content to go undetected. According to the present invention, an original email message is decomposed into component parts, which are formatted according to email message standards. Format-compliant components are inspected for undesirable content and reassembled into a replacement email message that is sent to the destination of the original email message. Components with undesirable content are sanitized.

Abstract: A method and system for indicating an executable as Trojan Horse, based on the CRC values of the routines of an executable. The method comprising a preliminary stage in which the CRC values of the routines of known Trojan Horses are gathered in a database, and a stage in which indicating an executable as Trojan Horse is carried out by the correspondence of the CRC values of the routines of said executable to the CRC values of the known Trojan Horses, as gathered in said database. The system comprising means for calculating the CRC values of routines; means for identifying the borders of the routines of an executable; a database system, for storing the CRC values of routines of known Trojan Horses; and means for determining the correspondence between two groups of CRC values, thereby enabling detection of the correspondence of an executable to at least one known Trojan Horse.

Abstract: A method of assigning a predetermined IP address to a device for installation on a private network. This IP address can be assigned before installation into any private network without having to be reassigned and without creating addressing conflicts, thereby simplifying the installation process. A registered global IP address is obtained from an Internet Registry and assigned to a multiplicity of devices. Exactly one such device is installed on the private network. The device has an internal router that captures data packets associated with the global IP address, so that this traffic is not put onto a public network connected to the private network. Because the registered global IP address is unique and intended for public networks, no other device on the private network has this address. Thus, the device's assigned IP address is guaranteed not to conflict with existing IP address assignments on the private network.

Abstract: A method for selling a digital product (software, multimedia object, and so forth) having a plurality of modules to a customer, the method comprising the steps of: upon closing a deal with the customer where a first group of the modules have been purchased by the customer and a second group of the modules have not been purchased by the customer: installing the first group of the modules at the customer's site; installing the second group of the modules at the customer's site such that at least one of the modules of the second group is protected by a protection mechanism; monitoring the use of each of the protected modules for indicating the modules as valuable to the customer; upon indicating a module as valuable to the customer: employing an automatic salesman for selling the valued module to the customer.

Abstract: The present invention is directed to a method for serving a plurality of application programs by a security token, the method comprising the steps of: providing to each of said applications a credential for accessing a service provided by said security token, wherein the credential of one application differs from the credential of each of the other applications; upon requesting the service by one of the application programs, authenticating the user thereof; and upon positively authenticating the user by the token, providing the service to the application. The method may further comprise the step of: upon positively authenticating a user: providing to the application a marker; caching the marker; and upon requesting the service by the application program a subsequent time on the session, retrieving the cached user identity information, and presenting the information to the token. According to a preferred embodiment of the invention, the marker remains valid for a time period.

Abstract: A user-computer interaction method for use by a population of flexibly connectible computer systems and a population of mobile users, the method comprising storing information characterizing each mobile user on an FCCS plug to be borne by that mobile user; and accepting the FCCS plug from the mobile user for connection to one of the flexibly connectible computer systems and employing the information characterizing the mobile user to perform at least one computer operation.

Abstract: The present invention is directed to a method for increasing security of a machine as its user searches a web page using a search engine, the method comprising the steps of: classifying the web page by a security rank; and upon presenting a hyperlink to the web page, displaying its security rank along with the hyperlink. The method may further comprise the step of: inspecting the web page. The method may further comprise the step of: cleaning the web page of malicious content. The method may further comprise the step of: storing a cleaned copy of the web page in a cache of the search engine. The method may further comprise the step of: upon invoking the web page by the user's machine via the search engine, accessing the cleaned copy stored on the cache to the user's machine.

Abstract: The present invention is directed to a method for indicating if an executable file is malicious, the method comprising the steps of: indicating if the executable file is packed; and if the executable file is packed, determining the executable file as malicious if the executable file satisfies a maliciousness criterion, such as a size less than 200 KB. According to a preferred embodiment of the invention, indicating if the executable file is packed is carried out by the steps of: for at least one section of the file which is not a resource section: compressing at least a part of the section; and indicating that the executable is packed if the compression ratio as a result of the compressing is less than a threshold (e.g., about 10 percent).