Abstract: Embodiments of the invention provide for user permissions based control of pooled FoD activation keys. In an embodiment of the invention, a method for user permissions based control of pooled FoD activation keys is provided. The method includes pooling one or more authorization codes for access by different end users in activating different features of a set of hardware components using FoD. The method also includes responding to an FoD request to activate one of the features by a particular one of the end users by determining whether or not a pre-defined code usage policy permits the particular one of the end users to use a pooled one of the authorization codes and if permitted according to the pre-defined code usage policy, generating an FoD activation key with the pooled one of the authorization codes and activating the one of the features with the FoD activation key.

Abstract: A system for securely downloading and playing coherent digital content such as music and preventing its play by unauthorized users. The system may include mass server/storage devices for receiving and storing digital content having predetermined gaps; and client devices communicating with the server/storage devices, and providing authorization to proceed. During playing of the digital content by the client devices, the missing gaps may be filled into the appropriate places, to allow the play of the coherent digital content.

Abstract: An engine identifying segments or portions of one source material or source file common to or found in another source material or file. The engine may receive a first data stream in binary form as well as a second stream in binary form. The engine may include a data stream processor or pre-processor programmed to translate the first and second data streams to generate respective first and second processed data streams. The commonality between the first and second processed data streams may be greater than the commonality between the first and second data streams themselves. Also, a comparator may be programmed to compare the first and second process data streams and identify binary segments found in both the first and second processed data streams.

Abstract: A method of securely implementing functions in a secure software application, including: determining, by a processor, two functions to be implemented by the secure software application; generating a first function lookup table; encrypting the first function lookup table; sorting the first function lookup table by encrypted operand; generating a second function lookup table; encrypting the second function lookup table; sorting the second function lookup table by encrypted operand; generating a flattened lookup table from a combination of the encrypted first and second function lookup tables; permutating the flattened table indices e.g. by use of public key cryptography encryption; and sorting the flattened table by the permutated flattened table indices.

Abstract: A protection method for an electronic device includes generating a control command using a processor of the electronic device when it is determined to acquire information of a current user of the electronic device. The electronic device is controlled to acquire the information of the current user and to acquire data of the electronic device according to the control command. The acquired information is stored. The acquired information and the acquired data is transmitted to the server.

Abstract: An image processing apparatus transmits, after reception of a login notification of an authenticated user, the login notification to an identified application, and then changes displaying of a screen of a display unit to displaying of an initial screen corresponding to the identified application. After the displaying of the display unit has been changed to the displaying of the initial screen, the image processing apparatus transmits the login notification to, among applications belonging to a first group, an application to which the login notification has not been transmitted, and applications belonging to a second group.

Abstract: User sessions are authenticated based on locations associated with a user account used for sending a request for creating a session. Examples of locations of a source of a request include a geographical location, a network address, or a machine cookie associated with a device sending the request. Locations of the request are compared with stored safe locations associated with the user account and a suspiciousness index is determined for the session. The level of authentication required for the session is determined based on the suspiciousness index. Locations are associated with a reputation based on past history of sessions originating from the locations. A location associated with a history of creating suspicious session is considered an unsafe location. Reputation of the location originating the session is used to determine the level of authentication required for the session.

Abstract: A system, a medium, and a method involve a communication interface of a server device that receives first activity data associated with a first activity of an account and second activity data associated with a second activity of the account. A processor of the server device determines a first location of the first activity from the first activity data and a second location of the second activity from the second activity data. An authentication circuit of the server device determines a first authentication of the first activity based at least on the first activity data. The authentication circuit determines a second authentication of the second activity based on at least one of the first authentication, the first location, and the second location. A transmitter of the communication interface transmits an indication of the second authentication to a client device.

Abstract: An authentication system and method thereof capture an image of a user and extract biometric features of the user from the image to determine whether a stored biometric feature matches with the extracted biometric features. If there is a match, an interactive information is generated to invite the user to perform actions shown or specified or described by the interactive information. The user will be authenticated if an action of the user matches the required action in a timely fashion. An electronic device using the same is also provided.

Abstract: An electronic device comprises a CPU, and a touch-sensitive screen operable to display a plurality of keys. Each of the plurality of keys are associated with and exhibit a predetermined value, where the keys are arranged so that the predetermined values of the keys are displayed in a random manner. The predetermined values of the plurality of keys have different predetermined display characteristics associated therewith so that the plurality of keys have varied appearances.

Abstract: Methods for enabling pattern-based user authentication are described. During a registration phase for establishing user credentials, an end user of a computing device may select a matrix size for a matrix and select a shape of a shape size. The matrix of the matrix size may then be displayed and the shape of the shape size may be displayed such that the shape appears to overlay the matrix. The end user may move the shape over the matrix and as the shape is moved, the symbols of the matrix may be updated such that symbols arranged inside the boundary of the shape are not repeated, while one or more symbols arranged outside of the boundary of the shape are repeated. The order of symbols selected by the end user inside the boundary of the shape may be used to determine a pattern-based password.

Abstract: A method and system for using multi-level passwords is provided. The method includes receiving a request for access to a first level of access associated with secure components associated with a device of a user. In response, a portion of a passcode is received. The portion of the passcode does not include an entire portion. The portion of the passcode is compared to security group policy it is determined that the portion of the passcode meets requirements the security group policy. Access is enabled to a group of components of secure components based on the security requirements. The group of components is associated with the first level of security access.

Abstract: A method and apparatus for configuring identity federation configuration. The method includes: acquiring a set of identity federation configuration properties of a first computing system and a set of identity federation configuration properties of a second computing system; identifying one or more pairs of associated properties in the first and the second sets, where the pairs of associated properties include one property from each set of identity federation configuration; displaying, properties that need to be configured manually from the each sets of identity federation configuration properties, where the properties that need to be configured manually do not include the property in any pair of associated properties for which the value can be derived from the value of another property in the pair; automatically assigning a property that can be derived from the value of another property; and providing each computing systems with each set of identity federation properties.

Abstract: A template of a biometric attribute for use with a biometric recognition device includes a long term component and a short term component. The long term component can include a plurality of nodes that each represents at least a portion of the biometric attribute. The short term component may include one or more newly captured nodes that each represents at least a portion of the biometric attribute.

Abstract: Methods, media, and systems for detecting attack are provided. In some embodiments, the methods include: comparing at least part of a document to a static detection model; determining whether attacking code is included in the document based on the comparison of the document to the static detection model; executing at least part of the document; determining whether attacking code is included in the document based on the execution of the at least part of the document; and if attacking code is determined to be included in the document based on at least one of the comparison of the document to the static detection model and the execution of the at least part of the document, reporting the presence of an attack.

Abstract: Corruption of program stacks is detected by using guard words placed in the program stacks. A called routine executing on a processor checks a guard word in a stack frame of a calling routine. The checking determines whether the guard word has an expected value. Based on determining the guard word has an unexpected value, an indication of corruption of the stack frame is provided. Some routines, however, may not support use of guard words. Thus, routines that are interlinked may have differing protection capabilities. In this situation, a determination may be made as to whether a caller routine supports guard word protection. Based on determining that the caller routine supports guard word protection, the called routine verifies the guard word.

Abstract: Among other disclosed subject matter, a computer-implemented method includes changing access permission level associated with a descriptor table responsive to request to update the descriptor table. In some implementation, before receiving the request to update, the descriptor table is maintained in a read-only state; and changing the access permission level comprises: allowing write access to the descriptor table responsive to determining that the update request is authorized.

Abstract: In one example, a mobile device includes a network interface configured to receive data for an application including a set of application permissions describing elements of the mobile device to which the application will have access upon installation of the application, and a processing unit configured to determine a type for the application and, based on an analysis of the set of application permissions and the type for the application, determine whether the application includes malware.

Abstract: In one example, a management server is configured to provide malware protection for one or more client mobile platforms in communication with the management server via a mobile network. In the example, the management server includes a processor configured to detect malware in the mobile network, select a client mobile platform having a malware scanning agent, and, manage the malware scanning agent of the client mobile platform using a device independent secure management protocol based at least in part on the malware detected in the mobile network.

Abstract: The hash value for an entire system file partition for storing firmware of an information processing apparatus is calculated. Alteration of the firmware is detected based on the hash value.

Abstract: A device includes storage hardware to store a secret value and processing hardware coupled to the storage hardware. The processing hardware is to receive an encrypted data segment with a validator and derive a decryption key using the secret value and a plurality of entropy distribution operations. The processing hardware is further to verify, using the received validator, that the encrypted data segment has not been modified. The processing hardware is further to decrypt the encrypted data segment using the decryption key to produce a decrypted data segment responsive to verifying that the encrypted data segment has not been modified.

Abstract: The use of one or more device health values to indicate the health status of a computing device may enable operating system developers to directly manage the security configuration of the computing device. The generation of a device health value involves initializing hardware components of a computing device and loading the operating system according to configuration settings during boot up of the computing device. The device health value is then generated based on a state of the hardware component and/or a state of a software stack that includes the operating system at boot up. The device health value may be compared to a reference health value to determine whether the computing device is in a secured state.

Abstract: This disclosure describes systems and methods for profiling user behavior through biometric identifiers. A first biometric identifier associated with a first user of a user device may be captured. The first user may be identified based at least in part on the first biometric identifier. The first request for content and first information retrieved from the user profile may be transmitted. First data that corresponds to the first request for content may be received. A second biometric identifier associated with a second user of the user device may be captured during an active session associated with the first user profile. The second user may be identified based at least in part on the second biometric identifier. A second request for content and second information retrieved from the second user profile may be transmitted. A second data corresponding to the second request for content may be received.

Abstract: Methods and devices for providing a private page are provided. A method includes operations of entering a security mode based on a user input; extracting the private page that corresponds to the security mode; and providing both the private page and a normal page that is provided during a normal mode, wherein the private page includes at least one object that is selected by a user so as to be provided during the security mode. A device includes a user input configured to receive a user input; a controller configured to enter a security mode based on the received user input, and extracting a private page that corresponds to the security mode; and a display configured to provide both the private page and a normal page that is provided during a normal mode, wherein the private page comprises at least one object that is selected by a user so as to be provided during the security mode.

Abstract: A method for improving the functional security and increasing the availability of an electronic control system, particularly a motor vehicle control system, including hardware components and software components, wherein the hardware components are abstracted by at least one basis software component and/or a runtime environment, and in which an implemented security concept describes two or more software levels, wherein a first software level includes control functions of an application software and a second software level is designed as functional monitoring, for safeguarding against control function faults, wherein a data encryption, provided by at least one hardware component, and/or a data signature for securing the data of at least one communication channel of the hardware component is used with at least one first software component. The invention additionally describes an electronic control system for performing the method.

Abstract: Mitigating return-oriented programming attacks. From program code and associated components needed by the program code for execution, machine language instruction sequences that may be combined and executed as malicious code are selected. A predetermined number of additional copies of each of the selected machine language instruction sequences are made, and the additional copies are marked as non-executable. The machine language instruction sequences and the non-executable copies are distributed in memory. If a process attempts to execute a machine language instruction sequence that has been marked non-executable, the computer may initiate protective action.

Abstract: Techniques for implementing a secure graphics architecture are described. In one embodiment, for example, an apparatus may comprise a processor circuit and a graphics management module, and the graphics management module may be operative to receive graphics information from the processor circuit, generate graphics processing information based on the graphics information, and send the graphics processing information to a graphics processor circuit arranged to generate graphics display information based on the graphics processing information. In this manner, security threats such as screen capture attacks and/or theft of content protected media streams may be reduced. Other embodiments may be described and claimed.

Abstract: Systems and methods for enhancing security of single sign-on are described. These systems and methods can reduce the amount of sensitive information stored on a client device while still providing single sign-on access to shared resources such as virtual desktops or Terminal Servers. For example, storage of authentication information on client devices can be avoided while still allowing client devices to connect to the shared resources. Instead, such information can be stored at a broker server that brokers connections from client devices to the shared resources. The broker server can facilitate more secure single sign-on by providing a single-use ticket to a client device that authenticates with the broker server. The client device can use this single-use ticket to authenticate with a shared resource.

Abstract: Approaches are described for security and access control for computing resources. Various embodiments utilize metadata, e.g., tags that can be applied to one or more computing resources (e.g., virtual machines, host computing devices, applications, databases, etc.) to control access to these and/or other computing resources. In various embodiments, the tags and access control policies described herein can be utilized in a multitenant shared resource environment.

Abstract: A method is described to maintain (including generate) an inventory of a system of a plurality of containers accessible by a computer system. At least one container is considered to determine whether the container is executable in at least one of a plurality of execution environments characterizing the computer system. Each execution environment is in the group comprising a native binary execution environment configured to execute native machine language instructions and a non-native execution environment configured to execute at least one program to process non-native machine language instructions to yield native machine language instructions. The inventory is maintained based on a result of the considering step. The inventory may be used to exercise control over what executables are allowed to execute on the computer system.

Abstract: An information processing apparatus includes a determination unit, an operator change unit, and an image change unit. The determination unit determines whether or not an image displayed on a display unit of a portable information processing apparatus has been rotated. The operator change unit changes an operator of the information processing apparatus, when the determination unit determines that the image has been rotated. The image change unit changes the image displayed on the display unit of the information processing apparatus on the basis of the operator who has been changed by the operator change unit.

Abstract: Systems and methods for accessing data secured and encrypted using a file system manager are disclosed. One method includes determining whether a community of interest (COI) key obtained from a security appliance matches a COI key associated with a file structure managed by the file system manager that is the subject of a file system request issued by a caller. The method further includes identifying an entry included in a key bank associated with the COI key and the file structure that is the subject of the file system request, the key bank storing encrypted versions of a metadata key. The method also includes decrypting the metadata key using the COI key, decrypting at least one block encryption key using the metadata key, and decrypting a block of data associated with the at least one block encryption key.

Abstract: Methods and systems are presented of presenting false and/or decoy content to an intruder operating on a computer system by obfuscating critical files on a computer storage device with data that directs subsequent infiltration and propagation to designated decoy hosts and decoy applications. Method and systems are provided for selectively presenting different contents to different viewers/users of application resource files for the purpose of preventing the valuable content from being read, tampered with, exfiltrated, or used as a means to perform subsequent attacks on network resources.

Abstract: A system receives a request to store a document in a database, receives a user security token, analyzes the document to determine an adjudicated security level for the document, compares the user security token to the adjudicated security level, stores the document when the user security token is equal to the adjudicated security level, when the user security token is not equal to the adjudicated security level, queries the user as to whether the document should be stored with the adjudicated security level, receives a response to the query from the user, stores the document when the user agrees to store the document with the adjudicated security level, and when the user does not agree to store the document with the adjudicated security level, transmits a message to a security officer and quarantine the document.

Abstract: Techniques are described for applying data usage policies through data tagging. A metadata tag may be applied to data to indicate a type of the data. In some cases, the tag may be applied to the data when the data is decrypted, and the tag may propagate with the data as the data is passed between processes. A software module may include control logic that is configured to apply data usage policies based on the type tag of data. When the software module attempts an action on the data, such as storing or communicating the data, the control logic may access policy information. Based on the policy information, the control logic may allow the action, prevent the action, or allow the action to proceed on a modified version of the data.

Abstract: The invention relates to a method for a computer system storing electronic objects being defined by metadata items. The method comprises deriving access rights from one or more security components originating from respective metadata items of at least one object, and determining the effective access rights for the object by means of the security components. The invention also relates to a method for a computer system storing electronic objects being defined by metadata items, wherein access rights for an object are determined by means of one or more pseudo-users. The invention also relates to an apparatus, a computer system and a computer readable medium comprising a computer program stored therein for carrying out the methods.

Abstract: The described embodiments relate to methods, systems, and products for providing verification code recovery and remote authentication for a plurality of devices configured for electronic communication with a server. Specifically, in the methods, systems, and products, the user entrusts information about the user's verification code to the service provider, and only with cooperation between the user and the service provider can a lost verification code be recovered. The service provider can further authenticate the user before cooperating in the recovery process by way of a time-sensitive authentication sequence that involves the user device.

Abstract: In one example, a method for validating a user includes transmitting, to a management server, a request for a shared secret, and receiving, from the management server, the shared secret. Next, the shared secret received from the management server is compared to a secret identified in a user request for access to a backup of data associated with a computing device. The user is granted access to the backup when the shared secret identified by the user matches the shared secret obtained from the management server, and the user is denied access to the backup when the shared secret identified by the user does not match the shared secret obtained from the management server.

Abstract: According to one embodiment of the present invention, a system for protecting data determines a desired duplication rate based on a level of desired anonymity for the data and generates a threshold for data records within the data based on the desired duplication rate. The system produces a data record score for each data record based on comparisons of attributes for that data record, compares the data record scores to the threshold, and controls access to the data records based on the comparison. Embodiments of the present invention further include a method and computer program product for protecting data in substantially the same manners described above.

Abstract: According to one embodiment of the present invention, a system for protecting data determines a desired duplication rate based on a level of desired anonymity for the data and generates a threshold for data records within the data based on the desired duplication rate. The system produces a data record score for each data record based on comparisons of attributes for that data record, compares the data record scores to the threshold, and controls access to the data records based on the comparison. Embodiments of the present invention further include a method and computer program product for protecting data in substantially the same manners described above.

Abstract: An exemplary system that includes a computing device that stores an abstraction and unification module, the abstraction and unification module being executable by a processor of the computing device to receive from a frontend component a request for information located within a backend component of the computing device and validate that the frontend component is authorized to receive the information specified in the request. The abstraction and unification module may further pass the request to an abstraction engine that extracts the information from the backend component and provides the information extracted from the backend component to frontend component.

Abstract: An embodiment of a method of operating a storage system includes combining a password, a first number, and a number of iterations to produce a first key, encrypting the first key, receiving a second number, and encrypting the second number with the first key to produce an encrypted second key.

Abstract: A trusted computing host is described that provides various security computations and other functions in a distributed multitenant and/or virtualized computing environment. The trusted host computing device can communicate with one or more host computing devices that host virtual machines to provide a number of security-related functions, including but not limited to boot firmware measurement, cryptographic key management, remote attestation, as well as security and forensics management. The trusted computing host maintains an isolated partition for each host computing device in the environment and communicates with peripheral cards on host computing devices in order to provide one or more security functions.

Abstract: A download security system (100) includes a server (102) and an information processing apparatus (10). The information processing apparatus (10) includes a flash memory (64) for storing data downloaded from the server (102) and a memory controller (62). A transition command for a transition to a writable mode to the flash memory (64) is transmitted from the server (102), and in response to the transition command, a memory controller (62) makes a transition to the writable mode. The data downloaded from the server (102) is written to the flash memory (64) by the memory controller (62) in the writable mode.

Abstract: The invention is directed to systems and methods for detecting the loss, theft or unauthorized use of a device and/or altering the functionality of the device in response. In one embodiment, a device monitors its use, its local environment, and/or its operating context to determine that the device is no longer within the control of an authorized user. The device may receive communications or generate an internal signal altering its functionality, such as instructing the device to enter a restricted use mode, a surveillance mode, to provide instructions to return the device and/or to prevent unauthorized use or unauthorized access to data. Additional embodiments also address methods and systems for gathering forensic data regarding an unauthorized user to assist in locating the unauthorized user and/or the device.

Abstract: A decodable indicia reading terminal can comprise a multiple pixel image sensor, an imaging lens configured to focus an image of decodable indicia on the image sensor, an analog-to-digital (A/D) converter configured to convert an analog signal read out of the image sensor into a digital signal, a communication interface, and a microprocessor configured to output decoded message data corresponding to the decodable indicia by processing the digital signal. The decodable indicia reading terminal can be configured, responsive to a triggering event, to transmit via the communication interface a decoding result and an indicia readability rating. The triggering event can be provided by a failure to detect decodable indicia, the indicia readability rating being less than a pre-defined threshold, exceeding a pre-defined time period to decode decodable indicia, a user interface action, and a command received via said communication interface.

Abstract: Approaches provide for a mobile point-of-sale system configured to facilitate the transfer of funds between entities (e.g., customers and merchants). A card reader can include two different types of slots configured for conducting a financial transaction between entities. A first slot can allow for a magnetic stripe element of a card to be swiped. A second slot can include contact elements which allow the card to be “dipped in”. In this way, the device can receive a swipe and/or a “dipping” of a card into a respective slot for conducting a financial transaction.

Abstract: A card reader may include a card insertion part which is formed with an insertion port into which the card is inserted; and a magnetic sensor which is provided in the card insertion part and is structured to detect whether magnetic data are recorded on the card or not. The magnetic sensor may be disposed so as to secure a space between the card inserted into the insertion port and the magnetic sensor. The magnetic data may be arranged in a longitudinal direction of the card. When viewed in a thickness direction of the card which is inserted into the insertion port, a magnetism detection direction of the magnetic sensor may be inclined with respect to a direction perpendicular to the longitudinal direction.

Abstract: A card reader for use with a card incorporated with an IC chip may include an insertion port into which the card is inserted; a metal detection mechanism structured to detect an external connection terminal of the IC chip provided in the card; and a tip end detection mechanism structured to detect a tip end in an inserting direction of the card inserted into the insertion port. The metal detection mechanism and the tip end detection mechanism may be disposed so that, when the tip end detection mechanism detects the tip end in the inserting direction of the card inserted into the insertion port in a correct posture, the metal detection mechanism detects the external connection terminal.

Abstract: An information processing apparatus, including a reading apparatus which reads an electronic recording card, is disclosed. The apparatus includes a reading unit which reads the electronic recording card via the reading apparatus and obtains read information; a generating unit which generates user management information of a user who owns the electronic recording card based on the read information obtained by the reading unit; and a holding unit which holds the user management information generated by the generating unit in a predetermined storage area.