Abstract: A method and computer for assessing whether a password can be generated by using characteristics of a physical arrangement of keys of an input device. A received password includes characters corresponding to respective select keys in a sequence of select keys of the input device. For each select key, a final detection frequency is calculated as a sum of an initial detection frequency and an additive correction. A password determination value is calculated as a ratio of a total number of select keys having a final detection frequency equal to a minimum detection frequency and the total number of select keys in the sequence of select keys. A determination of whether the calculated password determination value is, or is not, less than a predetermined threshold value indicates that the password cannot, or can, respectively, be generated by using the characteristics of the physical arrangement of keys of the input device.

Abstract: According to one aspect, the subject matter described herein includes a method for efficient computer forensic analysis and data access control. The method includes steps occurring from within a virtualization layer separate from a guest operating system. The steps include monitoring disk accesses by the guest operating system to a region of interest on a disk from which data is copied into memory. The steps also include tracking subsequent accesses to the memory resident data where the memory resident data is copied from its initial location to other memory locations or over a network. The steps further include linking operations made by the guest operating system associated with the disk accesses with operations made by the guest operating system associated with the memory accessed.

Abstract: A system and method of efficiently inspecting content is provided. Embodiments of the invention may inspect files accessed by an application prior to an activation of the application. Selective inspection of files accessed by an application may be based on a previous inspection. Inspection of files accessed by an application may be postponed or performed concurrently with the access. A prioritized queue may include references to files, a priority may be related to a risk level and an inspection order may be according to a risk level.

Abstract: A system and method by which a host computer system can run executables on behalf of a virtual machine (VM) are disclosed. In accordance with one embodiment, an executable of a guest application of a virtual machine is received by a hypervisor and is run via the host operating system on behalf of the virtual machine.

Abstract: An application that runs in a process virtual machine is monitored by injecting listening code into a target class of the application. The listening code collects and forwards data to a monitoring agent. The target class is configured for monitoring according to alternative embodiments. In response to the process virtual machine providing notification of an event, such a loading the target class, the listening code may be injected into the target class. In another embodiment, the process virtual machine is configured to load a first mirror class containing a mirror entry point to the application. A mirror target class is loaded in response to a request to load the target class. The mirror target class contains a mirror entry point to the target class and the listening code. In another embodiment, listening code may be added to the target class before running the application.

Abstract: Systems, apparatuses and methods may provide for detecting a request to access a power management register and conducting, via a power management security interface, a runtime credential exchange with a source of the request. Additionally, the request may be denied if the runtime credential exchange is unsuccessful. In one example, a plug event is detected, via a dedicated side channel, with respect to a debug port. A noise analysis may be conducted of one or more power rails in response to the plug event, wherein policy based counter noise may be generated on at least one of the one or more power rails at runtime if the noise analysis identifies a potential security attack.

Abstract: Techniques for determining privacy leaks are described herein. The techniques may include (i) providing private data as input for an application, wherein the private data includes a signature identifying the private data; (ii) monitoring an output of the application for a presence of the signature; and (iii) determining that a private data leak has occurred in the application, wherein the determining is based, at least in part, on the presence of the signature in the output.

Abstract: Preventing re-patching by malware on a computer by detecting a request to modify a write-protection attribute of a memory location within a memory of a computer to allow the memory location to be written to, where the detecting is performed subsequent to the detection of activity identified as malware-related activity involving the memory location, and preventing modification of the write-protection attribute of the memory location.

Abstract: A device may identify a set of features associated with the unknown object. The device may determine, based on inputting the set of features into a threat prediction model associated with a set of security functions, a set of predicted threat scores. The device may determine, based on the set of predicted threat scores, a set of predicted utility values. The device may determine a set of costs corresponding to the set of security functions. The device may determine a set of predicted efficiencies, associated with the set of security functions, based on the set of predicted utility values and the set of costs. The device may identify, based on the set of predicted efficiencies, a particular security function, and may cause the particular security function to be executed on the unknown object. The device may determine whether another security function is to be executed on the unknown object.

Abstract: As part of an analysis of the likelihood that a given input (e.g. a file, etc.) includes malicious code, a convolutional neural network can be used to review a sequence of chunks into which an input is divided to assess how best to navigate through the input and to classify parts of the input in a most optimal manner. At least some of the sequence of chunks can be further examined using a recurrent neural network in series with the convolutional neural network to determine how to progress through the sequence of chunks. A state of the at least some of the chunks examined using the recurrent neural network summarized to form an output indicative of the likelihood that the input includes malicious code. Methods, systems, and articles of manufacture are also described.

Abstract: A method, system, and computer program product for detecting malicious code insertion in data are provided in the illustrative embodiments. At an application executing using a processor and a memory in a data processing system, a script that has been inserted in a mix of code and content is detected. A content-related portion is removed from the script to form a remaining script structure, the content-related portion referring to the content in the mix. From the remaining script structure, a code construct is selected and replaced with an alphanumeric string to form a normalized construct. Whether the normalized construct matches, within a tolerance, a second normalized construct in a corpus of normalized scripts is determined. Responsive to the normalized construct matching the second normalized construct within the tolerance, a conclusion is drawn that the script is malicious.

Abstract: Systems and methods are disclosed for identifying associations between binary samples, such as e-mail files and their attachments or a document and an executable program associated with the document. In one implementation, the method includes receiving a plurality of binary samples, and extracting metadata from the plurality of binary samples. The metadata for a binary sample from the plurality of binary samples includes a set of attributes of the binary sample. The method further includes identifying a set of associations between the plurality of binary samples based on the extracted metadata. Each association is characterized by at least one attribute the associated binary samples have in common, and each association has a confidence level indicative of a strength of the association. The method also includes identifying associations with a confidence level that exceeds a predefined threshold.

Abstract: Technologies for monitoring protected functionality of an integrated circuit device include an integrated circuit device having a protected function module. The protected function module includes a modifiable security device. When the protected function module is activated or powered up, an attribute of the modifiable security device is irreversibly modified. The integrated circuit device may be a processor, and the protected function module may be a debug module of the processor. The modifiable circuit device may be an oscillator. The frequency of the oscillator may change when the oscillator is powered due to oscillator aging. The integrated circuit device may be included in a computing device. The integrated circuit device may expose data indicative of the attribute of the modifiable security device to firmware or software of the computing device. The data may be exposed through a cryptographically signed, firmware-readable memory space. Other embodiments are described and claimed.

Abstract: A processing device searches executing at least one of a boot loader or a kernel for the operating system searches for an extensible firmware interface (EFI) binary object. Responsive to finding a first EFI binary object, the processing device verifies that a first signature associated with the first EFI binary object is valid using a platform key. Responsive to verifying that the first signature for the first EFI binary object is valid, the processing device performs the following operations: identifying a first public key encapsulated in the first EFI binary object, wherein the first public key is associated with a non-EFI certificate authority; extracting the first public key from the first EFI binary object; and performing at least one of a) passing the first public key to a kernel of an operating system (OS) or b) exposing the first public key to a user space of the OS.

Abstract: The present invention is notably directed to a user portable device (10), preferably a secure tamper-proof device, comprising: a connection interface (12) enabling connection (S2) with a computer (101); a persistent memory (14); and a bootloader (16) stored on said persistent memory (14), preferably on a secure memory (141) of the device, wherein the bootloader (16): is detectable (S3) by a firmware (122) of the computer (101) upon connection (S2) of the device (10) with said computer (101) via said connection interface; and comprises instructions for said firmware (122) to load (S4) the bootloader (16) into a memory (121) of the computer (101) for subsequent execution (S5); and to interact with the firmware, upon execution at the computer (101), to: determine, in a physical storage medium (120) of said computer (101) storing a first host operating system (111-1) and a second host operating system (111-2) respectively on a first portion (120-1) and a second portion (120-2) thereof, said second portion (120-2)

Abstract: A method, system and program product for performing a trusted boot of a virtual machine comprises the steps of executing, in turn, a series of components of the trusted boot, performing a function on each component prior to the execution of the respective component, storing the output of the functions in a virtual trusted platform module, detecting that the virtual trusted platform module has not responded to the storing of the output of a function in the virtual trusted platform module, and generating a request that the virtual trusted platform module be disabled.

Abstract: A measured boot process for an electronic device includes taking a measurement of the early system start up instructions of the electronic device upon a reboot or start-up of the device. A representation of the measurement is stored in a trusted platform module of the electronic device prior to initialization of the trusted platform module. Access is granted to the representation of the measurement stored in the trusted platform module prior to initialization of the trusted platform module thereby enabling the representation of the measurement to serve as the core root of trust for measurement.

Abstract: An approach is provided for generating privacy ratings for applications. A privacy ratings platform determines use information associated with one or more applications executing on one or more devices. By way of example, the use information is determined based, at least in part, on usage data associated with one or more input sources, one or more components, one or more categories of personal information, or a combination thereof associated with the one or more devices. The privacy ratings platform then processes and/or facilitates a processing of the use information to determine one or more privacy ratings for the one or more applications.

Abstract: A computer-implemented method for scanning a computer system for sensitive data. A scan manager manages a scan of files of a second computer. The scan manager receives a request to scan and identify files stored on the second computer based on at least one category of sensitive data. The scan manager receives scan report recipient information and generates a user profile based on the at least one category and the recipient information. The scan manager makes the user profile available to a category server for use in creating a scan profile defining the scan criteria and deploys a scan agent to a computer to conduct the scan based on the scan profile. When the scan is complete and upon creation of the scan report, the scan manager makes the scan report available to the intended recipients.

Abstract: Some embodiments provide an electronic device with a novel content redaction engine. The content redaction engine of some embodiments determines whether to redact content for output based on whether a user is biometrically verified. When the content redaction engine receives verification data indicating that the user is biometrically verified, the device displays content without any portion redacted. On the other hand, when the content redaction engine does not receive such verification data, the device displays the content with at least a portion redacted. The electronic device of some embodiments additionally includes a biometric reader and a biometric verification engine. The biometric reader reads a person's uniquely identifying biometric data (e.g., thumbprint/fingerprint, iris scan, voice, etc.). This biometric information is then read by the biometric verification engine for comparison to a stored set of verified user biometric data.

Abstract: Methods, systems, and products protect personally identifiable information. Many websites acquire the personally identifiable information without a user's knowledge or permission. Here, though, the user may control what personally identifiable information is shared with any website. For example, the personally identifiable information may be read from a header of a packet and compared to a requirement associated with a domain name.

Abstract: A system for privacy screen-based security comprises an input interface and a processor. The input interface is configured to receive authentication information. The processor is configured to, in the event authentication is determined to be successful, provide a privacy access screen, wherein the privacy access screen provides access to a set of applications or data, and determine whether to automatically transition to a new privacy screen, wherein the transition to the new privacy screen is automatic under a specific set of circumstances.

Abstract: Methods, systems, and devices secure content in memory. The content includes a lock that prohibits reading the content from memory. Prior to expiration of the lock the content cannot be read from memory. However, a preview option allows at least a portion of the content to be accessed. The preview option provides a preview of the content. At expiration, the content is readable.

Abstract: This invention is for a system capable of securing one or more fixed or mobile computing device and connected system. Each device is configured to change its operating posture by allowing, limiting, or disallowing access to applications, application features, devices features, data, and other information based on the current Tailored Trustworthy Space (TTS) definitions and rules which provided for various situationally dependent scenarios. Multiple TTS may be defined for a given deployment, each of which specifies one or more sensors and algorithms for combining sensor data from the device, other connected devices, and/or other data sources from which the current TTS is identified. The device further achieves security by loading digital credentials through a unidirectional multidimensional physical representation process which allows for the device to obtain said credentials without the risk of compromising the credential issuing system through the data transfer process.

Abstract: Disclosed are various embodiments for passive compliance violation notifications. In one embodiment, it is detected that that a policy violation with respect to use of a client device has occurred. It is then determined that the policy violation may be passive. A user notification of the policy violation is generated by the client device in response to determining that the policy violation may be passive. The frequency and/or intensity of this notification may depend upon an extent of the policy violation. If the policy violation is later determined to be active, additional actions may be performed, such as disabling access to or removing managed resources on the client device.

Abstract: A host controller that controls a storage device includes an encryption unit that is selectively configured in response to file encryption information and disk encryption information to encrypt data. The encryption unit encrypts the data using a file encryption operation based on the file encryption information and/or a disk encryption operation based on the disk encryption information.

Abstract: A method for automatic folder ownership assignment, including ascertaining which first folders, among a first multiplicity of folders, have at least one of modify and write permissions to non-IT administration entities, adding the first folders to a list of candidates for ownership assignment, defining a second multiplicity of folders which is a subset of the first multiplicity of folders and not including the first folders and descendents and ancestors thereof, ascertaining which second folders among the second multiplicity of folders, have permissions to non-IT administration entities, adding the second folders to the candidates, defining a third multiplicity of folders, which is a subset of the second multiplicity of folders and not including the second folders and descendents and ancestors thereof, ascertaining which third folders among the third multiplicity of folders are topmost folders, adding the third folders to the candidates, and recommending possible assignment of ownership of the candidates.

Abstract: A method for automatic folder ownership assignment, including ascertaining which first folders, among a first multiplicity of folders, have at least one of modify and write permissions to non-IT administration entities, adding the first folders to a list of candidates for ownership assignment, defining a second multiplicity of folders which is a subset of the first multiplicity of folders and not including the first folders and descendents and ancestors thereof, ascertaining which second folders among the second multiplicity of folders, have permissions to non-IT administration entities, adding the second folders to the candidates, defining a third multiplicity of folders, which is a subset of the second multiplicity of folders and not including the second folders and descendents and ancestors thereof, ascertaining which third folders among the third multiplicity of folders are topmost folders, adding the third folders to the candidates, and recommending possible assignment of ownership of the candidates.

Abstract: Methods and systems are directed to controlling access to data in a production environment. Production data may be stored in a production database and test data may be stored in a test database. A production application may have access only to the data in the production database while a test application may have access to both the production database and the test database. The test application may have read-only access to the production database and read-write access to the test database. Data in the test database may be handled differently than data in the production database. A type of data may be associated with a range of valid values. The values assigned to the elements may differ depending on whether the elements are stored in the production database or the test database.

Abstract: Techniques are disclosed for enabling tenant hierarchy information to be migrated directly between different multi-tenant system (e.g., from a shared IDM system to a Nimbula system, or vice versa). A corresponding new tenant is created in a Nimbula system based on a combination of the tenant information and the service information from the shared IDM system. The Nimbula system extracts the tenant name and the service name from a request and asks the shared IDM system to verify that the user actually is a member of the tenant identified by the extracted tenant name. Upon successful authentication of the user, the Nimbula system requests the IDM system for roles that are associated with both the user and the extracted service name. The Nimbula system enable access to the service upon determining whether the requested operation can be performed relative to the specified service based on the roles.

Abstract: A method, a system, a registry, a repository and a computer program product are disclosed for securely accessing sensitive medical data records stored in a repository. Before accessing security-critical data in the repository, a registration inquiry with a separate registry must be carried out in order to obtain a security token having limited temporary validity, for example in the form of a barcode. A data source and/or a data sink can then use the security token to access the security-critical data in that an index module indexes the data record inquired about on the repository.

Abstract: A system and method for secure use of messaging systems. A mediator may receive an original message, process the original message to produce a processed message, and may forward the processed message to a server or a messaging system. A mediator may receive a processed message from a server or a messaging system, process the received processed message to produce an unprocessed message that may be substantially identical to the original message and may forward the unprocessed message to a destination.

Abstract: An obfuscated program can be configured to resist attacks in which an attacker directly calls a non-entry function by verifying that an execution path to the function is an authorized execution path. To detect an unauthorized execution order, a secret value is embedded in each function along an authorized execution path. At runtime, the secrets are combined to generate a runtime representation of the execution path, and the runtime representation is verified against an expected value. To perform the verification, a verification polynomial is evaluated using the runtime representation as input. A verification value result of zero means the execution path is an authorized execution path.

Abstract: Certain embodiments employ an “out-of-band” mechanism to remove the physical controls for activating input peripherals from a portable device operating system and instead controlled by a separate peripheral control domain, isolated from the operating system domain by a machine virtualization/isolation technology. No additional hardware may be required. An adjunct I/O virtualization mechanism may also be included to abstract the guarded input peripheral interfaces, such that all attempts to turn them on from within the operating system are automatically redirected by the I/O virtualization mechanism to the peripheral control domain. The peripheral control domain may then conduct a policy-driven decision process to either allow, disallow, or request manual/explicit authorization of an access attempts. Physical access may be performed within the peripheral control domain.

Abstract: The present disclosure relates to a method and a system for performing secure read/write operations in the pluggable flash storage device. In one embodiment, a request for at least writing and reading of data in/from the pluggable flash storage device is received. Upon receiving the request for writing data, the storage device is authenticated based on a predetermined signature of the pluggable flash storage device. Upon authenticating the storage device, the at least one of user and the storage controller who made the request is also authenticated and write operation is performed based on successful authentication of the at least one of the user and the storage controller. By way of establishing secure communication between the storage device and the user or the storage controller during the read/write operation the hacking of the data in the storage device or use of the storage device with wrong intent is avoided.

Abstract: A payment object reader configured to delay reading data of an integrated circuit payment object in the payment object slot of the payment object reader until the rest of the payment object reader is ready to read data off of the integrated circuit payment object. The payment object reader can be configured to include a microcontroller configured to monitor and manage the payment object contact switch and the integrated circuit payment object interface of the payment object slot of the payment object reader.

Abstract: A magnetic stripe reader including a base element defining a first spring seat, a magnetic module support element arranged for limited pivotable motion relative to the base element and defining a second spring seat, a generally truncated conical spring having a first, relatively large diameter end seated in the first spring seat and a second, relatively small diameter end seated in the second spring seat and a magnetic module fixedly mounted onto the magnetic module support element.

Abstract: An enclosure for an electronic device includes a device opening and a device window. The enclosure typically includes a door that may be rotated about an axis to provide access to the device opening while remaining connected to the enclosure. Exemplary enclosures include a slot for a magnetic card reading system that facilitates the alignment and insertion of a magnetic card.

Abstract: Disclosed are a magnetic bar code chip and a reading method thereof. The magnetic bar code chip comprises binary information bits formed by N rows and M columns of permanent magnet bars and/or null bits, and information identification bits that are peripheral to the binary information bits. The information identification bits are composed of permanent magnet bar identifiers and used for representing a position and a state of the magnetic bar code chip. The permanent magnet bars and the null bits represent 1 and 0 or 0 and 1 respectively.

Abstract: Systems and methods for a material handling vehicle include a controller and a near field communication reader adapted to communicate with the controller. The controller is configured to activate at least one of a software option and a hardware option when a near field communication device encoded with option information is placed within an operable range to the near field communication reader.

Abstract: A radio tag capable of indicating to a reader, via a wireless link, that a variation in energy has crossed a predetermined threshold, this variation in energy being chosen from the group made up of a variation in the temperature of the radio tag and a variation in the magnetic field in which the radio tag is immersed. This radio tag includes transducer material chosen from a group made up of a thermal shape-memory material, a magnetostrictive material and a magnetic shape-memory material. This transducer material is deposited and affixed without any degree of freedom onto a substrate or an antenna of the radio tag to form, with the substrate or the antenna, a multilayer structure which flexurally deforms the antenna between a bent conformation and a less bent conformation when the energy variation crosses the predetermined threshold.

Abstract: Methods and systems for smart handling of warehouse items. An embodiment takes the form of a wearable accessory that is configured to (a) identify an object, (b) detect an attachment-triggering event, (c) responsive to detecting the attachment-triggering event, attach to the object, (d) determine at least one handling constraint associated with the object, where the at least one handling constraint includes an acceptable pressure range, (e) measure a pressure exerted on the object via the accessory, (f) provide an indication, via a user interface, based on the measured pressure and the acceptable pressure range; and (g) detect a release-triggering event, and responsively release the object.

Abstract: An article management system according to the present invention includes: a reader antenna (102) including an open-type transmission line terminated in an impedance matched state; an RF tag (104) that is placed at a location that is electromagnetically coupled to the reader antenna (102) and is visible from the reader antenna (102) in a state where a management target article (105) is placed in the vicinity of the RF tag; a management target article arrangement region in which the management target article (105) is placed, the management target article arrangement region being set in a location where the management target article (105) is electromagnetically coupled to a tag antenna of the RF tag (104); and an RFID reader (103) that sends a transmitted signal to the reader antenna (102) and receives a response signal output from the tag antenna via the reader antenna (102).

Abstract: This patent specification describes a barcode-reading enhancement accessory for a mobile device having a barcode-reading capability. The accessory may include an outer case and an inner carriage. A mobile device is encased in the inner carriage, and the combination of the inner carriage and the mobile device is accommodated in the outer case. The inner carriage is configured to accommodate a mobile device of a particular size such that a mobile device of a different size may be accommodated in the outer case using a different inner carriage. The accessory may also include an optic system to fold an optical path of a field of illumination of a light source of the mobile device and/or a field of view of a camera of the mobile device.

Abstract: A reconfigurable sled for a mobile device with camera is provided. The reconfigurable sled may be moved into different configurations in order to facilitate either normal or specialized use. For example, in a first configuration, the mobile device's camera is unobstructed and imaging may proceed normally. In a second configuration, on the other hand, the camera's imaging direction may be repositioned by a reflective element in the camera's optical path. The reflective element provides feedback to the mobile device via visible markings that may be imaged by the camera and detected by the mobile device. If the mobile device determines that the mirror is in the optical path, then the mobile device may respond to accommodate the mirror and enable a function, like reading an indicium.

Abstract: An imaging barcode scanner and method are provided. The scanner includes a housing defining a work surface, a window supported by the housing, a first array of photosensitive elements having a first field of view traversing the window and intersecting the work surface at a first angle, and a second array of photosensitive elements having a second field of view traversing the window and intersecting the work surface at a second angle. The scanner also includes a processor connected to the first and second arrays of photosensitive elements, and configured to: receive a first image of the work surface from the first array of photosensitive elements, and a second image of the work surface from the second array of photosensitive elements; register the first image with the second image; and generate an enhanced image of the work surface based on the registered first image and second image, the enhanced image having a greater pixel density than the first image and the second image.

Abstract: Systems and methods for use with a handheld mark reader that reduce the time between activation of the reader's trigger and the reader returning a successful decode response. Image processing may be performed prior to the user actuating the trigger and thus obtaining a decodable image with reduced delay. Separate pre-trigger and post-trigger parameters may be used for image decoding. A feedback loop may be incorporated for repeated parameter updates. An adjustable lens may be utilized either with illumination OFF or ON.

Abstract: An indicia reading terminal has a three-dimensional depth sensor, a two dimensional image sensor, an autofocus lens assembly, and a processor. The three dimensional depth sensor captures a depth image of a field of view and create a depth map from the depth image, the depth map having one or more surface distances. The two dimensional image sensor receives incident light and capture an image therefrom. The autofocusing lens assembly is positioned proximate to the two dimensional image sensor such that the incident light passes through the autofocusing lens before reaching the two dimensional image sensor. The processor is communicatively coupled to the two dimensional image sensor, the three dimensional depth sensor, and the autofocusing lens assembly.

Abstract: An image correction apparatus includes a correction amount calculating unit which calculates, in response to a position of a hand on an image, a correction amount for placing the hand to face an imaging unit included in an image acquiring unit for generating the image; and a correcting unit which corrects an estimated coordinate representing a position of a point in a real space corresponding to each pixel included in a region in which the hand is captured in the image in accordance with the correction amount, and projects each of the points after the correction on a corrected image to generate the corrected image.

Abstract: An apparatus and method for obtaining a biometric image is disclosed, which may comprise: providing a biometric image sensor which may comprise one of a one dimensional swiped sensor array, a two dimensional swiped sensor array and a two dimensional placement sensor array, each of which may comprise a capacitive gap sensor measuring a change in a transmitted signal received as a received signal, based upon changes in the transmitted signal passing through a biometric, the biometric image sensor may be one of mounted on a host device or cooperating with the host device; providing a biometric placement positioning prompt on a display on the host device, which prompt may indicate whether a current positioning of the biometric is proper for initiating biometric imaging by the biometric image sensor, e.g., indicating a current positioning of the biometric and the desired positioning of the biometric.