Patents Issued on August 24, 2017
  • Publication number: 20170244656
    Abstract: A verified method of high-value, person-to-person communication is provided. The method comprises creating a unique dynamic messaging link recognizable to a selected intended recipient; creating a transmissible personal hypermedia message to which the link is assigned; and storing the hypermedia message on a device accessible to a network. The link comprises a recognizable proprietary domain name and a random hash code. The individual is sent a direct message and the device is monitored for transmission thereto of the link, analyzing and storing accompanying metadata. The direct message contains an invitation to click on the link over the imprimatur of a person known to the recipient. The invitation contains descriptive material relating to the hypermedia message. Upon activation of the link, without redirection, the hypermedia message is transmitted to the recipient and the sender is notified. The sender is alerted if the link has not been activated within a predetermined period.
    Type: Application
    Filed: February 24, 2017
    Publication date: August 24, 2017
    Inventor: Jeffrey N. MURPHY
  • Publication number: 20170244657
    Abstract: Control of message delivery from publisher devices to a subscriber application of a messaging system is provided. The subscriber application has a subscription registered with a broker application of the messaging system and is only permitted to receive messages relating to a topic of the subscription from a predetermined set of one or more publisher devices. The method includes: altering a topic identifier of a message from a publisher device to a modified topic identifier, and altering a subscription identifier from a subscriber application to a modified subscription identifier; analyzing the modified topic identifier and the modified subscription identifier to determine if the message is to be communicated to the subscriber application, and if so, information is removed from the modified topic identifier to form a reverted topic identifier, and the message and reverted topic identifier are communicated to the subscriber application.
    Type: Application
    Filed: February 22, 2016
    Publication date: August 24, 2017
    Inventors: Timothy J. BALDWIN, Andrew JOHNSON, Peter J. JOHNSON, Fenglian XU
  • Publication number: 20170244658
    Abstract: Mediums, apparatus, computer program code, and means may be provided to launch electronic messages via a distributed communication network by an automated back-end application computer server. According to some embodiments, a database import table associated with a set of electronic destination communication addresses may be created. The set of electronic destination communication addresses may be automatically and dynamically split into multivariate segments, including at least: a current message content subset, a first modified message content subset, and a second modified message content subset. Current message content, first modified message content, and second modified message content may then be automatically launched to electronic destination communication addresses as appropriate in accordance with the multivariate segments.
    Type: Application
    Filed: February 18, 2016
    Publication date: August 24, 2017
    Inventor: Nicholas George Celone
  • Publication number: 20170244659
    Abstract: Examples disclosed herein relate to providing a message to a user device. As per an example, a user device, from among a plurality of user devices, being in closest proximity or having least distance to a user, is identified. The message is subsequently provided to the identified user device.
    Type: Application
    Filed: February 5, 2015
    Publication date: August 24, 2017
    Inventors: Rajesh Muthukrishnan, Kumaravel Ganesan, Bibhu Prasad Biswal
  • Publication number: 20170244660
    Abstract: An apparatus, a system, and a method in which a message notification application such as an e-mail notification application resident in a first memory on a wearable electronic device is configured to provide messaging actions; where the message notification application has a user interface to present content of a message originating from a message application resident on a mobile computing device; where the message notification application is configured to analyze a notification of the message to obtain an incomplete data set; and where the message notification application is configured to work with a server configured to integrate with one or more application programming interfaces of one or more messaging service providers, where the server has a server module configured to receive the incomplete data set and use all or a portion of the incomplete data set as search query terms to retrieve an instance of the message in its full-message format.
    Type: Application
    Filed: February 22, 2016
    Publication date: August 24, 2017
    Inventors: Phil Gunnewiek, Brian Jett, Jason Lai, Henry Levak
  • Publication number: 20170244661
    Abstract: Techniques for ascribing social attributes to content items and for selecting content to display in a content feed are described. According to various embodiments, one or more content items accessible via a network are accessed, each of the content items having received one or more social activity signals. Thereafter, members of an online social network service that submitted the social activity signals may be identified. Member profile data identifying member profile attributes of the members that submitted the social activity signals may then be accessed. Thereafter, social attribute information may be generated and associated with each of the content items, the social attribute information identifying the member profile attributes of the members that submitted the social activity signals associated with each of the content items.
    Type: Application
    Filed: April 13, 2017
    Publication date: August 24, 2017
    Inventors: Allen J. Blue, Ryan Roslansky
  • Publication number: 20170244662
    Abstract: Disclosed are systems, apparatus, methods and computer-readable media for communicating feed information to one or more recipients. In some implementations, an instruction to communicate an information update to one or more identified first recipients is received. In some instances, an additional recipient indicator is identified and an identification of one or more second recipients based on the additional recipient indicator is generated. In some instances, the one or more second recipients are provided access to the information update.
    Type: Application
    Filed: April 27, 2017
    Publication date: August 24, 2017
    Inventors: Joseph M. Olsen, Zachary J. Dunn
  • Publication number: 20170244663
    Abstract: A method includes receiving, at a network component of a first carrier network from a source device, a telephone number of a destination device configured to communicate via a second carrier network. The method further includes in response to a query message sent to a telephone number mapping device of an internetwork packet exchange network, receiving a name server record at the network component, the name server record indicating a domain name associated with a second telephone number mapping device of the second carrier network. The method also includes in response to the network component sending the domain name to a domain name server of the internetwork packet exchange network, receiving an Internet protocol address of the second telephone number mapping device. The method includes sending, from the network component to the second telephone number device, a second query message based on the Internet protocol address.
    Type: Application
    Filed: February 23, 2016
    Publication date: August 24, 2017
    Inventors: Bernard S. Ku, Lakshminarashimhan Naidu, James W. Forsyth
  • Publication number: 20170244664
    Abstract: A method can include receiving a string of characters. The method can include determining one or more possible word boundaries for words in the string of characters based at least partially on a segmentation process. The method can also include determining, for each character in the string of characters, an amount of time between entry of each character on an input device. The method can include determining, based at least partially on the amount of time and the one or more possible word boundaries, one or more actual word boundaries for the words in the string of characters. The method can also include outputting one or more determined words in the string of characters based at least partially on the one or more actual word boundaries.
    Type: Application
    Filed: February 18, 2016
    Publication date: August 24, 2017
    Inventor: Andrew West
  • Publication number: 20170244665
    Abstract: A tool that allows a CDN customer, partner, or other authorized entity to create a DNS canonical name (CNAME) on the content delivery network without having to contact the content delivery network service provider directly.
    Type: Application
    Filed: May 9, 2017
    Publication date: August 24, 2017
    Applicant: Akamai Technologies, Inc.
    Inventors: Martin Lohner, Nathaniel A. Kushman, Todd Mitton, Michael Yurovitsky, Abhijit Dixit, Erik L. Nygren, Silvina Z. Hanono Wachman
  • Publication number: 20170244666
    Abstract: A remote communication device for controlling at least one building control system, the remote communication device comprising a processor arranged to: determine that there is no communication between a remote communication device network address of the remote communication device and a building control system network address of a network communication module in communication with the building control system, and, upon a positive determination, send an electronic communication comprising the remote communication device network address to an electronic communication receiving module accessible by the building control system to enable the building control system to obtain the remote communication device network address for reinitiating communications with the remote communication device wherein each of the remote communication device, network communication module and electronic communication receiving module have different network addresses.
    Type: Application
    Filed: September 9, 2015
    Publication date: August 24, 2017
    Applicant: Gainsborough Hardware Industries Limited
    Inventor: Harris LAMBROU
  • Publication number: 20170244667
    Abstract: Implementations described and claimed herein provide systems and methods for serving content over a network. In one implementation, a method of serving content is provided. The method includes maintaining a first address record associated with serving a resource and a second address record associated with serving the same resource. The first address record is further associated with a first protocol for a first device capable of serving the resource. Similarly, the second address record is associated with a second protocol, different from the first protocol, for a second device, distinct from the first device, capable of serving the resource. The method further includes providing, in response to at least one resolution request for the resource, the first address record and the second address record.
    Type: Application
    Filed: February 23, 2017
    Publication date: August 24, 2017
    Applicant: Level 3 Communications, LLC
    Inventor: Joel C. Maslak
  • Publication number: 20170244668
    Abstract: Embodiments relate to systems, devices, and computing-implemented methods for dynamically allocating domain name acquisition resources by receiving indications of available domain name acquisition resources and available time windows from registrars, receiving, from devices, requests for available domain name acquisition resources during requested time windows, determining lists of domain name acquisition resources available during the requested time window, transmitting, to the devices, the lists of available domain name acquisition resources, receiving, from the devices, selections of the available domain name acquisition resources, specified time windows, and indications of domain names to request during the specified time windows, generating and transmitting communications to the registrars, where the communications result in the registrars sending a plurality of requests for the domain names to a domain name registry during the specified time windows.
    Type: Application
    Filed: February 18, 2016
    Publication date: August 24, 2017
    Inventors: Vincenzo Russo, Joseph Waldron, Ashvatth Lakshmanan
  • Publication number: 20170244669
    Abstract: A method of determining an address corresponding to a most probable physical location of an electronic device associated with a user is executable on a computer device and comprises receiving geolocation data from the electronic device. Based on received geolocation data, at least two probable physical locations of the electronic device will be found, with each of the at least two probable physical locations corresponding to a physical entity. Each physical entity is selected from a predetermined list and is associated with a physical entity type. A user interaction history is established, with respect to the at least two physical entities.
    Type: Application
    Filed: November 19, 2015
    Publication date: August 24, 2017
    Inventor: Aleksandr Anatolievich SADOVSKY
  • Publication number: 20170244670
    Abstract: Concepts and technologies disclosed herein are directed to behavior-based filters for signaling system number 7 (“SS7”) networks. According to one embodiment disclosed herein, a behavior-based SS7 filter executed by a processor can receive SS7 traffic. The behavior-based SS7 filter can determine a behavioral characteristic from the SS7 traffic and can compare a behavior of the SS7 traffic, based upon the behavior characteristic, to a behavior profile. The behavior-based SS7 filter also can determine whether the behavior of the SS7 traffic fits within a tolerance threshold of the behavior profile. If the SS7 traffic fits within the tolerance threshold, the behavior-based SS7 filter can instruct a signal transfer point (“STP”) to which the SS7 traffic is directed to allow routing of the SS7 traffic. If, however, the SS7 traffic does not fit within the tolerance threshold, the behavior-based SS7 filter can instruct the STP to deny routing of the SS7 traffic.
    Type: Application
    Filed: February 20, 2016
    Publication date: August 24, 2017
    Applicant: AT&T Mobility II LLC
    Inventor: Arturo Maria
  • Publication number: 20170244671
    Abstract: A method includes generating firewall port access rules between a first cloud system and a second cloud system for each tenant of a plurality of tenants. A unique IP address range is generated for each tenant. The firewall port access rules are applied to each IP address.
    Type: Application
    Filed: September 5, 2014
    Publication date: August 24, 2017
    Applicant: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
    Inventors: Chandra H. KAMALAKANTHA, Parag M. DOSHI
  • Publication number: 20170244672
    Abstract: A token tunnel server (TTS) within an enterprise network receives packets from a source address directed to a destination address (both of the enterprise network) that were caused to be originated by an attacker. The packets carry data including a token that was placed upon an end station of the enterprise and that appears to be useful for accessing an enterprise server, despite the apparent enterprise server not actually being deployed within the enterprise network. The TTS transmits packets carrying the data (that do not include the source address) across a public network outside of the enterprise network to a tunnel gateway server (TGS). The TGS sends the data to a trap server that acts as the apparent enterprise server. Actions of the attacker with regard to the trap server can be monitored while the source address is not provided to the TGS.
    Type: Application
    Filed: June 20, 2016
    Publication date: August 24, 2017
    Inventors: Amichai SHULMAN, Sagie DULCE, Daniella GOIHMAN-SHUSTER, Shahar BEN-HADOR
  • Publication number: 20170244673
    Abstract: Example methods are provided for a destination host to implement a firewall in a virtualized computing environment that includes the destination host and a source host. The method may comprise receiving, via a physical network interface controller (PNIC) of the destination host, an ingress packet sent by the source host. The ingress packet may be destined for a destination virtualized computing instance that is supported by the destination host and associated with a destination virtual network interface controller (VNIC). The method may further comprise retrieving a PNIC-level firewall rule associated with the destination virtualized computing instance, the PNIC-level firewall rule being applicable at the PNIC and generated based on a VNIC-level firewall rule applicable at the destination VNIC. In response to determination that the PNIC-level firewall rule blocks the ingress packet from passing through, the ingress packet may be dropped such that the ingress packet is not sent to the destination VNIC.
    Type: Application
    Filed: February 23, 2016
    Publication date: August 24, 2017
    Applicant: NICIRA, INC.
    Inventor: Donghai HAN
  • Publication number: 20170244674
    Abstract: Example methods are provided for a firewall controller to implement a distributed firewall in a virtualized computing environment that includes a source host and a destination host. The method may comprise retrieving a first firewall rule that is applicable at the destination host to an ingress packet destined for a destination virtualized computing instance supported by the destination host; and based on the first firewall rule, generating a second firewall rule that is applicable at the source host to an egress packet destined for the destination virtualized computing instance. The method may further comprise instructing the source host to apply the second firewall rule to, in response to determination that the egress packet is blocked by the second firewall rule, drop the egress packet such that the egress packet is not sent from the source host to the destination host.
    Type: Application
    Filed: February 23, 2016
    Publication date: August 24, 2017
    Applicant: NICIRA, INC.
    Inventor: Donghai HAN
  • Publication number: 20170244675
    Abstract: Techniques for coercing users to encrypt synchronized content stored at their personal computing devices. In some aspects, one or more computing devices receive, from a personal computing device, an indication of whether data stored in at least a portion of a storage device of the personal computing device is protected by disk encryption. In response to determining, based on the indication, that the portion of the storage device is not protected by encryption, synchronization data for synchronizing a copy of one or more synchronized content items stored in the portion of the storage device with another copy of the synchronized content items stored at one or more server computing devices is withheld from the personal computing device until disk encryption on the personal computing device is enabled so as to coerce the user to enable disk encryption on the personal computing device.
    Type: Application
    Filed: May 8, 2017
    Publication date: August 24, 2017
    Inventor: Sean Byrne
  • Publication number: 20170244676
    Abstract: Described herein is a method of authentication between a mobile device and a service provider server. The method enables a session to be established between a computing device and the service provider server without a user having to enter any user account data on either the computing device or the mobile device. To establish a session, the session identifier is presented in machine readable form by the computing device to the mobile device and then, in response to a user authenticating with the mobile device, a credential embodying an anonymised user identifier is sent in a tamper-proof manner to the service provider service along with the session identifier. The service provider server can extract the anonymised user identifier from the credential and use it to identify the user's data and authorise the session. A method of obtaining the credential is also described.
    Type: Application
    Filed: February 14, 2017
    Publication date: August 24, 2017
    Inventor: Christopher Paul Edwards
  • Publication number: 20170244677
    Abstract: Provided are an operation method and a secure terminal for performing the method. The operation method may include receiving, from a user terminal, a plain text on which an external encoding operation is to be performed, performing the external encoding operation on the plain text, and transmitting the external encoding operated plain text to the user terminal, and the operation method may include receiving, from a user terminal, a cryptogram in which a white-box cryptography operation is performed on an external encoding operated plain text; performing an external decoding operation on the cryptogram; and transmitting the external decoding operated cryptogram to the user terminal.
    Type: Application
    Filed: July 19, 2016
    Publication date: August 24, 2017
    Inventors: Seung Kwang LEE, You Sung KANG, Ju Han KIM, Tae Sung KIM, Doo Ho CHOI, Geon Woo KIM, Soo Hyung KIM, Hyun Sook CHO, Seung Hun JIN
  • Publication number: 20170244678
    Abstract: Methods are provided for authenticating user authentication data, associated with a user ID, at an authentication system. The authentication system comprises an authentication server connected to a network, and a secure cryptoprocessor operatively coupled to the authentication server. A first token for the user ID is provided in data storage operatively coupled to the authentication server. The first token is produced by the secure cryptoprocessor by encoding the user authentication data associated with the user ID via an encoding process dependent on a secret key of the secure cryptoprocessor. The authentication server receives an authentication request for the user ID from a remote computer via the network. The authentication request comprises a ciphertext encrypting user authentication data under a public key of a first public-private key pair, the private key of which is secret to the secure cryptoprocessor.
    Type: Application
    Filed: May 10, 2017
    Publication date: August 24, 2017
    Inventors: Mark Korondi, Daniel Kovacs, Zoltan Arnold Nagy
  • Publication number: 20170244679
    Abstract: A symmetric key that is stored at a device may be received. A public key from a remote entity may also be received at the device. Furthermore, a derived key may be generated based on a one way function between the symmetric key that is stored at the device and the public key that is received from the remote entity. The derived key may be encrypted with the public key and transmitted to the remote entity. The encryption of the derived key with the public key may provide secure transmission of the derived key to an authorized remote entity with a private key that may be used to decrypt the encrypted derived key.
    Type: Application
    Filed: May 27, 2016
    Publication date: August 24, 2017
    Inventor: Ambuj Kumar
  • Publication number: 20170244680
    Abstract: A technique to cache content securely within edge network environments, even within portions of that network that might be considered less secure than what a customer desires, while still providing the acceleration and off-loading benefits of the edge network. The approach ensures that customer confidential data (whether content, keys, etc.) are not exposed either in transit or at rest. In this approach, only encrypted copies of the customer's content objects are maintained within the portion of the edge network, but without any need to manage the encryption keys. To take full advantage of the secure content caching technique, preferably the encrypted content (or portions thereof) are pre-positioned within the edge network portion to improve performance of secure content delivery from the environment.
    Type: Application
    Filed: December 28, 2016
    Publication date: August 24, 2017
    Inventor: Tong Chen
  • Publication number: 20170244681
    Abstract: An Internet infrastructure delivery platform (e.g., operated by a service provider) provides an RSA proxy “service” as an enhancement to the SSL protocol that off-loads the decryption of the encrypted pre-master secret (ePMS) to an external server. Using this service, instead of decrypting the ePMS “locally,” the SSL server proxies (forwards) the ePMS to an RSA proxy server component and receives, in response, the decrypted pre-master secret. In this manner, the decryption key does not need to be stored in association with the SSL server.
    Type: Application
    Filed: May 8, 2017
    Publication date: August 24, 2017
    Applicant: Akamai Technologies, Inc.
    Inventors: Charles E. Gero, Jeremy N. Shapiro, Dana J. Burd
  • Publication number: 20170244682
    Abstract: A technique to cache content securely within edge network environments, even within portions of that network that might be considered less secure than what a customer desires, while still providing the acceleration and off-loading benefits of the edge network. The approach ensures that customer confidential data (whether content, keys, etc.) are not exposed either in transit or at rest. In this approach, only encrypted copies of the customer's content objects are maintained within the portion of the edge network, but without any need to manage the encryption keys. To take full advantage of the secure content caching technique, preferably the encrypted content (or portions thereof) are pre-positioned within the edge network portion to improve performance of secure content delivery from the environment.
    Type: Application
    Filed: December 28, 2016
    Publication date: August 24, 2017
    Inventor: Tong Chen
  • Publication number: 20170244683
    Abstract: Systems and methods are provided for accessing a user account by a user with a first password, and then changing the first password to a second password in response to a request from the user without compromising the second password. The system may include a database in a server storing the first password and the second password. The server may provide the user access to the user account over a network connection in response to receiving the first password from the user. In response to the server receiving a request by the user, the server may disable the first password and activate the second password without requiring the user to provide the second password over the network connection at the time of the request.
    Type: Application
    Filed: February 19, 2016
    Publication date: August 24, 2017
    Inventor: Riaz Ebrahim Mohamed
  • Publication number: 20170244684
    Abstract: Generally, this disclosure describes technologies for securely storing and using biometric authentication information, such as biometric reference templates. In some embodiments, the technologies include a client device that stores one or more biometric reference templates in a memory thereof. The client device may transfer such templates to an authentication device. The transfer may be conditioned on verification that the authentication device includes a suitable protected environment for the templates and will execute an acceptable temporary storage policy. The technologies may also include an authentication device that is configured to temporarily store biometric reference templates received from a client device in a protected environment thereof. Upon completion of biometric authentication or the occurrence of a termination event, the authentication devices may delete the biometric reference templates from the protected environment.
    Type: Application
    Filed: March 7, 2017
    Publication date: August 24, 2017
    Inventors: NED M. SMITH, CONOR P. CAHILL, MICAH J. SHELLER, JASON MARTIN
  • Publication number: 20170244685
    Abstract: An encryption application splits a data payload into multiple segments. Each of the segments is encoded using one of multiple encryption keys. The encryption keys may be selected from a pool of encryption keys tied to a user account. The encrypted segments are transmitted to a network destination using multiple parallel network paths.
    Type: Application
    Filed: June 3, 2016
    Publication date: August 24, 2017
    Inventors: Taric Mirza, Gaige Bradley Paulsen
  • Publication number: 20170244686
    Abstract: A method, system and computer program product providing port scrambling for securing communications in internal computer networks are disclosed. A transformation function is applied on an identifier of a first port at which an outgoing communication is designated to be received, whereby an identifier of a second port the outgoing communication is directed to be received at is obtained. The transformation function depends on at least one parameter shared among a plurality of devices in a computer network, whereby a device receiving the communication at the second port is enabled to apply an inverse transformation function on the identifier of the second port to obtain the identifier of the first port and redirect the communication thereto. The transformation function is applied in condition that transmittal of the outgoing communication was requested by an application program listed in a list of authorized application programs for the plurality of devices.
    Type: Application
    Filed: August 25, 2016
    Publication date: August 24, 2017
    Inventor: Erez Kaplan HAELION
  • Publication number: 20170244687
    Abstract: Techniques for confidential delivery of entropy and random data over a network are disclosed. In some embodiments, a client device may receive a first set of random numbers from a server and transform the first set using a second set of random numbers to generate a third set of random numbers. The client device may update a client secret key based on a first subset of the third set of random numbers and determine a re-key interval based on a second subset of the third set of random numbers. Also in some embodiments, the server may encrypt random numbers using a first key before sending to the client, and the client may decrypt the random numbers using a second, different and unrelated key to derive a different set of random numbers. By using mismatched keys, the client may preserve the confidentiality of the random numbers it ultimately uses.
    Type: Application
    Filed: February 24, 2017
    Publication date: August 24, 2017
    Inventors: Richard MOULDS, Richard John HUGHES, Jane Elizabeth NORDHOLT
  • Publication number: 20170244688
    Abstract: In an authentication method according to an embodiment, an electronic device receives an authentication request message based on identification information from a server apparatus. In response to the authentication request message, the electronic device receives at least one of an input for authentication approval of a specific device and an input for authentication approval of a service offered through the specific device. Then, in response to the input, the electronic device transmits authentication approval information to the server apparatus.
    Type: Application
    Filed: October 15, 2015
    Publication date: August 24, 2017
    Inventors: Jaehwan Kim, Junghun Kim, Jinwoo Lee, Yongjoon Jeon, Bokun Choi, Jongmu Choi, Dongeup Ham, Dongwoo Kim, Sangmi Park
  • Publication number: 20170244689
    Abstract: A method for identifying a shared credential within a networked computing environment. The method includes a computer processor accessing information corresponding to an aggregated plurality of authentication events within a networked computing environment. The method further includes identifying one or more credentials that are associated with the aggregated plurality of authentication events. The method further includes analyzing a frequency of usage of a first credential that is included in the identified one or more credentials. The method further includes determining that the first credential is shared, based at least in part, on the analysis of the frequency of usage of the first credential in authentication events by one or more hosts, and information related to authentication events corresponding to the one or more hosts that utilize the credential in authentication events. The method further includes generating a report that identifies that the first credential is shared.
    Type: Application
    Filed: February 22, 2016
    Publication date: August 24, 2017
    Inventors: Aditya S. Cetlur, Hung Le, Edwin B. Soenaryo
  • Publication number: 20170244690
    Abstract: A computer-implemented method of and a first web service system for anonymously authenticating a service user having an account associated with a first web service system are disclosed. The method is executable by a processor and comprises receiving an authentication request originating from a device of the service user, the authentication request comprising data identifying the account of the service user; generating, based on data relating to the account of the service user, a token comprising first data anonymously authenticating the service user and second data identifying an action that a second web service system is authorized to perform for the service user; storing, in a memory, at least one of the first and second data of the token; and transmitting the generated token to the second web service system. A computer-implemented method executable by a second web service system and a second web service system are also disclosed.
    Type: Application
    Filed: March 17, 2015
    Publication date: August 24, 2017
    Inventor: Vladimir Mikhailovich NEVEROV
  • Publication number: 20170244691
    Abstract: The invention is a method for managing a response from an application embedded in a secure token acting as a UICC, in response to a command requesting opening a proactive session. The command is sent by an applicative server to the secure token via an OTA server providing a security layer. The method comprises the steps of sending another command from the applicative server to the secure token using the security layer provided by the OTA server, and in response to this second command, the secure token sends the response of the first command to the applicative server using the security layer provided by the OTA server.
    Type: Application
    Filed: October 9, 2015
    Publication date: August 24, 2017
    Applicant: GEMALTO SA
    Inventors: Xavier BERARD, Antoine GALLAND
  • Publication number: 20170244692
    Abstract: A mechanism for using a mobile device connected to a security device to authenticate a user to a service provider using a security device operating according to an applet without storing keys or user interface text on the security device or the mobile device. Registration and authentication messages to the mobile device are routed to a security device. These messages include a nonce. The security device encrypts responses from the user using the nonce and transmits an encrypted response message including the encrypted response to the authentication server, wherein the nonce is unique for each communication between the authentication server and the security device. Other systems and methods are disclosed.
    Type: Application
    Filed: February 24, 2016
    Publication date: August 24, 2017
    Applicants: Gemalto Inc., Valimo Wireless Oy
    Inventors: Sridhar BHUPATHIRAJU, Benoit FAMECHON, HongQian Karen LU, Asad Mahboob ALI
  • Publication number: 20170244693
    Abstract: Systems and methods are provided for encrypting data at a customer for storage at a hosted service provider. In addition to the data being encrypted by the client, the secret encryption key used to encrypt the data is also encrypted. Both the encrypted data and the encrypted secret encryption key are transmitted to the service provider who may further encrypt the data with another encryption key and who stores the further encrypted data, the encrypted secret encryption key and the another encryption key.
    Type: Application
    Filed: June 10, 2016
    Publication date: August 24, 2017
    Applicant: Cloud9 Technologies, LLC
    Inventors: Leonidas P. Papadopoulos, Roger Norman Dunn, Anil Mathai Varghese
  • Publication number: 20170244694
    Abstract: The management of credentials subject to a lockout policy can include dynamically determining appropriate lockout thresholds and other such values appropriate for a current situation. For example, the number of incorrect password attempts allowed before an account lockout can be based at least in part upon the amount of time that has passed since a most recent password change. There might be an unlimited number of attempts allowed for a short period after a password change, followed by a decreasing number of permissible attempts over a subsequent period of time. In some embodiments the number of correct attempts received after a password change can affect the number of incorrect attempts allowed. Further, if an incorrect attempt matches a previously correct password then that attempt might not count toward the number of incorrect attempts compared against the threshold, at least for a determined period of time after a password change.
    Type: Application
    Filed: May 11, 2017
    Publication date: August 24, 2017
    Inventor: Gregory Branchek Roth
  • Publication number: 20170244695
    Abstract: Delegating authorizations sufficient to access services is contemplated. The authorization may be delegated in the form of a token or other transmissible construct relied upon to authenticate access to services, such as but not necessarily limited to conferring a user identity established via an authenticated device for the purposes of enabling an unauthenticated or unsecured device to access a service associated with the user identity.
    Type: Application
    Filed: May 9, 2017
    Publication date: August 24, 2017
    Inventors: Robert M. Lund, Steven E. Johnson
  • Publication number: 20170244696
    Abstract: Delegating authorizations sufficient to access services is contemplated. The authorization may be delegated in the form of a token or other transmissible construct relied upon to authenticate access to services, such as but not necessarily limited to conferring a user identity established via an authenticated device for the purposes of enabling an unauthenticated or unsecured device to access a service associated with the user identity.
    Type: Application
    Filed: May 9, 2017
    Publication date: August 24, 2017
    Inventors: Robert M. Lund, Steven E. Johnson
  • Publication number: 20170244697
    Abstract: A mobile device sends a network attach request to a network node, and receives an authentication challenge from the network node, where the authentication challenge includes an authentication token, a random number, and a time variable associated with a current time at the network node. A microprocessor smart card of the mobile device retrieves the time variable from the authentication challenge, and starts a clock counter based on the retrieved time variable. The microprocessor smart card uses a current time represented by the clock counter to perform time expiration validation tests on certificates during Public Key Infrastructure (PKI) authentication or on authentication tokens during token-based authentication.
    Type: Application
    Filed: February 23, 2016
    Publication date: August 24, 2017
    Inventors: Manuel Enrique Caceres, Warren Hojilla Uy, Praveen Venkataramu, Ruben Cuadrat
  • Publication number: 20170244698
    Abstract: Authentication processing for a plurality of self-encrypting storage devices (e.g. SEDs) of a computer system is provided. The authentication processing for the SEDs includes obtaining authentication information for one SED of the plurality of SEDs, performing authentication processing for the one SED based on the obtained authentication information for the one SED; and based on the authentication processing for the one SED, performing authentication processing for each additional SED of one or more additional SEDs of the plurality of SEDs. A pre-boot configuration environment (PBA) to facilitate the authentication processing, and methods for installing the PBA are provided.
    Type: Application
    Filed: February 23, 2016
    Publication date: August 24, 2017
    Applicant: Assured Information Security, Inc.
    Inventor: Maurice Gale
  • Publication number: 20170244699
    Abstract: There is provided a system comprising a first device of a user and a second device of a user, in which a user carries out a secure transaction utilising a user interface of the second device, wherein the secure transaction process sends a request to a user interface of the first device, and authorises or authenticates the transaction in dependence on a response to the request which is not transmitted from a user interface of the second device.
    Type: Application
    Filed: September 11, 2015
    Publication date: August 24, 2017
    Inventor: Philip SHAW
  • Publication number: 20170244700
    Abstract: A method of validating a user for accessing a secure system comprising selecting a picture that is prompted to the user, generating, through the user, an intelligent voice print in regards to the selected picture, matching the intelligent voice print associated with the selected picture to a stored authentication voice print and picture pair, authenticating the user when the intelligent voice print is matched to within a predetermined voice tolerance, verifying a textual component of the intelligent voice print to within a predetermined textual tolerance, validating the authenticating and the verifying of the user, and receiving access to the secure system based on the validating of the user against the stored intelligent voice print and picture pair.
    Type: Application
    Filed: March 21, 2016
    Publication date: August 24, 2017
    Inventor: Kurt Ransom Yap
  • Publication number: 20170244701
    Abstract: The present invention discloses a voiceprint verification method, apparatus, storage medium and device.
    Type: Application
    Filed: November 3, 2015
    Publication date: August 24, 2017
    Inventors: Dan SU, Yong GUAN
  • Publication number: 20170244702
    Abstract: According to various example embodiments of the present disclosure, an electronic device and an operating method thereof may include receiving an access request for the electronic device from an external electronic device, activating the authentication module in response to the access request, transmitting, to the external electronic device, an authentication information request for the authentication module, receiving, from the external electronic device, authentication information corresponding to a user of the external electronic device in response to the authentication information request, performing authentication on the user based on the authentication information using the authentication module, and deactivating the authentication module if the authentication is complete.
    Type: Application
    Filed: February 2, 2017
    Publication date: August 24, 2017
    Inventors: Ho-Dong JWA, Gwiho Lee, Hakjoo Kim, Sangho Park, Yong-Jun Park, Kyungryol Lee, Wooyoung Choi
  • Publication number: 20170244703
    Abstract: A method and an apparatus for providing a connection between electronic devices using authentication based on biometric information are provided. The electronic device includes: a first communication circuit to support NFC; a second communication circuit to support non-NFC; a biometric sensor; a memory to store first authentication information corresponding to an external device; and a processor.
    Type: Application
    Filed: February 17, 2017
    Publication date: August 24, 2017
    Inventors: Gwiho LEE, Hakjoo KIM, Sangho PARK, Yong-Jun PARK, Jong-Hoon PARK, In-Jun SON, Yang Soo LEE, Moonsu CHANG, Ho-Dong JWA, Wooyoung CHOI
  • Publication number: 20170244704
    Abstract: Embodiments are directed to a computing device having execution hardware including at least one processor core, and non-volatile memory that stores a verification module and a private symmetric key unique to the computing device. The verification module, when executed on the execution hardware, causes the execution hardware to perform pre-execution local authenticity verification of externally-supplied code in response to a command to launch that code. The local authenticity verification includes computation of a cryptographic message authentication code (MAC) of the externally-supplied code based on the private symmetric key, and verification of the MAC against a stored local authenticity verification value previously written to the non-volatile memory. In response to a positive verification of the MAC, execution of the externally-supplied code is permitted.
    Type: Application
    Filed: February 24, 2016
    Publication date: August 24, 2017
    Inventor: Ernie F. Brickell
  • Publication number: 20170244705
    Abstract: A method of using a converged core network service, a universal control entity (UCE), and a converged core network system. The method includes establishing, by a terminal, a signaling connection with a converged core network supporting a plurality of access networks through a first access network, and after establishing the signaling connection, using, by the terminal, a data service through a second access network by reusing at least one of authentication information authenticated and resource information allocated upon establishing the signaling connection through the first access network.
    Type: Application
    Filed: August 31, 2016
    Publication date: August 24, 2017
    Inventors: Jeounglak HA, Yoo Hwa KANG, Chang Ki KIM, No Ik PARK, Young Il CHOI