Patents Issued on March 17, 2020
-
Patent number: 10592639
Abstract: A client platform supports digital rights management. The client platform comprises a digital rights management (DRM) engine which, when executed, enables the client platform to monitor download operations performed by the client platform and to obtain a shadow image for a digital content item from a DRM blockchain, in response to an operation to download the digital content item from a remote source. The shadow image comprises a hash of the digital content item and copyright policy settings to indicate security constraints for the digital content item. The client platform may automatically determine whether the copyright policy settings for the digital content item allow modification of the digital content item. A user may be allowed to create a modified version of the digital content item only if the copyright policy settings allow modification of the digital content item. Other embodiments are described and claimed.
Type: Grant
Filed: September 6, 2016
Date of Patent: March 17, 2020
Assignee: Intel Corporation
Inventors: Tamara Gaidar, Eran Birk, Nava Levy, Glen J. Anderson, Ned M. Smith
-
Patent number: 10592640
Abstract: A system and method for analyzing a device are disclosed. In an aspect, a method can comprise determining a parameter of a device at a kernel level of a software stack associated with the device, analyzing the parameter to determine an event state, comparing the event state to a white list to determine a state of an alert trigger, and generating an alert in response to the determined state of the alert trigger.
Type: Grant
Filed: October 2, 2017
Date of Patent: March 17, 2020
Assignee: COMCAST CABLE COMMUNICATIONS, LLC
Inventors: Bahar Limaye, Atif Ghauri, Sean Wechter
-
Patent number: 10592641
Abstract: Embodiments of a portable data storage device and a method of protecting data stored in the portable data storage device are provided. In one embodiment, the portable data storage device includes a device identification unique to the portable data storage device, a rights object containing information indicative of access rights and a verification identification, a memory to store the device identification and the verification identification, and controller logic. The memory is partitioned into a plurality of areas of memory, including: a first area as a protection area to store an instruction code, a second area as a partition table area to store a partition table, and a third area as a file area to store data files. In response to a request from a client external to the portable data storage device, the controller logic compares the verification identification with the device identification to allow the client to access of the data files if the verification identification matches the device identification.
Type: Grant
Filed: July 24, 2018
Date of Patent: March 17, 2020
Inventor: Hui Lin
-
Patent number: 10592642
Abstract: In some embodiments, systems, apparatuses, and methods are provided herein useful to automatically authorizing digital rights access. In some embodiments, the system comprises a content creator server, wherein the content creator server is configured to create a block, wherein the block includes the content, publish, to a public ledger, the block, wherein the public ledger comprises a blockchain, generate, for a user device, a key, wherein the key provides digital rights access to the block, and transmit, to the user device, the key, the user device configured to store a local copy of the public ledger, update the local copy of the public ledger to include the block, receive, from the content creator server, the key, and access, via the local copy of the public ledger with the key, the block, wherein access to the block allows the user device to make use of the content.
Type: Grant
Filed: April 17, 2019
Date of Patent: March 17, 2020
Assignee: Walmart Apollo, LLC
Inventors: Bruce W. Wilkinson, Charles Harry Lobo, Sid Shake
-
Patent number: 10592643
Abstract: A wireless device enterprise management system and a method for operating the management system in a controlled environment is disclosed. The enterprise management system includes implementing a container-based file system on wireless devices within the controlled environment. Enterprise management system manages and controls the organization of files into one or more containers on each wireless device. Each container is associated with one or more execution rules that allow or restrict execution of files that are located in the container.
Type: Grant
Filed: February 12, 2019
Date of Patent: March 17, 2020
Assignee: Global Tel*Link Corporation
Inventor: Stephen L. Hodge
-
Patent number: 10592644
Abstract: An information protection method and device based on a plurality of sub-areas for an MCU chip, the MCU chip comprises an instruction bus, a data bus, a flash controller and a user area of a flash memory, the method comprises: determining a preceding sub-area when the instruction bus accesses the user area; entering corresponding preceding sub-area working state; determining the current sub-area when the instruction bus accesses the user area; when the preceding sub-area is inconsistent with the current sub-area, entering the transition state; determining whether the duration of the transition state reaches the preset waiting time; if yes, entering the corresponding current sub-area working state. The information protection method and device prevent the cooperative companies which develop the program together from stealing program from each other.
Type: Grant
Filed: January 30, 2015
Date of Patent: March 17, 2020
Assignee: GIGADEVICE SEMICONDUCTOR (BEIJING) INC.
Inventors: Baokui Li, Jinghua Wang, Nanfei Wang
-
Patent number: 10592645
Abstract: A method for online authentication includes receiving membership authenticating information specific to members of a particular affiliation from the members and from one or more remote databases. The information is aggregated and stored in an aggregate database. An individual is authenticated, via a widget at least one of integrated into, and accessible by, at least one of a mobile application and a website of a provider of at least one of a particular program and a particular service, as a member of the particular affiliation based on a comparison of authenticating indicia provided online by the individual and the information stored in at least one of the aggregate database and the remote databases. Digital credentials are provided to the individual for access to the at least one of the particular program and the particular service when the individual is authenticated. The credentials include a unique identifier, a login and password.
Type: Grant
Filed: March 13, 2013
Date of Patent: March 17, 2020
Assignee: ID.me, Inc.
Inventors: Blake Hall, Matthew Thompson, Tony Huynh, William Kern
-
Patent number: 10592646
Abstract: There is proposed a user authentication method that uses a time-based password (TP) having a relatively long update cycle instead of a TOTP having a conventional short update cycle (e.g., 60 seconds). The present invention is a user authentication method executed by an authentication system that performs authentication of a user who performs access from an information communication terminal device in order to use a usage target system by using a reference terminal device that includes a security token capable of generating a TP. The authentication method includes setting an update cycle of the TP to a first update cycle of 30 days, 1 month, or a time period longer than 1 month, receiving a user authentication request that includes a time-based password generated by the security token according to the set first update cycle, and performing the authentication based on the TP contained in the received user authentication request.
Type: Grant
Filed: December 28, 2015
Date of Patent: March 17, 2020
Assignee: Passlogy Co., Ltd.
Inventor: Hideharu Ogawa
-
Patent number: 10592647
Abstract: A method for dynamically authenticating and granting access to a computing system may be provided. The method comprises receiving text data identifying a fact comprised in the text data, storing the identified fact in a knowledge base relating to a user profile, deriving at least one authentication question from the stored fact, and conducting a textual authentication dialog. The dialog comprises presenting the at least one authentication question, receiving a response, analyzing the response using natural language processing, and determining, based on the analysis, whether the response comprises the stored fact from which the authentication question has been derived. Additionally, the method comprises granting access to the computing system, and presenting an enrichment question and receiving a related answer.
Type: Grant
Filed: September 25, 2017
Date of Patent: March 17, 2020
Assignee: International Business Machines Corporation
Inventors: Patrizia Manganelli, Nicola Milanese, Cristina Bonanni, Domenico Raguseo
-
Patent number: 10592648
Abstract: A consent receipt management system may include one or more consent validity scoring systems. In various embodiments, a consent validity scoring system may be configured to detect a likelihood that a user is correctly consenting via a web form. The system may be configured to determine such a likelihood based at least in part on one or more data subject behaviors while the data subject is completing the web form in order to provide consent. In various embodiments, the system is configured to monitor the data subject behavior based on, for example: mouse speed; mouse hovering; mouse position; keyboard inputs; an amount of time spent completing the web form; etc. The system may be further configured to calculate a consent validity score for each generated consent receipt based at least in part on an analysis of the data subject's behavior.
Type: Grant
Filed: February 15, 2019
Date of Patent: March 17, 2020
Assignee: OneTrust, LLC
Inventors: Kabir A. Barday, Jonathan Blake Brannon, Richard A. Beaumont, John Mannix
-
Patent number: 10592649
Abstract: A computerized method for voice authentication of a customer in a self-service system is provided. A request for authentication of the customer is received and the customer is enrolled in the self-service system with a text-independent voice print. A passphrase from a plurality of passphrases to transmit to the customer is determined based on comparing each of the plurality of passphrases to a text-dependent or text-independent voice biometric model. The passphrase is transmitted to the customer, and when the customer responds, an audio stream of the passphrase is received. The customer is authenticated by comparing the audio stream of the passphrase against the text-independent voice print. If the customer is authenticated, then storing the audio stream of the passphrase and the topic of the passphrase.
Type: Grant
Filed: August 9, 2017
Date of Patent: March 17, 2020
Assignee: NICE LTD.
Inventors: Matan Keret, Amnon Buzaglo
-
Patent number: 10592650
Abstract: Some embodiments include a method of providing security and privacy for a message sender. The method can include a messaging application determining that a messaging interface of the computing device is active and is revealing or about to reveal the electronic message. The messaging application can identify a recipient account of a messaging server system that is associated with the electronic message according to the electronic message or the messaging server system. The messaging application can then monitor a data feed from a sensor of the computing device to detect a biometric pattern that matches against a biometric profile model associated with the recipient account utilizing a biometric recognition process. In response to determining that the detected biometric pattern does not match the biometric profile model associated with the recipient account, the messaging application can activate a privacy shield to prevent content of the electronic message from being revealed.
Type: Grant
Filed: October 17, 2017
Date of Patent: March 17, 2020
Assignee: FaceToFace Biometrics, Inc.
Inventors: Eric Leuthardt, Scott Stern
-
Patent number: 10592651
Abstract: Methods and systems described herein perform a secure transaction. A display presents images that are difficult for malware to recognize but a person can recognize. In at least one embodiment, a person communicates transaction information using visual images received from the service provider system. In at least one embodiment, a universal identifier is represented by images recognizable by a person, but difficult for malware to recognize. In some embodiments, methods and systems are provided for determining whether to grant access, by generating and displaying visual images on a screen that the user can recognize. In an embodiment, a person presses one's finger(s) on the screen to select images as a method for authenticating and protecting communication from malware. In at least one embodiment, quantum randomness helps unpredictably vary the image location, generate noise in the image, or change the shape or texture of the image.
Type: Grant
Filed: September 17, 2015
Date of Patent: March 17, 2020
Assignee: Fiske Software LLC
Inventor: Michael Stephen Fiske
-
Patent number: 10592652
Abstract: A mobile communication terminal (400) has a controller (410), a touch display (430) and a proximity sensor (420). The touch display has an inactive mode (610; FIG. 5A) essentially without user interaction ability, a lock screen mode (620; FIG. 5B) with limited user interaction ability, and an operational mode (650; FIG. 5C). The lock screen mode generally prevents a user from accessing functionality (560) provided by the mobile communication terminal in the operational mode.
Type: Grant
Filed: January 30, 2015
Date of Patent: March 17, 2020
Assignee: Doro AB
Inventors: Fredrik Löthgren, Mattias Nilsson
-
Patent number: 10592653
Abstract: The invention provides a solution for secure input of a user's input into an electronic device. The invention comprises methods and apparatus for secure input of a user's identifier e.g. password or other code. An image of a keyboard is superimposed over a scrambled, operable keyboard within a display zone of a screen associated with an electronic device. The keyboard image depicts a non-scrambled keyboard, in that the keys depicted in the image are in an expected or standardised format or order e.g. QWERTY keyboard arrangement. The difference in positions of the keys depicted in the image, and those in the operable keyboard, provides a mapping which enables an encoded form of the identifier to be generated, such that the un-encoded version is never stored in the device's memory. Preferably, the image depicts a keyboard which is standard for the device which it is being displayed on.
Type: Grant
Filed: May 27, 2016
Date of Patent: March 17, 2020
Assignees: LICENTIA GROUP LIMITED, MYPINPAD LIMITED
Inventor: Justin Pike
-
Patent number: 10592654
Abstract: Determining a group of figures for use in a vision test to distinguish computers from humans. An image is obtained and segmented into a plurality of parts. Based on the plurality of parts, a group of figures is determined to enable the group of figures to be displayed at a certain rate for a user to recognize the image.
Type: Grant
Filed: September 21, 2017
Date of Patent: March 17, 2020
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Xu Feifei, Zhuang Liang, Xin Hui CP Pan, Yu Wenzhi
-
Patent number: 10592655
Abstract: Determining a group of figures for use in a vision test to distinguish computers from humans. An image is obtained and segmented into a plurality of parts. Based on the plurality of parts, a group of figures is determined to enable the group of figures to be displayed at a certain rate for a user to recognize the image.
Type: Grant
Filed: November 7, 2017
Date of Patent: March 17, 2020
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Xu Feifei, Zhuang Liang, Xin Hui C P Pan, Yu Wenzhi
-
Patent number: 10592656
Abstract: A client transmits a user identifier and a password to a server via an application programming interface (API). The client establishes an authenticated session with the server in which the client has a first set of permissions for operations associated with the API. The client receives, responsive to a verification of the user identifier and password by the server, a logon response and a shared secret. The client generates a one time passcode (OTP) based upon the shared secret. The client sends the OTP to the server via the API. Responsive to the server validating the OTP against the shared secret, the server grants a second set of permissions for operations associated with the API.
Type: Grant
Filed: November 15, 2017
Date of Patent: March 17, 2020
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Larry A. Brocious, Michael J. Howland, Paul E. Rogers
-
Patent number: 10592657
Abstract: Techniques of implementing automated secure disposal of hardware components in computing systems are disclosed herein. In one embodiment, a method includes receiving data representing a command instructing removal of a hardware component from a server in a datacenter upon verification. In response to receiving the maintenance command, the method includes autonomously navigating from a current location to the destination location corresponding to the server, verifying an identity of the hardware component at the destination location, and removing the hardware component from the server. The method further includes upon successful removal of the hardware component, generating and transmitting telemetry data indicating verification of the hardware component at the destination location and successful removal of the verified hardware component from the server.
Type: Grant
Filed: May 9, 2019
Date of Patent: March 17, 2020
Assignee: Microsoft Technology Licensing, LLC
Inventors: Michael Helsel, Ned Lecky, Nicholas Keehn
-
Patent number: 10592658
Abstract: A password recovery technique for access to a system includes receiving a request from a first party to recover the first party's password to access the system, receiving a selection of a second party from the first party, sending a message to the second party requesting that the second party authorize the request to recover the first party's password, receiving authorization from the second party for the request to recover the first party's password, and resetting the first party's password responsive to receiving authorization from the second party.
Type: Grant
Filed: June 28, 2018
Date of Patent: March 17, 2020
Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
Inventors: Nemmara K. Shankaranarayanan, William Roberts Cheswick
-
Patent number: 10592659
Abstract: After first installation of an application program on a computing device, the computing device monitors a behavior of the application program for a period of time and then builds a behavior profile of the application program from the behavior. After the period of time has elapsed, such as specified period of time, the computing device may prevent the application program from deviating from the behavior profile. After the period of time has elapsed, such as when an update or patch to the application program has been applied or installed, the computing device may continue to monitor the behavior of the application program, and in response to determining that the behavior of the application program after the period of time deviates from the behavior profile, perform an action with respect to the application program.
Type: Grant
Filed: February 26, 2016
Date of Patent: March 17, 2020
Assignee: LENOVO Enterprise Solutions (Singapore) PTE. LTD
Inventors: Gary David Cudak, John Scott Crowe, Jennifer J. Lee-Baron, Nathan J. Peterson, Amy Leigh Rose, Bryan L. Young
-
Patent number: 10592660
Abstract: Various systems and methods for capability access management are disclosed herein. In one example, a system includes a memory and a processor to send a signed custom capability description (SCCD) received from a first vendor to the memory for storage. The system may send an application received from a second vendor to the memory for storage. The system attempts to match the application to an authorization listing of the SCCD, where the application can be modified to allow access to a previously inaccessible custom capability in response to the application matching the authorization listing of the SCCD.
Type: Grant
Filed: November 22, 2016
Date of Patent: March 17, 2020
Assignee: Microsoft Technology Licensing, LLC
Inventors: Matthew Gonzalez, John Sheehan, Peter Torr, Yifan Wang, Benjamin McGregor, Kumar Rajeev, Dylan D'Silva, Peter Wieland
-
Patent number: 10592661
Abstract: In various examples, there is a computer-implemented method for providing packages for processing on a computer system. The method creates a secure connection to an enclave and retrieves a quote to verify that the enclave is genuine and that it contains a predetermined process. The predetermined process is configured to create an enclave for itself and determine that an initial state of the computer system is equivalent to a predetermined state based on a quote retrieved from a security module. The predetermined process is further configured to receive a package to be processed by the computer system and cause the processor to process the package outside of the enclave. In response to verifying the enclave, the method provides a package to be processed by the computer system.
Type: Grant
Filed: November 27, 2017
Date of Patent: March 17, 2020
Assignee: Microsoft Technology Licensing, LLC
Inventors: Sylvan Wesley Clebsch, Marc Manuel Johannes Brockschmidt, Syed Samin Ishtiaq, Jade Ella Carla Alglave, Matthew John Parkinson, Andrew Madison Kent
-
Patent number: 10592662
Abstract: The disclosed computer-implemented method for altering time data may include (i) identifying an untrusted executable that is capable of making queries to an operating system of the computing device, (ii) intercepting a request by the untrusted executable to query a system clock of the operating system of the computing device for a current time, (iii) calculating an offset value for the current time that is within a predetermined margin of the current time, and (iv) providing, in response to the request, the untrusted executable with the offset value for the current time instead of the current time. Various other methods, systems, and computer-readable media are also disclosed.
Type: Grant
Filed: September 13, 2017
Date of Patent: March 17, 2020
Assignee: CA, Inc.
Inventor: William E. Sobel
-
Patent number: 10592663
Abstract: Technologies for USB controller state integrity protection are disclosed. A computing device reserves an isolated memory region in system memory and programs a base address register of a USB controller with the address of the isolated memory region. The computing device locks the base address register from further changes. The USB controller may store controller state data in a scratchpad buffer located within the isolated memory region. Software executed by a processor may read controller state data from the scratchpad buffer. Secure routing hardware of the computing device controls access to the isolated memory region. The secure routing hardware may allow read and write access by the USB controller and read-only access by software executed by the processor. After storing the controller state data, the computing device may power down the I/O controller. Other embodiments are described and claimed.
Type: Grant
Filed: December 28, 2017
Date of Patent: March 17, 2020
Assignee: Intel Corporation
Inventors: Soham Jayesh Desai, Pradeep Pappachan, Reshma Lal, Siddhartha Chhabra
-
Patent number: 10592664
Abstract: A plurality of pages of code executing via a container host operating system are monitored. The plurality of pages of code include pages of code from a plurality of container applications configured to utilize the container host operating system. A determination is made that a page of code of the plurality of pages of code violates a security policy configured to apply security within the container host operating system. A container application of the plurality of container applications is identified as a source of the page of code of the plurality of pages of code. The security policy is applied to the container application of the plurality of container applications in response to identifying the container application of the plurality of container applications as the source of the page of code.
Type: Grant
Filed: February 2, 2017
Date of Patent: March 17, 2020
Assignee: Cisco Technology, Inc.
Inventors: William E. Jacobs, Rafael Mantilla Montalvo
-
Patent number: 10592665
Abstract: An apparatus having a carrier with circuit structures including a complex impedance has a measurement unit implemented to measure the complex impedance of the circuit structures at a first time to get a first result and at a later second time to get a second result. Further, either a control implemented to enable operation of a component or to judge whether unauthorized to the component has taken place in dependence on whether the first result matches the second result, or an interface implemented to transmit the first result and the second result in a wireless or wired manner to such a control are provided. In that way, specifically embedded systems without integrated security functions can be upgraded with cryptographic routines in a simple and cost effective manner.
Type: Grant
Filed: September 28, 2015
Date of Patent: March 17, 2020
Assignee: Fraunhofer-Gesellschaft zur Foerderung der angewandten Forschung e.V.
Inventors: Maxim Hennig, Oliver Schimmel, Philipp Zieris, Bartol Filipovic
-
Patent number: 10592666
Abstract: In some examples, a system extracts features from event data representing events in a computing environment, trains ensembles of machine-learning models for respective analytics modules of a plurality of different types of analytics modules, and detects, by the different types of analytics modules using the respective trained ensembles of machine-learning models, an anomalous entity in response to further event data.
Type: Grant
Filed: August 31, 2017
Date of Patent: March 17, 2020
Assignee: MICRO FOCUS LLC
Inventors: Mijung Kim, Pratyusa K. Manadhata, Manish Marwah, Alexander Ulanov, Jun Li
-
Patent number: 10592667
Abstract: An apparatus can include a processor that can extract, from an input binary file, an image data structure, and can scale the image data structure to a predetermined size, and/or modify the image data structure to represent a grayscale image. The processor can calculate a modified pixel value for each pixel in the image data structure, and can define a binary vector based on the modified pixel value for each pixel in the image data structure. The processor can also identify a set of nearest neighbor binary vectors for the binary vector based on a comparison between the binary vector and a set of reference binary vectors stored in a malware detection database. The processor can then determine a malware status of the input binary file based on the set of nearest neighbor binary vectors satisfying a similarity criterion associated with a known malware image from a known malware file.
Type: Grant
Filed: December 18, 2017
Date of Patent: March 17, 2020
Assignee: Invincea, Inc.
Inventors: Alexander Mason Long, Joshua Daniel Saxe
-
Patent number: 10592668
Abstract: A redundant and diverse secondary control system mirrors a primary control system but has some fundamental structural difference as compared to the primary control system to prevent a spread of a security breach from the primary control system to the secondary control system. The secondary control system may operate on different hardware built on different software written with different programming language as compared to the primary control system while performing the same function as that of the primary system. By hardware coding the algorithm to produce actuation signals, software based viruses and worms cannot interfere with the secondary control system's operation. A monitor device receives actuation signals from both the primary and secondary controls signals to determine whether an error occurred and to provide correct actuation signals to the controlled system.
Type: Grant
Filed: November 23, 2015
Date of Patent: March 17, 2020
Assignee: HOWARD UNIVERSITY
Inventor: Charles J. Kim
-
Patent number: 10592669
Abstract: A computer system is securely booted by executing a boot firmware to locate a boot loader and verify the boot loader using a first key that is associated with the boot firmware. Upon verifying the boot loader, computer system executes the boot loader to verify a system software kernel and a secure boot verifier using a second key that is associated with the boot loader. The secure boot verifier is then executed to verify the remaining executable software modules to be loaded during boot using a third key that is associated with the secure boot verifier. During boot, state data files of the computer system are mounted in a namespace that is isolated from the namespaces in which the executable software modules are mounted.
Type: Grant
Filed: June 23, 2016
Date of Patent: March 17, 2020
Assignee: VMware, Inc.
Inventors: Mukund Gunti, Timothy P. Mann
-
Patent number: 10592670
Abstract: Technologies for configuring a launch enclave include a computing device having a processor with secure enclave support. A trusted execution environment (TEE) of the computing device stores a launch enclave hash in a launch enclave hash table in secure storage and provisions the launch enclave hash to platform firmware at runtime. The TEE may receive the launch enclave hash via trusted I/O. The platform firmware sets a configure enclave launch bit and resets the computing device. On reset, the TEE determines whether the launch enclave hash is allowed for launch. The TEE may evaluate one or more launch configuration policies and may select a launch enclave hash based on the launch configuration policies. If allowed, the platform firmware writes the launch enclave hash to a model-specific register of the processor, and the launch enclave may be loaded and verified with the launch enclave hash. Other embodiments are described and claimed.
Type: Grant
Filed: June 28, 2016
Date of Patent: March 17, 2020
Assignee: Intel Corporation
Inventors: Rajesh Poornachandran, Vincent J. Zimmer, Mingqiu Sun, Gopinatth Selvaraje
-
Patent number: 10592671
Abstract: The subject disclosure is directed towards protecting code in memory from being modified after boot, such as code used in a dedicated microprocessor or microcontroller. Hardware, such as in logic or in a memory protection unit, allows a range of memory to be made non-writeable after being loaded, e.g., via a secure boot load operation. Further, startup code that is used to configure the hardware/memory may be made non-executable after having run once, so that no further execution may occur in that space, e.g., as a result of an attack. A function in the runtime code may allow for a limited, attack-protected reconfiguration of sub-regions of memory regions during the runtime execution.
Type: Grant
Filed: December 29, 2017
Date of Patent: March 17, 2020
Assignee: Microsoft Technology Licensing, LLC
Inventors: Ling Tony Chen, Felix Stefan Domke
-
Patent number: 10592672
Abstract: The disclosed embodiments provide a system that facilitates testing of an insecure computing environment. During operation, the system obtains a real data set comprising a set of data strings. Next, the system determines a set of frequency distributions associated with the set of data strings. The system then generates a test data set from the real data set, wherein the test data set comprises a set of random data strings that conforms to the set of frequency distributions. Finally, the system tests the insecure computing environment using the test data set.
Type: Grant
Filed: December 21, 2016
Date of Patent: March 17, 2020
Assignee: INTUIT INC.
Inventor: Colin R. Dillard
-
Patent number: 10592673
Abstract: Device, system, and method of managing trustworthiness of electronic device. For example, an Internet of Things (IoT) device is able to transmit data to a recipient device. The recipient device operates as a querying device, and utilizes a query agent to query a trust-management server with regard to the trustworthiness of the IoT device. The trust-management server receives from the IoT device a set of values indicating various parameters of the IoT device. The trust-management server generates a trustworthiness report pertaining to the IoT device, and sends the report as a response to the trustworthiness query. Optionally, a caching agent caches copies of trustworthiness reports and provides to querying devices such previous reports, together with an indication of their freshness level.
Type: Grant
Filed: May 2, 2016
Date of Patent: March 17, 2020
Assignee: ARM LIMITED
Inventors: Hagai Bar-El, Leonid Dorrendorf, Avraham Moshe Schneider
-
Patent number: 10592674
Abstract: Digital obsolescence avoidance systems and methods may determine an obsolescence vulnerability for a digital object. A digital obsolescence avoidance system may include a validation system and an obsolescence vulnerabilities system. The validation system may be configured to receive metadata for the digital object and to determine a digital object kind for the received metadata. The obsolescence vulnerabilities system may be configured to determine one or more dependencies for the determined object kind, to determine an obsolescence vulnerability based on the determined one or more dependencies, and to provide output related to the determined obsolescence vulnerability.
Type: Grant
Filed: July 14, 2017
Date of Patent: March 17, 2020
Inventors: Linda Tadic, David Margolis, Diana Eppstein
-
Patent number: 10592675
Abstract: In one aspect, a computerized method for assessing and managing information security risks in a computer system includes the step of receiving a customer security assessment. The method includes the step of obtaining a set of already-answered security assessment questions. The method includes the step of applying one or more machine learning methods to generate a strength of one or more similarities scores. The method includes the step of automatically populating one or more direct mappings between the set of already-answered security assessment questions with the other set of questions in a customer security assessment. The method includes the step of setting a baseline score for the one or more direct mappings to already-answered security assessment questions to a set of answered questions in the customer security assessment by using the strength of one or more similarities scores.
Type: Grant
Filed: July 27, 2017
Date of Patent: March 17, 2020
Inventors: Jeff Dotson, Andrew Watanabe, Joshua Mortensen, Juan Rodriguez
-
Patent number: 10592676
Abstract: Techniques to facilitate security for a software application are disclosed herein. In at least one implementation, static analysis is performed on code resources associated with the software application to generate static analysis results. Dynamic analysis is performed on a running instance of the software application to generate dynamic analysis results. An application information model of the software application is generated based on the static analysis results and the dynamic analysis results. Security policies for the software application are determined based on the application information model.
Type: Grant
Filed: October 27, 2017
Date of Patent: March 17, 2020
Assignee: Tala Security, Inc.
Inventors: Sanjay Sawhney, Aanand Mahadevan Krishnan, Somesh Jha, Andrew Joseph Davidson, Swapnil Bhalode
-
Patent number: 10592677
Abstract: Techniques are disclosed for patching applications having software components with vulnerabilities. Upon receipt of a notification that a version of a software component has a vulnerability, a database of metadata is accessed to identify software applications which include the version of the software component. The identified software applications are cloned, and the version of the software component is replaced with a newer version which is free from the vulnerability to patch the application. The patched software application is then tested on a cloud computing test environment, and upon a successful test, deployed to a cloud computing production environment.
Type: Grant
Filed: May 30, 2018
Date of Patent: March 17, 2020
Assignee: PAYPAL, INC.
Inventors: Spiros Petratos, Rick Hogge, Praveen Nuthulapati
-
Patent number: 10592678
Abstract: The embodiments herein are directed to a technique for providing secure communication between nodes of a network environment or within a node of the network using a verified virtual trusted platform module (TPM) of each node. The verified virtual TPM illustratively emulates a hardware TPM device to provide software key management of cryptographic keys used to provide the secure communication over a computer network of the network environment. Illustratively, the verified virtual TPM is configured to enforce a security policy of a trusted code base (TCB) that includes the virtual TPM. Trustedness denotes a predetermined level of confidence that the security property is demonstrated by the verified virtual TPM. The predetermined level of confidence is based on an assurance (i.e., grounds) that the verified virtual TPM demonstrates the security property.
Type: Grant
Filed: September 9, 2016
Date of Patent: March 17, 2020
Assignee: FireEye, Inc.
Inventors: Osman Abdoul Ismael, Hendrik Tews
-
Patent number: 10592679
Abstract: Representative embodiments set forth herein disclose techniques for modifying encryption classes of files. According to some embodiments, a technique can include receiving a request to update an encryption configuration of a file from a current encryption class to an updated encryption class. In response, the technique involves obtaining (i) a first class key associated with the current encryption class, and (ii) a second class key associated with the updated encryption class. Next, the technique involves identifying file extents of the file, where each file extent is encrypted by a respective extent key that is encrypted by the first class key. Finally, the technique involves, for each file extent of the file: (i) decrypting the respective extent key using the first class key to produce a decrypted respective extent key, and (ii) encrypting the decrypted respective extent key using the second class key to produce an updated respective extent key.
Type: Grant
Filed: September 23, 2016
Date of Patent: March 17, 2020
Assignee: Apple Inc.
Inventors: Eric B. Tamura, Kelly B. Yancey
-
Patent number: 10592680
Abstract: A computer implemented method and apparatus for controlling the accessibility of data on a data storage 9 comprises obtaining an identifier, and determining dependent on the identifier, in a secure context 5 of a computer processor 1, whether to make data accessible in a user context 3. In the event that data is to be made accessible, access is provided to the data in the user context 3.
Type: Grant
Filed: October 31, 2014
Date of Patent: March 17, 2020
Assignee: ExactTrak Limited
Inventors: Norman Shaw, John Pragnell
-
Patent number: 10592681
Abstract: A method for sharing data in a multi-tenant database includes generating a share object in a first account comprising a share role. The method includes associating one or more access rights with the share role, wherein the one or more access rights indicate which objects in the first account are accessible based on the share object. The method includes granting, to a second account, cross-account access rights to the share role or share object in the first account. The method includes receiving a request from the second account to access data or services of the first account. The method further includes providing a response to the second account based on the data or services of the first account.
Type: Grant
Filed: January 10, 2017
Date of Patent: March 17, 2020
Assignee: Snowflake Inc.
Inventors: Benoit Dageville, Thierry Cruanes, Martin Hentschel, Peter Povinec
-
Patent number: 10592682
Abstract: An encrypted data receiving unit (201) receives encrypted data which has been encrypted, in which a decryption condition to define a user attribute of a decryption-permission user who is permitted to decrypt the encrypted data is embedded. A data storage unit (202) stores the encrypted data received by the encrypted data receiving unit (201) in an encrypted state. A revocation processing unit (209) adds revocation information in which a user attribute of a revoked user who is no longer the decryption-permission user is indicated, to an embedded decryption condition that is embedded in the encrypted data, while the encrypted data remains in an encrypted state.
Type: Grant
Filed: February 20, 2015
Date of Patent: March 17, 2020
Assignee: MITSUBISHI ELECTRIC CORPORATION
Inventors: Takumi Mori, Yutaka Kawai, Nori Matsuda
-
Patent number: 10592683
Abstract: A technique and system provide protection to information or documents via an authorization policy that is applied to multiple application programs and authorization requests are submitted through a REST API over HTTP or HTTPS. Methods, techniques, and systems control access to protected information or documents and use of content in protected information or documents to support information management policies.
Type: Grant
Filed: April 19, 2018
Date of Patent: March 17, 2020
Assignee: NextLabs, Inc.
Inventors: Keng Lim, Poon Fung
-
Patent number: 10592684
Abstract: Systems and methods are provided for automatic operation detection on protected fields. A data model configuration can be used to specify which attributes of a data model used by a cloud-based application are protected by a data security provider monitoring communications between the application and a client device. A determination can be made automatically which operations of the cloud-based application are supported for protected fields. The cloud-based application can be configured to enable/disable certain features, such as validators, auto complete, search operators, etc. according to whether the attributes are protected fields.
Type: Grant
Filed: October 21, 2016
Date of Patent: March 17, 2020
Assignee: Oracle International Corporation
Inventors: Jing Wu, Blake Sullivan, Michael William McGrath, Min Lu
-
Patent number: 10592685
Abstract: A method for sharing read access to a document stored on memory hardware. The method includes receiving a shared read access command from a sharor sharing read access to a sharee for a document stored on memory hardware in communication with the data processing hardware, and receiving a shared read access request from the sharee. The shared read access command includes an encrypted value and a first cryptographic share value based on a write key, a read key, a document identifier, and a sharee identifier. The method also includes multiplying the first and second cryptographic share values to determine a cryptographic read access value. The cryptographic read access value authorizes read access to the sharee for the document. The method also includes storing a read access token for the sharee including the cryptographic read access value and the encrypted value in a user read set of the memory hardware.
Type: Grant
Filed: January 24, 2018
Date of Patent: March 17, 2020
Assignee: Google LLC
Inventors: Kevin Yeo, Sarvar Patel, Giuseppe Persiano
-
Patent number: 10592686
Abstract: Implementations of the present specification include receiving a request to perform a private transaction associated with at least one account; in response to receiving the request, performing, by a workflow node, the private transaction; in response to performing the private transaction, generating, by the workflow node, a representation of the private transaction configured to be accessible only to entities that are authorized to access the private transaction; storing, in a private blockchain, the representation of the private transaction; generating, by the workflow node, an account record for the at least one account associated with the private transaction based at least in part on the private transaction, wherein the account record is configured to be accessible to at least one entity that is not authorized to access the representation of the private transaction in the private blockchain; and storing, in a public blockchain, the account record.
Type: Grant
Filed: May 23, 2019
Date of Patent: March 17, 2020
Assignee: Alibaba Group Holding Limited
Inventor: Jiyuan Wang
-
Patent number: 10592687
Abstract: A method and device for classifying collected images. The method and device include instructions to compare a captured image to a known set of images to determine the location depicted therein; and applying a classification upon the image based upon the determined location depicted therein and whether the determined location indicates that the image has the potential to depict privacy sensitive information.
Type: Grant
Filed: October 9, 2014
Date of Patent: March 17, 2020
Assignees: Indiana University Research and Technology Corporation, United States of America as Represented by The Secretary of The Navy
Inventors: Apu Kapadia, Robert E. Templeman, David Crandall, Mohammed Korayem
-
Patent number: 10592688
Abstract: A system and method of providing dynamic and customizable medical forms is disclosed. In certain specific embodiments, these dynamic and customizable medical forms may be automatically presented to users based on a predefined series of rules which allow multiple users having different roles in the clinical process to collaborate and contribute to a medical examination report, while at the same time maintaining an independent record of what was contributed and by whom it was contributed.
Type: Grant
Filed: October 12, 2016
Date of Patent: March 17, 2020
Assignee: MERGE HEALTHCARE SOLUTIONS INC.
Inventors: Murray A. Reicher, Evan K. Fram