Abstract: The present invention discloses a XSS detection method for detecting the XSS vulnerabilities in a web page, comprising for each parameter-value pair in a set of parameter-value pairs that can be accepted by the web page: constructing a parameter-value pair in which a dedicated script is inserted; assembling a URL corresponding to the web page based on the parameter-value pair in which a dedicated script is inserted; acquiring the dynamic web page content corresponding to the assembled URL; and simulating the execution of the acquired dynamic web page content, if the dedicated script is executed, it is determined that the processing of the parameter in the web page contains XSS vulnerabilities. The present invention further discloses a corresponding XSS detection device and a web site security scanning system and a web scanning system using such a device.

Abstract: Embodiments of the present disclosure relate to a data analysis system that may automatically analyze a suspected malware file, or group of files. Automatic analysis of the suspected malware file(s) may include one or more automatic analysis techniques. Automatic analysis of may include production and gathering of various items of information related to the suspected malware file(s) including, for example, calculated hashes, file properties, academic analysis information, file execution information, third-party analysis information, and/or the like. The analysis information may be automatically associated with the suspected malware file(s), and a user interface may be generated in which the various analysis information items are presented to a human analyst such that the analyst may quickly and efficiently evaluate the suspected malware file(s).

Abstract: A system and method for realizing specific security features for a mobile device that may store sensitive and private data by providing secured communications to a paired remote device. In this respect, both the mobile device (which may be a mobile phone, for example) and the paired remote device (which may be a keychain, for example) include a SIM card that may have identification data stored therein. Once paired, the two devices may communicate encrypted security messages back and forth in order to implement various security measures to protect data and wireless communications. Such messages may be generated from initial information known only to each respective device such as a randomly generated offset number and a common time reference.

Abstract: A device for transcoding during an encryption-based access check of a client device to a databank, which provides a data set in an encrypted area, has: a unit for assigning a specific access level of the client device and for providing a corresponding first group key of the client device as a function of a registration parameter, wherein the client device is allowed access to a first area, which is encrypted using the first group key, and all areas of the database subordinate to the first area as a function of the assigned access level; a unit for providing a classification result depending on a classification of the data set of the particular area by one of the client devices allowed to access the particular area; and a unit for transcoding the data set and/or a data set key for the data set as a function of the classification result.

Abstract: A client terminal is provided with a column encryption unit that, from an encryption key, a table identifier, and a column identifier, generates a column private key, a column public key, and a comparison value, from which the unit generates a concealed comparison value and a ciphertext, encrypting a particular column; and an encrypted table natural joining request unit that issues a natural joining request text that requests natural joining with regards to columns encrypted from the encryption key, the table identifier, and the column identifier. The natural joining request text contains as a table joining key the column private key generated by a group of generating elements and the encryption key from the table identifier of a first and second table and the column identifier of an a-th column and a b-th column. An encrypted database server executes natural joining using the table joining key, and returns the results.

Abstract: Techniques for providing data preview before recalling large data files are disclosed. In one aspect, a data file is made accessible while being offline by converting the data file from a native format to a preview format, storing the data file in the preview format in a primary storage that is locally available and moving, after the conversion to the preview format, the data file in the native format to a secondary storage. When a viewing request is received for the data file, the data file in the preview format is displayed to fulfill the viewing request.

Abstract: In one embodiment, a first instruction prescribing a setting for a feature is defined. A second instruction prescribing a first action is defined. A third instruction prescribing a second action is defined. It is determined whether the feature is present in a computing device, and if present, whether the feature is set to the setting. The first action is initiated if the feature is present and not set to the setting. The second action is initiated if the feature is not present.

Abstract: This invention discloses a novel system and method for displaying electronic documents on remote devices and enabling collaborative editing in conjunction with a content management system where the documents that are shared are securely encrypted on the system in a manner that avoids a single point of failure in the security.

Abstract: Systems and methods for marking electronic messages to indicate human origination are provided. According to one embodiment, an electronic message and information verifying the electronic message is human originated are received. Then, the fact that the electronic message is human originated is conveyed to one or more recipients of the electronic message by associating with the electronic message a human origination indication.

Abstract: This discloses a video file encryption and decryption method, device, and mobile terminal. The encryption method can include: obtaining a to-be-encrypted video file and an encryption key, encrypting the video file using the encryption key to obtain an encrypted video file, obtaining scanned non-hidden partitions of a mobile terminal and an extended memory of the mobile terminal for storing user data, determining a partition storing the to-be-encrypted video file among the non-hidden partitions, and moving the encrypted video file to a folder in the partition storing the to-be-encrypted video file. The decryption method can include: obtaining a to-be-decrypted video file and a decryption key, decrypting the to-be-decrypted video file using the decryption key to obtain a decrypted video file, and determining a pre-encryption storage location of the to-be-decrypted video file and moving the decrypted video file to the pre-encryption storage location of the to-be-decrypted video file.

Abstract: Techniques for web application vulnerability scanning are disclosed. In one particular embodiment, the techniques may be realized as a method for web application vulnerability scanning comprising crawling a web application for content associated with the web application, generating a client security policy based on the content associated with the web application, and scanning the web application for vulnerabilities based on the client security policy.

Abstract: Seamless, secure, private, collaborative file synchronization across trust boundaries, typically as a companion to a store and sync file service. Information needed to recover a file is stored within the file itself, without giving away secret data. User specific personal keys are preferably only stored on the users' device(s). A unique ID is also created for each protected file; a password is generated that depends on (a) a key value that can either be (i) the user's personal key in the case of a file that is to be private or (ii) a shared key in the case of a file that is to be shared with other users, and (b) the unique file ID. The password is then encrypted using a recovery key and also stored in the file itself. The file is secured using a format that supports password-based content encryption.

Abstract: A mobile platform security apparatus and method is provided. The apparatus may perform a security setting by generating a first authentication key, a second authentication key, and a third authentication key for each function called by an application program. The apparatus may store the first authentication key and an identifier for identifying the application program in a first storage unit, the second authentication key and the identifier in a secret domain of a second storage unit, and register the third authentication key and the identifier as a function parameter in the application program. Subsequently, if the function is called by the application program, the apparatus may determine values for the first authentication key, the second authentication key, and the third authentication key corresponding to the called function, and may perform authentication processing using the three authentication key values.

Abstract: Methods, systems, and computer program are provided for managing access to computer resources by receiving a request, from a client, for performing one or more operations on a computer resource; determining functions of a resource manager that are required to perform the requested one or more operations on the resource; obtaining metadata of the resource, security policies for the client to perform the requested one or more operations on the resource, and data about other operations requested by other clients on the resource; and performing the requested one or more operations on the resource when the requested one or more operations do not result in altering the metadata or violating the isolation of the resource by the requested one or more operations, do not result in violating the rights of the client, and do not result in distorting the results of the other operations requested by the other clients.

Abstract: A method of managing policy information in a mobile terminal by requesting an external policy management server for information about whether a change has been made to policy information and updating the policy information in a smart card web server of the mobile terminal to control access to resources based on the updated policy information.

Abstract: The invention relates to a client computer for querying a database stored on a server via a network, the server being coupled to the client computer via the network, wherein the database comprises first data items and suffix items, wherein each suffix item describes a suffix of at least one first data item of the first data items, wherein for each suffix item a first referential connection exists in the database assigning said suffix item to the at least one first data item comprising the suffix of said suffix item, wherein each suffix item is encrypted with a suffix cryptographic key in the database, wherein each first data item is encrypted with a first cryptographic key in the database, wherein the client computer has installed thereon an application program, the application program being operational to: receiving a search request, the search request specifying an infix search expression, said expression comprising a first wildcard term on the left side of a search criterion and a second wildcard term o

Abstract: In one embodiment, a computer-implemented method comprises determining, by a controller, whether a first data store is in an initialization mode. The first data store stores client data. A second data store stores credential data of the first user and credential data of a second user. An application server includes a first secret key store. An in-memory database server includes a second secret key store. The method further comprises, if the first data store is in the initialization mode, receiving, by the controller, from the second user a secret key for encrypting the client data stored in the first data store; and storing, in the first key store, the secret key. The method further comprises, in an operational mode, authenticating the first user based on the credential data of the first user; if the first user is authenticated, processing, in the application server, a user request from the first user.

Abstract: A system is disclosed comprising multiple sets of client computers each client computer having installed thereon an application program The application program comprising client computer specific log-in information, a database system coupled to the set of client computers via a network. The database system having a log-in component for logging-in the client computers, and being partitioned into multiple relational databases each one of which is assigned to one set of the sets of client computers. Each database further storing encrypted data items, each data item being encrypted with one of the user or user-group specific cryptographic keys, the key identifier of the cryptographic key with which one of the data items is encrypted being stored in the database as an attribute of the one of the encrypted data items. The log-in component comprising assignment information indicative of the assignment of the databases to the set of client computers.

Abstract: Systems and methods for providing sensitive data protection in a virtual computing environment. The systems and methods utilize a sensitive data control monitor on a virtual appliance machine administering guest virtual machines in a virtual computing environment, wherein each of the guest virtual machines may include a local sensitive data control agent. The sensitive data control monitor generates encryption keys for each guest virtual machine which are sent to the local sensitive data control agents and used to encrypt data locally on a protected guest virtual machine. In this manner the data itself on the virtual (or physical) disc associated with the guest virtual machine is encrypted while access attempts are gated by a combination of the local agent and the environment-based monitor, providing for secure yet administrable sensitive data protection.

Abstract: The gathering of content (such as a file) from a variety of different sources. Rather than provide the whole content, a given one of the sources instead provides only a portion of the information represented by the content. The source also provides a share of, but not the entirety of, the shared secret that will be used to decode. For instance, in one embodiment, the source might encode only a portion of the content using the shared key, and then transmit the encoded portion. As an alternative, the source might encode the entire content, and then transmit a portion of that encoded content.

Abstract: A virtual storage system in data communication with a user computing device via a communication network and file encryption methods for encrypting electronic documents to be uploaded into a virtual storage system where the virtual storage system includes at least one processor which captures a data stream corresponding to an electronic document retrieved from an external system, to be uploaded to the virtual storage system, and creates at least one encryption parameter and encrypts the data stream captured using the at least one encryption parameter created. The virtual storage system further includes a plurality of redundant physical storage devices in data communication with the at least one processor and each configured to store the encrypted data stream corresponding to the electronic document.

Abstract: Architecture that provides a secure environment in which data (e.g., code, instructions, files, images, etc.) can be opened and run by a client application. Once opened the data can be viewed (in a “protected view”) by the user without incurring risk to other client processing and systems. Accordingly, the architecture mitigates malicious attacks by enabling users to preview untrusted and potentially harmful data (e.g., files) in a low risk manner. Files opened in the protected view are isolated from accessing key resources on the client computer and provides the user a safer way to read files that can contain dangerous content. The protected view also provides a seamless user experience. The user is unaware that the client is operating on data in a different mode and allows for the reduction of security prompts.

Abstract: In a method for protecting software of a computing device, a hypertext preprocessor (PHP) software program of the computing device is encrypted using an encryption rule to obtain an encrypted file. When the encrypted file needs to be decrypted, the method determines whether a predetermined hardware lock is connected to the computing device. When the predetermined hardware lock is not connected to the computing device, the method displays a prompt that indicates the predetermined hardware lock is not connected to the computing device. When the predetermined hardware lock is connected to the computing device, the method decrypts the encrypted file with a decryption rule corresponding to the encryption rule.

Abstract: A device may identify an image to be encrypted, and may convert the image to a first string in a first format. The first string may represent the image. The device may receive information that identifies a key for encrypting the first string, and may generate a first encrypted string by encrypting the first string using the key. The device may convert the first encrypted string, in the first format, to a second encrypted string in a second format. The device may provide the second encrypted string to a storage device without providing the key or the image to the storage device. The storage device may be unable to recover the image using the second encrypted string.

Abstract: An encryption sentinel system and method protects sensitive data stored on a storage device and includes sentinel software that runs on a client machine, sentinel software that runs on a server machine, and a data storage device. When a client machine requests sensitive data from the data storage device, the data storage device interrogates the sentinel software on the server machine to determine if this client machine has previously been deemed to have proper encryption procedures and authentication. If the sentinel server software has this information stored, it provides an approval or denial to the storage device that releases the data if appropriate. If the sentinel server software does not have this information at hand or the previous information is too old, the sentinel server interrogates the sentinel software that resides on the client machine which scans the client machine and provides an encryption update to the sentinel server software, following which data will be released if appropriate.

Abstract: An image forming apparatus performs a direct printing function. A selecting section selects at least two files from a plurality of files stored in at least one of an internal storage medium and an external storage medium. A human interface receives passwords form a user. A password determining section determines whether the selected files are protected by passwords. A file extracting section extracts the selected files from an internal storage medium or external storage medium. A password verifying section determines whether passwords contained in the selected files and the passwords inputted through the human interface coincide. A printer prints the selected files. A printing controller controls the printer, causing the printer to print at least one of selected files if the password verifying section has determined that the password contained in the at least one selected file and the password inputted by the user coincide.

Abstract: The invention discloses a contactless seed programming method, belonging to information security field. In the method, a seed programming device obtains a token ID of a dynamic token, obtains corresponding first seed data according to the token ID, communicates with the dynamic token contactlessly, obtains first seed data from the dynamic token, decrypts the first seed data so as to obtain second seed data, encrypts the second seed data with the first data so as to obtain third seed data and sends the third seed data to the dynamic token; and the dynamic token decrypts the seed and updates seed stored in itself. By the invention, programming operation is simplified and programming efficiency is improved by communicating with the dynamic token contactlessly and security is ensured by transferring the encrypted seed during communication between the programming device and the token.

Abstract: Systems and methods for providing privacy of file synchronization with sharing functionality are presented. In embodiments, a file synchronization system comprises one or more folders associated with one or more non-shared encryption keys, which may be a managed key shared across an organization, and/or a personal key that is not shared or has limited third-party sharing. The one or more non-shared encryption keys are not known to the data storage service. The file synchronization system may also include one or more folders associated with a shared encryption key that is shared with the data storage service, and in embodiments, with a set of users of the service. The system may include a mapping correlating folders to encryption type so items in each folder can be handled appropriately. The system may have additional folders, such as one or more public folders that may be available with limited or no restrictions.

Abstract: A modifiable server is utilized to reliably seal and unseal data according to a measurement of the server, by structuring the server to have a modifiable sandbox component for sealing, unsealing the data, and a non-modifiable checker component for enabling or disabling said sandbox component. The checker component determines whether the sandbox component complies with pre-determined standards. If the sandbox component is compliant, the checker component enables the sandbox component to seal and unseal the data using a measurement of the checker component. Otherwise, the checker component disables the sandbox component.

Abstract: A method begins with a processing module receiving a data retrieval request and obtaining a real-time indicator corresponding to when the data retrieval request was received. The method continues with the processing module determining a time-based data access policy based on the data retrieval request and the real-time indicator and accessing a plurality of dispersed storage (DS) units in accordance with the time-based data access policy to retrieve encoded data slices. The method continues with the processing module decoding the threshold number of encoded data slices in accordance with an error coding dispersal storage function when a threshold number of the encoded data slices have been retrieved.

Abstract: Efficient mechanisms are provided for transferring key objects associated with disk logical unit numbers and tape cartridges from one data center to another data center. A request is received to transfer a source data center key object from a source data center to a destination data center. The source data center key object corresponds to a data block, such as a disk logical unit number (LUN) or a tape cartridge, maintained in a storage area network (SAN) and includes a unique identifier, an encrypted key, and a wrapper unique identifier. The encrypted key is decrypted using a source data center key hierarchy. Key information is transmitted from the source data center to the destination data center. A destination data center key object is generated using a destination data center key hierarchy.

Abstract: The method and system for secure data (information) inside a cloud computing system, allow data to be encrypted everywhere in the cloud on storage devices and in communication lines so that only the information owner has the encryption key and may decrypt the data. The main idea is using software filter technology inside the cloud virtual machine for encrypting and decrypting data and keeping the encryption key(s) only in the hand of the owner of the information outside the cloud. The encryption key is loaded into the appropriate filter only by permission of the information owner or an allowed user. The method allows combination of data encryption with application control and user control.

Abstract: Embodiments of the present invention provide for a method, system, and apparatus for creating a policy compliant environment on a computer. In an embodiment of the invention, an encrypted file can be loaded into memory of a computing. The encrypted file can define a security policy for the computing device. The method can further include validating the encrypted file to ensure an authenticity of the encrypted file and updating the security policy of a target computing device in response to a successful validation of the encrypted file according to the validated encrypted file.

Abstract: A method and apparatus submitting information to be protected before permitting an outbound data transfer with the information is described. A DLP agent, incorporating a DLP submission tool, receives information of an outbound data transfer by the client computing system. The DLP agent can temporarily block the outbound data transfer and send a request to update a DLP policy to protect the information before permitting the outbound data transfer. The DLP agent subsequently receives receiving an indication that the DLP policy is updated to protect the information. After receiving the indication, the DLP agent permits the outbound data transfer.

Abstract: A method and apparatus are provided for mediating access to a shared object in a naive computer system having a shared-nothing operating system layered on a shared file system. At least one primary token is utilized as a tool to mediate ownership of one or more shared objects in the naive system. A secondary token is created and utilized to mediate ownership of one or more shared objects. The secondary token created and utilized in limited circumstances, such as when the owner of the primary token ceases communicating with one or more requesters of the primary token.

Abstract: Method and apparatus for secure processing. The method includes detecting communication among secure and non-secure data entities, prohibiting execution of non-secure executable instructions on secure data entities unless the non-secure executable instructions are recorded in a permitted instruction record, and prohibiting execution of non-secure executable instructions if the non-secure executable instructions are recorded in a prohibited instruction record.

Abstract: A storage system in which a storage control apparatus writes data in each of divided areas defined by division of one or more storage areas in one or more storage devices, after encryption of the data with an encryption key unique to each divided area. When the storage control apparatus receives, from a management apparatus, designation of one or more of the divided areas allocated as one or more physical storage areas for a virtual storage area to be invalidated and an instruction to invalidate data stored in the one or more of the divided areas, the storage control apparatus invalidates one or more encryption keys associated with the designated one or more of the divided areas. In addition, the storage control apparatus may further overwrite at least part of the designated one or more of the divided areas with initialization data for data erasion.

Abstract: A video storage system includes a security mechanism between a CVR unit and a CVR manager. The security mechanism provides public and private keys according to asymmetric cryptography. The public key is sent to the CVR manager. The CVR manager produces a plaintext of a video footage from an IP camera. The CVR manager produces and uses a random key according to symmetric cryptography to turn the plaintext of the video footage into an encrypted text, uses the public key to turn the random key into an encrypted text, and respectively sends the encrypted texts into video and key databases in the CVR unit. The encrypted texts can be received from the databases. The private key turns the encrypted text of the random key into the random key. The random key turns the encrypted text of the video footage into the plaintext.

Abstract: In an apparatus and method for protecting resources of a computing system from a malicious code by selective virtualization, at least a part of the resources is classified as compulsory resources for executing a program on the computing system. When a vulnerable program executed in a separate space attempts to access one of the compulsory resources, an operating system level virtualization is performed. Further, when the vulnerable program attempts to access one of the resources of the computing system which is other than the compulsory resources, the vulnerable program is permitted to access a modified resource which is generated by modifying content of the resource.

Abstract: A device including a communication interface and processing logic is provided. The communication interface may receive digital rights management security information and content from a source device, the digital rights management information having been deactivated in the source device. The processing logic may reactivate the digital rights management security information and may render the content according to the digital rights management security information.

Abstract: An input content data managing system, includes a first electronic storing apparatus that stores encoded content data generated by encoding content data with a cryptographic key; a electronic second storing apparatus that stores the cryptographic key with corresponding digest-value data of the encoded content data capable of identifying sameness of the encoded content data; a matching unit that determines a matched cryptographic key stored in the second storing apparatus for the encoded content data stored in the first storing apparatus, the matching using, as a matching key, at a predetermined time, digest-value data of the encoded content data obtained from the encoded content data stored in the first storing apparatus to match with the digest-value data of the encoded content data stored in the second storing apparatus, in order to obtain the content data by decoding the encoded content data using the matched cryptographic key.

Abstract: Asset management systems and methods are presented. In one embodiment, a system includes a computing resource associated with a project member. A project container is stored on the computing resource, wherein the project container comprises encrypted objects related to a project. The encrypted objects includes project metadata and one or more working objects associated with one or more sub-projects of which the project member is granted permissioned access. An encryption/decryption engine is included for encrypting and decrypting the encrypted objects. The system includes an archive file system for storing the encrypted objects and previous versions of the objects, and a façade file system for viewing and accessing and interacting with the one or more working objects. Other computing resources associated with other project members are similarly configured, wherein a plurality of project containers store distributed objects that are grouped within the project.

Abstract: A system and method are provided for identifying inappropriate content in websites on a network. Unrecognized uniform resource locators (URLs) or other web content are accessed by workstations and are identified as possibly having malicious content. The URLs or web content may be preprocessed within a gateway server module or some other software module to collect additional information related to the URLs. The URLs may be scanned for known attack signatures, and if any are found, they may be tagged as candidate URLs in need of further analysis by a classification module.

Abstract: Methods and systems are disclosed for providing indirect and temporary access to a company's IT infrastructure and business applications. The methods/systems involve establishing an access control center (ACC) to control the access that technical support personnel may have to the company's IT infrastructure and business applications. Thin client terminals with limited functionality may then be set up in the ACC for use by the technical support personnel. The thin client terminals connect the technical support personnel to workstations outside the ACC that operate as virtual desktops. The virtual desktops in turn connect the technical support personnel to the IT infrastructure and business applications. An ACC application may be used to control the connection between the thin client terminals and the virtual desktops and the virtual desktops and the IT infrastructure and business applications.

Abstract: A method, device and system for service presentation, which includes: receiving a presentation request message; acquiring presentation information from the presentation request message; storing the presentation information; when the presentee accesses the presented content, receiving an authentication and rating request message transmitted from the service enabling component; performing authenticating and rating according to the authentication and rating request message and the stored presentation information. The present invention is applicable to presenting content type services and so on.

Abstract: Greater network utilization is implemented through dynamic network reconfiguration and allocation of network services and resources based on the data to be transferred and the consumer transferring it. A hierarchical system is utilized whereby requests from lower layers are aggregated before being provided to upper layers, and allocations received from upper layers are distributed to lower layers. To maximize network utilization, paths through the network are reconfigured by identifying specific types of packets that are to be flagged in a specific manner, and then by further identifying specific routing rules to be applied in the transmission of such packets. Network reconfiguration is performed on an incremental basis to avoid overloading a path, and capacity can be reserved along one or more paths to prevent such overloading. Background data is agnostic as to specific transmission times and is utilized to prevent overloading due to reconfiguration.

Abstract: Apparatus, systems, and methods provide a mechanism to enhance the management of data security in a system for users of the systems. Various embodiments include apparatus and methods to manage security of data in an electronic system on an application-by-application basis. Managing security of data may include an apparatus, system, or method structured to determine that a status of a feature in the electronic device satisfies a specified criterion, and to automatically activate a portion of a security mechanism in the electronic device to lock down an application that is open in the electronic device after determining that the status has satisfied the specified criterion. Such application-by-application basis can be applied in addition to managing data security globally in the electronic system. Additional apparatus, systems, and methods are disclosed.

Abstract: Files are protected against intrusion. A first embodiment protects certain files against changes. A second embodiment encrypts the files that are stored using user's personal information.

Abstract: A parallel data processing system based on location control and a method thereof can divide a data into smaller data and store and manage the divided data using a location control technique which divides a file, distributes the divided files, and stores and manages information on corresponding areas. The parallel data processing system includes an encryption and decryption server, a location control server and a storage device. Further, the system may reduce the time required for storing and reading a data and improve the speed of controlling encryption and decryption of the data as a result, by distributing the data in a plurality of storage devices and processing the data in parallel in encrypting, storing and restoring a data which requires security. In addition, performance of a plurality of storage devices and efficiency of the storage may be enhanced.

Abstract: Based on the detailed reproduction control information defining the reproduction control state of data to be transmitted, the CPU 12 of the data transmission apparatus creates a simplified reproduction control information roughly defining the reproduction control state of the data, stores the simplified reproduction control information of the data in the packet header of a data packet carrying the data, stores the detailed reproduction control information in the data, and transmits the simplified reproduction control information and the detailed reproduction control information as well as the data to the data receiving apparatus 20 through the transmission channel 30 from the input-output interface 16.