Security Levels Patents (Class 713/166)
  • Patent number: 9537881
    Abstract: A method for security risk mapping of attack vectors of target assets of an organization at risk of being attacked, wherein each of the attack vectors is defined by target dimensions, each target dimension characterized by a combination of a technology layer and an attack method, the method comprising using at least one hardware processor for: receiving an identification of the target assets at risk of being attacked and of the technology layers of the organization, wherein each of the target assets may instantiate in multiple ones of the technology layers; constructing multiple attack vectors for each of at least a portion of said target assets, by determining for each attack vector three target dimensions, each of a category of: method of achieving a malicious objective, method of attack enablement and method of initial penetration; and estimating the security risk of each of said multiple attack vectors, wherein the estimating of the security risk of an attack vector of said multiple attack vectors is base
    Type: Grant
    Filed: December 18, 2014
    Date of Patent: January 3, 2017
    Assignee: CYTEGIC LTD.
    Inventors: Shay Zandani, Elon Kaplan
  • Patent number: 9515832
    Abstract: The techniques and systems described herein present various implementations of a model for authenticating processes for execution and specifying and enforcing permission restrictions on system resources for processes and users. In some implementations, a binary file for an application, program, or process may be augmented to include a digital signature encrypted with a key such that an operating system may subsequently authenticate the digital signature. Once the binary file has been authenticated, the operating system may create a process and tag the process with metadata indicating the type of permissions that are allowed for the process. The metadata may correspond to a particular access level for specifying resource permissions.
    Type: Grant
    Filed: June 24, 2013
    Date of Patent: December 6, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Vishal Agarwal, Sunil P. Gottumukkala, Arun U. Kishan, Dave M. McPherson, Jonathan M. Andes, Giridharan Sridharan, Kinshuman Kinshumann, Adam Damiano, Salahuddin J. Khan, Gopinathan Kannan
  • Patent number: 9507959
    Abstract: Provided is an electronic equipment, where divided display is performed and different user operates each screen, to protect privacy of showing contents. Accordingly, a permission user to whom access to privacy information made into a privacy protection object and its privacy information is permitted is set to privacy setup information. As for a privacy protection processing part, the divided display of the display screen of an operation part is performed, in case that a login user of a divided screen of one side differs from a login user of another divided screen of another side, when showing on one screen privacy information set as privacy setup information, an operation part is controlled to reduce a visibility of one screen.
    Type: Grant
    Filed: November 27, 2014
    Date of Patent: November 29, 2016
    Assignee: KYOCERA Document Solutions Inc.
    Inventor: Masayuki Yamashirodani
  • Patent number: 9510195
    Abstract: A secure network enabled device has a distinct security module and lacks a human user input interface. The security module is formed in an integrated circuit. The security module is initialized. Data is electronically communicated to and from the secure network enabled device via at least one transceiver. The security module is configured to test the integrity of a subset of the data communicated to the secure network enabled device, and the security module is configured to test the integrity of a transaction protocol, which governs the stream of data bits of the data communicated to the secure network enabled device.
    Type: Grant
    Filed: February 10, 2014
    Date of Patent: November 29, 2016
    Assignee: STMICROELECTRONICS INTERNATIONAL N.V.
    Inventor: Laurent Perier
  • Patent number: 9471790
    Abstract: Processing a downgrader specification by constructing a set of candidate downgrader placement locations found within a computer software application, where each of the candidate downgrader placement locations corresponds to a transition between a different pair of instructions within the computer software application, and where each of the transitions participates in any of a plurality of data flows in a set of security-sensitive data flows within the computer software application, applying a downgrader specification to the set of candidate downgrader placement locations, and determining that the downgrader specification provides full coverage of the set of security-sensitive data flows within the computer software application if at least one candidate downgrader placement location within each of the security-sensitive data flows is a member of the set of candidate downgrader placement locations.
    Type: Grant
    Filed: March 17, 2016
    Date of Patent: October 18, 2016
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventor: Omer Tripp
  • Patent number: 9465508
    Abstract: A method for indicating the security level of a selected element on a multi-level security display includes determining a security level of a selected element and modifying the visual representation of the selected element to indicate the security level and/or providing an audible tone. Visual distinction may include a security tag, color variation or flashing pattern.
    Type: Grant
    Filed: June 13, 2012
    Date of Patent: October 11, 2016
    Assignee: Rockwell Collins, Inc.
    Inventors: James Marek, David A. Greve
  • Patent number: 9444824
    Abstract: Disclosed are methods, systems, and articles of manufacture for implementing adaptive levels of authentication assurance according to sensitivity or criticality of information accessed or actions performed in a financial management system to enhance user experience and usability of the financial management system while providing adequate security to safeguard sensitive data. Various flow nodes are associated with one or more levels of assurance which are further associated with some authentication tokens of different authentication strengths. Users are usually first authenticated with a lower authentication strength token. Risk profiles may also be accessed to examine the users' requests for access for fraud detection or prevention purposes.
    Type: Grant
    Filed: February 28, 2014
    Date of Patent: September 13, 2016
    Assignee: INTUIT INC.
    Inventors: Alex G. Balazs, Xiaoyan C. Liu-Barker, Douglas L. Foiles, Thomas M. Pigoski, II, Robert E. Lee
  • Patent number: 9436828
    Abstract: In accordance with embodiments of the present disclosure, a method may include, during execution of an operating system on an information handling system and responsive to a user input indicating a desire to invoke a basic input/output system (BIOS) setup program for configuring a BIOS, prompting for and receiving user-provided credentials via a user interface communicatively coupled to the processor. The method may also include, during execution of the operating system, passing BIOS credentials to the BIOS based on the user-provided credentials. The method may additionally include, during execution of the operating system, determining, by the BIOS, if the BIOS credentials are valid. The method may further include, responsive to determining that the BIOS credentials are valid, setting a flag to a value indicating that the BIOS setup program is to be invoked on a subsequent boot of the information handling system.
    Type: Grant
    Filed: June 11, 2015
    Date of Patent: September 6, 2016
    Assignee: Dell Products L.P.
    Inventors: Douglas M. Anson, Charles D. Robison, David Konetski, Frank H. Molsberry, Anand Joshi
  • Patent number: 9424420
    Abstract: Systems and methods for restricting application binary interfaces. An example method may comprise: initializing, by a process spawned by a kernel of an operating system running on a computer system, a system call filter inhibiting at least one type of application binary interface (ABI) calls; receiving a system call issued by a user space program executed by the computer system; intercepting the system call by the system call filter; determining that the system call is disabled by the system call filter; and performing a pre-determined action with respect to the system call.
    Type: Grant
    Filed: August 2, 2013
    Date of Patent: August 23, 2016
    Assignee: Red Hat, Inc.
    Inventors: Paul Moore, Dan Walsh, Lennart Poettering
  • Patent number: 9424427
    Abstract: According to one aspect, a dynamic binary instrumentation (DBI) framework is used to identify rootkits and disable their malicious functionality. A user-mode or kernel-mode anti-rootkit (ARK) engine monitors the execution of a program running on a host machine in user mode or kernel mode. Upon encountering calls to certain functions that may be used by rootkits to subvert system functionality (e.g. system calls used to manage the system registry, storage/disk, processes/threads, and/or network communications), the anti-rootkit engine executes translated versions of the functions in an isolated environment and continues execution of the program under analysis using the results of the translated code execution. The translated code execution replaces the execution of original code which may or may not have been subverted by a rootkit. Isolating the stack and registers of the isolated environment impedes detection of the monitoring process by rootkits.
    Type: Grant
    Filed: March 18, 2013
    Date of Patent: August 23, 2016
    Assignee: Bitdefender IPR Management Ltd.
    Inventors: Mihai Chiriac, Teodor Stoenescu
  • Patent number: 9411954
    Abstract: The method includes identifying an instance of software installed. The method further includes determining a fingerprint corresponding to the instance of software installed. The method further includes determining a security risk associated with the instance of software installed. The method further includes identifying a software management policy for the instance of software based upon the fingerprint, security risk, and designated purpose of the computing device. In one embodiment, the method further includes in response to identifying the software management policy, enforcing, by one or more computer processors, the software management policy on the instance of software installed on the computing device.
    Type: Grant
    Filed: January 6, 2016
    Date of Patent: August 9, 2016
    Assignee: International Business Machines Corporation
    Inventors: Jerome R. Bell, Jr., Mari F. Heiser, Heather M. Hinton, Neil I. Readshaw, Karthik Sivakumar
  • Patent number: 9378354
    Abstract: Systems and methods for providing identification tests. In some embodiments, a system and a method are provided for generating and serving to a user an animated challenge graphic comprising a challenge character set whose appearance may change over time. In some embodiments, marketing content may be incorporated into a challenge message for use in an identification test. The marketing content may be accompanied by randomly selected content to increase a level of security of the identification test. In some embodiments, a challenge message for use in an identification test may be provided based on information regarding a transaction for which the identification test is administered. For example, the transaction information may include a user identifier such as an IP address. In some embodiments, identification test results may be tracked and analyzed to identify a pattern of behavior associated with a user identifier. A score indicative of a level of trustworthiness may be computed for the user identifier.
    Type: Grant
    Filed: March 18, 2014
    Date of Patent: June 28, 2016
    Assignee: NuData Security Inc.
    Inventor: Christopher Everett Bailey
  • Patent number: 9372995
    Abstract: A vulnerability countermeasure device stores configuration information associating multiple computers connected via a network and software possessed by each computer, vulnerability information associating the software with information related to the vulnerability of the software, and countermeasure policy information associating the software with a countermeasure policy to be executed if there is a vulnerability in the software; calculates the computer that data will reach based on information related to a route of the data included in the data received from a used terminal; acquires software existing in the computer based on the calculated computer and configuration information; assesses whether or not there is a vulnerability in the acquired software based on the acquired software and the vulnerability information; and is provided with countermeasure unit for executing a countermeasure to a vulnerability in accordance with a countermeasure policy with respect to the software assessed to have the vulnerabili
    Type: Grant
    Filed: September 8, 2011
    Date of Patent: June 21, 2016
    Assignee: HITACHI, LTD.
    Inventors: Tomohiro Shigemoto, Hirofumi Nakakoji, Tetsuro Kito, Hisashi Umeki, Satoshi Takemoto, Tadashi Kaji, Satoshi Kai
  • Patent number: 9367884
    Abstract: A system architecture is disclosed that includes a privacy management system. In particular, the privacy management system provides a policy hub for maintaining and managing customer privacy information. The privacy management system maintains a master data database for customer information and customer privacy preferences, and a rules database for privacy rules. The privacy management system captures, synchronizes, and stores customer privacy data. Privacy rules may be authored using a privacy management vocabulary, and can be customized for an enterprise's privacy policies.
    Type: Grant
    Filed: December 9, 2013
    Date of Patent: June 14, 2016
    Assignee: Oracle International Corporation
    Inventors: Hwee Har Yeap, Catherine You, Qin Lu, Jane Li, Weiwei Hsieh, Lindy H. Chan
  • Patent number: 9361478
    Abstract: Devices, systems, and methods are provided for managing personal information by providing a centralized source or database for a user's information and enabling the user to regulate privacy levels for each information item or category of information. Templates are provided as a table of hierarchies or an onion layers model. Private information may be stored in an inner layer while public information may be stored in an outer layer, and multiple layers and categories can be defined and customized within the template. A requesting entity requests information via a disseminating server that acts as a gateway for authenticating, authorizing, and providing access to the requesting entity. The user may therefore control and regulate their online presence simply by monitoring who requests their information and adjusting privacy levels accordingly.
    Type: Grant
    Filed: April 28, 2014
    Date of Patent: June 7, 2016
    Assignees: AT&T Intellectual Property I, L.P., AT&T Mobility II LLC
    Inventors: Qingmin Hu, Brian Kevin Daly, Mark Edward Causey, Karen Mullis, Jamie Toren
  • Patent number: 9350556
    Abstract: A client device communicates with a target entity server and one or more third party devices. The client device has a client credential that includes a client public key and a client certificate chain. The client certificate chain includes a chain of human-readable names. The client device delegates a third party device access to a service on the server by creating a delegate certificate chain for the third party device. The delegate certificate chain is bound to a public key for the third party device and includes a human-readable name with an extension selected for the third party device. The delegate certificate chain also may include a section of the human-readable name that identifies the client device. The client device transmits or otherwise presents the delegate certificate chain to the third party device.
    Type: Grant
    Filed: April 20, 2015
    Date of Patent: May 24, 2016
    Assignee: Google Inc.
    Inventors: Ankur Taly, Asim Shankar, Gautham Thambidorai, David Presotto
  • Patent number: 9329992
    Abstract: A data storage device using a FLASH memory with replay-protected blocks. The storage space of the FLASH memory is divided into blocks and each block is further divided into pages. A controller is provided in the data storage device to couple to the FLASH memory. The controller manages at least one replay-protected memory block of the FLASH memory. The controller programs two pages into the at least one replay-protected memory block and each page is programmed with a write count of the at least one replay-protected memory block.
    Type: Grant
    Filed: December 4, 2013
    Date of Patent: May 3, 2016
    Assignee: Silicon Motion, Inc.
    Inventors: Chia-Chien Wu, Yu-Chih Lin, Yen-Hung Lin
  • Patent number: 9323953
    Abstract: An electronic microcontroller system including: plural processors; at least one interface for exchange with at least one peripheral, the peripheral being user master of the electronic microcontroller system; a mechanism for access to a shared memory space; an interconnection matrix for interconnecting the exchange interface, the processors and the mechanism for access to a shared memory space; a mechanism managing applications involving a guaranteed level of security and integrity and of applications exhibiting a nonguaranteed level of security and integrity. The exchange interface cooperates with a secure isolation cell of the memory situated between the user master peripheral and the interconnection matrix.
    Type: Grant
    Filed: April 4, 2013
    Date of Patent: April 26, 2016
    Assignee: SCHNEIDER ELECTRIC INDUSTRIES SAS
    Inventor: Patrice Jaraudias
  • Patent number: 9319741
    Abstract: A wireless device may receive from a source device an instruction to present program content. The wireless device may determine device types missing from an entertainment system based on supporting playback of the program content. A device type missing from the entertainment system may be registered. An instruction may be transmitted to an active source device to increment or decrement a counter. The counter may represent a total number of zones that receives data from the active source device.
    Type: Grant
    Filed: November 27, 2006
    Date of Patent: April 19, 2016
    Assignee: Rateze Remote Mgmt LLC
    Inventor: Patrick T. Igoe
  • Patent number: 9319430
    Abstract: The method includes identifying an instance of software installed. The method further includes determining a fingerprint corresponding to the instance of software installed. The method further includes determining a security risk associated with the instance of software installed. The method further includes identifying a software management policy for the instance of software based upon the fingerprint, security risk, and designated purpose of the computing device. In one embodiment, the method further includes in response to identifying the software management policy, enforcing, by one or more computer processors, the software management policy on the instance of software installed on the computing device.
    Type: Grant
    Filed: June 17, 2014
    Date of Patent: April 19, 2016
    Assignee: International Business Machines Corporation
    Inventors: Jerome R. Bell, Jr., Mari F. Heiser, Heather M. Hinton, Neil I. Readshaw, Karthik Sivakumar
  • Patent number: 9307288
    Abstract: Systems and methods according to the present invention provide sign on systems for devices, e.g., televisions, which balance ease of use with security and access control that is amenable to, e.g., household usage.
    Type: Grant
    Filed: June 23, 2011
    Date of Patent: April 5, 2016
    Assignee: HILLCREST LABORATORIES, INC.
    Inventors: William Rouady, Stephen Scheirey, Daniel Ramagem
  • Patent number: 9264352
    Abstract: A method includes receiving a packet having a VLAN ID at a first physical overlay switch located at an edge of an IP network, encapsulating the packet with an overlay header, and tunneling the encapsulated packet to a second physical overlay switch via IP network.
    Type: Grant
    Filed: October 29, 2013
    Date of Patent: February 16, 2016
    Assignee: International Business Machines Corporation
    Inventors: Stephan Benny, Jayakrishna Kidambi, Vijoy A. Pandey
  • Patent number: 9256754
    Abstract: A data protection method for an electronic device is disclosed. The data protection method includes setting a log-in password for a private file stored in a public folder, creating a private folder having a same folder name as the public folder to store the private file in the private folder, and comparing an input password with the log-in password for the private folder to determine to display the private folder or the public folder.
    Type: Grant
    Filed: May 23, 2013
    Date of Patent: February 9, 2016
    Assignee: Wistron Corporation
    Inventors: Qian Huang, Chun-Ming Lin
  • Patent number: 9253228
    Abstract: A cloud computing method and a computing apparatus and server using the same are provided. The cloud computing method includes a server generating a virtual disc for executing one or more applications when a computing apparatus is connected to the server, requesting execution of an application included in the virtual disc, and downloading and executing an execution file corresponding to the requested application. Therefore, it is possible for a user to remove time delay caused in a downloading and executing process when an application is initially executed.
    Type: Grant
    Filed: December 11, 2012
    Date of Patent: February 2, 2016
    Assignee: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Dae-hyun Lee, Chun-un Kang, Moon-su Kim, Jeong-gon Kim
  • Patent number: 9250882
    Abstract: The invention refers to technical methods and systems to easily provide existing software applications, for example Android applications built for In-App Billing with Google Play application programming interface (“API”), with compatibility with other alternative payment platforms, preferably direct carrier billing, with no additional development effort.
    Type: Grant
    Filed: December 24, 2014
    Date of Patent: February 2, 2016
    Assignee: BUONGIORNO S.P.A.
    Inventor: Simone Piunno
  • Patent number: 9247386
    Abstract: A method, mobile device, application server, and computer program product, for requesting a geospatial-location-specific application associated with a geospatial-location-specific service that are both specific to a geospatial location corresponding to a current geospatial location of the mobile device. The mobile device determines a current geospatial location of the mobile device and sends a request message to an application server. The request message includes the current geospatial location of the mobile device and a request to receive a geospatial-location-specific application associated with a geospatial-location-specific service. The mobile device receives a response message including identification of a candidate geospatial-location-specific application associated with a geospatial-location-specific service, specific to a geospatial location within a defined nearby vicinity area of the current geospatial location of the mobile device.
    Type: Grant
    Filed: December 18, 2013
    Date of Patent: January 26, 2016
    Assignee: International Business Machines Corporation
    Inventors: Christian Kau, Jeffrey S. Pierce, Christine M. Robson, Jerald T. Schoudt
  • Patent number: 9230078
    Abstract: An authentication system registers, in a service provision device, identification information for an information processing device that cooperates with the authentication system, associates the identification information for the information processing device with authorization information in accordance with an issuance of the authorization information corresponding to the information processing device, and saves them in the authorization service device, queries the authorization service device for the identification information for the information processing device associated with the authorization information in response to a request for obtaining the service and the issued authorization information from the information processing device, and provides, according to the request, the service with the information processing device in response to a correspondence between the identification information for the information processing device acquired as a result of the query and the identification information for t
    Type: Grant
    Filed: June 3, 2014
    Date of Patent: January 5, 2016
    Assignee: CANON KABUSHIKI KAISHA
    Inventor: Kensuke Hirata
  • Patent number: 9230119
    Abstract: The graphical characteristics of 3D graphical objects encrypted using format-preserving encryption makes rendering of such objects quite inefficient by non-authorized devices. To optimize the rendering of a three-dimensional graphical object represented by a list of points and a list of surfaces defined by points in the list of points, a device receives the graphical object; encrypts the graphical object using a format-preserving encryption method to obtain an encrypted graphical object; encapsulates the encrypted graphical object to obtain an encapsulated graphical object by adding at least one encapsulation by adding for each encapsulation, to the list of surfaces, a plurality of surfaces that together enclose the encrypted graphical object and, in an embodiment, at least one point to the list of points; and outputs the encapsulated graphical object. Decryption is performed by essentially reversing the encryption.
    Type: Grant
    Filed: October 22, 2013
    Date of Patent: January 5, 2016
    Assignee: THOMSON LICENSING
    Inventors: Yves Maetz, Marc Eluard
  • Patent number: 9202044
    Abstract: Disclosed is a system and method for retrofitting defensive technology that transforms potentially dangerous computer programs into safe programs. The present disclosure involves applying software rewriting and/or randomization algorithms to monitored application launches and/or API calls. The present disclosure provides systems and methods for understanding and manipulating how untrusted software will behave upon execution, thereby thwarting any chance the untrusted software could launch and/or institute a weaponized malicious software attack. The present disclosure can apply a light-weight binary rewriting and in-lining system to tame and secure untrusted binary programs. The disclosed systems and methods can also implement binary stirring by imbuing native code of software with the ability to self-randomize its instruction addresses each time it is launched.
    Type: Grant
    Filed: November 21, 2013
    Date of Patent: December 1, 2015
    Assignee: The Board of Regents, The University of Texas System
    Inventor: Kevin William Hamlen
  • Patent number: 9166796
    Abstract: A secure and scalable data storage system that includes a server and a plurality of clients. The server maintains an access permission file that includes a file-group name, a plurality of client access blocks, a first and second public key, and a signature that is based on a first private key. The signature ensures that only clients who have a certain level of access can modify the contents of the access blocks. Each client access block includes at least one of a first access key, a second access key and a third access key. The access keys are encapsulated within biometric information of the client. The server grants one of a first level of access based on a successful verification of a signed request with the first public key and a second level of access based on a successful verification of the signed request with the second public key.
    Type: Grant
    Filed: June 23, 2014
    Date of Patent: October 20, 2015
    Assignee: Prince Sattam Bin Abdulaziz University
    Inventors: Abdullah A Albahdal, Terrance E Boult
  • Patent number: 9161213
    Abstract: The present invention pertains to improved communication quality and security of transmission in cellular communication networks. A customer has the option to pay different fees for different tiers of service relating to voice quality, bandwidth access, and different tiers of service relating to communications security. Higher tiers may guarantee a specific vocoder or bit rate is used, or guarantee a specific encryption protocol is used to ensure secure communications. Different tiers may be associated with customers' records for billing purposes. The network may afford high end devices higher voice quality and/or security via a lookup table indicating what level of service is associated with a given device. Calling or receiving devices may negotiate with each other to change to a more robust vocoder or bit rate to ensure a higher quality and/or security. Furthermore, the user may opt to change the quality and/or security level before or during a call.
    Type: Grant
    Filed: May 27, 2014
    Date of Patent: October 13, 2015
    Assignee: Privilege Wireless LLC
    Inventor: Alexander Poltorak
  • Patent number: 9160766
    Abstract: A computer-implemented method for protecting organizations against spear phishing attacks may include (1) searching a plurality of websites for user profiles belonging to users who are affiliated with an organization and who have access to at least one privileged computing resource controlled by the organization, (2) retrieving, from the user profiles, personal information describing the users, (3) determining, based on the personal information, that a portion of the user profiles belongs to an individual user with access to the privileged computing resource, (4) identifying at least one phishing attack risk factor in the user profiles that belong to the individual user, and (5) assessing, based at least in part on the phishing attack risk factor, a risk of a phishing attack targeting the individual user to illegitimately gain access to the privileged computing resource. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: April 25, 2014
    Date of Patent: October 13, 2015
    Assignee: Symantec Corporation
    Inventors: Anand Kashyap, Sudhanshu Shekhar
  • Patent number: 9137264
    Abstract: The invention relates to a method for optimizing the transfer of secure data streams via an autonomic network between multiple information-producing users Pi and multiple information-consuming users Cj, in which, for each secure session between an information-producing user Pi and an information-consuming user Cj, non-persistent security settings are exchanged between an optimization module and an autonomic agent via a secure control channel to apply between the autonomic agent and the optimization module the previously negotiated security procedure, such that during an exchange of streams between the information-producing user Pi and the information-consuming user Cj, the optimization module having non-persistent security settings appears as a client for a server during the said session.
    Type: Grant
    Filed: October 18, 2011
    Date of Patent: September 15, 2015
    Assignee: IPANEMA TECHNOLOGIES
    Inventors: Michel Delattre, Jacques Provost
  • Patent number: 9124493
    Abstract: A method for ensuring compliance with organizational policies is described herein. The method can include the step of monitoring one or more parameters of a managed computing device for compliance with one or more policies of an organization in which the organizational policies may include limitations on the managed computing device. The method can also include the step of detecting a non-conformance event at the managed computing device with respect to at least one organizational policy. In response to the detection of the non-conformance event, the operation of the managed computing device may be restricted with respect to features or data associated with the organization.
    Type: Grant
    Filed: March 11, 2014
    Date of Patent: September 1, 2015
    Assignee: OPENPEAK INC.
    Inventors: Vadim Kacherov, Robert M Dare, Gregory Paul Watson, Parag Goel
  • Patent number: 9107143
    Abstract: An apparatus and method connect an Access Point (AP) in a portable terminal. More particularly, an apparatus and method designate a group of searched peripheral APs, and attempt an access to an AP corresponding to a group selected by a user in a portable terminal. The apparatus includes a group set unit and an AP search unit. The group set unit sets items of peripheral APs to a group according to user's selection. After searching the peripheral APs at the time of AP connection, the AP search unit classifies an AP belonging to a selected item and connects to the classified AP.
    Type: Grant
    Filed: November 21, 2011
    Date of Patent: August 11, 2015
    Assignee: Samsung Electronics Co., Ltd
    Inventors: Jong-Seok Kim, Hyung-Jun Jeon
  • Patent number: 9100548
    Abstract: In one embodiment, a method for electronic enablement of features at a communication device that includes receiving a feature token, validating the feature token, and changing the enablement state of one or more features at the communication device in accordance with a valid feature token.
    Type: Grant
    Filed: July 17, 2008
    Date of Patent: August 4, 2015
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Glendon L. Akins, III, Jay C. McMullan, Jr.
  • Patent number: 9098713
    Abstract: Disclosed are a clipboard protection system in a DRM environment and a recording medium in which a program for executing the method in a computer is recorded. An identification information management unit changes first identification information of data, which is to be stored in a clipboard, into second identification information when data stored in the clipboard is requested by a reliable object, and outputs the second identification information corresponding to identification information of the reading target data if the reliable object requests extraction of the data stored in the clipboard. A data protection unit encodes the data, which is to be stored in the clipboard, and decodes the encoded data which is read from the clipboard.
    Type: Grant
    Filed: January 25, 2011
    Date of Patent: August 4, 2015
    Assignee: FASOO.COM CO., LTD
    Inventor: Hyung-Joo Lee
  • Patent number: 9092599
    Abstract: A method is used in managing knowledge-based authentication systems. Organization based information is analyzed for information that is suitable for creating a set of responses for a question. The question is used for authenticating a user. A set of responses is created for the question based on a set of parameters. The set of responses includes incorrect responses to the question along with a correct response. The incorrect responses help in identifying an unauthorized user.
    Type: Grant
    Filed: September 27, 2012
    Date of Patent: July 28, 2015
    Assignee: EMC Corporation
    Inventors: Boris Kronrod, Ayelet Avni, Lior Nudelman, Oren Menes
  • Patent number: 9094379
    Abstract: In one embodiment, a system and associated processes for transparent client-side cryptography are provided. In this system, some or all of a user's private data can be encrypted at a client device operated by the user. The client can transmit the encrypted user data to a content site that hosts a network application, such as a social networking application, financial application, or the like. The content site can store the private data in its encrypted form instead of the actual private data. When the content site receives a request for the private data from the user or optionally from other users (such as social networking friends), the server can send the encrypted user data to a client associated with the requesting user. This client, if operated by an authorized user, can decrypt the private data and present it to the authorized user.
    Type: Grant
    Filed: December 29, 2010
    Date of Patent: July 28, 2015
    Assignee: Amazon Technologies, Inc.
    Inventor: Kevin Miller
  • Patent number: 9077746
    Abstract: Tools and methods in which user interaction via a common user interface enables the assessing of network security prior to implementation of the network, as well as assessing the security of existing networks, portions of existing networks, or modifications to existing networks. A network security model useful in realizing the tools and methods is also disclosed.
    Type: Grant
    Filed: August 27, 2012
    Date of Patent: July 7, 2015
    Assignee: LGS INNOVATIONS LLC
    Inventors: Uma Chandrashekhar, Eunyoung Kim, Daniel P. Koller, Andrew Roy McGee, David D. Picklesimer, Timothy J. Politowicz, Steven H. Richman, James S. Tiller, Chen Xie
  • Patent number: 9070008
    Abstract: In a personal authentication apparatus that compares input feature information with feature information stored in advance as dictionary data, thereby calculating a similarity and recognizing a person, when additionally storing feature information in the dictionary data, the feature information is compared with the feature information of the same person already stored in the dictionary data. Pieces of feature information are put into groups for the same person based on the similarities and stored in the dictionary data.
    Type: Grant
    Filed: December 19, 2012
    Date of Patent: June 30, 2015
    Assignee: CANON KABUSHIKI KAISHA
    Inventors: Yuki Tanaka, Akemi Kikuchi, Yasushi Ohwa, Yasuhiko Iwamoto
  • Patent number: 9053331
    Abstract: Method of securing exchanges between two electronic devices, by using an imprint of at least one of the two devices. This imprint is obtained on the basis of all or part of the electronic components of which this device is composed. This imprint will serve, either to protect the confidentiality of the data exchanged, or to attest to the identity of the device issuing the data.
    Type: Grant
    Filed: June 18, 2010
    Date of Patent: June 9, 2015
    Assignee: Gemalto SA
    Inventors: Jacques Fournier, Franck Imoucha, Laurent Gauterron, Véronique Charpeignet
  • Patent number: 9049597
    Abstract: A terminal (1) for use with a cellular or mobile telecommunications network (3) includes authentication means (15) such as a SIM, USIM, UICC etc. for authenticating the terminal with the network. The terminal further includes a normal execution environment (30) and a secure execution environment (34). An interface controller (46) is provided in the secure execution environment and intercepts all communications directed to the authentication means to control access to the authentication means by these communications.
    Type: Grant
    Filed: August 29, 2008
    Date of Patent: June 2, 2015
    Assignee: VODAFONE GROUP PLC
    Inventors: Caroline Belrose, Nicholas Bone
  • Patent number: 9043900
    Abstract: A display device is disclosed. The display device comprising: a display unit; a sensor unit; a storage unit; and a processor configured to: provide feedback for indicating a security on state of selected first information when selection input for selecting the first information in the security on state is detected, when a security off input for clearing security is detected in response to the feedback, obtain the fingerprint using the display unit, and convert the first information in the security on state into a security off state when the obtained fingerprint is matched with a pre-stored fingerprint, when a security maintenance input for maintaining security is detected in response to the feedback, maintain the security on state of the first information.
    Type: Grant
    Filed: March 24, 2014
    Date of Patent: May 26, 2015
    Assignee: LG Electronics Inc.
    Inventors: Jihwan Kim, Jongho Kim, Doyoung Lee, Yongsin Kim
  • Patent number: 9043899
    Abstract: The variable domain data access control system and method described herein use the same variable domain to describe a data security model and a variable domain data model, such as a product configuration model. A variable domain is a set of resource data that can be described using a logical relationship data structure. The variable domain utilizes logical relationship expressions, such as a Boolean logic language, to define resource data in terms of parts, rules and/or attributes, and any other property that can be accessed for viewing, manipulation, or other purposes. The data security model represents an access control list (ACL) that includes security attributes as resource data and uses the same data structure and logical relationship expressions as an associated variable domain data model. An application, such as a configuration engine, can be used to create controlled access to the variable domain data model using the data security model.
    Type: Grant
    Filed: November 19, 2013
    Date of Patent: May 26, 2015
    Assignee: Versata Development Group, Inc.
    Inventors: Jacy M. Legault, Jon Loyens
  • Patent number: 9038128
    Abstract: A mechanism for applying security category labels to multi-tenant applications of a node in a PaaS environment is disclosed. A method of embodiments includes generating, by a virtual machine (VM), a unique security category label (SCL) for each local user identification (UID) maintained by the VM, assigning, for each local UID maintained by the VM, the unique SCL associated with the local UID to one or more Internet Protocol (IP) addresses mapped to the local UID, receiving a request to initialize an application on the VM, assigning a local UID of the local UIDs maintained by the VM to the application, assigning files of the application the unique SCL associated with the local UID of the application, and assigning the unique SCL associated with the local UID of the application to a running process of the application.
    Type: Grant
    Filed: February 29, 2012
    Date of Patent: May 19, 2015
    Assignee: Red Hat, Inc.
    Inventors: Daniel J. Walsh, Michael P. McGrath
  • Patent number: 9032493
    Abstract: A three-way trust relationship is established between a mobile device, Internet-connected vehicle system, and a cloud-based service. Access rights are granted to the mobile device from the vehicle system, such that the mobile device can securely connect to, and obtain status information and/or control the Internet-connected vehicle system, through the cloud-based service.
    Type: Grant
    Filed: March 31, 2011
    Date of Patent: May 12, 2015
    Assignee: Intel Corporation
    Inventors: Victor B. Lortz, Anand P. Rangarajan, Somya Rathi, Vijay Sarathi Kesavan
  • Patent number: 9032174
    Abstract: A processor determines whether a first program is under execution when a second program is executed, and changes a setting of a memory management unit based on access prohibition information so that a fault occurs when the second program makes an access to a memory when the first program is under execution. Then, the processor determines whether an access from the second program to a memory area used by the first program is permitted based on memory restriction information when the fault occurs while the first program and the second program are under execution, and changes the setting of the memory management unit so that the fault does not occur when the access to the memory area is permitted.
    Type: Grant
    Filed: February 11, 2013
    Date of Patent: May 12, 2015
    Assignee: Fujitsu Limited
    Inventor: Naoki Nishiguchi
  • Patent number: 9031536
    Abstract: The invention is directed to systems and methods for detecting the loss, theft or unauthorized use of a device and/or altering the functionality of the device in response. In one embodiment, a device monitors its use, its local environment, and/or its operating context to determine that the device is no longer within the control of an authorized user. The device may receive communications or generate an internal signal altering its functionality, such as instructing the device to enter a restricted use mode, a surveillance mode, to provide instructions to return the device and/or to prevent unauthorized use or unauthorized access to data. Additional embodiments also address methods and systems for gathering forensic data regarding an unauthorized user to assist in locating the unauthorized user and/or the device.
    Type: Grant
    Filed: April 2, 2008
    Date of Patent: May 12, 2015
    Assignee: Yougetitback Limited
    Inventors: William Fitzgerald, Peter Bermingham, Frank Hannigan, Paul Prendergast
  • Patent number: 9032542
    Abstract: A data storage system includes a storage device and a data handler that receives an object, creates metadata for the object that includes a key and an authorization, stores the object on the storage device, receives a request for the object, determines if the request includes the key, and, if the request has authorization information, permits access to the object. The data handler receives another request for the object, determines if the request includes the key, and, if the request does not have the authorization information, denies access to the object.
    Type: Grant
    Filed: February 28, 2014
    Date of Patent: May 12, 2015
    Assignee: Dell Products, LP
    Inventors: Farzad Khosrowpour, Marco A. Peereboom