Abstract: Techniques are disclosed for implementing a CAPTCHA access control system based on graphical representations of a watch or other timekeeping device. More particularly, the disclosed CAPTCHA system's request/challenge mechanism employs a graphical representation of a watch whose perturbation from a baseline visual presentation is controlled by a large number of attributes, each of which may assume a number of different values. The use of a large number of display attributes (e.g., 20 or more) and a relatively small number of difficulty levels allows each difficulty level to have an enormous number of possible graphical representation. Such a large number of potential challenge images essentially precludes the likelihood that any automated search for a matching image—providing the ability to correctly respond with certainty to the challenge query—will be successful.

Abstract: A first device transmits data as encrypted portions that are communicated to one or more second devices as one or more of: a graphical animation rendered to a screen on a display of the first device and audio played out a speaker of the first device.

Abstract: Entity group behavior profiling. An entity group is created that includes multiple entities, where each entity represents one of a user, a machine, and a service. A behavior profile is created for each one of the entities of the entity group. The behavior of each of one of the entities of the entity group is monitored to detect behavior change. An indicator of compromise is detected based on multiple ones of the entities experiencing substantially a same behavior change.

Abstract: In one embodiment, a computing device determines a Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA). The CAPTCHA includes a first static image that has image sections that are arranged in a first order. Each of the image sections corresponds to a unique identifier. The CAPTCHA further includes a second static image that includes each of the image sections of the first static image that are arranged in a second order. The computing device generates web-browser-executable code for converting the second static image to the first static image based on the first static image, the first order, and the unique identifiers. The computing device sends the second static image and the web-browser-executable code to a client device.

Abstract: Systems and methods for determining a pictograph password sequence and association phrase are provided. In some example embodiments, an assigned pictograph sequence request is received from a client device, with the request causing the system to generate a template pictograph sequence, generate an association phrase based on the template pictograph sequence, store the template pictograph sequence and associated phrase on a memory, and transmit instructions to cause a display of the template pictograph sequence and the association phrase. In some example embodiments, the system requires an input of a pictograph sequence that matches the template pictograph sequence in order for a user to view content. In some example embodiments, the template pictograph sequence may be replaced by a user pictograph sequence.

Abstract: Aspects of the subject matter described herein relate to disclosing recovery keys. In aspects, when a recovery key is disclosed, data is updated to indicate that the recovery key has been disclosed. A machine that has locked data may determine whether a recovery key for the locked data has been disclosed and whether a new key needs to be generated for the locked data. If a new key needs to be generated for the locked data, the machine may generate the new key and send it to a recovery store for storage. In addition, old keys that protect the locked data may be deleted after the new key has been generated and stored.

Abstract: A technique controls access to a resource. The technique includes deriving, by processing circuitry, a password based on a phrase/thought provided by a user. The technique further includes confirming with the user that the password is to control access to the resource. The technique further includes, after confirming with the user that the password is to control access to the resource, imposing a requirement that the user provide the password before obtaining access to the resource. Such a password may be formed by concatenating multiple words (e.g., four words) that may be unrelated to each other. Such a password may be relatively strong since the resulting concatenation would not be found in any dictionary, and since it would be an extremely difficult and time consuming endeavor to predict such a password by attempting to combine words from a dictionary to form the concatenations.

Abstract: A numerical control apparatus which enables a numerical control apparatus for a machine tool suitable for executing a particular machining program to selectively execute the machining program. The numerical control apparatus includes a storage that stores unique information; a receiving part that receives a machining program including incidental information; a determination part that checks the incidental information included in the machining program received by the receiving part with the unique information stored in the storage, and determines whether information matching the unique information is included in the incidental information; and a machine controller that executes the machining program received by the receiving part to control the machine tool only when it is determined that information matching the unique information is included in the incidental information.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for detecting malicious activities. One of the methods includes obtaining a collection of user event logs or receiving user events through real-time feeds; using data from the user event logs/feeds to determine IP address properties for individual IP addresses and IP address ranges; and for each incoming event, updating the IP address properties for the corresponding IP address and IP prefix properties.

Abstract: A method and device for uploading data to a social platform. The method includes a plugin set into an application program. The plugin integrates at least one Application Program Interface (API) possessing publishing function provided by at least one social platform. A request for uploading data to a social platform is received and data to be uploaded is obtained according to the request. The data is uploaded to the corresponding social platform through an API possessing publishing function integrated by the plugin. Date may be uploaded through the plugin to one or more social platforms simultaneously without launching a client terminal of the corresponding social platforms.

Abstract: A system for entering a secure Personal Identification Number (PIN) into a mobile computing device includes a mobile computing device and a peripheral device that are connected via a data communication link. The mobile computing device includes a mobile application and a display and the mobile application runs on the mobile computing device and displays a grid on the mobile computing device display. The peripheral device includes a display and an encryption engine, and the peripheral device display displays a grid corresponding to the grid displayed on the mobile computing device display. Positional inputs on the mobile computing device grid are sent to the peripheral device and the peripheral device decodes the positional inputs into PIN digits and generates an encrypted PIN and then sends the encrypted PIN back to the mobile computing device.

Abstract: A method for user passcode authentication. The method includes accessing a user information database with predefined user input option parameters and generating a random arrangement of input options from the predefined user input option parameters. The method includes manifesting the random arrangement of input options on an interactive display interface and receiving a selection of the interactive display interface input options. The method also includes comparing the received selection of interactive display interface options to the predefined user input option parameters.

Abstract: According to a general aspect, a method can include receiving a request, triggered via a consumer account, to access, using a social media application, a plurality of sharer content. The sharer content can be associated with a sharer account using the social media application. The method can include retrieving, in response to the request, a consumer value and a relationship value. The consumer value can represent an interaction with the social media application via the consumer account and the relationship value can characterize a relationship between a consumer identifier of the consumer account and a sharer identifier of the sharer account. The method can include selecting a subset of sharer content from the plurality of sharer content based on a combination of the consumer value and the relationship value, and can include defining a portion of a presentation customized for the consumer account using the selected subset of sharer content.

Abstract: One embodiment provides a system that facilitates efficient key retrieval by using key catalogs in a content centric network. During operation, the system generates, by a client computing device, a first interest for a key indicated in a signed key catalog. In response to receiving the key, the system verifies the received key by determining that a hash of the received key matches a hash of the key as indicated in the catalog based on a name for the received key. The system generates a second interest for a content object, wherein a name for the second interest includes a name prefix associated with the key as indicated in the catalog, wherein the first interest is transmitted before or concurrent with transmitting the second interest. In response to receiving the content object, the system verifies the received content object based on the key.

Abstract: A method and computer for assessing whether a password can be generated by using characteristics of a physical arrangement of keys of an input device. A received password includes characters corresponding to respective select keys in a sequence of select keys of the input device. For each select key, a final detection frequency is calculated as a sum of an initial detection frequency and an additive correction. A password determination value is calculated as a ratio of a total number of select keys having a final detection frequency equal to a minimum detection frequency and the total number of select keys in the sequence of select keys. A determination of whether the calculated password determination value is, or is not, less than a predetermined threshold value indicates that the password cannot, or can, respectively, be generated by using the characteristics of the physical arrangement of keys of the input device.

Abstract: A user authentication method and terminal, where the method includes acquiring an authentication interaction object and an interference interaction object where the authentication interaction object is a real interaction object stored in a terminal, the interference interaction object is a virtual interaction object constructed by the terminal, and the interference interaction object has a similar feature with the authentication interaction object to cause interference to a user when the user is selecting the authentication interaction object, displaying the authentication interaction object and the interference interaction object in an authentication interface for the user to select from, receiving a selection result and determining whether the selection result is the authentication interaction object, and determining, when the selection result is the authentication interaction object, that authentication succeeds.

Abstract: Systems and methods are provided for online transactions using pattern recognition. A user of a payment provider may create and register patterns drawn by the user on a pattern entry image. The user may register the patterns by associating transaction options with each drawn pattern. Each pattern may be used to execute a particular transaction such as a purchase transaction, a payment of a specific amount, a payment to a specific recipient, or a sales transaction. When the user wishes to execute a transaction such as an online payment to a particular recipient for a particular amount, the user can redraw the registered pattern associated with payments to that recipient for that amount. A pattern can be drawn at a particular location on the pattern entry image. Different transactions can be associated with patterns drawn at different locations.

Abstract: A conference setting method includes: displaying a first setting screen on a particular terminal configured to perform a setting operation of a teleconference, the first setting screen being switchable between: a first setting method having a plurality of password setting fields in which a password is set to each of at least three authorities having different numbers of executable functions; and a second setting method having a common authority setting field in which one of the at least three authorities is set as a common authority and having a common authority password setting field in which a password is set to the common authority; and storing, in a storage, passwords set in the password setting fields in association with respective ones of the at least three authorities; and storing, in the storage, a common authority password set in the common authority password setting field in association with the common authority.

Abstract: Mechanisms and techniques for customized user validation. A login attempt is received from a remote electronic device with one or more computing devices that provide access to one or more resources. The login attempt is analyzed to determine a profile from a plurality of profiles corresponding to the login attempt. The one or more computing devices support the plurality profiles with each profile having a corresponding flow. The flow corresponding to the profile is performed prior to allowing continuation of the login attempt. The login attempt is continued, via the one or more computing devices, after the flow corresponding to the profile is completed. Access is granted to the one or more resources, via the one or more computing devices, in response to a successful completion of the login attempt.

Abstract: The proliferation of personal computing devices in recent years, especially mobile personal computing devices, combined with a growth in the number of widely-used communications formats has led to increased concerns regarding the safety and security of documents and messages that are sent over networks. Users desire a system that provides for the setting of custom access permissions at a file-level or sub-file-level. Such a system may allow the user to apply customized privacy settings (and, optionally, encryption keys) differently to particular portions of a document—even if the document is of a ‘lossy’ file type, e.g., a JPEG image. According to some embodiments, the custom access permission settings may be implemented by obfuscating portions of the original file and then embedding “secret,” e.g., hidden and/or encrypted, versions of the obfuscated portions in parts of the data structure of the original lossy file before transmitting the file to the desired recipients.

Abstract: Methods of performing operations on a processor of an electronic device include establishing a programmatic association in a one-to-one relationship between mathematical operators and directions of movement that a user can make when selecting number keys among an arrangement of number keys. A first number is received from a user selection of a first number key, and a second number is received from a user selection of a second number key. A first direction of user movement from the first number key to the second number key is determined, and a first mathematical operator is selected among the mathematical operators that is programmatically associated with the first direction. The first and second numbers are combined using the first mathematical operator to generate an output number, and the output number is provided to a secure program to control user access to a protected operation of the secure program.

Abstract: A method comprising includes detecting, in response to a user access attempt on an electronic access device, a one-time passcode authentication event; receiving, at an electronic authenticating device, notification of the one-time passcode authentication event; retrieving, in response to the notification, a one-time passcode from the authenticating device; transmitting the one-time passcode from the authenticating device to a facilitator software instance operating on the access device; and enabling population, using the facilitator software instance, of a one-time passcode entry form with the one-time passcode.

Abstract: A format-preserving cipher including an encryption and a decryption scheme supporting non-linear access to input data by allowing the selection of portions of data from a potentially larger dataset to be encrypted, thus avoiding a necessarily sequential access into the input plaintext data. The cipher first defines a forward mapping from the allowable ciphertext values to an integer set of the number of such allowable ciphertext values, and a corresponding reverse mapping. It also supports exclusion of a certain set of characters from the ciphering process. An encryption algorithm is provided that encrypts the input plaintext data while preserving its original format and length, and a corresponding decryption algorithm is provided. The cipher advantageously embodies the encryption and decryption of multi-byte values, composite datasets, and credit card numbers, thus fitting a variety of industrial needs.

Abstract: Embodiments described herein relate to apparatuses and methods for enabling applied key management operations at a client including establishing a data connection with a file kernel driver of the client to enable the applied key management operation, receiving a request pertaining to encryption key data, relaying the request pertaining to the encryption key data to an applied key management system, and receiving a response regarding the request from the applied key management system based on at least one policy of the applied key management system.

Abstract: Methods and systems are provided for verifying reset of credentials for user accounts. The methods and systems receive a request to change a credential associated with a user account. The user account has account privileges associated with a network service. The methods and systems set the user account to a cool-down status and send a reset notification to one or more trusted access points associated with the user account to inform a valid owner or user of the account that a credential has been reset. The methods and systems manage availability of at least a restricted subset of the account privileges for a cool-down time period or until a reset verification is received from a valid owner or user.

Abstract: Systems and methods for providing additional control over user equipment (UE) using standardized features of a subscriber identity module (SIM) is provided. The UE can impose SIMLocking criteria based on subscriber related attributes (such as rate plan, prepay, postpay, etc.). The SIM module can comprise multiple unique entries and one value for each entry. One or more entries on the SIM can be subdivided to provide additional values with each value made up of a subset of bits from a particular entry. Thus, a single entry can provide a plurality of values to make up a SIM configuration. The SIM configuration can be compared to a UE SIMLock configuration with the same, or similar, entries to determine if the SIM is compatible for use with the UE. The SIM configuration can be updated dynamically to reflect changes in the account associated with the UE or the SIM.

Abstract: A method for phishing detection, performed by a mobile device, is provided. The method includes receiving a first OTP (one-time password), from a remote caller purporting to be from a trusted organization, into the mobile device. The method includes generating a second OTP, using an OTP generation system provided by the trusted organization, and comparing, in the mobile device, the first OTP and the second OTP, wherein the first OTP matching the second OTP indicates legitimacy of the remote caller, and the first OTP mismatching the second OTP indicates illegitimacy of the remote caller. A mobile device and a computer readable media are also provided.

Abstract: Disclosed are systems, methods, and computer-readable storage media for Bluetooth low energy (BLE) double authentication between a mobile device and server nodes. A system using BLE authentication can receive at a mobile device, an identifier of a dongle attached to a server that enables wireless communication and can establish a wireless low energy connection with the dongle without paring. The system can receive a server identifier and can determine whether the server has previously been authenticated to yield a determination. When the determination is that the server has not previously been authenticated, the system can receive a baseband management controller username and a password. When the determination is that the server has previously been authenticated, the system can determine whether to perform a double authentication to yield a second determination. The system can perform the double authentication when the second determination indicates that the double authentication should be performed.

Abstract: A personal base station (PBS) having wireless video capability. The PBS authenticates a mobile device within range for cellular services, and authenticates the user for a level of service for cable television. The PBS operates in accordance with a dual-purpose subscriber identity system (SIS) includes a subscriber mobile identity component (SMIC) and a video security component (VSC) such that the cellular and television services can be authenticated. Mobile devices incorporating the disclosed innovations, as well as the PBS, can access video content from a cable television provider through any available broadband link, regardless of the mobile device's physical location.

Abstract: In one embodiment, a user password is received in relation to a user identifier, wherein the user identifier and user password are associated with a user account. A request to opt-in to use of system-generated passwords instead of the user password is received. A substitute password for the user account is generated and provided.

Abstract: An access control system utilizes authorized users' mobile electronic devices for transmitting biometric identifiers in combination with using an access card, for authenticating the user's access privileges for unlocking a secure door. The system may further verify proximity of the user's device to the access control reader, which verifies correspondence of the access card with the transmitted biometric characteristics. The system may further require entry of a PIN into the user's device, for its transmission to the access control system for access confirmation. A scanner scans the area around its geographic location for signals emitted by mobile electronic devices, and identifies a position, a type, and an address of each device, using characteristics of the signals. Audio analytics detect/identify a position of sudden sound fluctuations indicating a gunshot/fight incident, and correlates the incident location to a device location. Video analytics correlate imaged people with detected electronic devices.

Abstract: Disclosed are systems, methods, and non-transitory computer-readable storage media for providing content management features in a messaging service. A messaging client receives a reference to a content item stored on a content management system and receives, from the content management system, a set of sharing options for the content item. The set of sharing options is presented to the user via the messaging client and a user selection of sharing options is received. The messaging client sends the user selection of sharing options to the content management system, wherein the content management system is configured to apply the user selection of sharing options to the content item.

Abstract: A function performing apparatus includes a function performing unit performing a specific function, a processor, and memory storing computer-readable instructions therein, the computer-readable instructions, when executed by the processor, causing the function performing apparatus to perform, in response to receiving a user authentication information when the user authentication information has been registered in an authentication memory, transitioning a state of the apparatus from a non-permission state to a permission state, registering, in the authentication memory, a device authentication information in association with the user authentication information upon establishing a first connection with a portable device, and transitioning the state of the apparatus from the non-permission state to the permission state when a second connection with the portable device is established and the device authentication information is obtained from the portable device.

Abstract: A method of operating a server comprises receiving an authorization request comprising a password, accessing an expiry date for the password, transmitting a response comprising the expiry date, ascertaining whether the password has expired, and receiving a new password, if the password has expired. Optionally, the transmitted response further comprises a date representing the last use of the password and/or an integer value representing a retry parameter.

Abstract: A method and information handling system (IHS) that optimizes boot time. The method includes a basic input output system (BIOS) performing an authentication check of drivers during an initial boot process. The results of the authentication check are stored along with an unified extensible firmware interface (UEFI) image for each driver in an authentication results data structure (ARDS). In response to receipt of a subsequent request to enable a secure boot of the IHS, when the initial boot process was performed with the secure boot disabled, the ARDS is accessed to determine if any of the drivers failed the authentication check. When none of the drivers have failed the authentication check, the boot process is continued using the UEFI images of the drivers. When at least one of the drivers has failed its authentication check, a notification is output indicating a failure of the authentication check.

Abstract: The accessibility of a hyperlinked files is displayed. A hyperlink that references a resource is extracted from a target file. An attempt to acquire the resource is made by performing a first authentication operation. A first object is received in response to performing the authentication operation. A second object is acquired by performing a second authentication operation using pre-determined authentication information. The first object and the second object are compared to determine if the first object is the same as the second object. Information indicating the accessibility of the resource is presented via a display apparatus.

Abstract: Provided is a network system which improves a security and prevents illegal use when providing services such as Internet banking services. A random graphic table (RMT) is issued to a user, and having text characters which a user inputs and figures which corresponds to the text characters, respectively, and which is unrelated to the text characters such as a photograph. A banking organization server (30) manages random graphic table data corresponding to the random graphic table (RMT), distributes data for input including a portion of the random graphic table data to a communication terminal device (10) when information is inputted, and executing a specification of information to be specified while comparing the data for input with the random graphic table (RMT).

Abstract: A method and system are provided for authenticating a user to an application back-end using a key pair and one or more bearer tokens such as a password, a biometric code, or a biometric key, while protecting the bearer tokens against back-end security breaches. In one embodiment, an application front-end authenticates the user by sending the bearer tokens and a public key to the application back-end, and demonstrating knowledge of a private key. The application back-end compares an authentication-phase tag derived from a joint hash of the public key and the bearer tokens against a registration-phase tag stored in a device record within a back-end database. The public key is not stored in the database, thereby depriving an adversary who breaches back-end security of information needed to test guesses of the bearer tokens.

Abstract: Techniques related to view-based expiration of shared content are described. An online content management system receives a view access request from a client device. The view access request includes a shared link to a server-stored content item. A view access counter associated with the shared link is used to determine that the view access request is authorized. The shared link is resolved to the server-stored content item, and at least a portion of the server-stored content item is sent to the client device. Optionally, instructions that cause the client device to send an acknowledgement can also be sent to the client device. The acknowledgement indicates that one or more presentation conditions have been satisfied. The one or more presentation conditions can include presenting at least the portion of the server-stored content item at the client device. The online content management system receives the acknowledgement and increments the view access counter.

Abstract: An information processing system establishes connection between an information storage apparatus and an application installed in a terminal including a storage device for storing authentication information. The information processing system includes a setting information acquisition unit configured to acquire setting information from the information storage apparatus when the terminal receives an execution request to execute the application, the setting information indicating whether to prompt input of the authentication information.

Abstract: Techniques for bridging a honey network to a suspicious device in a network (e.g., an enterprise network) are disclosed. In some embodiments, a system for bridging a honey network to a suspicious device in an enterprise network includes a device profile data store that includes a plurality of attributes of each of a plurality of devices in the target network environment; a virtual clone manager executed on a processor that instantiates a virtual clone of one or more devices in the target network environment based on one or more attributes for a target device in the device profile data store; and a honey network policy that is configured to route an internal network communication from a suspicious device in the target network environment to the virtual clone for the target device in the honey network.

Abstract: An authentication scheme in which an instance of a designated element is shifted to proximity with a designated target to gain access a device may be enhanced by creating conditions that allow for either the designated element or the designated target to be different for each instance of authentication. In one embodiment, a secondary display portion may be used to provide an indication of a dynamic designated element. In another embodiment, a secondary display portion, in combination with a tertiary display portion, may be used to provide an indication of a dynamic designated target.

Abstract: Authentication systems and methods can selectively authenticate a request to access a resource data store storing access rights associated with a user device. The systems and methods can scalably execute challenges workflows as part of the authentication process. For example, a request to access one or more access rights stored in the data store can be received from the user device. The user device can be authenticated using challenge workflows selected based on a device identifier of the user device. The selected challenge workflows can be executed to determine whether or not to grant access to the access rights stored in the resource data store.

Abstract: A network access service operates as an intermediary between client applications and network services. The network access service is configured to perform one or more authentication processes required by the network services on behalf of the client applications. This includes the network access service obtaining and managing access tokens on behalf of the client applications. The network access service reuses access tokens and automatically acquires new access tokens upon expiration. The network access service is also configured to format data from a client application into a format required by a network service and to provide application program interface and language support required by a network service.

Abstract: Systems and methods for configuring user equipment (UE) for use with compatible subscriber identity modules (SIMs) is disclosed. The UE can include a UE SIMLock configuration containing one or more UE parameters and a value for each category. A compatible SIM can include a SIM configuration with compatible SIM values. The UE can request a UE SIMLock configuration from one or more telecommunications network devices using secure communications. The UE can receive a UE SIMLock configuration from the telecommunications network device. The UE SIMLock configuration can be applied to the UE modem governing SIMLock engine behavior. The UE SIMLock configuration can be updated dynamically with subsequent messages from the telecommunications network device to reflect changes in the account associated with the UE, such as the fulfillment of a contract or theft of the UE.

Abstract: An apparatus includes a memory, and a processor coupled to the memory and configured to specify a communication source device that performs a plurality of traffic confirmations of communications with a plurality of first devices, and control to discard a plurality of first authentication requests for the plurality of first devices generated by the communication source device after performing the plurality of traffic confirmations of communications.

Abstract: A Privacy Controlled Social Network including a first device that shares content with a second device through at least one network, where content is “encoded” or “locked” at the first device by applying a locking code. In embodiments, the locked content that is shared may include media that is locked by applying the locking code at the first device. The locked content may be shared with the second device and include a message or caption that is not locked and viewable by the recipient user of the second device. The locked content may be unlocked by providing the appropriate code to a user interface to unlock the content for the user of the second device. A lock/unlock scheme using input related to a display of an item associated with the content to lock/unlock the content may utilize gestures on a touch screen displaying the item as the lock/unlock code.

Abstract: A method, and a system are provided for implementing cloud based malware container protection. A container is provisioned for a user. The container is monitored, and when an abnormal activity is detected based upon historical metric data, a unikernel is provisioned and a user application is migrated to the unikernel while inspection occurs.

Abstract: An access control system utilizes authorized users' mobile electronic devices for transmitting biometric identifiers in combination with using a key card, for authenticating the user's access privileges for unlocking a secure door. The system may further verify proximity of the user's device to the access control reader, which verifies correspondence of the key card with the transmitted biometric characteristics. The system may further require entry of a PIN into the user's device, for its transmission to the access control system for access confirmation. A scanner scans the area around its geographic location for search signals emitted by mobile electronic devices, and identifies a position, a type, and an address of each device, using characteristics of the search signals. Audio analytics detect/identify a position of sudden sound fluctuations indicating a gunshot/fight incident, and correlates the incident location to a device location.

Abstract: Disclosed is a method, apparatus, and system to control the unlocking of an entry for a guest having a wireless device by an owner access point. A virtual key for a wireless device and an access control rule associated with the virtual key may be stored at the owner access point. The owner access point may determine whether a virtual key received from a wireless device matches the stored virtual key and whether the access control rule for the stored virtual key is satisfied. If the virtual key matches, and the access control rule for the stored virtual key is satisfied, the owner access point may transmit an open command to the entry.