Abstract: A login control method and apparatus is provided for facilitating usage right authentication of a mobile terminal, when the user unlocks the mobile terminal. The login control method includes determining, when a lock image is displayed on a screen, a posture of a mobile terminal, detecting unlock information, comparing the unlock information with a pre-registered unlock information, selecting, when the unlock information and the pre-registered unlock information are identical, an operation mode corresponding to the matched unlock information, from a plurality of operation modes, as the current operation mode, and displaying an image representing the current operation mode.

Abstract: An apparatus comprises a plurality of processor cores, each comprising a computation unit and a memory. The apparatus further comprises an interconnection network to transmit data among the processor cores. At least some of the memories are configured as a cache for memory external to the processor cores, and at least some of the processor cores are configured to transmit a message over the interconnection network to access a cache of another processor core.

Abstract: A control system includes a control device, a controller, a plurality of user mobile devices, and a manager mobile device. Initial first identification information picked up by each user mobile device is sent to the manager mobile device, is authenticated, and is encoded. Every time a user mobile device is connected to the controller for opening the control device, a holder of the user mobile device is requested to input an instant first identification information. After decoding by a decoding key, the controller identifies whether the instant first identification information is identical to the authenticated initial first identification information. The identification result is used to decide whether the control device should be set to be an open state.

Abstract: A system, method, and computer program product are provided for a pre-deactivation grace period on a processing device (e.g., mobile device). In operation, a deactivation request is detected for a deactivation event. Further, the commencement of the deactivation event is delayed for a predetermined time period, in response to the deactivation request. Additionally, the deactivation event is commenced, after the predetermined time period. To return to full functionality of the processing device while in the deactivation grace period all that may be required is entry of a authentication information (e.g., password) that is weaker than a stronger authentication information initially used to log into the processing device.

Abstract: In some implementations, a method of managing access to resources in a single device including receiving, from a first resource assigned to a first perimeter, a request to access a second resource assigned to a second perimeter different from the first perimeter. The single device includes the first perimeter and the second perimeter. Whether access to the second resource is prohibited is determined based on a management policy for the first perimeter. The management policy defining one or more rules for accessing resources assigned to the second perimeter including the second resource.

Abstract: There is provided a method and apparatus for communications using short range communications such as Near Field Communications (NFC). A mobile device comprising an NFC subsystem provides a dynamic credential for use to login to a network requiring two factor authentication. A terminal used for logging in to the network is associated with an NFC reader, and bringing the NFC device in proximity to the NFC reader provides the terminal with the dynamic credential required for two factor authentication.

Abstract: A method for configuring an application for an end device having a predefined end-device configuration with a predefined security level. A query about the predefined end-device configuration is directed by means of the application to a central place in which a multiplicity of security levels of end-device configurations have respective application configurations associated therewith. In response to the query, the central place ascertains the predefined security level of the predefined end-device configuration from the multiplicity of security levels, and outputs it to the application together with the associated application configuration. In dependence on the output security level, one or several functions of the application are configured by means of the application on the basis of the output application configuration for the end device.

Abstract: A computer system for dumping a confidential image on a trusted computer system. A trusted computer system loads an encrypted client dumper image key. The trusted computer system decrypts, with a private host key, the encrypted client dumper image key to generate a client dumper image key. The trusted computer system loads an encrypted dumper including a client dump key, in response to determining that the client dumper image key matches a client image key which encrypts a boot image of a current operating system. The trusted computer system decrypts, with the client dumper image key, the encrypted dumper to generate a dumper including the client dump key. The trusted computer system starts the dumper. The dumper generates an encrypted dump by encrypting, with the client dump key, an image to be dumped in the secure logical partition, and the dumper writes the encrypted dump on a client dump device.

Abstract: In some implementations, a method of managing access to resources in a single device including receiving, from a first resource assigned to a first perimeter, a request to access a second resource assigned to a second perimeter different from the first perimeter. The single device includes the first perimeter and the second perimeter. Whether access to the second resource is prohibited is determined based on a management policy for the first perimeter. The management policy defining one or more rules for accessing resources assigned to the second perimeter including the second resource.

Abstract: A method comprises receiving an additional user provided access token requesting application at a device already having a user provided access token requesting application. The method also comprises requesting information from a user of said device if an access token of one of said applications is to be changed to that of the other of said applications and accepting verification by one of said applications as verification of another of said applications.

Abstract: A control system includes a control device, a controller, a plurality of user mobile devices, a manager mobile device, and a manager server. An initial first identification information of each user mobile device obtained by the manager mobile device is sent to the manager server, is authenticated, and is encoded. Every time a user mobile device is connected to the controller for opening the control device, a holder of the user mobile device is requested to input an instant first identification information. After decoding by a decoding key, the controller identifies whether the instant first identification information is identical to the authenticated initial first identification information. The identification result is used to decide whether the control device should be set to be an open state.

Abstract: A method for dumping a confidential image on a trusted computer system. A trusted computer system loads an encrypted client dumper image key. The trusted computer system decrypts, with a private host key, the encrypted client dumper image key to generate a client dumper image key. The trusted computer system loads an encrypted dumper including a client dump key, in response to determining that the client dumper image key matches a client image key which encrypts a boot image of a current operating system. The trusted computer system decrypts, with the client dumper image key, the encrypted dumper to generate a dumper including the client dump key. The trusted computer system starts the dumper. The dumper generates an encrypted dump by encrypting, with the client dump key, an image to be dumped in the secure logical partition, and the dumper writes the encrypted dump on a client dump device.

Abstract: An apparatus and a method for protection of data stored in a data storage unit that comprises a plurality of storage areas. A data interface connects to a computer system and transfer of a data signal from the computer system to the apparatus requests access to the data storage unit. A main control unit is configured to receive the data signal and is connected to the data storage unit. A user control unit is connected to the main control unit and is arranged to be set in different modes and generates a mode selection signal indicating the selected mode. The main control unit is configured to receive the mode selection signal, and depending on the selected mode, control connection of the apparatus to a plurality of networks, and direct the request to a storage area of the plurality of storage areas of the data storage unit.

Abstract: Systems and methods for passporting credentials provide a mechanism by which a native app on a client device can invoke a service provider's core web site web addresses (URL) while keeping the existing session active and shared between the two experiences (native app and web flow) so that the end user does not need to re-login at each context switch. The mechanism can include a unique way for the web flow context to communicate conditions and pass control back to the native app context of the shared session.

Abstract: A secure lock procedure for mobile devices is disclosed. The secure lock process generally includes detecting a device access attempt at a telecommunication device during a security-enabled boot sequence. The device access attempt may include a cryptographic key, which when detected, initiates a cryptographic authentication operation. The cryptographic authentication operation results in access to one or more resource of the telecommunication device being enabled, when the cryptographic key is determined to be valid, or denied, when the cryptographic key is determined to be invalid. The device access attempt may be associated with a root-level device access attempt or software flash attempt, and the secure lock procedure can be implemented in conjunction with a boot loader stored within a memory of the telecommunication device.

Abstract: An image forming apparatus is connectable to an external storage device and includes an authentication data generating section and a writing section. Upon occurrence of a prescribed event, the authentication data generating section generates authentication data and transmits the generated authentication data to a server. Once the external storage device is connected, the writing section obtains first data relating the event according to whether or not the authentication data transmitted to the server is stored in the external storage device and writes the obtained first data into the external storage device.

Abstract: A secure computing environment that prevents malicious code from “illegitimately” interacting with programs and data residing on the computing platform. While the various embodiments restrict certain programs to operate in a virtualized environment, such operation is transparent to the user from the operational point of view. Moreover, any program operating in the virtualized environment is made to believe that it has full access to all of the computing resources. To prevent a user from unknowingly or inadvertently allowing the program to adversely affect the computer, the user is also presented with “feel” that the program is able to perform all operations in the computing environment.

Abstract: A method of accepting a remote access at a target machine from a source machine may include receiving a login request at the target machine from the source machine, wherein the login request includes a user identification for the target machine. Responsive to accepting the login request, a session may be provided between the source and target machines using the user identification for the target machine. In addition, a user identification for the source machine may be received, and the user identification for the source machine may be locked at the target machine so that the user identification for the source machine is associated with target machine actions relating to the session between the source and target machines. For example, the user identification for the source machine may be received as an environment variable.

Abstract: A wearable emergency cellular device for use in a medical emergency alert situation includes an application containing synoptic medical information and other user data, a call module for mobile communication with a call center and a display for selectively controlling information displayed on the cellular device. Only the call center is able to input the synoptic medical and selected other information to the device. The cellular device is usable for emergency situations other than medical, such as for personal security at home or for mobile use. Various access methods are described using panel displays for medical or other emergency personnel to access the stored cellular device information. Initiation of user communication with the call center can be activated manually or by the user's voice. Also described are an electronic emergency call system and methods for handling an emergency alert using the emergency cellular device.

Abstract: A shared data managing device is provided which manages shared data by setting an access right on a first user account basis. The first user account has a first identifier and first user information on a first user receiving a first service. The device includes an obtaining portion for obtaining, from a service providing system for a second service, a second identifier of a second user account used for the second service and second user information on a second user; a pairing portion for making a pair of the first identifier and the second identifier of the first user account and the second user account that are common in the first user information and the second user information; and a transmission portion for sending, to the service providing system, the shared data, the pair made, and the access right on a first user account basis.

Abstract: An improved system and method for controlling access of components to industrial automation system resources by reference to the various operational states of the industrial automation system. A central access control system includes a processing circuitry, interface circuitry configured to receive information pertaining to the operational state of an automation system, memory circuitry, and a display and user interface. In operation, access to automation components are either allowed or denied based on the designation of an operational state of an automation system.

Abstract: A wearable emergency cellular device for use in a medical emergency alert situation includes an application containing synoptic medical information and other user data, a call module for mobile communication with a call center and a display for selectively controlling information displayed on the cellular device. Only the call center is able to input the synoptic medical and selected other information to the device. The cellular device is usable for emergency situations other than medical, such as for personal security at home or for mobile use. Various access methods are described using panel displays for medical or other emergency personnel to access the stored cellular device information. Initiation of user communication with the call center can be activated manually or by the user's voice. Also described are an electronic emergency call system and methods for handling an emergency alert using the emergency cellular device.

Abstract: An analytics module may be embedded into an application developed, published, or used by an entity in addition to the owner of the data under analysis. An access token may be submitted by the analytics module to a provider of hosted services. The access token may correspond to an n-dimensional cube containing data at a level of granularity permitted to the application. The access token may incorporate additional policies controlling access to the corresponding n-dimensional cube.

Abstract: A method of executing a trusted application on a trusted security zone enabled electronic device. The method comprises responsive to a trusted security subzone not being provisioned on the electronic device, generating, by a server, a temporary trust token, transmitting the temporary trust token to the electronic device, and comparing the temporary trust token with a plurality of trust tokens stored in the electronic device to determine the trustworthiness of the temporary trust token.

Abstract: In accordance with some embodiments, data may be automatically provided on preordained conditions for specific types of data. Thus specific types of data or specific requestors may be treated differently. The system may be programmed to respond appropriately to requests for certain types of data from certain types of requestors. This offloads the need to review specific requests in many cases and enables an automated system for providing requested data as appropriate.

Abstract: An example processor-implemented method for placing a graphical element on a display surface in accordance with the present disclosure is receiving an image of at least part of a display surface, detecting in the received image a token placed by a user on the display surface to specify an area on the display surface, and placing the graphical element within the area specified by the placement of the token.

Abstract: The presently disclosed invention provides for the security of a computing device in the context of a test taking environment. By securing a computing device, an individual (or group of individuals) may more effectively proctor a large examination without worrying about a test taker illicitly accessing information on their computer or via a remote source of data. Securing a computing device includes locking out or preventing access to any application not deemed necessary or appropriate by the test administrator.

Abstract: In an information processing apparatus, if the number of specific items of a plurality of setting items included in pre-registration information selected by a selection portion is equal to or less than a threshold, a change portion changes a setting content of the specific item to a content within a range of use authority. A setting screen display portion displays a setting screen for setting the specific item whose setting content has been changed by the change portion. A second display control portion displays an authentication screen if the setting content of the specific item is set on the setting screen so as to be outside the range of the use authority.

Abstract: Approaches for securing resources of a virtual machine. An application executes on a host operating system. A user instructs the application to display a file. In response, a host module executing on the host operating system instructs a guest module, executing within a virtual machine, to render the file within the virtual machine. The application displays the file using screen data which was created within the virtual machine and defines a rendered representation of the file. The user is prevented from accessing any resource of the virtual machine unrelated to the file. The virtual machine may consult policy data to determine how to perform certain user-initiated actions within the virtual machine. Examples of the file include image, a document, an email, and a web page.

Abstract: A printing control terminal apparatus, an image forming apparatus, and a method of controlling the same. The printing control terminal apparatus includes a communication interface to receive job log data from the image forming apparatus, a storage device to store the received job log data, and a controller to extract job accumulation amounts and job quantities, which belong to the same job type, from the job log data in a time order, and to determine whether the job log data has been lost based on the extracted job accumulation amounts and job quantities.

Abstract: A system, method and computer program product for providing access to private digital content are disclosed. The private digital content is owned by an owner and installed on a content server and access is provided to a first client which is capable of rendering said digital content. Predetermined information required for gaining authorized access to said content server by said first client is generated by a second client. The predetermined information is transferred from said second client to said first client then used by said first client to get access to said private digital content.

Abstract: A method for access control of an application feature to resources on a mobile computing device. An application is prepared for installation on the mobile computing device via a processor. An application permission associated with the application is identified. The application permission relates to access of resources of the mobile computing device. Restrictions associated with the application permission are determined. A set of mandatory access control rules are defined for the application permission based on the restrictions. The set of mandatory access control rules and the application permission are combined in a loadable mandatory access control policy module. The loadable mandatory access control policy module is stored in a memory of the mobile computing device, the loadable mandatory access control policy module capable of being enforced by an operating system of the mobile computing device.

Abstract: In one embodiment, a method comprises providing an apparatus having exclusive access to each of one or more central processing units (CPUs) of a computing system and exclusive access to host resources of the computing system; and controlling, by the apparatus, execution of a virtual machine in the computing system based on the apparatus controlling access to any one of the CPUs or any one of the host resources according to prescribed policies for the virtual machine, the prescribed policies maintained exclusively by the apparatus.

Abstract: Systems and methods for the sharing of information between organizations are disclosed. Policies that govern the permissions for the sharing of information are represented as Boolean functions such as Binary Decision Diagrams.

Abstract: A method and system of providing conditional access to encrypted content includes receiving unsolicited multiply encrypted video content and first decryption data over a broadcast network. Partially decrypted video content is obtained by decrypting a first layer of encryption of the encrypted video content using the first decryption data. The partially decrypted video content is stored. A request for viewing the encrypted video content is transmitted and second decryption data is received. A second layer of encryption of the encrypted video content is decrypted using the second decryption data.

Abstract: The variable domain data access control system and method described herein use the same variable domain to describe a data security model and a variable domain data model, such as a product configuration model. A variable domain is a set of resource data that can be described using a logical relationship data structure. The variable domain utilizes logical relationship expressions, such as a Boolean logic language, to define resource data in terms of parts, rules and/or attributes, and any other property that can be accessed for viewing, manipulation, or other purposes. The data security model represents an access control list (ACL) that includes security attributes as resource data and uses the same data structure and logical relationship expressions as an associated variable domain data model. An application, such as a configuration engine, can be used to create controlled access to the variable domain data model using the data security model.

Abstract: An access rights management system is presented in which a mobile device may be allowed to access corporately held data in a flexible manner but in which the security and integrity of the data is maintained. The mobile device is provided with a rights adjustment module which modifies the access rights for locally stored corporate data in dependence on the connectivity of the mobile device with a corporate server.

Abstract: A web browser that includes a network policy enforcement unit, a storage policy enforcement unit, and an ancillary policy enforcement unit is disclosed. The network policy enforcement unit controls communications between application logic of a web application and data communication APIs. The storage policy enforcement unit controls access between the web application logic and persistent storage APIs. The ancillary policy enforcement unit controls user authentication of the web application logic.

Abstract: Real-time access by a requestor to surveillance video is conditionally pre-authorized dependent on the existence of at least one pre-specified automatically detectable condition, and recorded in a data processing system. A requestor subsequently requests real-time access to the surveillance video (e.g., as a result of an alarm), and if the pre-specified automatically detectable condition is met, access is automatically granted, i.e., without the need for manual intervention. An automatically detectable condition could, e.g., be an alarm condition detected by a sensor at the site of the video surveillance. Alternatively, it could be a locational proximity of the requestor to the site of the video surveillance. Alternatively, it could be a previously defined time interval.

Abstract: Various embodiments described herein relate to apparatus for executing software in a secure computing environment. A secure processor can be used and configured to request a context swap from a first context to a second context when switching execution from a first portion of software to a second portion of software. A context manager, which can be in communication with the secure processor, can be configured to receive and initiate a requested context swap. A trust vector verifier, which can be in communication with the secure processor and the context manager, can be configured to load a trust vector descriptor upon command from a context manager.

Abstract: In an information processing apparatus and a method of controlling the same, settings for prohibiting an access to a removable medium is performed, and even if the setting is set, the access to the removable medium is permitted in a case where the information processing apparatus is activated in the maintenance mode.

Abstract: Embodiments of the subject invention relate to systems and methods for presenting and managing user information. Specific embodiments allow creating, editing, presenting, and storing user information. In a more specific embodiment, the systems and methods can be used to provide a digital safe deposit box (DSDB) that allows users to save, maintain, update, and/or share information about themselves and/or their organization. Specific embodiments provide a personal financial solution that is designed for customers interacting with professional institutions, such as accounting firms, banks, and insurance agencies, and/or interacting with family members and people that may need to access certain documents. Embodiments of the invention provide individuals, based on permission granted/allocated to them, access to specific information, while providing safety from fraud.

Abstract: An electronic device includes: display controller; user presence determination module; user authentication module; and controller. The user presence determination module determines presence of a user based on image data received from the camera while dominating access to a camera. The user authentication module dominates access to the camera, if the display is put in a screen lock state and to perform a user authentication based on the image data. The controller turns off the display if the user present determination module determines that the user is absent and while the display has not been put in the screen lock state, and to cause the user presence determination module to release the access to the camera and to put the display in the screen lock state before turning on the display if it is determined after the display is turned off that the user is present.

Abstract: An image forming includes a predetermined-act acquisition unit, an output control unit, and an image forming unit. The predetermined-act acquisition unit is configured to obtain a predetermined act by a user. The output control unit is configured to: output a page of print data where a security has not been set up among pages of the print data where the security has been set up in page units, and permit output of a page of the print data where the security has been set up if the predetermined act has been obtained by the predetermined act acquisition unit within a predetermined standby time. The image forming unit is configured to print a page for which the output has been permitted by the output control unit.

Abstract: A method and computer program product for managing and controlling direct access of an administrator to a computer system. At least one computer program on the computer system receives from the administrator a request for the direct access to the managed computer system directly from the system console and requests a service management system to search open tickets. In response to that the open tickets are found, the at least one computer program requests the administrator to choose at least one ticket from the open tickets and grants the administrator the direct access to the computer system in response to determining that the at least one ticket is valid.

Abstract: According to an embodiment, there is provided is an information processing apparatus including: a storage unit that stores therein information, which is set for a screen to be displayed on an information display unit, as to whether or not to permit an external input device to enter data to the information processing apparatus, and information as to whether or not to permit data entered from an external input device; an external-input-unit control unit that controls data entry to the screen from an external input device by utilizing information about a type of the external input unit and the information as to whether or not to permit the external input unit to enter data; and an input-key control unit that controls the data entry permitted by the external-input-unit control unit by consulting the information as to whether or not to permit data entered from the external input unit.

Abstract: Employment role data, trust data, and special permissions data, associated with a party is automatically obtained and/or monitored. The employment role data associated with the party, the trust data associated with the party, and the special permissions data associated with the party, is then analyzed to determine a set of allowed access permissions data to be associated with the party, the set of allowed access permissions data providing the party access to one or more resources. It is then either recommended that the set of allowed access permissions data be provided to the party, or the set of allowed access permissions data is automatically provided to the party.

Abstract: The disclosure relates to an electric tool, particularly a hand-held power tool, comprising a control unit which has control software with control parameters, and is provided for the purpose of controlling a drive unit. According to the disclosure, said electric tool comprises an interface unit that is provided to fundamentally update and/or modify the control software and/or the control parameters.

Abstract: In order that even a wireless terminal whose an unique ID is not registered in the filter list can use simply the access point without a prior setting task by user, a communication device includes access point means, filtering disabling means, unique ID registration means and filtering enabling means. The access point means connects a wireless terminal with at least one of a lower network and an upper network. The filtering disabling means disables a filtering which prevents connecting with an unregistered wireless terminal whose an unique ID is not registered in a filter list. The unique ID registration means acquires the unique ID of the wireless terminal and registers the acquired unique ID in the filter list, upon a state where the filtering is disabling, if a connection request is received from the wireless terminal. The filtering enabling means enables the filtering after the unique ID of the wireless terminal is registered in the filter list.

Abstract: The invention is directed to systems and methods for detecting the loss, theft or unauthorized use of a device and/or altering the functionality of the device in response. In one embodiment, a device monitors its use, its local environment, and/or its operating context to determine that the device is no longer within the control of an authorized user. The device may receive communications or generate an internal signal altering its functionality, such as instructing the device to enter a restricted use mode, a surveillance mode, to provide instructions to return the device and/or to prevent unauthorized use or unauthorized access to data. Additional embodiments also address methods and systems for gathering forensic data regarding an unauthorized user to assist in locating the unauthorized user and/or the device.