Authorization Patents (Class 726/21)
  • Patent number: 8763097
    Abstract: Systems and methods of authentication according to the invention are provided comprising a user, a service client, a service server, a portable communications device and an authentication server, wherein the method comprises use of one time passwords and out-of-band outbound communication channels. This system gives access to authentication seekers based on an OTP out-of-band outbound authentication mechanism. The authentication seeker or system user scans a multi-dimensional barcode or another like encoding mechanism and validates the client and triggers the out-of-band outbound mechanism. The portable mobile device invokes the client server to request authentication. The client server authenticates the user based on a shared secret key and the user is automatically traversed to the next page.
    Type: Grant
    Filed: March 8, 2012
    Date of Patent: June 24, 2014
    Inventors: Piyush Bhatnagar, Sridnar Reddy
  • Publication number: 20140173720
    Abstract: Methods and systems are provided for turning on and off features at run time. The method includes providing a unique enabling predicate (e.g., an “if enabled” statement) for one or more executable features (blocks of code), configuring a permissions library, and caching the configured permissions library. The method further includes interrogating the cache with the first “if enabled” predicate, executing the block of code (feature) if the cache yields “true” for the requesting user, and not executing the code block if the cache yields “false” for the requesting user.
    Type: Application
    Filed: October 11, 2013
    Publication date: June 19, 2014
    Applicant: salesforce.com, inc.
    Inventors: Samarpan Jain, Reuben Cornel
  • Publication number: 20140173721
    Abstract: A method performed on a device includes receiving, from a user, a finger-touch-initiated request for access to a layer of a multi-layer application on the device, the multi-layer application having a plurality of user interface layers. The method may also include identifying a finger of the user used to provide the finger-touch-initiated request, the finger associated with one of the layers of the multi-layer application. The layer associated with the identified finger of the user may be operated on. Each finger of the user can be associated with a different layer of the multi-layer application. Fingerprints can be used to differentiate each finger and/or to identify the user by fingerprint recognition techniques. Fingerprints can be used to vary the access parameters of a layer of the application and/or to provide security levels for accessing the layers of the multi-layer application.
    Type: Application
    Filed: August 9, 2011
    Publication date: June 19, 2014
    Applicant: BLACKBERRY LIMITED
    Inventors: Michael Shenfield, Arnold Sheynman
  • Patent number: 8756681
    Abstract: A hybrid system is provided. The system includes a computing device implementing a first application execution environment (AEE) and a second AEE. The first AEE is configured to be isolated from the second AEE. The first software application associated with the first AEE is configured to be processed on the first AEE such that the first software application is denied direct access to the second AEE. A second software application associated with the second AEE is configured to be processed on the second AEE such that the second software application is denied direct access to the first AEE.
    Type: Grant
    Filed: December 30, 2011
    Date of Patent: June 17, 2014
    Assignee: Oracle International Corporation
    Inventors: Nedim Fresko, Richard D. Tuck, Dean R. E. Long
  • Publication number: 20140165188
    Abstract: In an embodiment of the invention, wherein users must be able to access a computer system to perform respective functions, initial data is acquired from data sources, some of the initial data pertaining to previously granted system access rights. The initial data is used to create a crowdsourcing task, which is executed to acquire crowdsourced data from SMEs in an SME population, wherein the crowdsourced data comprises additional data pertaining to previously granted system access. The crowdsourced data is used to create a set of role definitions, wherein the role definitions determine which of the users are assigned to be members of a particular role associated with the system, and further determine the access rights that are granted to each member of the particular role.
    Type: Application
    Filed: December 11, 2012
    Publication date: June 12, 2014
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Christopher J. Giblin, Milton H. Hernandez, Sriram K. Rajagopal, Maja Vukovic
  • Patent number: 8751233
    Abstract: A speaker-verification digital signature system is disclosed that provides greater confidence in communications having digital signatures because a signing party may be prompted to speak a text-phrase that may be different for each digital signature, thus making it difficult for anyone other than the legitimate signing party to provide a valid signature.
    Type: Grant
    Filed: July 31, 2012
    Date of Patent: June 10, 2014
    Assignee: AT&T Intellectual Property II, L.P.
    Inventors: Pradeep K. Bansal, Lee Begeja, Carroll W. Creswell, Jeffrey Farah, Benjamin J. Stern, Jay Wilpon
  • Patent number: 8752166
    Abstract: Various methods and systems include exemplary implementations for a security-activated operational component. Possible embodiments include but are not limited to obtaining access to an object data file configured to implement various functional operations regarding one or more objects; verifying validity of an authorization code associated with the object data file; and controlling operation of the operational component to enable or prevent its activation pursuant to the authorization code in accordance with one or more predetermined conditions.
    Type: Grant
    Filed: October 9, 2008
    Date of Patent: June 10, 2014
    Assignee: The Invention Science Fund I, LLC
    Inventors: Edward K. Y. Jung, Royce A. Levien, Robert W. Lord, Mark A. Malamud, John D. Rinaldo, Jr., Clarence T. Tegreene, Lowell L. Wood, Jr.
  • Patent number: 8752163
    Abstract: A method for authorizing a program sequence provides, despite centralization and the associated high latency and optionally faulty communication, an undisturbed program sequence accompanied by protection of base functionalities. Data of the program sequence may be maintained in various provided states, and at least one instruction of the program sequence which accesses the data is maintained in different, functionally equivalent implementations. The set of the state indices of the provided states and the multiset form a directed acyclic (multi)graph, wherein the provided states form the nodes, and the implementations of the instruction form the edges and/or multiple edges, of the graph.
    Type: Grant
    Filed: April 13, 2012
    Date of Patent: June 10, 2014
    Assignee: Steinberg Media Technologies GmbH
    Inventors: Almar Kaid, Bernd Peeters, Thomas Rogowski
  • Patent number: 8751816
    Abstract: A method and system for providing recording device privileges through biometric assessment are disclosed herein. An embodiment of the method includes monitoring information associated with a recording device. The information includes a recording device location, dynamic biometric data, knowledge data, and recording device identification data. From the monitored information, an identity of a then-current user of the recording device is determined. An authorization level for the then-current user is determined, and recording device access privileges are dynamically adjusted based on the determined authorization level.
    Type: Grant
    Filed: October 22, 2008
    Date of Patent: June 10, 2014
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Steven J. Simske, Daniel R. Blakley
  • Patent number: 8752168
    Abstract: Provided is a non-transitory computer readable medium storing an access rights update program causing a computer to be executed as: an acquisition unit that acquires access rights update information, which includes information specifying an object of personnel changes, a type of personnel changes, a changed organization, a delegate of access rights for a storage unit that stores a document, and an effective period of the access rights, before the personnel changes; a search unit that searches for the storage unit, for which access rights information including the effective period of the access rights is set and which needs to be updated, on the basis of the acquired access rights update information; and an update unit that updates the access rights information, which is set for the searched storage unit, before the personnel changes on the basis of the acquired access rights update information.
    Type: Grant
    Filed: October 3, 2012
    Date of Patent: June 10, 2014
    Assignee: Fuji Xerox Co., Ltd.
    Inventor: Yasumasa Itakura
  • Patent number: 8752167
    Abstract: A content management device, includes: a folder level access control information storage unit configured to store folder level access control information indicating access rights of a user to a folder where content is stored; an access control unit configured to acquire content level access control information indicating access rights of a user to content, from a predetermined content level access control unit; and a user interface configured to output display data for displaying a hierarchical structure between at least one folder and at least one content stored in the at least one folder, along with information indicating whether or not an inconsistency has occurred in access rights between the folder level access control information of the at least one folder and the content level access control information of the content stored in the at least one folder.
    Type: Grant
    Filed: July 1, 2011
    Date of Patent: June 10, 2014
    Assignee: NEC Corporation
    Inventor: Yiyi Jin
  • Patent number: 8751394
    Abstract: As individuals increasingly engage in different types of transactions they face a growing threat from, possibly among other things, identity theft, financial fraud, information misuse, etc. and the serious consequences or repercussions of same. Leveraging the ubiquitous nature of wireless devices and the popularity of (SMS, MMS, etc.) messaging, an infrastructure is provided that enhances the security of the different types of transactions within which a wireless device user may participate. The infrastructure may optionally leverage the capabilities of a centrally-located Messaging Inter-Carrier Vendor.
    Type: Grant
    Filed: November 24, 2008
    Date of Patent: June 10, 2014
    Assignee: Sybase 365, Inc.
    Inventors: William H. Dudley, Marc R. Landrum, Robert C. Lovell, Jr.
  • Patent number: 8752165
    Abstract: A method and apparatus for generating provisioning data to provision a device are described. A provisioning bundle is validated according to a relationship between a configuration and a bundle sequence number identifying the provisioning bundle. A provisioning request includes a device hardware identifier identifying the device. An authorization for the provisioning request is determined for generating provisioning data including the provisioning bundle personalized by the device hardware identifier for the device.
    Type: Grant
    Filed: August 29, 2008
    Date of Patent: June 10, 2014
    Assignee: Apple Inc.
    Inventors: Jerry Hauck, Michael Lambertus Hubertus Brouwer
  • Patent number: 8745729
    Abstract: Spammers, and other abusers of web services, may be deterred in their attempts to sign up for these services at large scale by making changes to the service registration procedure, where the changes are designed to break the spammer's infrastructure. In one example, a procedure to register for a web service involves presenting a Human Interaction Proof (HIP, or “captcha”) to the user, and gating access to the service upon receipt of a correct solution. If spammers use botnets and/or image capture techniques to initiate registration processes and to transport the HIPs to human or automated solvers, then the registration procedure can be changed in a way that is incompatible with capturing these images, or in a way that is incompatible with receiving HIP solutions from someplace other than the location at which registration was initiated.
    Type: Grant
    Filed: June 22, 2010
    Date of Patent: June 3, 2014
    Assignee: Microsoft Corporation
    Inventors: Ravi Kiran R. Poluri, Weisheng Li, Usman A. Shami, Wei-Quiang Michael Guo
  • Patent number: 8745384
    Abstract: Techniques are provided for securely storing data files in, or retrieving data files from, cloud storage. A data file transmitted to cloud storage from a client in an enterprise computing environment is intercepted by at least one network device. Using security information received from a management server, the data file is converted into an encrypted object configured to remain encrypted while at rest in the cloud storage.
    Type: Grant
    Filed: August 11, 2011
    Date of Patent: June 3, 2014
    Assignee: Cisco Technology, Inc.
    Inventors: Andrew Persaud, Kavitha Kamarthy, Shree Murthy, Scott Fanning, David A. McGrew, Thirunavukkarasu Suresh
  • Patent number: 8745730
    Abstract: A networked computer device can be customized to contain provisioning and/or authorization logic in its firmware or the firmware of one of its subcomponents. The computer device is thus configured to provision itself from a provisioning server that is identified within the firmware, and to periodically query an operations authority for continued authorization to operate with the received provisioning. Upon failure to receive authorization, the firmware may implement various security measures, such as storage protection, boot protection, communications protection, and so forth. The firmware may also implement remote reporting, to assist an investigator when a device has been lost or stolen.
    Type: Grant
    Filed: September 13, 2011
    Date of Patent: June 3, 2014
    Assignee: Amazon Technologies, Inc.
    Inventor: Timothy C. Worsley
  • Patent number: 8745738
    Abstract: Trusted user accounts of an application provider are determined. Graphs, such as trees, are created with each node corresponding to a trusted account. Each of the nodes is associated with a vouching quota, or the nodes may share a vouching quota. Untrusted user accounts are determined. For each of these untrusted accounts, a trusted user account that has a social networking relationship is determined. If the node corresponding to the trusted user account has enough vouching quota to vouch for the untrusted user account, then the quota is debited, a node is added for the untrusted user account to the graph, and the untrusted user account is vouched for. If not, available vouching quota may be borrowed from other nodes in the graph.
    Type: Grant
    Filed: January 15, 2012
    Date of Patent: June 3, 2014
    Assignee: Microsoft Corporation
    Inventors: Yinglian Xie, Fang Yu, Qifa Ke, Martin Abadi, Eliot C. Gillum, Krishna Vitaldevara, Jason D. Walter
  • Patent number: 8745714
    Abstract: The mock tool can be configured to create a mock execution environment for supporting software development processes. The mock execution environment is isolated from resources of the computing system supporting the mock execution environment and other mock execution environments. Further, the mock execution environment can be created to simulate disabling of any features of the operating system supporting the mock execution environment that could cause problems in the software development process.
    Type: Grant
    Filed: December 22, 2010
    Date of Patent: June 3, 2014
    Assignee: Red Hat, Inc.
    Inventors: Daniel J. Walsh, Jason Greguske
  • Patent number: 8745701
    Abstract: Distributed Management Task Force (DMTF) management profiles, based on the Common Information Model (CIM) protocol, may be utilized to perform access authentication during opaque management data profile operations based on DMTF/CIM Role Based Authorization (RBA) profile and/or Simple Identity Management (SIM) profiles. Instances of CIM_Identity class may be utilized to enable validation of ownership and/or access rights, via instances of CIM_Role class and/or instances of CIM_Privilege class for a plurality of common users and/or applications. Quota related operations may be performed via “QuotaAffectsElement” associations between instances of CIM_Identity class and instances of the CIM_OpaqueManagementDataService class. The “QuotaAffectsElement” association may comprise “AllocationQuota” and/or “AllocatedBytes” properties to enable tracking and/or validating of quota related information within the opaque management data profile.
    Type: Grant
    Filed: January 7, 2013
    Date of Patent: June 3, 2014
    Assignee: Broadcom Corporation
    Inventors: Murali Rajagopal, Hemal Shah
  • Publication number: 20140150093
    Abstract: An electronic module that includes means for determining an operating system targeted by a message received by a transmitter-receiver of an electronic device, from among at least a Rich-OS operating system and a trusted operating system executed on a chipset of the electronic device, so that the message becomes accessible to the targeted operating system. The determining means may be set in operation in response to receipt of the message by the transmitter-receiver.
    Type: Application
    Filed: November 26, 2013
    Publication date: May 29, 2014
    Applicant: OBERTHUR TECHNOLOGIES
    Inventor: Nicolas Bousquet
  • Patent number: 8737989
    Abstract: Methods and apparatus enabling a wireless network to provide differentiated services to a machine-to-machine (M2M) client. In one embodiment, the wireless network comprises a UMTS network, and the Home Location Register (HLR) entity identifies subscriptions as machine-to-machine (M2M) enabled devices based on flags or other descriptors associated with each M2M device, and imposes one or more rule sets (e.g., service restrictions) based on this identification. The classification of M2M devices within the HLR may optionally include additional capability or profile data for the M2M device (e.g. static, low mobility, low data activity, etc.). Various other network entities may use the M2M identification to modify the delivered data service, so as to optimize network resources. Furthermore, monitoring of M2M client behavior can be used to detect and notify the network operator of abnormal, fraudulent, or malicious activity. Business methods utilizing the aforementioned methods and apparatus are also disclosed.
    Type: Grant
    Filed: August 29, 2008
    Date of Patent: May 27, 2014
    Assignee: Apple Inc.
    Inventor: Achim Luft
  • Patent number: 8739274
    Abstract: A device that implements a method for performing integrated caching in a data communication network. The device is configured to receive a packet from a client over the data communication network, wherein the packet includes a request for an object. At the operating system/kernel level of the device, one or more of decryption processing of the packet, authentication and/or authorization of the client, and decompression of the request occurs prior to and integrated with caching operations. The caching operations include determining if the object resides within a cache, serving the request from the cache in response to a determination that the object is stored within the cache, and sending the request to a server in response to a determination that the object is not stored within the cache.
    Type: Grant
    Filed: June 29, 2005
    Date of Patent: May 27, 2014
    Assignee: Citrix Systems, Inc.
    Inventors: Prakash Khemani, Prabakar Sundarrajan, Lakshmi Kumar, Kailash Kailash, Ajay Soni, Rajiv Sinha, Saravanakumar Annamalaisami
  • Patent number: 8739303
    Abstract: A browser is requested to display a text file having a description of a screen structure. The state information on a current state of the embedded device is acquired. An access request for requesting the browser to update, with the acquired state information, a value of at least one node in a document object model (DOM) tree generated from the text file by the browser, is submitted by a state display control program. The at least one node is recorded in an access history list. At a subsequent time, it is determined whether to permit a subsequent access request. If the source of the subsequent access request is not the state display control program, and the at least one node is recorded in the access history list, the subsequent access request is denied.
    Type: Grant
    Filed: May 4, 2012
    Date of Patent: May 27, 2014
    Assignee: International Business Machines Corporation
    Inventors: Takashi Ashida, Kenichi Satoh, Hiroyuki Tanaka
  • Patent number: 8739275
    Abstract: A computationally implemented method includes, but is not limited to: determining that a computing device that was presenting one or more portions of one or more items and that was in possession of a first user has been transferred from the first user to a second user; and marking, in response to said determining, the one or more portions of the one or more items to facilitate the computing device in returning to the one or more portions upon the computing device being at least transferred back to the first user. In addition to the foregoing, other method aspects are described in the claims, drawings, and text forming a part of the present disclosure.
    Type: Grant
    Filed: December 8, 2011
    Date of Patent: May 27, 2014
    Assignee: Elwha LLC
    Inventors: Royce A. Levien, Richard T. Lord, Robert W. Lord, Mark A. Malamud, John D. Rinaldo, Jr., Clarence T. Tegreene
  • Patent number: 8739292
    Abstract: A machine implemented method includes storing a first data representing a prior exception to a first trust failure (e.g., expired certificate). The prior exception may be stored as part of establishing a first communication with a data processing system (e.g., a handheld device). The first communication may not be trustworthy. The method may determine, as part of establishing a second communication with the data processing system, that a second trust failure has occurred. The second trust failure (e.g., revoked certificate) indicates that the second communication may not be trustworthy. The method may determine whether the prior exception applies to the second trust failure. If the prior exception does not apply, the data processing system determines, automatically, whether to create a new exception for the second trust failure.
    Type: Grant
    Filed: December 31, 2008
    Date of Patent: May 27, 2014
    Assignee: Apple Inc.
    Inventors: Mitchell D. Adler, Michael Lambertus Hubertus Brouwer, Conrad Sauerwald
  • Patent number: 8739270
    Abstract: The methods and systems of the present disclosure provide a high assurance means for multiple legacy communication (e.g., Mil-Std-1553 communications protocol) system users and/or devices and multiple IP based network users and/or devices to seamlessly, and in real time, share information across various security domains. Specifically, the system enables multiple legacy communication system protocols and interfaces to communicate with existing IP interfaces and protocols with a high degree of trust. The system includes a configurable filtering capability to allow for the data to be inspected prior to being passed from one security domain to another security domain.
    Type: Grant
    Filed: April 19, 2011
    Date of Patent: May 27, 2014
    Assignee: The Boeing Company
    Inventor: Steven L. Arnold
  • Patent number: 8729922
    Abstract: Methods and apparatuses for enforcing terms of a licensing agreement between a plurality of parties involved in a particular hardware design through the use of hardware technologies. According to one embodiment, a hardware sub-design includes a license verification sub-design that is protected from user modification by encryption. In one embodiment, a license is generated based on a trusted host identifier within an external hardware device. In one embodiment, each trusted host identifier is unique, and no two integrated circuits share the same trusted host identifier. In another embodiment, the integrated circuit is a field programmable gate array or an application specific integrated circuit. In one embodiment, a license determines how long the hardware sub-design will operate when the hardware sub-design is implemented within an integrated circuit having a trusted host identifier.
    Type: Grant
    Filed: July 11, 2011
    Date of Patent: May 20, 2014
    Assignee: Synopsys, Inc.
    Inventor: Kenneth S. McElvain
  • Patent number: 8732810
    Abstract: A persistent connection is used for real-time or near real-time data transfer from a push platform on a network to a mobile station. To establish and maintain the persistent connection between the mobile station and push platform on the network, various protocols are defined over a packet connection between the mobile station and push platform. The real-time or near real-time data is pushed or sent by the push platform to the mobile station, as the data becomes available from a data source. In particular, heartbeat messages are used to determine whether or not the persistent connection is alive and available for real-time or near real-time data transfer. When the persistent connection is lost, the mobile station uses a retry connection scheme based on the number of connection attempts made by the mobile station for establishing a new persistent connection to the push platform.
    Type: Grant
    Filed: October 27, 2011
    Date of Patent: May 20, 2014
    Assignee: Cellco Partnership
    Inventors: Venkat Gaddam, Shahid Ahmed, Sankar Shanmugam, SM Masudur Rahman, William Cory Hawkins
  • Patent number: 8732475
    Abstract: Systems and methods are described that relate to authentication and/or binding of multiple devices with varying security profiles. In one aspect, a first device with a higher security profile may vouch for the authenticity of a second device with a lower security profile when the second device requests access for content from a content provider. The vouching process may be implemented by allowing the first device to overlay its digital signature on a registration request that has been signed and transmitted by the second device. The second device with the lower security profile may access content from the content provider or source for a predetermined time period, even when the second device does not access content through the first device.
    Type: Grant
    Filed: August 17, 2011
    Date of Patent: May 20, 2014
    Assignee: Comcast Cable Communication, LLC
    Inventors: James W. Fahrny, Kyong Park
  • Patent number: 8732847
    Abstract: Techniques are provided for access control in a system. A request is received for checking whether a subject has a privilege for a resource. A security class that defines a plurality of privileges that include the requested privilege is determined. One or more access control lists have been configured for the security class. The one or more access control lists comprise one or more access control entries. Each of the one or more access control entries defines whether one or more subjects have been granted or denied zero, one or more of the plurality of privileges defined in the security class. Based on the access control lists configured for the security class, it is determined whether the subject should be granted the privilege for the requested resource.
    Type: Grant
    Filed: August 31, 2009
    Date of Patent: May 20, 2014
    Assignee: Oracle International Corporation
    Inventors: Thomas Keefe, Tanvir Ahmed, Vikram Pesati, Roger Wigenstam
  • Patent number: 8732795
    Abstract: A computer-implemented authentication method is described. The method includes the steps of (a) receiving an authentication request at an authentication computing system, the request including a resource identifier, (b) identifying one or more authentication pools associated with the resource identifier, each authentication pool including at least one authentication method implementation, (c) executing a pool authentication process for the one or more identified authentication pools, and (d) transmitting a response to the identification authentication request based on the execution of the pool authentication process for the one or more identified authentication pools.
    Type: Grant
    Filed: May 19, 2011
    Date of Patent: May 20, 2014
    Assignee: Epic Systems Corporation
    Inventors: Trent N. Skeel, Eric W. Cooper, Travis Keshav
  • Patent number: 8732304
    Abstract: A computer-implemented method and system identifies whether web content stored in a repository deviates from authentic web content being web content that is approved by authorized personnel of the web content prior to serving to a client requesting the web content. Web communications to the repository are monitored and web content is intercepted and analyzed in a safe environment for establishing that the web content conforms to a predetermined standard. If not, a web host serving the web content is alerted. In one embodiment, the web content is intercepted and analyzed prior to serving to the client and is served to the client only if either authenticated or after suitable modification to render it acceptable.
    Type: Grant
    Filed: January 6, 2012
    Date of Patent: May 20, 2014
    Assignee: Foresight Information Security Technologies Ltd.
    Inventors: Israel Ragutski, Nimrod Luria
  • Patent number: 8732823
    Abstract: A nondestructive testing apparatus includes a display section and a storage section which stores predetermined executable functions. Each of the predetermined functions is initially set to one of a permitted state and a disabled state, and one of a display state and a non-display state on the display section. In an initial state, at least one of the predetermined functions is set to the disabled state and the non-display state. The nondestructive testing apparatus can receive permission information which unlocks at least one of the predetermined functions initially set to the disabled state so as to be set to the permitted state, and unlocks at least one of the predetermined functions initially set in the non-display state so as to be in the display state. The apparatus displays an operation icon only with respect to all of the predetermined functions set to the display state.
    Type: Grant
    Filed: November 18, 2010
    Date of Patent: May 20, 2014
    Assignee: Olympus Corporation
    Inventors: Masayoshi Yokota, Sumito Nakano
  • Publication number: 20140137237
    Abstract: A single system image is provided for a parallel data warehouse system by exposing a shell database within a database management system comprising metadata and statistics regarding externally stored data. Further, functionality of the database management system can be exploited to perform pre-execution tasks. In one instance, one or more execution plans can be generated by the database management system for an input command and subsequently employed to generate a distributed execution plan.
    Type: Application
    Filed: November 15, 2012
    Publication date: May 15, 2014
    Applicant: MICROSOFT CORPORATION
    Inventors: Eric R. Robinson, Alan D. Halverson, Rimma V. Nehme, Srinath Shankar
  • Patent number: 8726019
    Abstract: In a communication system in which two communication entities seek to have a private or confidential communication session, a trust relationship needs first to be established. The trust relationship is based on the determination of a shared secret which in turn is generated from contextual information. The contextual information can be derived from the circumstances surrounding the communication session. For example, the contextual information can include topological information, time-based information, and transactional information. The shared secret may be self-generated or received from a third party. In either event, the shared secret may be used as key material for any cryptographic protocol used between the communication entities.
    Type: Grant
    Filed: February 10, 2006
    Date of Patent: May 13, 2014
    Assignee: QUALCOMM Incorporated
    Inventors: Michael Paddon, Gregory Gordon Rose, James Semple, Philip Michael Hawkes
  • Patent number: 8726354
    Abstract: Rather than defining roles in terms of those resources and/or actions pertaining to the resources that are permitted to subjects having that role, it has been found that by instead defining a role by negative permissions, i.e. those resources and/or actions related thereto that are not permitted to subjects in that role, the evolution of a system is more convenient to manage. In this way, the system is only required to track and update the denied resources for particular roles. It has also been recognized that by defining a role in terms of negative permissions, i.e. what subjects in that role cannot do, malicious users can be thwarted from creating false user accounts since selecting functions associated with the resources takes permissions away rather than adds them.
    Type: Grant
    Filed: July 15, 2011
    Date of Patent: May 13, 2014
    Assignee: Blackberry Limited
    Inventors: Iulian Vlasov, Punipriya Misri, Dev Doongoor, Mee Tchin Jane John Chuan
  • Patent number: 8725649
    Abstract: A system and method encrypt a license file associated with computer software using a private key. The license file includes one or more license keys, and each license key is associated with a feature of the computer software. The license file associated with the computer software is decrypted at runtime using a public key. A module determines whether a user is permitted to execute the computer software. The module is authenticated by one or more of a determination of whether a hash code included within the module matches a hash code generated by a user of the computer software at run time of the computer software, and an encryption of the module prior to run time of the computer software using the private key and a decryption of the module at run time of the computer software using the public key.
    Type: Grant
    Filed: December 8, 2011
    Date of Patent: May 13, 2014
    Assignee: Raytheon Company
    Inventor: Zhen-Qi Gan
  • Patent number: 8726170
    Abstract: A communication is initiated between a first user and a second user via a collaboration channel. Thereafter, an identification of the second user relating to the collaboration channel is associated with a business entity (also referred to sometimes as a business partner). A service is automatically initiated that retrieves contextual information associated with the business entity in response to the initiation of the communication. A scope of the retrieved contextual information is based on a business partner type for the business entity. Subsequently, the first user is presented with at least a portion of the retrieved contextual information concurrently with the communication between the first user and the second user via the collaboration channel. Related apparatus, systems, techniques and articles are also described.
    Type: Grant
    Filed: October 30, 2008
    Date of Patent: May 13, 2014
    Assignee: SAP AG
    Inventors: Marc De Gibon, Christelle Scott
  • Patent number: 8726340
    Abstract: According to one embodiment, an apparatus may store at least one subject token associated with a user and a device, at least one resource token associated with the resource, and at least one network token associated with a network. The apparatus may determine various access values associated with these stored tokens. The apparatus may then determine the value of a first access value based on the values of these various access values. The apparatus may determine that the value of the first access value is insufficient to grant access to the resource and determine that access by at least one of the user and the device to the resource over the network should be denied.
    Type: Grant
    Filed: May 24, 2012
    Date of Patent: May 13, 2014
    Assignee: Bank of America Corporation
    Inventor: Rakesh Radhakrishnan
  • Patent number: 8726361
    Abstract: According to one embodiment, an apparatus may store a plurality of tokens associated with a session. The session may facilitate access to a resource by a user. The session may be identified by a session token. The apparatus may determine, based on a token-based rule, a second plurality of tokens required to facilitate determination of a risk token. The risk token may be used to facilitate determination of an access decision to the resource. The apparatus may determine that the plurality of tokens comprises the second plurality of tokens and generate a dataset token that represents the plurality of tokens. The apparatus may then communicate the dataset token to facilitate the generation of the risk token. The apparatus may receive the risk token and correlate it with the session token to facilitate determination of the access decision.
    Type: Grant
    Filed: August 15, 2011
    Date of Patent: May 13, 2014
    Assignee: Bank of America Corporation
    Inventor: Rakesh Radhakrishnan
  • Patent number: 8726366
    Abstract: A computationally implemented method includes, but is not limited to: determining which of a plurality of users detected in proximate vicinity of a computing device has primary control of the computing device, the computing device designed for presenting one or more items; ascertaining one or more particular formats for formatting the one or more items based, at least in part, on said determining; and presenting, via the computing device, the one or more items in the one or more particular formats. In addition to the foregoing, other method aspects are described in the claims, drawings, and text forming a part of the present disclosure.
    Type: Grant
    Filed: November 29, 2011
    Date of Patent: May 13, 2014
    Assignee: Elwha LLC
    Inventors: Royce A. Levien, Richard T. Lord, Robert W. Lord, Mark A. Malamud, John D. Rinaldo, Jr., Clarence T. Tegreene
  • Patent number: 8726346
    Abstract: Methods, apparatuses and storage medium associated with securely provisioning a digital content protection scheme are disclosed. In various embodiments, a method may include forming a trust relationship between a media application within an application execution environment of a device and a security controller of the device. The application execution environment may include an operating system, and the operating system may control resources within the application execution environment. Additionally, the security controller may be outside the application execution environment, enabling components of the security controller to be secured from components of the operating system. Further, the method may include the security controller in enabling a digital content protection scheme for the media application to provide digital content to a digital content protection enabled transmitter within the application execution environment for provision to a digital content protection enabled receiver.
    Type: Grant
    Filed: October 23, 2012
    Date of Patent: May 13, 2014
    Assignee: Intel Corporation
    Inventors: Changliang Wang, Periyakaruppan Kumaran Kalaiyappan, Xiaoyu Ruan, Radhakrishnan Venkataraman, Scott Janus, Tze Sen Fung
  • Patent number: 8719907
    Abstract: A computerized authorization system configured to authorize electronically-made requests to an electronic entity. The computerized authorization system comprises a store configured to store an indication of at least one predetermined electronic authorization device configured to authorize each electronically-made request. The computerized authorization system is further configured such that: in response to receiving an electronically-made request to the electronic entity, an indication of the request is output to the at least one predetermined electronic authorization device configured to authorize the request as indicated in the store; and in response to receiving an indication of authorization from the at least one predetermined electronic authorization device, an indication of authorization of the request is output to the electronic entity.
    Type: Grant
    Filed: May 11, 2012
    Date of Patent: May 6, 2014
    Inventor: Gary Martin Shannon
  • Patent number: 8719592
    Abstract: A telematics system that includes a security controller is provided. The security controller is responsible for ensuring secure access to and controlled use of resources in the vehicle. The security measures relied on by the security controller can be based on digital certificates that grant rights to certificate holders, e.g., application developers. In the case in which applications are to be used with vehicle resources, procedures are implemented to make sure that certified applications do not jeopardize vehicle resources' security and vehicle users' safety. Relationships among interested entities are established to promote and support secure vehicle resource access and usage. The entities can include vehicle makers, communication service providers, communication apparatus vendors, vehicle subsystem suppliers, application developers, as well as vehicle owners/users.
    Type: Grant
    Filed: January 22, 2008
    Date of Patent: May 6, 2014
    Assignee: Cellport Systems, Inc.
    Inventors: Patrick J. Kennedy, Axel Fuchs, Charles W. Spaur
  • Publication number: 20140123276
    Abstract: An improved system and method for controlling access of components to industrial automation system resources by reference to the various operational states of the industrial automation system. A central access control system includes processing circuitry, interface circuitry configured to receive information pertaining to the operational state of an automation system, memory circuitry, and a display and user interface. In operation, access to automation components is either allowed or denied based on the designation of an operational state of an automation system.
    Type: Application
    Filed: October 31, 2012
    Publication date: May 1, 2014
    Applicant: ROCKWELL AUTOMATION TECHNOLOGIES, INC.
    Inventors: Michael A. Bush, Robert Brandt
  • Publication number: 20140123277
    Abstract: A mobile terminal apparatus includes a detection unit, a transmission unit, an acquisition unit, and a permission unit. The detection unit detects current position information at a predetermined timing. The transmission unit transmits the current position information, user information that specifies a user, and file specification information that specifies a file that is to be acquired. The acquisition unit acquires a limited-access file, which includes the file and access permission area information that defines an area from which the mobile terminal apparatus is allowed to access the file in accordance with the current position information, in a case where the user is a registered user with a right to download the file. The permission unit gives permission to access the file in a case where accessing of the file is commanded and a position specified by the current position information is included in the area.
    Type: Application
    Filed: April 30, 2013
    Publication date: May 1, 2014
    Applicant: FUJI XEROX CO., LTD.
    Inventor: Kenji KAWASE
  • Patent number: 8713657
    Abstract: Systems and methods for weak authentication data reinforcement are described. In some embodiments, authentication data is received in a request to authenticate a user. In response to detecting weak authentication data, the systems and methods determine whether the user was previously authenticated as a human user. An example embodiment may include initiating an authentication process based on determining that the user was previously authenticated as a human user.
    Type: Grant
    Filed: September 10, 2012
    Date of Patent: April 29, 2014
    Assignee: eBay Inc.
    Inventor: Mark C. Lee
  • Patent number: 8713671
    Abstract: A system and method of adding programming to a Symbian operating system. A binary component for use by the operating system, with the binary component including both a capability level and a trust level. The trust level is either equal to or higher than the capability level. If the trust level of the binary component is equal to or higher than the capability of a calling process the calling process automatically loads the binary component.
    Type: Grant
    Filed: November 2, 2005
    Date of Patent: April 29, 2014
    Assignee: Nokia Corporation
    Inventors: Mika Lahteenmaki, Timo Heikkinen
  • Patent number: 8713670
    Abstract: A computationally implemented method includes, but is not limited to: determining which of a plurality of users detected in proximate vicinity of a computing device has primary control of the computing device, the computing device designed for presenting one or more items; ascertaining one or more particular formats for formatting the one or more items based, at least in part, on said determining; and presenting, via the computing device, the one or more items in the one or more particular formats. In addition to the foregoing, other method aspects are described in the claims, drawings, and text forming a part of the present disclosure.
    Type: Grant
    Filed: November 23, 2011
    Date of Patent: April 29, 2014
    Assignee: Elwha LLC
    Inventors: Royce A. Levien, Richard T. Lord, Robert W. Lord, Mark A. Malamud, John D. Rinaldo, Jr., Clarence T. Tegreene
  • Patent number: 8713647
    Abstract: Techniques for facilitating an online transaction session with an end-of-session authentication are provided. The techniques include performing a start-of-session authentication to enable an online transaction session, and performing an end-of-session authentication to end the online transaction session, wherein the end-of-session authentication comprises a scope comprising each pre-defined critical transaction from the transaction session.
    Type: Grant
    Filed: August 21, 2009
    Date of Patent: April 29, 2014
    Assignee: International Business Machines Corporation
    Inventor: Michael P. Waidner