Abstract: According to an embodiment, a data distribution apparatus is connected with electronic apparatuses through a network. The data distribution apparatus includes a storage, a transmitter, a receiver, and an output unit. The storage is configured to store management information in which predetermined data is associated with number specification information for specifying number of electronic apparatuses belonging to the group. The transmitter is configured to transmit a sharing start instruction including the predetermined data. The receiver is configured to receive one or more distribution requests transmitted from one or more electronic apparatuses in response to the instruction. The output unit is configured to output an error signal indicating that an unauthorized electronic apparatus is connected when the number of received distribution requests exceeds the number specified.

Abstract: Embodiments of an application gateway architecture may include an application gateway server computer communicatively connected to backend systems and client devices operating on different platforms. The application gateway server computer may include application programming interfaces and services configured for communicating with the backend systems and managed containers operating on the client devices. The application gateway server computer may provide applications that can be centrally managed and may extend the capabilities of the client devices, including the ability to authenticate across backend systems. A managed container may include a managed cache and may provide a secure shell for applications received from the application gateway server computer. The managed container may store the applications in the managed cache and control access to the managed cache according to rules propagated from at least one of the backend systems via the application gateway server computer.

Abstract: Techniques are presented herein for classifying a variety of enterprise computing resources based on asset characteristics. In particular, a computing asset, e.g., a server, may be classified based on any digital certificates provisioned on that server. That is, the properties of a digital certificate may be used to determine a measure of business value or importance of a server (or data hosted on that server). Once the computing asset has been classified, a monitoring system may use the assigned classifications to prioritize security incidents for review.

Abstract: Methods and systems that implement enhanced user interactions with a grid are described. A method may include generating a grid of cells arranged in a number of rows and columns. Each row may correspond to a data record of a database. The grid may be displayed to a user while identifying one or more cells as editable cells. Input data may be received from the user for each of the editable cells. The input data may be validated using predefined criteria to identify incorrect input data and errors associated with the incorrect input data may be displayed to the user. Additional methods and systems are disclosed.

Abstract: A method for creating a list of display devices that are available to receive a video signal from an image generator via network video streaming. One version of the method includes transmitting a display availability packet indicating one or more of the display devices that are available for connection, updating a network display listing module with the information stored in the display availability packet, and transmitting an availability request packet requesting a list of the display devices that are available to receive the video signal. In response to receiving an availability request packet, a display resource list, indicating the display devices available to receive the video signal, is generated from the metadata contained in the availability request packet.

Abstract: Knowledge of a module's behavior when the module's reputation is formed is obtained. If the module's behavior changes, this change is detected. In one embodiment, upon a determination that the module's behavior has changed, the module's original reputation is lost. In this manner, malicious trusted modules are detected and defeated.

Abstract: One particular example implementation of an apparatus for mitigating unauthorized access to data traffic, comprises: an operating system stack to allocate unprotected kernel transfer buffers; a hypervisor to allocate protected memory data buffers, where data is to be stored in the protected memory data buffers before being copied to the unprotected kernel transfer buffers; and an encoder module to encrypt the data stored in the protected memory data buffers, where the unprotected kernel transfer buffers receive a copy the encrypted data.

Abstract: In one implementation, a computer-implemented method includes receiving, at a process risk classifier running on a computer system, a request to determine a risk level for a particular process; accessing one or more signatures that provide one or more snapshots of characteristics of the particular process at one or more previous times; identifying one or more differences between the particular process in its current form and the one or more signatures; accessing information identifying previous usage of the computer system's resources by the particular process; determining a current risk score for the particular process based, at least in part, on (i) the one or more signatures for the particular process, (ii) the one or more differences between the particular process in its current form and the one or more signatures, and (iii) the previous usage of the resources; and providing the current risk score for the particular process.

Abstract: A certification provenance tree (CPT) structure may provide information concerning a layered certification of a device that comprises a hierarchy of components. The CPT structure may include a hierarchy of secure certification provenance document (SCPD) structures. Each SCPD structure in the hierarchy may represent a given component at a given level of the hierarchy of components of the device. Each SCPD structure may include a field that stores a certification proof indicating that security properties of the given component have been certified by a certification authority. An SCPD structure may further include accreditation information fields that store a pointer to an SCPD structure of a component at a next layer of the hierarchy of components of the device. The pointer may provide an indication of assurance that the component at that next layer will perform securely within this component at said given layer.

Abstract: A proposed password is decomposed into basic components to determine and score transitions between the basic components and create a password score that measures the strength of the proposed password based on rules, such as concatenation, insertion, and replacement. The proposed password is scored against all known words, such as when a user is first asked to create a password for an account or access. The proposed password can also be scored against one or more previous passwords for the user, such as when the user is asked to change the user's previous password, to determine similarity between the two passwords.

Abstract: Disclosed is a print apparatus including: a memory configured to store the print job; a print unit configured to execute a print based on the print job; a first detector configured to detect the print allowed user; a second detector configured to detect a print disallowed user; and a hardware processor configured to: obtain the print job, change a danger distance according to a first distance from the print apparatus to the print allowed user, compare the danger distance with a second distance from the print apparatus to the nearest print disallowed user when the first distance is not more than a predetermined print start distance, and instruct the print unit to start the print based on the print job in accordance with a result of the comparison.

Abstract: A user gesture is detected based on received data from one or more motion sensors. User gesture attributes are identified including at least one of hand vectoring, wrist articulation, and finger articulation from the gesture including respective movements of each of a plurality of a user's fingers. Based on the gesture attributes, a user and an action to be performed in a vehicle are identified. The action is performed in the vehicle to control at least one vehicle component based on the gesture.

Abstract: An accessory can communicate wirelessly with a host device such as a portable electronic device. Existing accessory protocols developed for wired communication can be used without modification, and a wireless network connecting the two devices can provide a transport or channel connecting the two devices. Establishing a wireless channel can involve the active participation of both devices. For instance, the host device can create and identify virtual port to be used by the accessory, after which the accessory can initiate communication on that virtual port. A host device can be configured to automatically connect to certain accessories upon detection of that accessory on a wireless network under various specific conditions. Encryption of accessory-protocol communications between an accessory and a host device is also provided.

Abstract: Secure computer architectures, systems, and applications are provided herein. An exemplary computing system may include a trusted environment having a trusted processor and memory that provides a trusted computing environment that performs computing functions that could expose the computing device to a security risk, and a legacy environment having a secondary processor and memory for providing a legacy computing environment that manages computing functions exposed to unsecure environments.

Abstract: A method, system, and one or more computer-readable storage media for behavior based authentication for touch screen devices are provided herein. The method includes acquiring a number of training samples corresponding to a first action performed on a touch screen of a touch screen device, wherein the first action includes an input of a signature or a gesture by a legitimate user. The method also includes generating a user behavior model based on the training samples and acquiring a test sample corresponding to a second action performed on the touch screen, wherein the second action includes an input of the signature or the gesture by a user. The method further includes classifying the test sample based on the user behavior model, wherein classifying the test sample includes determining whether the user is the legitimate user or an imposter.

Abstract: Systems, methods, and devices for predicting entitlements to computing resources are described. An entitlement associated with a user of a computer system may be identified. The entitlement may indicate a computing resource of the computer system that is accessible to the user. A set of attributes associated with the user may be selected, and an entitlement probability value may be obtained. The entitlement probability value may be based on the set of attributes and indicate a probability that the user is authorized to have the entitlement. The entitlement probability value may be used to determine whether to include the entitlement in an access review. Depending on the entitlement probability value the entitlement may be included in the access review or excluded from the access review.

Abstract: Described is a technology by which a transient storage device or secure execution environment-based (e.g., including an embedded processor) device validates a host computer system. The device compares hashes of host system data against valid hashes maintained in protected storage of the device. The host data may be a file, data block, and/or memory contents. The device takes action when the host system data does not match the information in protected storage, such as to log information about the mismatch and/or provide an indication of validation failure, e.g., via an LED and/or display screen output. Further, the comparison may be part of a boot process validation, and the action may prevent the boot process from continuing, or replace an invalid file. Alternatively, the validation may take place at anytime.

Abstract: A computer-implemented method for validating login attempts based on user location may include (1) detecting a login attempt by a user to log into a user account, where the login attempt originates from an atypical location, (2) determining that the atypical location is inconsistent with a pattern of past login locations for the user, (3) retrieving location information that indicates a current location of the user from at least one third-party Internet resource, (4) determining, based on the location information, that the atypical location of the login attempt matches the current location of the user, and (5) trusting that the login attempt legitimately originates from the user based at least in part on the atypical location matching the current location of the user. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: In response to a local Advanced Persistent Threat (APT) agent identifying a potential data exfiltration attack, the binary identified in the attack is sent to a static analysis tool for further analysis. The agent also identifies a source and a sink involved in the potential data exfiltration. The static analysis tool decompiles the binary, and then runs the de-compiled code through a static analysis to identify data flows between the source and the sink, e.g., a data flow from the source that is the method used to read sensitive information, and a data flow to the sink that is the method used to write to the remote system. If there are such data flows, the activity reported by the agent is likely a true exfiltration attack. Based on this flow determination, the static analysis tool returns a response to the agent validating that the activity is an attack.

Abstract: A system allowing a user to efficiently locate and contact those individuals the user would like to communicate with and for collection of data about users to determine the best contact point to use at a particular time. The system monitors the data and may determine an individual's usage patterns in order to select or suggest contact points that are the best to contact a particular user at a particular time. The system may also allow for the routing of communications to particular contact points based on how the user receiving the communication would prefer to be contacted. The system allows for the single selection of an icon by an individual and automatically determines the contact point to contact the particular user. If further allows for the particular user to push out to others updated contact information.

Abstract: Methods and apparatus related to identifying authorship of Internet content. Some implementations are directed to methods and apparatus for identifying a content submission form on a webpage, recognizing submission of content by a user via the content submission form, and transmitting verification data in response to submission of the content by the user. The verification data may include content data indicative of at least some of the content submitted for publication via the content submission form.

Abstract: A social media computer system and method for transmission of data between a first mobile phone and a second mobile phone includes a database that is configured to be in network communication with the first mobile phone and the second mobile phone. The database is configured to receive a first set of data input by the first mobile phone and a second set of data input by the second mobile phone. The database is configured to allow the second mobile phone to access at least a portion of the first set of data only after the second mobile phone authorizes the first mobile phone via the database to access the second set of data. The database can include a plurality of privacy levels that are alternately selectable by the first mobile phone to control the amount of the first set of data that is accessible by the second mobile phone.

Abstract: Various embodiments are provided in which intra-application permissions may be granted on an electronic device. An application may access data from another application if the application has the proper permission signed by a permissions server. In one embodiment, a request is received by a first application that is installed on a device. The request is from a second application for permission to access data associated with the first application. A permissions record for the second application may be stored in an application package of the second application. The first application may access the permissions record to determine whether the second application has permission to access the data associated with the first application. The first application may provide the second application with access to the data associated with the first application based, at least in part, on the permissions record stored in the application package of the second application.

Abstract: A device having: an application program that assists the device in accessing a data service over a wireless access network, an application credential associated with the application program, and a policy to be applied when the application program initiates or attempts to initiate communication over the wireless access network. The device also has one or more agents that detect an attempted installation of update software on the device, the update software purporting to be a modification, update, or replacement of the application program; obtain an update-software credential associated with the update software; obtain the application credential; allow the update software to be installed if the update-software credential matches the application credential; and interact with the application program to arrange a setting of the application program, the setting configured to assist in applying the policy when the application program initiates or attempts to initiate communication over the wireless access network.

Abstract: In one or more embodiments described herein, there is provided an apparatus comprising at least one processor; and at least one memory having computer program code stored thereon, the at least one memory and computer program code being configured to, when run on the at least one processor, cause the apparatus to provide an application switcher to a first device, the application switcher providing an indication of content available to the first device from one or more open applications on a second device, wherein at least part of the content of the one or more open applications of the second device is shareable in real time with an application on the first device; and provide, in response to user-selection of content from the application switcher, the user-selected shareable content of the open application of the second device for use on the first device using a first device application.

Abstract: A system providing a method for implementing effective date constraints in a role hierarchy is described. In one embodiment, for example, the method comprises the steps of: storing data that represents a first effective date constraint on a role of a role hierarchy, the first effective date constraint having a start date and an end date; storing data in a database that represents a second effective date constraint on a grant of the role to a grantee, the second effective date constraint having a start date and an end date; storing data in a database that represents a third effective date constraint on the grantee, the third effective date constraint having a start date and an end date; and computing a net effective date constraint for the role by computing the intersection of the first effective date constraint, the second effective date constraint, and the third effective date constraint.

Abstract: A request is received at an authorization framework via an authorization application programming interface (API) from a trusted application for authorizing a client application, where the client application requests a service provided by the trusted application. In response to the request, the client application is authorized in view of one or more authorization policies associated with the client application to determine whether the client application is authorized to access the requested service. A user associated with the client application is authenticated to determine whether the user is allowed to access the requested service. Thereafter, a value is returned from the authorization framework via the authorization API to the trusted application indicating whether the client application can access the requested service provided by the trusted application, based on results of the authorization and authentication.

Abstract: Techniques are disclosed for generating, utilizing, and validating traceable image CAPTCHAs. In certain embodiments, a traceable image is displayed, and a trace of the image is analyzed to determine whether a user providing the trace is human. In certain embodiments, a computing device receives a request for an image, and in response, creates a traceable image based upon a plurality of image elements. The computing device transmits data representing the traceable image to cause a second computing device to display the traceable image via a touch-enabled display. The computing device receives a user trace input data generated responsive to a trace made at the second computing device, and determines whether the trace is within an error tolerance range of the set of coordinates associated with the traceable image. The computing device then sends a result of the determination.

Abstract: A proposed password is decomposed into basic components to determine and score transitions between the basic components and create a password score that measures the strength of the proposed password based on rules, such as concatenation, insertion, and replacement. The proposed password is scored against all known words, such as when a user is first asked to create a password for an account or access. The proposed password can also be scored against one or more previous passwords for the user, such as when the user is asked to change the user's previous password, to determine similarity between the two passwords.

Abstract: In accordance with embodiments, there are provided mechanisms and methods for messaging in an on-demand database service. These mechanisms and methods for messaging in an on-demand database service can enable embodiments to more flexibly message in on-demand database environments. The ability of embodiments to provide such feature may lead to enhanced messaging features which may be used for providing more effective ways of messaging in the context of on-demand databases.

Abstract: Architecture that utilizes logical combinations (e.g., of Boolean logic) of authorizations as a logical authorization expression that is computed through a proofing process to a single proof value which equates to authorizing access to an intended entity. The authorizations are accumulated and processed incrementally according to an evaluation order defined in the authorization expression. The logical combinations can include Boolean operations that evaluate to a proof value associated with a sum of products expression (e.g., combinations of AND, OR, etc.). The incremental evaluations output corresponding hash values as statistically unique identifiers used in a secure hash algorithm that when evaluated in order allow execution of a specific command to access the entity. The architecture, employed in a trust module, uses minimal internal trust module state, and can be employed as part of a device system that handles trust processing to obtain authorization to access the intended entity.

Abstract: A system and method for enabling users to run remote applications on access control readers located throughout office buildings. A system administrator creates different remote applications groups such as admin, engineer or cardholder and then assigns users to one of the remote application groups. Users are then able to run the remote applications assigned to their remote application group from any of the access control readers located throughout the office building.

Abstract: Methods, systems, and computer readable mediums for utilizing geographical location information to manage applications in a computer network system are disclosed. According to one example, a method includes receiving, by a global positioning system (GPS) service entity, a request for geographical location information associated with an infrastructure enclosure device from a location request entity, wherein the location request entity is hosted by the infrastructure enclosure device. The method further includes acquiring, by the GPS service entity, the geographical location information from a location enablement device included in the infrastructure enclosure device and sending, by the GPS service module, the acquired geographical location information to the location request entity, wherein the location request entity enforces a policy based on the acquired geographical location information.

Abstract: Systems and methods, including computer software adapted to perform certain operations, can be implemented for preventing content received from non-trusted sources from accessing protected data. A sequence of instructions and multiple permission indicators associated with the sequence of instructions are received. One or more of permission indicators are associated with a protected activity. An instruction within the sequence of instructions associated with the protected activity is identified. A determination is made whether execution of the identified instruction is permitted based, at least in part, on the one or more permission indicators, and the protected activity is performed if execution of the identified instruction is permitted.

Abstract: An electronic apparatus including: a display control unit configured to cause a display unit to display a screen based on screen information, obtained via a network, for executing a function of the electronic apparatus, wherein the display control unit stores, in a storing unit, identification information of a program corresponding to the screen information according to execution of the function of the electronic apparatus based on definition of the screen information.

Abstract: Some aspects of what is described here relate to managing the use of network resources on a mobile device. User input received at the device indicates whether to allow an application associated with a first perimeter on the device to access a network resource associated with a second perimeter on the device. For example, in some instances user input may indicate whether to allow data from applications associated with a personal perimeter on the device to be transmitted over an enterprise communication system. When outbound data associated with the first perimeter are received, the device determines, according to the indication from the user input, whether to route the outbound data to the network resource associated with the second perimeter.

Abstract: An information processing apparatus includes: a control-permission/denial storage unit that stores therein permission/denial information as to whether or not execution of respective control actions in response to a predetermined motions made by users is permitted to roles of the users; a motion detecting unit that detects a predetermined motion from images captured by an image capturing device; and a control-permission/denial determining unit that determines whether or not execution of a control action in response to a predetermined motion made by a user and detected by the motion detecting unit is permitted to a role of the user based on the control-permission/denial storage unit.

Abstract: A method and apparatus for location authentication of the user are disclosed. In the method and apparatus, the location of the user is authenticated if one or more conditions for geographic proximity associated with two or more devices of the user are satisfied. Upon the location of the user being authenticated, the user may be granted access to a service.

Abstract: A lightweight throttling mechanism allows for dynamic control of access to resources in a distributed environment. Each request received by a server of a server group is parsed to determine tokens in the request, which are compared with designated rules to determine whether to process or reject the request based on usage data associated with an aspect of the request, the token values, and the rule(s) specified for the request. The receiving of each request can be broadcast to throttling components for each server such that the global state of the system is known to each server. The system then can monitor usage and dynamically throttle requests based on real time data in a distributed environment.

Abstract: A proposed password is decomposed into basic components to determine and score transitions between the basic components and create a password score that measures the strength of the proposed password based on rules, such as concatenation, insertion, and replacement. The proposed password is scored against all known words, such as when a user is first asked to create a password for an account or access. The proposed password can also be scored against one or more previous passwords for the user, such as when the user is asked to change the user's previous password, to determine similarity between the two passwords.

Abstract: A computer-based system, method and computer program product for controlling access to protected personal information is disclosed. Protected personal information that is accessible by an information management application program is stored in a computer memory. In response to a request from an authenticated user for information, which includes protected personal information, information is displayed indicating that user has requested protected personal information, but the protected personal information is not displayed. In response to receiving user input requesting access to the protected personal information, a determination is made as to whether the user is authorized to access the requested protected personal information. If so, requested protected personal information is displayed to the user and information is stored relating to the user's access to protected personal information.

Abstract: The present disclosure provides techniques for authenticating a password. These techniques may enable a user terminal to retrieve a diagram using a computing device. The diagram is inputted by a user in a terminal and is displayed in form of a diagram in connection to a password. The computing device may then transfer operand points passed through by the diagram to a server terminal for password authentication, and then receive a result of the password authentication from the server terminal. These techniques improve password authentication security.

Abstract: An apparatus and method for enabling effective use of a contactless payment device in a transit system. The invention may be implemented in a manner that separates the authentication process from the pre-authorization process, thereby permitting a transit system patron to access and begin use of the transit system prior to authorization of the transaction by the issuer of the device.

Abstract: A computer security threat sharing technology is described. A computer security threat is recognized at an organization. A partner network graph is queried for security nodes connected to a first security node representing the organization. The first security node is connected to at least a second security node representing a trusted security partner of the organization. The second security node is associated with identification information. The computer security threat recognized by the organization is communicated to the trusted security partner using the identification information associated with the second security node.

Abstract: Example methods and apparatus for authenticating a user login are disclosed herein. An example method includes displaying an image and dynamically presenting symbols adjacent the image. The example method includes receiving a code, the code formed by an arrangement of one or more of the symbols on the image. The example method includes authenticating a user based on the code.

Abstract: Disclosed is a system and method for launching a web browser in a safe mode. An example method includes intercepting a request from the web browser to access data from a server; determining whether the browser is required to operate in a safe mode when displaying data from the server; when the browser is required to operate in the safe mode, analyzing the data received from the server; when the received data includes a webpage, generating a temporary webpage containing a script for evaluating at least one criterion for determining whether to display the webpage received from the server by the browser; executing the script contained in the temporary webpage by the browser; and based on an evaluation result of the at least one criterion by the script, launching the browser in the safe mode to display the webpage received from the server.

Abstract: A method and an apparatus for specifying a time-varying, intelligent service-oriented model are provided. A method implemented in a computer infrastructure having computer executable code embodied on a computer readable storage medium having programming instructions, includes defining information of a service which is to be provided to one or more users having access to a system storing the defined information. The method further includes defining policies associated with the defined information to allow and deny access to selected portions of the defined information, and exposing to a user of the one or more users the selected portions of the defined information based on the defined policies allowing access to the selected portions of the defined information.

Abstract: A system includes a multi-node chassis including a chassis management module, a plurality of compute nodes, and a physical presence manual actuator for transmitting a physical presence signal to each compute node in response to manual actuation. Each server has a firmware interface, a trusted platform module, and an AND gate. The firmware interface has a general purpose input output pin for providing an enabling signal in response to a user instruction to a firmware interface setup program that communicates with the firmware interface. The AND gate has a first input receiving the enabling signal, a second input receiving the physical presence signal, and an output coupled to the trusted platform module, wherein the AND gate for a selected compute node asserts physical presence to the trusted platform module of the selected compute node in response to receiving both the enabling signal and the physical presence signal.

Abstract: A multi-tenant identity management (IDM) system enables IDM functions to be performed relative to various different customers' domains within a shared cloud computing environment and without replicating a separate IDM system for each separate domain. The IDM system can provide IDM functionality to service instances located within various different customers' domains while enforcing isolation between those domains. A cloud-wide identity store can contain identity information for multiple customers' domains, and a cloud-wide policy store can contain security policy information for multiple customers' domains. The multi-tenant IDM system can provide a delegation model in which a domain administrator can be appointed for each domain, and in which each domain administrator can delegate certain roles to other user identities belong to his domain. Service instance-specific administrators can be appointed by a domain administrator to administer to specific service instances within a domain.

Abstract: Provided is electronic paper that includes an imaging sheet for displaying content, a memory for storing the content, a mode switch unit for manually setting an operation mode of the electronic paper, and a controller for performing at least one operation from a plurality of operations including encryption of the content stored in the memory, deletion of the content stored in the memory, deletion of content displayed on the imaging sheet from a screen, and display of a lock screen that requires input of a password on the imaging sheet, according to an operation mode that is set by a user using the mode switch unit.