Abstract: A proposed password is decomposed into basic components to determine and score transitions between the basic components and create a password score that measures the strength of the proposed password based on rules, such as concatenation, insertion, and replacement. The proposed password is scored against all known words, such as when a user is first asked to create a password for an account or access. The proposed password can also be scored against one or more previous passwords for the user, such as when the user is asked to change the user's previous password, to determine similarity between the two passwords.

Abstract: Techniques are disclosed for generating, utilizing, and validating traceable image CAPTCHAs. In certain embodiments, a traceable image is displayed, and a trace of the image is analyzed to determine whether a user providing the trace is human. In certain embodiments, a computing device receives a request for an image, and in response, creates a traceable image based upon a plurality of image elements. The computing device transmits data representing the traceable image to cause a second computing device to display the traceable image via a touch-enabled display. The computing device receives a user trace input data generated responsive to a trace made at the second computing device, and determines whether the trace is within an error tolerance range of the set of coordinates associated with the traceable image. The computing device then sends a result of the determination.

Abstract: In accordance with embodiments, there are provided mechanisms and methods for messaging in an on-demand database service. These mechanisms and methods for messaging in an on-demand database service can enable embodiments to more flexibly message in on-demand database environments. The ability of embodiments to provide such feature may lead to enhanced messaging features which may be used for providing more effective ways of messaging in the context of on-demand databases.

Abstract: Architecture that utilizes logical combinations (e.g., of Boolean logic) of authorizations as a logical authorization expression that is computed through a proofing process to a single proof value which equates to authorizing access to an intended entity. The authorizations are accumulated and processed incrementally according to an evaluation order defined in the authorization expression. The logical combinations can include Boolean operations that evaluate to a proof value associated with a sum of products expression (e.g., combinations of AND, OR, etc.). The incremental evaluations output corresponding hash values as statistically unique identifiers used in a secure hash algorithm that when evaluated in order allow execution of a specific command to access the entity. The architecture, employed in a trust module, uses minimal internal trust module state, and can be employed as part of a device system that handles trust processing to obtain authorization to access the intended entity.

Abstract: A system and method for enabling users to run remote applications on access control readers located throughout office buildings. A system administrator creates different remote applications groups such as admin, engineer or cardholder and then assigns users to one of the remote application groups. Users are then able to run the remote applications assigned to their remote application group from any of the access control readers located throughout the office building.

Abstract: Systems and methods, including computer software adapted to perform certain operations, can be implemented for preventing content received from non-trusted sources from accessing protected data. A sequence of instructions and multiple permission indicators associated with the sequence of instructions are received. One or more of permission indicators are associated with a protected activity. An instruction within the sequence of instructions associated with the protected activity is identified. A determination is made whether execution of the identified instruction is permitted based, at least in part, on the one or more permission indicators, and the protected activity is performed if execution of the identified instruction is permitted.

Abstract: Methods, systems, and computer readable mediums for utilizing geographical location information to manage applications in a computer network system are disclosed. According to one example, a method includes receiving, by a global positioning system (GPS) service entity, a request for geographical location information associated with an infrastructure enclosure device from a location request entity, wherein the location request entity is hosted by the infrastructure enclosure device. The method further includes acquiring, by the GPS service entity, the geographical location information from a location enablement device included in the infrastructure enclosure device and sending, by the GPS service module, the acquired geographical location information to the location request entity, wherein the location request entity enforces a policy based on the acquired geographical location information.

Abstract: An electronic apparatus including: a display control unit configured to cause a display unit to display a screen based on screen information, obtained via a network, for executing a function of the electronic apparatus, wherein the display control unit stores, in a storing unit, identification information of a program corresponding to the screen information according to execution of the function of the electronic apparatus based on definition of the screen information.

Abstract: Some aspects of what is described here relate to managing the use of network resources on a mobile device. User input received at the device indicates whether to allow an application associated with a first perimeter on the device to access a network resource associated with a second perimeter on the device. For example, in some instances user input may indicate whether to allow data from applications associated with a personal perimeter on the device to be transmitted over an enterprise communication system. When outbound data associated with the first perimeter are received, the device determines, according to the indication from the user input, whether to route the outbound data to the network resource associated with the second perimeter.

Abstract: An information processing apparatus includes: a control-permission/denial storage unit that stores therein permission/denial information as to whether or not execution of respective control actions in response to a predetermined motions made by users is permitted to roles of the users; a motion detecting unit that detects a predetermined motion from images captured by an image capturing device; and a control-permission/denial determining unit that determines whether or not execution of a control action in response to a predetermined motion made by a user and detected by the motion detecting unit is permitted to a role of the user based on the control-permission/denial storage unit.

Abstract: A method and apparatus for location authentication of the user are disclosed. In the method and apparatus, the location of the user is authenticated if one or more conditions for geographic proximity associated with two or more devices of the user are satisfied. Upon the location of the user being authenticated, the user may be granted access to a service.

Abstract: A lightweight throttling mechanism allows for dynamic control of access to resources in a distributed environment. Each request received by a server of a server group is parsed to determine tokens in the request, which are compared with designated rules to determine whether to process or reject the request based on usage data associated with an aspect of the request, the token values, and the rule(s) specified for the request. The receiving of each request can be broadcast to throttling components for each server such that the global state of the system is known to each server. The system then can monitor usage and dynamically throttle requests based on real time data in a distributed environment.

Abstract: A proposed password is decomposed into basic components to determine and score transitions between the basic components and create a password score that measures the strength of the proposed password based on rules, such as concatenation, insertion, and replacement. The proposed password is scored against all known words, such as when a user is first asked to create a password for an account or access. The proposed password can also be scored against one or more previous passwords for the user, such as when the user is asked to change the user's previous password, to determine similarity between the two passwords.

Abstract: A computer-based system, method and computer program product for controlling access to protected personal information is disclosed. Protected personal information that is accessible by an information management application program is stored in a computer memory. In response to a request from an authenticated user for information, which includes protected personal information, information is displayed indicating that user has requested protected personal information, but the protected personal information is not displayed. In response to receiving user input requesting access to the protected personal information, a determination is made as to whether the user is authorized to access the requested protected personal information. If so, requested protected personal information is displayed to the user and information is stored relating to the user's access to protected personal information.

Abstract: A computer security threat sharing technology is described. A computer security threat is recognized at an organization. A partner network graph is queried for security nodes connected to a first security node representing the organization. The first security node is connected to at least a second security node representing a trusted security partner of the organization. The second security node is associated with identification information. The computer security threat recognized by the organization is communicated to the trusted security partner using the identification information associated with the second security node.

Abstract: The present disclosure provides techniques for authenticating a password. These techniques may enable a user terminal to retrieve a diagram using a computing device. The diagram is inputted by a user in a terminal and is displayed in form of a diagram in connection to a password. The computing device may then transfer operand points passed through by the diagram to a server terminal for password authentication, and then receive a result of the password authentication from the server terminal. These techniques improve password authentication security.

Abstract: An apparatus and method for enabling effective use of a contactless payment device in a transit system. The invention may be implemented in a manner that separates the authentication process from the pre-authorization process, thereby permitting a transit system patron to access and begin use of the transit system prior to authorization of the transaction by the issuer of the device.

Abstract: Example methods and apparatus for authenticating a user login are disclosed herein. An example method includes displaying an image and dynamically presenting symbols adjacent the image. The example method includes receiving a code, the code formed by an arrangement of one or more of the symbols on the image. The example method includes authenticating a user based on the code.

Abstract: Disclosed is a system and method for launching a web browser in a safe mode. An example method includes intercepting a request from the web browser to access data from a server; determining whether the browser is required to operate in a safe mode when displaying data from the server; when the browser is required to operate in the safe mode, analyzing the data received from the server; when the received data includes a webpage, generating a temporary webpage containing a script for evaluating at least one criterion for determining whether to display the webpage received from the server by the browser; executing the script contained in the temporary webpage by the browser; and based on an evaluation result of the at least one criterion by the script, launching the browser in the safe mode to display the webpage received from the server.

Abstract: A system includes a multi-node chassis including a chassis management module, a plurality of compute nodes, and a physical presence manual actuator for transmitting a physical presence signal to each compute node in response to manual actuation. Each server has a firmware interface, a trusted platform module, and an AND gate. The firmware interface has a general purpose input output pin for providing an enabling signal in response to a user instruction to a firmware interface setup program that communicates with the firmware interface. The AND gate has a first input receiving the enabling signal, a second input receiving the physical presence signal, and an output coupled to the trusted platform module, wherein the AND gate for a selected compute node asserts physical presence to the trusted platform module of the selected compute node in response to receiving both the enabling signal and the physical presence signal.

Abstract: A method and an apparatus for specifying a time-varying, intelligent service-oriented model are provided. A method implemented in a computer infrastructure having computer executable code embodied on a computer readable storage medium having programming instructions, includes defining information of a service which is to be provided to one or more users having access to a system storing the defined information. The method further includes defining policies associated with the defined information to allow and deny access to selected portions of the defined information, and exposing to a user of the one or more users the selected portions of the defined information based on the defined policies allowing access to the selected portions of the defined information.

Abstract: A multi-tenant identity management (IDM) system enables IDM functions to be performed relative to various different customers' domains within a shared cloud computing environment and without replicating a separate IDM system for each separate domain. The IDM system can provide IDM functionality to service instances located within various different customers' domains while enforcing isolation between those domains. A cloud-wide identity store can contain identity information for multiple customers' domains, and a cloud-wide policy store can contain security policy information for multiple customers' domains. The multi-tenant IDM system can provide a delegation model in which a domain administrator can be appointed for each domain, and in which each domain administrator can delegate certain roles to other user identities belong to his domain. Service instance-specific administrators can be appointed by a domain administrator to administer to specific service instances within a domain.

Abstract: Provided is electronic paper that includes an imaging sheet for displaying content, a memory for storing the content, a mode switch unit for manually setting an operation mode of the electronic paper, and a controller for performing at least one operation from a plurality of operations including encryption of the content stored in the memory, deletion of the content stored in the memory, deletion of content displayed on the imaging sheet from a screen, and display of a lock screen that requires input of a password on the imaging sheet, according to an operation mode that is set by a user using the mode switch unit.

Abstract: Approaches for using the historical party reputation data to calculate an access decision rating are provided. Specifically, one or more approaches provide a method, including: collecting reputation information of a first user that is requesting access to one or more assets, the reputation information based on at least an association of the first user with an organization and an association of the first user with one or more other users associated with one or more other organizations; storing the requester's reputation information; determining a change in the requester's reputation information, wherein the change comprises at least one of: the first user forming a new association with another organization, and the first user forming a new association with a second user, wherein the second user is affiliated with another organization; and causing an access decision rating to be calculated based upon the determined change in the requester's reputation information.

Abstract: In the field of computer and data security, the identifier (ID) of a computing device is protected by providing a secure signature used to verify the ID. The signature is computed from the ID using a “White Box” cryptographic process and a hash function. This provides a signature that is computationally easy to verify but difficult or impossible to generate by a hacker (unauthorized user). This method of first creating the signature and later verifying the identifier using the signature and the associated computing apparatus are thereby useful for protection against hacking of such identifiers of computing devices.

Abstract: A first service in a system in which a plurality of services cooperatively perform processing, comprises: a generation unit which generates authorization information to use a function provided by the first service and link information to call an input window of the authorization information; a holding unit which holds the link information and the authorization information in association with each other; a providing unit which provides the link information to a second service; a notification unit which notifies a user of the authorization information; a displaying unit which displays the input window corresponding to the link information when the user has designated the link information obtained from the second service; and a permission unit which permits use of the function provided by the first service when the user has input the notified authorization information to the displayed input window.

Abstract: A method authenticates a group driving service of a moving object. The method includes authenticating the moving object when an authentication request for the registration of the group driving service is received from the moving object, generating a certain group having group driving service registration information based on group driving registration information when a registration request for the group driving service is received from the moving object, the registration request including the group driving registration information, and transmitting the group driving service registration information of the certain group to the moving object.

Abstract: A source device for systems and methods of verifying an authentication based on dynamic scoring is disclosed, wherein the source device is configured to receive at least one identification feature from a user, and to communicate the identification feature to a verification unit. The verification unit is configured to generate a base verification score associated with the user based on at least one identification input, the identification input comprising the identification feature, a feature validity rating, and a source device validity rating, to receive a request to access a service, wherein the verification unit compares the base verification score with a service authorization threshold associated with the service, and to grant access to the service when the base verification score meets the service authorization threshold.

Abstract: Embodiments of the present invention are directed to managing access to protected computer resources. More particularly, embodiments of the present invention provide systems and methods for modifying a user's ability to access a protected computer resource while the user is currently using the resource. If the privileges granted to a user for accessing the protected resource are altered, these alterations take effect in substantially real time. In an exemplary embodiment, a user data repository will initiate the process of altering the user's access privileges upon changes of data in the repository. In this way, it does not matter how or by whom the data in the repository is changed, but the change itself is sufficient to initiate a re-computation of a user's access privileges to the protected resource.

Abstract: A data processing apparatus includes an auxiliary storage device having target verification data stored therein, a program memory having a validity verification program stored therein, a first RAM (Random Access Memory), a second RAM, and an execution unit configured to execute a validity verification process in accordance with the validity verification program stored in the program memory. The execution unit is configured to copy the target verification data from the auxiliary storage device into the first RAM, execute the validity verification process on the copied target verification data in the first RAM, and use the second RAM as a work area in a case of executing the validity verification process.

Abstract: A method and apparatus for securely executing a plurality of actions requiring elevated privilege using less than a corresponding plurality of prompts for privilege elevation, and in some embodiments, only a single prompt for privilege elevation, comprising: receiving a request to perform a first action requiring an elevated privilege; acquiring the elevated privilege to perform the first action; executing the first action, wherein the first action is executed based on the elevated privilege; receiving a request to perform a second action requiring an elevated privilege; and executing the second action using the elevated privilege acquired for the first action.

Abstract: A verification method includes configuring a reference system, running on a computer, to have the same set of executables and customizations as an e-business system to be verified. The reference system is configured with one or more roles that have permissions to execute all transactions in a scope of a planned verification. One or more business processes that are implemented in the e-business system and are in the scope of the planned verification are mapped and are executed using the reference system. Reference data is created by merging records from logs of the permission checks with respect to at least one role in the scope of the verification. Permission settings for roles in the e-business system are compared with corresponding permission values in the reference data. Based on comparing the permission settings, an indication is displayed to a user of whether the permission settings match the corresponding permission values.

Abstract: A trust level of an account is determined at least partly based on a degree of the memorability of an email address associated with the account. Additional features such as those based on the domain of the email address and those from the additional information such as name, phone number, and address associated with the account may also be used to determine the trust level of the account. A machine learning process may be used to learn a classification model based on one or more features that distinguish a malicious account from a benign account from training data. The classification model is used to determine a trust level of the account, and/or if the account is malicious or benign, and may be continuously improved by incrementally adapting or improving the model with new accounts.

Abstract: An embodiment may include a storage processor that may be comprised, at least in part, in a host. The host may include at least one host central processing unit (CPU) to execute at least one host operating system (OS). The storage processor may execute at least one operation in isolation from interference from and control by the at least one host CPU and the at least one host OS. The at least one operation may facilitate, at least in part: (1) prevention, at least in part, of unauthorized access to storage, (2) prevention, at least in part, of execution by the at least one host CPU of at least one unauthorized instruction, (3) detection, at least in part, of the at least one unauthorized instruction, and/or (4) remediation, at least in part, of at least one condition associated, at least in part, with the at least unauthorized instruction.

Abstract: In various embodiments, security may be provided for application to application (A2A) and application to database (A2DB) implementations. In some embodiments, a method comprises receiving a registration request at a first digital device for a first application, receiving a first program factor associated with the first application, confirming the first program factor, generating a first password for a second application based, at least, on the confirmation of the first program factor, and providing the first password to a second digital.

Abstract: A method for managing a transcoder pipeline includes partitioning a memory with a numbered region; receiving an incoming media stream to be transcoded; and atomically loading, using a security central processing unit (SCPU), a decryption key, a counterpart encryption key and an associated region number of the memory into a slot of a key table, the key table providing selection of decryption and encryption keys during transcoding. The atomically loading the decryption and encryption keys and the associated numbered region ensures that the encryption key is selected to encrypt a transcoded version of the media stream when the media stream has been decrypted with the decryption key and the transcoded media stream is retrieved from the associated numbered region of the memory.

Abstract: A method and apparatus is provided for switching from a regular desktop screen to a password input screen for a user to input a password. An apparatus may comprise a first screen display as the password input screen, a second screen display as the regular desktop screen, and a switching system. The switching system may be configured to switch a screen item position between the first screen display and the second screen display. The switching system may receive a user selection of a sequence of screen items as a password input and may switch operation of the apparatus between the first screen display to the second screen display.

Abstract: A method for notifying a first device of a status of an application includes transmitting an application state transition notification message from a second device to the first device when a state transition of the application has occurred, wherein the application state transition notification message comprises information regarding at least a current state of the application and a reason of the state transition; and transmitting an application state transition response message from the first device to the second device in response to the application state transition notification message.

Abstract: In accordance with one embodiment of the disclosed technology, inconsistencies are detected between various records relating to data that has been associated with an identification tag. Data packages associated with the inconsistencies may then be removed. In accordance with another aspect of the disclosed technology, requests relating to data packages associated with inconsistencies in the various stored records are identified and removed. The disclosed technology may be implemented in data warehouses.

Abstract: A method and system for enforcing access control to system resources and assets. Security attributes associated with devices that initiate transactions in the system are automatically generated and forwarded with transaction messages. The security attributes convey access privileges assigned to each initiator. One or more security enforcement mechanisms are implemented in the system to evaluate the security attributes against access policy requirements to access various system assets and resources, such as memory, registers, address ranges, etc. If the privileges identified by the security attributes indicate the access request is permitted, the transaction is allowed to proceed. The security attributes of the initiator scheme provides a modular, consistent secure access enforcement scheme across system designs.

Abstract: A method includes receiving packaged custom data transform element parameters at an information handling system wherein the information handling system hosts an automated development system platform for creating an integrated business process application. The method also includes registering a custom data transform element described by the custom data transform element parameters with the automated development system platform, and updating the automated development system platform with the custom data transform element.

Abstract: A computer-implemented method for validating login attempts based on user location may include (1) detecting a login attempt by a user to log into a user account, where the login attempt originates from an atypical location, (2) determining that the atypical location is inconsistent with a pattern of past login locations for the user, (3) retrieving location information that indicates a current location of the user from at least one third-party Internet resource, (4) determining, based on the location information, that the atypical location of the login attempt matches the current location of the user, and (5) trusting that the login attempt legitimately originates from the user based at least in part on the atypical location matching the current location of the user. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The subject disclosure is directed towards securing a computing device using content-based isolation. When the computing device requests content data having different ownership, a monitor component identifies and groups trusted portions of the content data into one or more isolation containers such that only trusted programs are permitted access. Other programs are, therefore, untrusted and can be denied access in order to prevent malicious activity, unless access is approved by the content owner.

Abstract: Embodiments of the invention relate to a system and computer program product to intelligently provide consent to access a record in a shared pool of resources. Tools are provided to support policies to address and maintain restrictive access of a designated record, both with respect to local and non-local rules and regulations, as well as personal restrictions pertaining to personal and discretionary sharing decisions.

Abstract: A resource stack managed by a resource stack provider is created based on a resource stack template that integrates a custom resource from a second provider into the resource stack using a notification system with the second provider. For example, a customer may create a template that defines a resource stack that comprises resources available from the resource stack provider and one or more custom resources provided by a second provider. When a resource stack is created, resources available from the resource stack provider may be provisioned. Custom resources may be initialized by notifying the provider of the custom resource of the requested integration of the custom resource with the resource stack and requested configuration details. The custom resource provider may respond with an indication of successful integration when the custom resource has been successfully initialized. After initializing the resources, the resource stack may be enabled for use.

Abstract: A method implemented by a processor and a system develop a software project targeting one or more remote systems. The method includes generating a project on a local system, which includes receiving user input through a user interface. The project includes one or more source files. The method also includes generating one or more remote contexts corresponding to the one or more remote systems.

Abstract: A system and method is provided for selecting an appropriate user account for accessing an application, the system, the method including receiving a request to launch an application while in a first user account, identifying a plurality of user accounts including the first user account, selecting one of the plurality of identified user accounts for launching the application, wherein the selected one of the plurality of user accounts provides functionality for launching the application and providing the user with access to the selected one of the plurality of identified user accounts.

Abstract: A disclosed image forming apparatus includes an authentication information reception unit configured to receive first authentication information input to the image forming apparatus, an authentication control unit configured to send the first authentication information to a first authentication apparatus connected to the image forming apparatus via a network and cause the first authentication apparatus to carry out a first authentication based on the first authentication information, and an authentication information recording unit configured to record, when the first authentication based on the first authentication information has succeeded, the first authentication information therein as second authentication information.

Abstract: Policy enforcement in an environment that includes virtualized systems is disclosed. Virtual machine information associated with a first virtual machine instance executing on a host machine is received. The information can be received from a variety of sources, including an agent, a log server, and a management infrastructure associated with the host machine. A policy is applied based at least in part on the received virtual machine information.

Abstract: Systems and methods for dynamic development and deployment of computing applications including a development framework, a visual design subsystem, and a deployment subsystem, where at runtime the deployment subsystem is operable to dynamically deploy a computing application realized by a blueprint by sending a request at runtime for graphs and components instantiated by the blueprint.