Abstract: A method includes: generating object information that indicates an object designated from among a header item, text, and attached information of a received email, or feature amount information based on the object information and a predetermined function, when a source is an address in an internal network, decrypting verification information added to the received email using secret key information shared in the internal network, when the source is an address over an external network, decrypting the verification information using public key information shared with the source, and verifying whether or not the received email is a spoofed mail based on the object information or the feature amount information, and the decrypted verification information.

Abstract: A system and method of encrypting digital content in a digital container and securely locking the encrypted content to a particular user and/or computer or other computing device is provided. The system uses a token-based authentication and authorization procedure and involves the use of an authentication/authorization server. This system provides a high level of encryption security equivalent to that provided by public key/asymmetric cryptography without the complexity and expense of the associated PKI infrastructure. The system enjoys the simplicity and ease of use of single key/symmetric cryptography without the risk inherent in passing unsecured hidden keys. The secured digital container when locked to a user or user's device may not open or permit access to the contents if the digital container is transferred to another user's device. The digital container provides a secure technique of distributing electronic content such as videos, text, data, photos, financial data, sales solicitations, or the like.

Abstract: Content analysis is performed on documents that have been scanned or converted into a digital format. Based on the content analysis of a document, a security policy is selected and assigned or attached to the document. The security policy prevents the document from being improperly accessed. In a specific implementation, the documents include patient medical records.

Abstract: According to one embodiment of the present invention, a system analyzes data in response to detecting occurrence of an event, and includes a computer system including at least one processor. The system maps fields between the data and a fingerprint definition identifying relevant fields of the data to produce a fingerprint for the data. The data is deleted after occurrence of the event. The produced fingerprint is stored in a data repository, and retrieved in response to detection of the event occurrence after the data has been deleted. The system analyzes the retrieved fingerprint to evaluate an impact of the event on corresponding deleted data. Embodiments of the present invention further include a method and computer program product for analyzing data in response to detecting occurrence of an event in substantially the same manner described above.

Abstract: Systems and methods disclosed allow a permitting party to share personal information with a receiving party. The receiving party may use the information to authenticate the permitting party, assess the permitting party, determine if the permitting party is compatible with one or more other users associated with the receiving party, or validate the permitting party. The permitting party may define how much of the permitting party's personal information is shared, and/or limit the use of the information for one or more specific purposes. A requesting party may also set up criteria for the types of information it wants to review along with the intended use of the information. The systems and methods disclosed also enables permitting parties the ability to grant requesting parties access to requested information.

Abstract: Techniques, including systems and methods, take frequent captures of data sets for the purpose of forensic analysis. The data set captures are taken at the block level in various embodiments. Data set captures are used to instantiate forensic storage volumes that are attached to computing instances. The computing instances can access data in the forensic storage volumes at a state corresponding to a specified capture time. A user can select different capture times to re-instantiate the forensic storage volume to see how the forensic storage volume changed between captures.

Abstract: This invention creates separation between personal applications and corporate applications on a data processing device, so that both types of applications can run simultaneously while complying with all required policies. This enables employees to use their personal devices for work purposes, or work devices for personal purposes. The separation is created by dividing the data processing device into two or more “domains”, each with its own policies. These policies may be configured by the device owner, an IT department, or other data or application owner.

Abstract: A method and system for controlling the execution of a function protected by authentication of a user and which is provided for example for the access to a resource. The method includes inputting, by the user, of personal data using an input device, authenticating the user with the input personal data for authorizing or not authorizing the execution of the function; in a secure card connected to the input device, storing limited validity authentication data dependant on the input data; when the card is connected to a processing device by which the user generates a message whose processing implements the function, using the stored data, taking into account the limited validity, to authorize or not authorize the execution of that function.

Abstract: Described herein are devices and techniques related to implementation of a trustworthy electronic processing module. During fabrication, a manufacturer is provided with partial technical specifications that intentionally exclude at least one critical design feature. Fabrication of the electronic processing module is monitored from a trusted remote location; wherefrom, the intentionally excluded at least one critical design feature is implemented, thereby completing manufacture of the trustworthy electronic processing module. At least one of the acts of monitoring and implementing can be accomplished by instantiating executable software remotely from a trusted remote location and immediately prior to execution. It is the executable software that enables at least one of the acts of monitoring and implementing. Further, the instantiated executable software is removed or otherwise rendered inoperable immediately subsequent to execution.

Abstract: A processor-implemented method, system, and/or computer program product securely accesses a specific data store. A non-contextual data object is associated with a context object to define a first synthetic context-based object. The non-contextual data object ambiguously describes multiple types of persons, and the context object provides a circumstantial context that identifies a specific type of person from the multiple types of persons. The first synthetic context-based object is associated with at least one specific data store in a data structure. A string of binary data that describes a requester of data is received by a security module for generating a new synthetic context-based object. If there is a match between the new synthetic context-based object and the first synthetic context-based object, then the data is returned to the requester.

Abstract: A method for securing a first program with a second program, a third program and a fourth program, each program comprising constitutive elements having a finite number of program points and evolution rules associated with the program points and defining the passage from one program point to another program point, and each program comprising a definition of a set of properties each property being associated with one or more of the constitutive elements of the program. The fourth program constructed by defining at least one relation between at least one constitutive element of the second program and at least one constitutive element of the third program, said relation being named a correspondence relation, and at least one property of the third program being proven, propagate the proof of said property to at least one property of the first program by exploitation of the correspondence relation.

Abstract: A Secure Non-autonomous Peering (SNAP) system includes a hierarchical digital watermarking scheme, a central licensing authority, licensed fabricators and assemblers.

Abstract: A system and method for non-retained electronic messaging is described. In one embodiment, the system includes a message receiver module, a message storing and identifier generation module, a message retrieval module and an expunging module. The message receiver module receives a message. The message storing and identifier generation module stores the message in a non-transitory, non-persistent memory of one or more computing devices, generates a message identifier and sends the message identifier to a recipient device. The message retrieval module receives a selection of the message identifier from the recipient device, retrieves the message from the non-transitory, non-persistent memory, and sends the message to the recipient device for presentation. The expunging module expunges the message from the one or more devices responsive to sending the message to the recipient device for presentation.

Abstract: A method is provided to verify that a memory device has been erased and that the device is the originally intended item. Physically uncloneable features of the memory are revealed after erase and form the data for a fingerprint that verifies that the memory has not been exchanged for another memory. A PUF inherent in multiple memory devices included in the memory is revealed upon erase and the PUF is used to create and ID. This ID is compared to the ID for the original unit.

Abstract: A system and computer-implemented method for securely managing enterprise related applications and associated data on one or more portable communication devices is provided. The system comprises one or more appboxes, residing on the one or more portable communication devices, configured to secure, monitor and collect information related to at least one of: one or more applications and associated data and the one or more portable communication devices. The system further comprises a server configured to facilitate one or more administrators to monitor and manage overall functionality of at least one of: the one or more applications and associated data and the one or more portable communication devices using the collected information.

Abstract: A method, system, and computer-readable storage media for providing user based licensing of an application are provided herein. The method includes receiving user log-in information from a computing device at a licensing service in response to an input by a user and providing a license for an application to the computing device, wherein the license includes device specific information associated with the user. The method also includes activating the application on the computing device using the device specific information.

Abstract: In one embodiment, a security method for making secure a computer application being executed on a terminal is disclosed. In one embodiment the security method comprises obtaining information to the effect that the application is about to invite a user of the terminal to input data, accessing a binary file representative of a secret image known to the user of the terminal, the binary file being stored in a secure element of the terminal, constituting a complex image in the secure element, the complex image being obtained from the secret image and from dynamic data that is inaccessible to said terminal, and displaying the complex image on a screen of the terminal.

Abstract: A computing system and/or network environment in which users can transfer (or initiate transfer of) digital content items to other users in accordance with a variety of transaction parameters that are specified by the user.

Abstract: A method for using a location-based service while preserving anonymity includes receiving a location associated with a mobile node, receiving an anonymity level associated with the mobile node, computing a region containing the location of the mobile node and a number of footprints based on the anonymity level, wherein each of the footprints from a different user, and providing the region to a location-based service to thereby preserve anonymity of the mobile node. A method also allow a mobile device or its user to specify the anonymity level by selecting a public region consistent with a user's feelings towards desired privacy.

Abstract: Systems, methods, computer readable media and articles of manufacture consistent with innovations herein are directed to computer virtualization, computer security and/or data isolation. According to some illustrative implementations, innovations herein may utilize and/or involve a separation kernel hypervisor which may include the use of a guest operating system virtual machine protection domain, a virtualization assistance layer, and/or a rootkit defense mechanism (which may be proximate in temporal and/or spatial locality to malicious code, but isolated from it), inter alia, for detection and/or prevention of malicious code, for example, in a manner/context that is isolated and not able to be corrupted, detected, prevented, bypassed, and/or otherwise affected by the malicious code.

Abstract: A shortcut management device capable of improving user-friendliness of a portal application. The shortcut management device is capable of executing shortcuts which use functions of an electronic apparatus, and manages at least part of the functions used by the shortcuts. A storage unit registers shortcuts. An invalidation detecting unit detects that the license is invalidated. A retrieval unit retrieves a shortcut made inexecutable in association with the license of which the invalidation is detected. An invalidation unit invalidates the retrieved shortcut.

Abstract: There are provided a method, system and service for computerized managing a plurality of data protection (DP) resources. The method comprises: accommodating data related to at least part of the DP resources among said plurality of DP resources in a memory thus giving rise to accommodated data, wherein at least part of the accommodated data is obtained by automated collecting; processing by a processor operatively coupled to the memory the accommodated data, said processing resulting in identifying at least one data protection (DP) scheme characterized, at least, by a data protection technique implemented with regard to at least one DP resource related to said DP scheme; identifying by the processor one or more data protection (DP) gaps affected the at least one DP resource; and using the identified one or more DP gaps for assessing, by the processor, DP risk score to the at least one DP resource.

Abstract: Embodiments of the present disclosure describe an apparatus, method, and computer readable medium for processing a secure transaction. One embodiment describes an apparatus comprising: a processor; a secure element coupled to the processor; and a connectivity device coupled to the secure element, and configured to exchange communications with a device that is external to the apparatus, and receive and execute one or more unsolicited commands from the secure element.

Abstract: The present invention relates to an information processing method, apparatus, and system. The method includes: receiving text information; performing calculation on the text information by using a first model to obtain a public sensitivity weight value corresponding to the text information; determining whether the public sensitivity weight value is greater than a first preset threshold; and if yes, displaying first processing prompt information indicating that the text information includes sensitive information; if no, performing calculation on the text information by using a second model to obtain an individual sensitivity weight value corresponding to the text information; and determining whether the individual sensitivity weight value is greater than a second preset threshold; and if yes, displaying second processing prompt information indicating that the text information includes sensitive information.

Abstract: Techniques for privacy scoring are disclosed. In some embodiments, privacy scoring includes collecting information associated with an entity; and generating a privacy score based on the private information that was collected that is associated with the entity. In some embodiments, privacy scoring further includes outputting the privacy score. In some embodiments, privacy scoring further includes determining private information that was collected that is associated with the entity.

Abstract: Technologies for labeling diverse content are described. In some embodiments, a content creation device generates a data structure that may include encrypted diverse content and metadata including at least one rights management (RM) label applying to the diverse content. The RM label may attribute all or a portion of the diverse content to one or more authors. The metadata may also be signed using an independently verifiable electronic signature. A consumption device receiving such a data structure may verify the authenticity of the electronic signature and, if verification succeeds, decrypt the encrypted diverse content in the data structure. Because the metadata is encapsulated with the diverse content in the data structure, it may accompany the diverse content upon its transfer or incorporation into other diverse content.

Abstract: An anti-malware system dynamically loads and unloads additional malware detection signatures based on a collection of data sources that indicate what signatures are relevant to a host machine in its current environment. A signature selector component determines what relevant signatures should be loaded. The signature selector component uses a variety of data sources either individually, or in combination, to determine relevancy of the available malware detection signatures. The anti-malware system dynamically determines which of the available malware detection signatures and classes of signatures are relevant and should be provided to a machine based on available information. The malware detection signatures are obtained and loaded automatically from one or more sources when a threat becomes relevant. A program or application may be blocked from accessing files until the relevant malware detection signatures have been loaded onto the machine.

Abstract: In a method for enabling support for backwards compatibility in a User Domain, in one of a Rights Issuer (RI) and a Local Rights Manager (LRM), a Rights Object Encryption Key (REK) and encrypted REK are received from an entity that generated a User Domain Authorization for the one of the RI and the LRM and the REK is used to generate a User Domain Rights Object (RO) that includes the User Domain Authorization and the encrypted REK.

Abstract: A data protection system selectively deletes data from an electronic device when the device is reported as lost or stolen, or when another data protection triggering event occurs. Different data files may, for example, be treated differently depending on when such files were created. For example, data files that were created while the computing device was known to be in the owner's possession may be deleted, while data files created after the electronic device left the owner's possession may be left intact (since they may have been created by an innocent user). Data files created between these two points in time may be quarantined so that they later be restored, if appropriate.

Abstract: Systems and methods for providing services are disclosed. One aspect comprises authenticating a user associated with a first service, receiving a selection of a second service, generating an opaque identifier associated with the user and the first service, wherein the opaque identifier facilitates the anonymous collection of data relating to the second service. Another aspect can comprise transmitting the opaque identifier to the second service, and receiving data relating to the second service.

Abstract: A method, system, and computer-readable storage media for licensing an application using sync providers are provided herein. The method includes receiving a request for a license for an application from a client sync provider at a licensing service and receiving information relating to the license from a commerce partner offering the application via a commerce partner sync provider. The method also includes returning the license for the application to a client computing device, receiving information relating to a state of the license from the client sync provider, and adjusting conditions of the license according to the state of the license.

Abstract: A method for encrypting print jobs that includes receiving output data, encrypting the output data with a randomly-generated symmetric session key, generating a session key header by encrypting the randomly-generated symmetric session key using an asymmetric user public key, and encrypting the session key header using a server public key.

Abstract: A system and method are provided for employing a hand-held wireless device to assess a vulnerability of a wirelessly-accessible target network to intrusion and/or cyber-attack. The system and method are directed at providing discrete, covert and fully-automated wireless access to the target network via one or more wireless access points and to assessing characteristic of the one or more wireless access points and the target network in support of a vulnerability assessment. The hand-held wireless device is configured to collect appropriate data regarding the wirelessly-accessible network, including network and portal scans, and higher-level programmed data collection. The hand-held wireless device is further configured to analyze the collected data and to produce at least a first level vulnerability assessment of the target network without interaction by the user.

Abstract: A memory device includes but is not limited to a substrate, a non-volatile memory array integrated on the substrate, and data security logic integrated with the non-volatile memory array on the substrate. The data security logic is operable to perform at least one data security function associated with the non-volatile memory array.

Abstract: A computer-implemented method for enforcing data-loss-prevention policies using mobile sensors may include (1) detecting an attempt by a user to access sensitive data on a mobile computing device, (2) collecting, via at least one sensor of the mobile computing device, sensor data that indicates an environment in which the user is attempting to access the sensitive data, (3) determining, based at least in part on the sensor data, a privacy level of the environment, and (4) restricting, based at least in part on the privacy level of the environment, the attempt by the user to access the sensitive data according to a DLP policy. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A derivative work is encrypted using master keys generated from source data extracted from digital sources used to create the derivative work. A software application permits a mix artist to encrypt and stream a derivative work to a worldwide web server, where it is made available to consumers. A software application permits the consumers to acquire and decrypt an encrypted derivative work if the consumer has possession of a corresponding digital source for each of the digital sources used to encrypt the derivative work.

Abstract: One or more file sharing computers receives a client request including an IP address and port number used by the client (computer). The one or more computers respond by creating an enhanced file handle from a hash on a combination of the IP address, port number, restricted key, and a standard file handle, and concatenating the hash with the standard file handle. The enhanced file handle is sent to the client and used by the client in a second request. The one or more computers uncouple the standard file handle and hash combination. Using the client IP address, port number, restricted key and standard file handle from the client second request, the one or more computers create a second combination. The second combination hash is compared to the first combination hash and in response to determining a match, the second request is accepted, and otherwise denied.

Abstract: A DRM client on a device establishes trust with a DRM server for playback of digital content. The client executes in a secure execution environment, and the process includes (1) securely loading loader code from secure programmable memory and verifying it using a digital signature scheme and first key securely stored in the device; (2) by the verified loader code, loading DRM client code from the memory and verifying it using a digital signature scheme and second key included in the loader code; (3) by the verified DRM client code (a) obtaining a domain key from the memory; (b) encrypting the domain key with a device identifier using a DRM system key included in the DRM client code; and (c) sending the encrypted domain key and device identifier to the DRM server, whereby the device becomes registered to receive content licenses via secure communications encrypted using the domain key.

Abstract: Completely automated tests that exploit capabilities of human vision to tell humans apart from automated entities are disclosed herein. Persistence of vision and simultaneous contrasts are some of the properties of human vision that can be used in these tests. A video of an image is generated in colors that are distinguishable to the human eye but are not easily distinguished numerically. The image includes text manipulated such that positive image data and negative whitespace data occur at equal rates along with a noise component included in each of the video frames. Thus, raw data is made ambiguous while qualities of human visual interpretation are relied upon for extracting relevant meaning from the video.

Abstract: A system for detecting and halting execution of malicious code includes a kernel-based system call interposition mechanism and a libc function interception mechanism. The kernel-based system call interposition mechanism detects a system call request from an application, determines a memory region from which the system call request emanates, and halts execution of the code responsible for the call request if the memory region from which the system call request emanates is a data memory region. The libc function interception mechanism maintains an alternative wrapper function for each of the relevant standard libc routines, intercepts a call from an application to one or more libc routines and redirects the call into the corresponding alternative wrapper function.

Abstract: A method for protection of cloud computing includes homomorphic encryption of data. Partially or fully homomorphic encryption allows for data within the cloud to be processed without decryption. A partially or fully homomorphic encryption is provided. The proposed scheme can be used with both an algebraic and analytical approaches. A cloud service is implemented on a server. A client encrypts data using fully homomorphic encryption and sends it to the server. The cloud server performs computations without decryption of the data and returns the encrypted calculation result to the client. The client decrypts the result, and the result coincides with the result of the same calculation performed on the initial plaintext data.

Abstract: Exemplary embodiments include methods of handling stored electronic original information objects that have been created by electronically signing information objects by respective authorized users and transfer agents, submitting signed information objects to a trusted repository system, validating the submitted signed information objects by at least testing the integrity of the contents of each signed information object and the validity of the signature of the respective transfer agent, and applying to each validated information object a date-time stamp and a digital signature and authentication certificate of the trusted repository system that is an electronic vault. One method includes the remote signing of electronic documents without the trusted repository ever releasing the electronic original documents and other information objects that are controlled and protected by the trusted repository system.

Abstract: A content reception equipment for accessing an in-home content transmission equipment from a remote place executes a first authentication process with the content transmission equipment in advance, executes the remote access information sharing process required for access from a remote place, and causes the information on the content reception equipment and the remote access information to be registered in an equipment information table of the content transmission equipment.

Abstract: A device, method, and system for secure mobile data storage includes a mobile data storage device having a short-range communication circuit, a long-range communication circuit, and a data storage for storing data. The mobile data storage device is used to store data used by a paired mobile communication device. The mobile data storage device and the mobile communication device communicate control signals over a wireless control link established using the short-range communication circuit and data over a wireless data link, different from the wireless control link, established using the long-range communication circuit. The mobile data storage device and/or mobile communication device may monitor a distance between the devices and perform a security function in response the devices being separated from each other. The mobile data storage device may backup data on a remote data server and/or repopulate data from the remote data server using the mobile communication device.

Abstract: A third party facilitates exchange of customer data between first and second entities while maintaining customer privacy. Personally identifiable information (PII) and first entity customer attributes of a first set of customers are received from a first entity. PIT for a second set of customers is received from a second entity. First and second set common customers are identified using the PII of the first and the second set of customers. Subsequently, a list of third set of customers is sent to the second entity. The list of third set of customers includes the common customers and a plurality of other customers from the second set of customers. Second entity customer attributes are received for each customer in the list of third set of customers. Further, the first entity customer attributes of the common customers and the second entity customer attributes of the common customers are linked.

Abstract: Techniques are provided for converting a node-locked licensing scheme to a cloud-based management of licenses to use computer products. In one example, a license manager device of a vendor receives a request to upgrade a computer product that is associated with a node-locked certificate that configures the computer product to be node-locked to a particular device. The request includes an identifier of the computer product. The license manager device registers the product identifier to a license pool of a customer account associated with the computer product. The license pool includes entitlements to use the computer product. The license manager device searches for node-locked entitlements that are associated with the node-locked certificate. The license manager device moves the node-locked entitlements to the license pool.

Abstract: A method includes a computer detecting an element from a data flow for at least one endpoint device; the computer using the detected element and a protection engine to assess security requirements for the flow of data for the at least one endpoint device; and the computer causing the protection engine to issue additional security controls for the at least one endpoint device.

Abstract: A system and method for dynamic anonymization of a dataset includes decomposing, at at least one processor, the dataset into a plurality of subsets and applying an anonymization strategy on each subset of the plurality of subsets. The system and method further includes aggregating, at the at least one processor, the individually anonymized subsets to provide an anonymized dataset.

Abstract: A method and an apparatus for controlling contents security in an electronic device are provided. The method includes determining at least one region for security setting in contents, and setting security to the region for security setting.

Abstract: A driver related data storage system comprising: a data generation module adapted to generate driver related data; an encryption module adapted to encrypt driver related data, a storage module adapted to store the encrypted driver related data, a code generation module adapted to generate a machine readable code based on the stored encrypted driver related data and an output module adapted to output the generated machine readable code.