Abstract: Upon receiving an account creation request from a client, the server determines a count of new account requests, each having a respective password, received during a predefined time period, that satisfy a requirement that the respective password is a function of the password in the received account creation request, and determines a popularity value associated with the password. The server associates a spam score, based at least in part on the count and the popularity value, with the account creation request, and compares the spam score with certain predefined thresholds. If the spam score is above a first threshold, the server may refuse the account creation request. If the spam score is within a certain range, the server may limit the access to the account associated with the account creation request. If the spam score is below a second threshold, the server may enable normal use of the account.

Abstract: An encrypted resource is stored in association with an access control list. A request to retrieve the resource is received. The wrapped key and the authentication credentials are sent, from the application server system, to a key server system. An unencrypted version of the resource encryption key is received from the key server system if the key server system determines that the authentication credentials correspond to a user in the group of users identified by the group identifier. The stored encrypted resource is decrypted using the received unencrypted version of the resource encryption key to generate an unencrypted version of the resource. The unencrypted version of the resource is sent, from the application server system, to the client application.

Abstract: Apparatus, methods, and computer program products for providing portable communication identity services are provided. A request is received to access a portable communication identity from a communications device. User information is received that is input by a user of the communications device, and the user information is authenticated. Capabilities of the communications device are accessed, and the portable communication identity is transmitted in accordance with the capabilities of the communications device.

Abstract: Provided are a method for authenticating a user terminal in an interface server, and an interface server and a user terminal using the same. The method includes receiving authentication request information from an application service providing server in order to request the interface server to authenticate the user terminal receiving an application service provided from the application service providing server, authenticating the user terminal according to the authenticating request information using an authentication method selected by the interface server or a user of the user terminal, and transmitting authentication response information including an authentication result of performing the authentication method to the application service providing server. The interface server provides an interface for a network to the application service providing server.

Abstract: Architecture for secure transmission of data from a sender to a receiver can include multiple network server nodes and a processor that contains computer instructions stored therein for causing the processor to accomplish the methods for secure transmission. The methods can include the initial step of generating a nonce at a server node. A copy of the nonce can be securely transmitted to the intended recipient of the information. The nonce can then be encrypted at the server node using an encryption means that is remotely located from the server node. The actual information is then transmitted from the sender to the server node. The server node decrypts the nonce at the server node using the encryption means, and encodes the information using the decrypted nonce, which is then deleted. The receiver then accesses the server node and decodes the information using its last remaining copy of the nonce.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for performing multi-factor authentication. In one aspect, a method includes determining that the identity of a user has been successfully proven using a first of two or more authentication factors, allowing updates or requests for updates to be initiated after the identity of the user has been successfully proven using the first authentication factor, logging the updates or requests for updates that are initiated after the identity of the user has been successfully proven using the first authentication factor, determining that the identity of the user has not been successfully proven using a second of the two or more authentication factors, and reverting the updates, or discarding the requests for updates, based on determining that the identity of the user has not been successfully proven using the second authentication factor.

Abstract: Methods, apparatuses, and computer program products are provided for controlling access to a resource. A method may include determining one or more request attributes associated with a request for access to the resource. The method may further include accessing an access control list associated with the resource. The access control list may include one or more access control attributes associated with the resource. The method may additionally include determining a permission defining one or more access abilities for the resource at least in part by comparing the request attributes to the access control attributes and, for any access control attribute corresponding to a request attribute, including an ability associated with the corresponding access control attribute in the permission. The method may also include determining whether to grant the request based at least in part on the determined permission. Corresponding apparatuses and computer program products are also provided.

Abstract: An electronic device includes a requesting application and a hosting application. When the requesting application requests permission from the hosting application to access a category of data, the device identifies the requesting application and the permission request. The device awaits a user input to determine whether the user will permit the requesting application's request to be granted.

Abstract: A novel architecture for a data sharing system (DSS) is disclosed and seeks to ensure the privacy and security of users' personal information. In this type of network, a user's personally identifiable information is stored and transmitted in an encrypted form, with few exceptions. The only key with which that encrypted data can be decrypted, and thus viewed, remains in the sole possession of the user and the user's friends/contacts within the system. This arrangement ensures that a user's personally identifiable information cannot be examined by anyone other than the user or his friends/contacts. This arrangement also makes it more difficult for the web site or service hosting the DSS to exploit its users' personally identifiable information. Such a system facilitates the encryption, storage, exchange and decryption of personal, confidential and/or proprietary data.

Abstract: A method, a system, and a device for implementing device addition in a Wireless Fidelity (Wi-Fi) Device to Device (D2D) network are provided, which belong to the field of communication. The method includes: receiving, by a first D2D client device, a first add request message forwarded by a D2D master device, in which the first add request message carries an identifier of a new device to be added to the D2D network; receiving a first Personal Identification Number (PIN) code of the new device; and forwarding the received first PIN code to the D2D master device, in which the first PIN code of the new device is used for implementing that the D2D master device performs Wi-Fi Protected Setup (WPS) security configuration of the new device according to the first PIN code.

Abstract: A method, performed by a computer device, may include receiving personal data from a user device associated with personas, where each of the personas corresponds to at least one classification of requesters, associating the received personal data with at least one of the personas, and identifying any of the classifications that correspond to the personas associated with received personal data. The method may further include receiving, from a data requester, a query including a request for the personal data; associating the data requester with a classification; and comparing the classification associated with the data requester to the classifications associated with personal data. The method may further include sending, to the data requester, a message containing the personal data in response to the classification of the data requester corresponding to the classifications of the personal data.

Abstract: An apparatus and method for installing a software package are provided. The apparatus includes a storage unit which stores a software package used to operate the apparatus by a digital device and authentication information used for an authentication by the digital device, a receiving unit which receives the result of authentication about the authentication information from the digital device, and a transmitting unit which uploads the software package to the digital device according to the received result of the authentication.

Abstract: A reputation server is coupled to multiple clients via a network. A security module in each client monitors client encounters with entities such as files, programs, and websites, and then computes a hygiene score based on the monitoring. The hygiene scores are then provided to the reputation server, which computes reputation scores for the entities based on the clients' hygiene scores and the interactions between the clients and the entity. When a particular client encounters an entity, the security module obtains a reputation score for the entity from the reputation server. The reputation score may comprises a statistical measure based on a number of other trustworthy or “good hygiene” clients that have a hygiene score above a threshold. The client communicates this reputation score to a user with a message indicating that the reputation score is based on other clients deemed trustworthy.

Abstract: A method and apparatus for controlling document access and application usage using centrally managed rules. The rules are stored and manipulated in a central rule database via a rule server. Policy enforcers are installed on client systems and/or on servers and perform document access and application usage control for both direct user document accesses and application usage, and application program document accesses by evaluating the rules sent to the policy enforcer. The rule server decides which rules are required by each policy enforcer. A policy enforcer can also perform obligation and remediation operations as a part of rule evaluation. Policy enforcers on client systems and servers can operate autonomously, evaluating policies that have been received, when communications have been discontinued with the rule server.

Abstract: A system controlling online access to a study course verifies the identity of an individual taking a study course over a global computer network from a first computer at a node of the network. The first computer has a biometric identification program and communicates over the network with a second computer that is at a network node other than a node of the first computer. The second computer includes study program material. The first computer operates a biometric reader, which obtains a first set of biometric data from the individual and a second set of biometric data from the individual while access is granted to course material. The biometric identification program compares the first set of data with the second set of data to make a verification of the identity of the individual and communicates the verification to the second computer.

Abstract: Enabling discretionary data access control in a cloud computing environment can begin with the obtainment of a data request and response message by an access manager service. The response message can be generated by a data storage service in response to the data request. The access manager service can identify owner-specified access rules and/or access exceptions applicable to the data request. An access response can be determined using the applicable owner-specified access rules and/or access exceptions. Both the response message and the access response can indicate the allowance or denial of access to the requested data artifact. The access response can be compared to the response message. If the access response does not match the response message, the response message can be overridden to express the access response. If the access response matches the response message, the response message can be conveyed to the originating entity of the data request.

Abstract: In one embodiment, a system processes access decisions for individuals where the system includes a portable handheld housing for the processor, display, internal memory, and card reader of the system.

Abstract: A system (101) for implementing redaction rules in compliance with an organization's privacy policy, where the system intercepts messages between an information source (103) and an information destination (102), modifies the message contents based on redaction rules (106) and forwards the redacted contents over to the client. The system also maintains a record of the redacted information and updates the contents of any message submitted by the client (102) in order to maintain database integrity.

Abstract: An embodiment of the invention is a program for dynamically managing files to comply with security requirements. In one embodiment, changing security requirements require that the computer system identifies the current storage locations of files along with the files' respective security levels. Files containing changed security levels due to the changed security requirements are relocated to storage locations clustered with storage locations containing files of the same security level. In another embodiment, the computer system receives a file having a certain security level, identifies current storage locations of files with the files' respective security levels, and finally allocates the new file to a storage location clustered with storage locations containing files of the same security level.

Abstract: A server may receive encryption key requests that each identify a sender of the encryption key request and at least one recipient of information that is to be encrypted with the requested encryption key. In response, an encryption key may be sent to the sender of the encryption key request. Information identifying the sender and the at least one recipient may be stored. The server may receive decryption key requests that each identify a sender of the decryption key request and a sender of encrypted information. In response, a decryption key may be sent to the sender of the decryption key request if and only if the sender of encrypted information and the sender of the decryption key request, as both identified by the information in the decryption key request, match, respectively, a sender of an encryption key request and an associated recipient, as both identified by the stored information.

Abstract: Generally, aspects of this disclosure are directed to copy protection techniques. Areas in memory may be secured to establish a secure memory area in the memory that is not accessible by unauthorized clients. A request to decode video content stored in the secure memory area may be received. If the video content to be decoded is stored in the secure memory area, a first MMU associated with the hardware decoder may enforce a rule that the video content is to be decoded into one or more output buffers in the secure memory area. A request to display the decoded video content stored in the secure memory area may be received. If the decoded video content is stored in the secure memory area, a second MMU associated with a hardware display processor may enforce a rule that a secure link be established between the hardware display processor and an output device.

Abstract: A method relates to authority checks governing user access to business object attachments in a store of business object attachments. The business object attachments are semantically associated with business objects of one or more remote computer systems. The method includes, at a content management interface layer that is communicatively coupled to the store of business object attachments, sending a request for user authority checks on a parent business object of a business object attachment to an originating computer system and receiving results of the user authority checks from the originating computer system.

Abstract: In a method for configuring access rights, a UPnP (Universal Plug and Play) device receives CPID information sent by a first CP without administrator rights, wherein the CPID information comprises an ID of another CP obtained by the first CP. Then the UPnP device sends a CPID list that carries the CPID information to a second CP with administrator rights. And the UPnP device receives a CP right configuration command sent by the second CP, and configures access rights for at least one CP corresponding to a CPID in the CPID list.

Abstract: Devices, system, and methods of secure entry and handling of passwords and Personal Identification Numbers (PINs), as well as for secure local storage, secure user authentication, and secure payment via mobile devices and via payment terminals. A computing device includes: a secure storage unit to securely store a confidential data item; a non-secure execution environment to execute program code, the program code to transport to a remote server a message; a secure execution environment (SEE) to securely execute code, the SEE including: a rewriter module to securely obtain the confidential data item from the secure storage, and to securely write the confidential data item into one or more fields in said message prior to its encrypted transport to the remote server.

Abstract: An example apparatus includes a non-certified computing platform, a certified computing platform and a user interface. The non-certified computing platform includes first hardware and configured to host non-certified software. The certified computing platform is separate and distinct from the non-certified computing platform, and it includes second hardware and configured to host certified software in a partitioned environment. The user interface is coupled to both platforms and includes a display coupled to both the first hardware and second hardware via a controllable switch. According to this example, the non-certified computing platform and certified computing platform are configured to host the non-certified software and certified software such that both are capable of operating concurrently.

Abstract: External network connectivity of an internal host can be measured by giving an external computer a payload identifying the internal host and instructions to deliver the payload to an external host. The external host may receive the payload and contact the internal host. The internal host's response and receipt of the payload may then determine the Internet connectivity of the internal host. The path from the computer through the trusted host to the internal server shows external network connectivity without exposing the internal host to the external network directly.

Abstract: There is provided an identifier authenticating system in which information requesting users can share all predetermined information held in a plurality of information providing servers. In the identifier authenticating system, when an identifier holding user 18 presents an identifier to an information requesting server 16, the information requesting server 16 asks a location managing server 14 about a location of an information providing server 15; the location managing server 14 returns a confirmed IP address of the information providing server 15 to the information requesting server 16 based on the location information; and the information requesting server 16 uses the confirmed IP address to access the information providing server 15 corresponding to the confirmed IP address and receives predetermined information specified by multiplying n pieces of identification information from the accessed information providing server.

Abstract: A technique for providing message authenticity includes accepting transaction information, accepting a first data item used for authenticating an originating user, cryptographically processing the transaction information using only a second data item, wherein the entropy of the first data item is less than the entropy of the second data item, and authenticating the originating user using the first data item. The first data item can be a sequence of digits corresponding to those displayed on an external device, such as, for example, an RSA authorization token, credit card, etc.

Abstract: A method of providing access to downloadable protected video content includes providing parental controls. The parental controls include a parental control password. Purchase controls are also provided and include a purchase control password. The purchase control password is different from the parental control password. Further, protected video content is downloaded and stored to a memory within a set top box when both the parental controls and the purchase controls are satisfied. A number of attempts to correctly input the parental control password or the purchase control password are monitored. When the number of attempts for either password exceeds a predetermined threshold, a user is prevented from further attempts to input the respective password. Moreover, the attempt to download protected video content is canceled, and further downloads of protected video content are prevented for a predetermined time period.

Abstract: A Multilevel Security (MLS) server provides MLS functionality to single-level applications running on a remote Multiple Independent Level Security (MILS) or MLS client device. More specifically, the MLS server provides a plurality of different security domains in which applications can execute. The client device executes a single-level application in a first security domain, the single-level application not natively capable of communicating with other domains. The single-level application in the first security domain sends a request to the MLS server. The MLS server receives the request, passing it to all applicable domains, including a second security domain, where it is duly executed. The MLS server then provides the results of the request execution—if any—back to an appropriate application on the client device.

Abstract: Architectures and techniques that allow a firmware agent to operate as a tamper-resistant agent on a host platform that may be used as a trusted policy enforcement point (PEP) on the host platform to enforce policies even when the host operating system is compromised. The PEP may be used to open access control and/or remediation channels on the host platform. The firmware agent may also act as a local policy decision point (PDP) on the host platform in accordance with an authorized enterprise PDP entity by providing policies if a host trust agent is non-responsive and may function as a passive agent when the host trust agent is functional.

Abstract: An audio-video display device can download from a third party server a licensable component on which a royalty is to be paid. Various methods are disclosed for accounting for royalties associated with downloading the licensable component to the client device between the third party server and a client device manufacturer server.

Abstract: A device supports the processing of multiple active applications in a processor through a mapping system that securely identifies and differentiates commands issued by clients. An entity selection signal is generated by the mapping system to signal the processor to process an algorithm and provide services for a specific client using the commands identified for that client and data permitted by a client tracking system for that client. Other data accesses and commands identified for other clients are restricted when processing the algorithm.

Abstract: Near field communication (NFC) device including a processor and a front end unit (FEU) to communicate with an external reader/writer device. The FEU stores, by first memory, a first number of sets of application parameters, each set including first and second identifiers. The processor stores, by second memory, the application and a second number of the sets. The FEU receives a communication request from the external device, including a certain first identifier. The FEU checks, when the request is received, whether the certain first identifier is stored in the first memory. If yes, a response is sent to the external device, including a respective second identifier, which is in the same set of parameters as the certain first identifier. The FEU sends, each time a request is received, a response to the processor. The processor controls which sets of parameters are stored in the first memory based on the response.

Abstract: In at least one implementation a method includes receiving an identifier associated with a device, entering the identifier into a network controller device, inviting the device associated with the identifier to join a network, admitting the device associated with the identifier to the network, sending the device associated with the identifier a name of the network, and confirming that the device has joined the network as a device recognized by the network controller device.

Abstract: A log message collection system selects a configured host and fetches a log message. The log message collection system examines the fetched message to identify one or more DLLs necessary to translating the log message and determines whether the necessary DLL(s) have been loaded into a cache. If so, the log message is translated. If the DLLs are not in the cache, the log message collection system fetches from the log message host only the DLLs necessary to translate that fetched message. After the message is translated, the log message collection system fetches the next log message, identifies the necessary DLLs for that log message, and fetches the DLLs necessary to translate that message.

Abstract: One embodiment of the present invention provides a system that facilitates the transfer of a software license from a first client to a second client. The system operates by receiving a request at the first client to deactivate the software license for an associated application installed on the first client. The system then receives a deactivation request that includes an identifier for the license at a license activation server from the first client. Next, the system validates the identifier on the license activation server to determine if the identifier is a valid identifier. If so, the system sends a deactivation message to the first client, receives a deactivation response from the first client, and increments a count of license instances available for the identifier on the license activation server.

Abstract: There is provided a method and system for allocating an entitlement to digital media content. In one implementation, the system includes a media server accessible over a communications network and configured to utilize a processor to issue the entitlement including a transferable authorization to access the digital media content to a first user, and to store an entitlement record identified with the first user and authorizing access to the digital media content by the first user in a memory of the media server. The media server is further configured to receive a communication including a data corresponding to the transferable authorization to access the digital media content from a second user and to update the entitlement record to authorize access to the digital media content by the second user.

Abstract: A method, apparatus and computer program product for providing challenge protected user queries on a local system is presented. A query is presented to a user. A response to the query is received and a determination is made whether the response is administratively less desirable than a threshold. When the response is administratively less desirable than said threshold, then a challenge is provided to the user. The response is accepted when the user responds correctly to the challenge and the response is not accepted when the user fails to correctly respond to the challenge.

Abstract: A system for in-person identity verification comprises a computing device, an identity broker, a verifier system and a network. The user computing device sends a request for identity verification to the identity broker and it responds with a verification ticket including a unique identification number. The user presents the ticket to a clerk using the verifier system. The clerk inputs the unique identification number to the verifier system, the verifier system sends it to the identity broker and the identity broker sends user information that the verifier system presents to the clerk. The clerk compares the information to a photo government ID of the user and inputs whether the information presented by the user matches the information presented by the verifier, and whether the person is the person in the photo ID. Based on the clerk's input, the identity broker sends to the user computing device a message indicating whether the verification was confirmed or declined.

Abstract: The present invention provides a method, system, and program product for preventing unauthorized changes to an electronic document (or a portion thereof). Specifically, under the present invention, an electronic document having a user interface control (UIC) is obtained. It is then determined whether a portion of the electronic document for which the user interaction is being attempted is protected by examining at least one of: a signature status of data associated with the UIC, or an archival status of the UIC. Based on this determination, the user interaction will be denied if it affects at least one of: the data, or a presentation property that affects an interpretation of the data is prevented. A notice indicating the denial of the user interaction can then be communicated to a user/party attempting the user interaction.

Abstract: An embodiment includes a computer-implemented method of managing access control policies on a computer system having two high-level programming language environments. The method includes managing, by the computer system, a structured language environment. The method further includes managing, by the computer system, a dynamic language environment within the structured language environment. The method further includes receiving a policy. The policy is written in a dynamic language. The method further includes storing the policy in the dynamic language environment. The method further includes converting the policy from the dynamic language environment to the structured language environment. The method further includes generating a runtime in the structured language environment that includes the policy.

Abstract: A method for selectively controlling access to electronic media disposed on a media storage device according to one embodiment is described. The method comprises creating a first list comprising a plurality of process identification values. Each of the plurality of process identification values of the first list is associated with a software application that is accessing the media disposed upon the media storage device. The method further includes creating a second list comprising a second plurality of process identification values. Each of the second plurality of process identification values is associated with a software application that is storing data. The method further includes determining that a particular software application is creating an unauthorized copy of the media disposed upon the media storage device. The method further includes preventing the particular software application from storing a usable copy of said electronic media.

Abstract: A communication management system includes: a normal signature list which stores a list of signatures of normal communication; a search circuit which acquires communication data and searches the normal signature list to check if the signature of the communication data appears in the list; and a warning unit which issues a warning when communication data does not match any signature in the normal signature list. An operator terminal includes: a determination result acquisition unit which indicates whether or not communication data against which a warning has been issued is normal; and a normal signature list update unit which, when communication data against which a warning has been issued is found to be normal, adds the signature of the communication data to the normal signature list.

Abstract: Described are methods and apparatuses, including computer program products, for dynamic integration and linear presentation of advertising content and media content. The method includes receiving a request for media content; combining the requested media content and advertising content to provide an interactive advertising unit; and transmitting the interactive advertising unit for presentation on the remote computing device, wherein the advertising content is presented before the requested media content. The interactive advertising unit includes a first content layer including the requested media content and a media player, a second content layer including the advertising content, and an integration module for coordinating interaction between the layers.

Abstract: Users of mobile terminals in a communication network are provided controlled access to files in a file system through the steps of configuring the files as a file body containing a file content and a file header containing content profile information; providing a security identity module and a secure agent; storing in the security identity module user profile information identifying a set of content profiles allowed for access to the file system; extracting, via the secure agent, the content profile information from the headers of the files; retrieving, via the secure agent, the user profile information stored in the security identity module; checking the user profile information and the content profile information; and providing the user with access to those files in the file system for which the user profile information and the content profile information are found to match.

Abstract: The present invention provides a remote operation system, a relay device, a communication device, and a remote operation method which are capable of executing collective remote operations. The remote operation system according to the present invention includes communication devices (10); an external device (50) that specifies at least one communication device as a target of a remote operation among the communication devices (10), and accepts an input of a remote operation content to be executed for the specified communication device; and relay means for relaying communication between the specified communication devices (10) and the external device (50). The relay means includes storage means for storing the remote operation content accepted by the external device (50), and notification means for notifying the specified communication device of the remote operation content.

Abstract: An information security apparatus and a security system, which prevent eavesdropping on input information input by an input device and identify eavesdroppers, includes a key input interface unit inputting secret information returns a decoy key input value when receiving a read access from unprotected domain 1011. Further, a payment-processing company, which judges whether it is possible or not to use a service such as electronic payment-processing, provides the information security apparatus with an immediate value to be used as the decoy key input value when performing an authentication. Accordingly, a person who attempts to eavesdrop on the input from a key input unit acquires the decoy key input value. If the decoy key input value is used when requesting payment-processing company to perform an authentication, the payment-processing company recognizes the person who requests the authentication as an eavesdropper.

Abstract: A named object view of a report is generated from an electronic data file. Objects in the file to be published are identified in the file. A named object view of the report associated with the file is generated by displaying published identified objects according to associated viewing rights. A viewer at a client is presented with the named object view of the report, according to the viewing rights, such that the viewer's attention is focused on the published objects.

Abstract: A method for authorizing an off-line image device to play contents in use of a recording medium, including recording an encrypted key on a recording medium; recording contents on the recording medium using the encrypted key; and recording information as to a play right to play the contents recorded on the recording medium. Thus, the off-line image device can be authorized to play contents in use of the recording medium. As a result, the off-line image device can play contents that are recorded on the recording medium and must be authorized to play the contents.