Portable computing device access

According to an example of providing access to a portable computing device, a connection is established with a docking station. A request from the docking station to perform an action related to a portable computing device is received, and a rule associated with the portable computing device from a policy database is fetched. A determination is made whether to perform the action, and in the event that an action is to be performed, an instruction is transmitted to perform the action on the docking station.

УПРАВЛЕНИЕ ДОСТУПОМ НА ОСНОВЕ ДАННЫХ ОБ ИСТЕЧЕНИИ СРОКА ДЛЯ ДЕЙСТВИЯ

IDPS ACCESS-CONTROLLED AND ENCRYPTED FILE SYSTEM DESIGN

A method and system provides access control encryption for a file system. A resource management module manages access to data on a storage container and hosts a virtual file system including files representing the data on the storage container. An access control and encryption module encrypts each of the files with a respective file encryption key. The access control module generates a plurality of application containers each associated with a respective user and that include respective lists of files that the respective user is authorized to access. The access control and encryption module generates decrypts the files and allows access to files based on the lists of files in the application containers.

СПОСОБ, СИСТЕМА И УСТРОЙСТВО ДЛЯ ЗАЩИТЫ ОТ ОБРАТНОГО ИНЖИНИРИНГА И/ИЛИ ВМЕШАТЕЛЬСТВА В ПРОГРАММЫ

... 1. Способ конфигурирования процессора (12), содержащий этапы, на которых:принимают битовую строку (B) и программу (P),конфигурируют процессор (12) так, что процессор (12) исполняет программу (P), когда процессор (12) использует битовую строку (B) в качестве источника по меньшей мере двух машинных команд, одна за другой, при этом процессор (12) конфигурируют не исполнять программу (P), когда процессор (12) не использует битовую строку (B) в качестве источника машинных команд.2. Способ по п. 1, в котором этап конфигурирования содержит этапы, на которых:транслируют программу (P) в по меньшей мере две опорные машинные команды, одна за другой,вычисляют данные трансляции из битовой строки (B) и упомянутых по меньшей мере двух машинных команд, одна за другой, для конфигурирования процессора (12) так, что процессор (12) исполняет программу (P), когда процессор использует битовую строку (B) в качестве источника машинных команд; иконфигурируют процессор (12) с помощью упомянутых данных трансляции ...

Method and device for realizing verification code

A method and device for realizing a verification code are provided. In some embodiments, a character verification code is obtained and displayed when it is determined to perform identity verification. The character verification code has an incorrect character based on a priori knowledge. The user is prompted to input a correct character corresponding to the incorrect character in the character verification code. Verification information is received. It is determined that the verification is successful when the verification information corresponds to the correct character of the prior knowledge; otherwise, the verification failed.

Key information generating device and method for generating key information

Storage data sanitization

Technologies are provided for secure sanitization of a storage device. A storage device can be configured to support an operational mode, into which the storage device is placed by default, and in which requests to cryptographically erase the storage device are rejected. The storage device can support a separate sanitization mode in which a request to cryptographically erase the storage device will be processed. Access to the sanitization mode can be restricted to trusted sources (such as a boot firmware of a computer connected to the storage device). The storage device can be configured to reject a command to place the storage device in the sanitization mode, unless the command is received during an initialization of the storage device. In at least some embodiments, the storage device can reject data access commands while it is in the sanitization mode.

Distributed system resource liens

A method for accessing liens on resources of distributed systems is provided. The method includes receiving an operation control request. The operation control request identifies a lien requestor, a resource of a distributed system, and at least one restricted operation for the resource of the distributed system. The method also includes associating an operation control lien with the resource of the distributed system based on the operation control request. The operation control lien identifies the lien requestor and the at least one restricted operation for the resource of the distributed system. The method further includes: receiving an operation request to execute a corresponding operation on the resource of the distributed system; determining that the corresponding operation of the operation request is a restricted operation identified by the operation control lien associated with the resource of the distributed system; and restricting execution of the corresponding operation of the ...

IDPS access-controlled and encrypted file system design

A method and system provides access control encryption for a file system. A resource management module manages access to data on a storage container and hosts a virtual file system including files representing the data on the storage container. An access control and encryption module encrypts each of the files with a respective file encryption key. The access control module generates a plurality of application containers each associated with a respective user and that include respective lists of files that the respective user is authorized to access. The access control and encryption module generates decrypts the files and allows access to files based on the lists of files in the application containers.

CONTRACT NEGOTIATION ASSISTANCE SYSTEM AND METHOD

In some embodiments, systems, apparatuses, methods, and processes are provided to assist parties in contract negotiations. In some embodiments, a system for use by a first party in contract negotiation with a second party comprises: a control circuit; and a contract term playbook database accessible by the control circuit; wherein the control circuit is configured to: receive, from a user of the first party via a user interface, feedback from the second party regarding a contract term of a draft contract; access the contract term playbook database using the feedback; and output, to the user via the user interface, guidance for response to the second party regarding the contract term and preapproved by the first party.

User authentication device

Examples disclosed herein involve a user authenticator that harvests energy from signals. An example involves an authentication manager to provide authentication information to an authorization device to enable access to a secure device in response to receiving a request signal from the authorization device for the authentication information a power manager to harvest energy from the request signal to power the apparatus.

IDPS ACCESS-CONTROLLED AND ENCRYPTED FILE SYSTEM DESIGN

A method and system provides access control encryption for a file system. A resource management module manages access to data on a storage container and hosts a virtual file system including files representing the data on the storage container. An access control and encryption module encrypts each of the files with a respective file encryption key. The access control module generates a plurality of application containers each associated with a respective user and that include respective lists of files that the respective user is authorized to access. The access control and encryption module generates decrypts the files and allows access to files based on the lists of files in the application containers.

IDPS access-controlled and encrypted file system design

A method and system provides access control encryption for a file system. A resource management module manages access to data on a storage container and hosts a virtual file system including files representing the data on the storage container. An access control and encryption module encrypts each of the files with a respective file encryption key. The access control module generates a plurality of application containers each associated with a respective user and that include respective lists of files that the respective user is authorized to access. The access control and encryption module generates decrypts the files and allows access to files based on the lists of files in the application containers.

Access control based on operation expiry data

TECHNOLOGIES FOR PRIVACY-PRESERVING SECURITY POLICY EVALUATION

Technologies for privacy-safe security policy evaluation are disclosed herein. An example apparatus includes at least one processor, and memory including instructions that, when executed, cause the at least one processor to curry a security policy function to generate a privacy-safe curried function set, the security policy function to generate a security policy as a function of a plurality of policy parameters, the privacy-safe curried function set including a non-sensitive function that receives a non-sensitive parameter of the plurality of policy parameters as an argument, the privacy-safe curried function set further including a sensitive function that receives a sensitive parameter of the plurality of policy parameters as an argument; access unencrypted parameter data corresponding to the non-sensitive parameter of the plurality of policy parameters; evaluate the non-sensitive function of the privacy-safe curried function set to generate the sensitive function; and provide the sensitive ...

IDPS ACCESS-CONTROLLED AND ENCRYPTED FILE SYSTEM DESIGN

A method and system provides access control encryption for a file system. A resource management module manages access to data on a storage container and hosts a virtual file system including files representing the data on the storage container. An access control and encryption module encrypts each of the files with a respective file encryption key. The access control module generates a plurality of application containers each associated with a respective user and that include respective lists of files that the respective user is authorized to access. The access control and encryption module generates decrypts the files and allows access to files based on the lists of files in the application containers.

Technologies for privacy-preserving security policy evaluation

Technologies for privacy-safe security policy evaluation are disclosed herein. An example apparatus includes at least one processor, and memory including instructions that, when executed, cause the at least one processor to curry a security policy function to generate a privacy-safe curried function set, the security policy function to generate a security policy as a function of a plurality of policy parameters, the privacy-safe curried function set including a non-sensitive function that receives a non-sensitive parameter of the plurality of policy parameters as an argument, the privacy-safe curried function set further including a sensitive function that receives a sensitive parameter of the plurality of policy parameters as an argument; access unencrypted parameter data corresponding to the non-sensitive parameter of the plurality of policy parameters; evaluate the non-sensitive function of the privacy-safe curried function set to generate the sensitive function; and provide the sensitive ...

Automatic augmentation of content through augmentation services

A method of automatically augmenting content through augmentation services can include invoking a service to receive an entity determination based on the content and an entity container comprising an object of the content and one or more attributes of the object. The entity determination and corresponding entity container can be assigned as a marker to content being clipped. The marker can be used to enable access and actions that can be taken with respect to the clipping or the structured information augmenting the clipping.

Electronic device and method for providing location data

An electronic device is provided. The electronic device includes a user interface, a location sensor configured to sense a location of the electronic device, a processor electrically connected with the user interface and the location sensor, and a memory electrically connected with the processor and configured to store a first application program and a second application program. The memory is further configured to store instructions that, when executed, enable the processor to receive first location data with a first degree of accuracy regarding the location of the electronic device from the location sensor, process at least part of the first location data to generate second location data with a second degree of accuracy lower than the first degree of accuracy regarding the location of the electronic device, provide the at least part of the first location data to execute the first application program, and provide at least part of the second location data to execute the second application ...

Privacy-Preserving Log Analysis

A method can be used to analyze a log of a device or a plurality of devices of a first entity. The method includes generating an encrypted log by encrypting the log at the first entity, generating an encrypted query by encrypting a query at the first entity, transferring the encrypted log and the encrypted query from the first entity to a second entity, analyzing the encrypted log on the second entity by using the encrypted query, generating an encrypted analysis result at the second entity, transferring the encrypted analysis result from the second entity to the first entity, decrypting the encrypted analysis result on the first entity, and verifying the decrypted analysis result at the first entity.

Display security using gaze tracking

A computing device can track a gaze direction of a user of the computing device. In some embodiments, gaze tracking can be performed using at least one front-facing camera of the computing device. The computing device can determine a position on a display of the device that corresponds to where the user's gaze is directed. The computing device can display content that is decipherable (i.e., readable, legible, recognizable, understandable, non-scrambled, unobscured, etc.) at the position on the display that corresponds to the user's gaze direction. The computing device can scramble at least some content that is displayed at a position(s) on the display other than the position at which the user's gaze is directed.

Late constraint management

A method and system for integrating restrictions in an identity management system is provided. The method includes generating a role/account attribute table storage from static and dynamic rule defined values. A role request for a first role associated with a user is received and a set of attributes comprising a result of the role request are calculated. The set of attributes are transmitted to a target system for evaluation and a result is received.

método de configuração de um processador, dispositivo para configuração de um processador, processador, e produto de programa de computador

Privileged activity monitoring through privileged user password management and log management systems

A system and method is provided for allowing seamless auditing compliance and investigations of privileged account access and activities. Account access information and privileged activity information may be stored in a central data repository. The central data repository may be queried to determine who was granted access to a privileged account, the timeframe that the access was granted, and/or what actions were performed by the user who was granted access.

Automatic augmentation of content through augmentation services

A method of automatically augmenting content through augmentation services can include invoking a service to receive an entity determination based on the content and an entity container comprising an object of the content and one or more attributes of the object. The entity determination and corresponding entity container can be assigned as a marker to content being clipped. The marker can be used to enable access and actions that can be taken with respect to the clipping or the structured information augmenting the clipping.

Privileged Activity Monitoring Through Privileged User Password Management and Log Management Systems

A system and method is provided for allowing seamless auditing compliance and investigations of privileged account access and activities. Account access information and privileged activity information may be stored in a central data repository. The central data repository may be queried to determine who was granted access to a privileged account, the timeframe that the access was granted, and/or what actions were performed by the user who was granted access.

AUTOMATIC AUGMENTATION OF CONTENT THROUGH AUGMENTATION SERVICES

A method of automatically augmenting content through augmentation services can include invoking a service to receive an entity determination based on the content and an entity container comprising an object of the content and one or more attributes of the object. The entity determination and corresponding entity container can be assigned as a marker to content being clipped. The marker can be used to enable access and actions that can be taken with respect to the clipping or the structured information augmenting the clipping.

Bifurcating security event processing

Disclosed herein are methods, systems, and processes to distribute and disperse search loads to optimize security event processing in cybersecurity computing environments. A search request that includes a domain specific language (DSL) query directed to a centralized search cluster by an event processing application is intercepted. The event processing application is inhibited from issuing the search request to the centralized search cluster if a structured or semi-structured document matches the DSL query.

Method, system and device for protection against reverse engineering and/or tampering with programs

Unauthorized use of computer programs is made difficult by compiling a processor rather than just compiling a program into machine code. The way in which the processor should respond to machine instructions, i.e. its translation data, is computed from an arbitrary bit string B and a program P as inputs. The translation data of a processor are computed that will execute operations defined by the program P when the processor uses the given bit string B as a source of machine instructions. A processor is configured so that it will execute machine instructions according to said translation data. Other programs P′ may then be compiled into machine instructions B′ for that processor and executed by the processor. Without knowledge of the bit string B and the original program P it is difficult to modify the machine instructions B′ so that a different processor will execute the other program P′.

IDPS ACCESS-CONTROLLED AND ENCRYPTED FILE SYSTEM DESIGN

Portable computing device access

Key information generation device and key information generation method

In initial generation (for example, shipping from the factory), a security device generates an identifier w specific to the security device, with the PUF technology, generates key information k (k=HF(k)) from the identifier w, generates encrypted confidential information x by encrypting (x=Enc(mk, k)) confidential information mk with the key information k, and stores the encrypted confidential information x and an authentication code h (h=HF(k)) of the key information k, in a nonvolatile memory. In operation, the security device generates the identifier w with the PUF technology, generates the key information k from the identifier w, and decrypts the encrypted confidential information x with the key information k. At a timing where the identifier w is generated in the operation, the security device checks whether the current operating environment has largely changed from the initial generation (S311). If a change in operating environment is detected (S311S312), the security device conducts ...

IDPS access-controlled and encrypted file system design

A method and system provides access control encryption for a file system. A resource management module manages access to data on a storage container and hosts a virtual file system including files representing the data on the storage container. An access control and encryption module encrypts each of the files with a respective file encryption key. The access control module generates a plurality of application containers each associated with a respective user and that include respective lists of files that the respective user is authorized to access. The access control and encryption module generates decrypts the files and allows access to files based on the lists of files in the application containers.

ACCESS AND MANAGEMENT OF ENTITY-AUGMENTED CONTENT

Access and management of a user's content may be facilitated by, in response to receiving a request for content related to a specified entity from the repository associated with at least the user's account, identifying, in a content of a file in the repository, an entity container of at least one entity container associated with the specified entity; and communicating the entity container that is associated with the specific entity to a source of the request.

KEY INFORMATION GENERATION DEVICE AND KEY INFORMATION GENERATION METHOD

controle de acesso com base em dados de expiração de operação

Electronic device and method for providing location data

An electronic device is provided. The electronic device includes a user interface, a location sensor configured to sense a location of the electronic device, a processor electrically connected with the user interface and the location sensor, and a memory electrically connected with the processor and configured to store a first application program and a second application program. The memory is further configured to store instructions that, when executed, enable the processor to receive first location data with a first degree of accuracy regarding the location of the electronic device from the location sensor, process at least part of the first location data to generate second location data with a second degree of accuracy lower than the first degree of accuracy regarding the location of the electronic device, provide the at least part of the first location data to execute the first application program, and provide at least part of the second location data to execute the second application ...

PRIVACY-PRESERVING LOG ANALYSIS

For anti-reverse engineering and/or tampering with the procedures of the method, system and apparatus

System, device, and method of detecting malicious automatic script and code injection

Devices, systems, and methods of detecting user identity, differentiating between users of a computerized service, and detecting a possible attacker. The methods include monitoring of user-side input-unit interactions, in general and in response to an interference introduced to user-interface elements. The monitored interactions are used for detecting an attacker that utilizes a remote access channel; for detecting a malicious automatic script, as well as malicious code injection; to identify a particular hardware assembly; to perform user segmentation or user characterization; to enable a visual login process with implicit two-factor authentication; to enable stochastic cryptography; and to detect that multiple users are utilizing the same subscription account.

Cloud Resource Liens

A method for accessing liens on resources of distributed systems is provided. The method includes receiving an operation control request. The operation control request identifies a lien requestor, a resource of a distributed system, and at least one restricted operation for the resource of the distributed system. The method also includes associating an operation control lien with the resource of the distributed system based on the operation control request. The operation control lien identifies the lien requestor and the at least one restricted operation for the resource of the distributed system. The method further includes: receiving an operation request to execute a corresponding operation on the resource of the distributed system; determining that the corresponding operation of the operation request is a restricted operation identified by the operation control lien associated with the resource of the distributed system; and restricting execution of the corresponding operation of the ...

PORTABLE COMPUTING DEVICE ACCESS

According to an example of providing access to a portable computing device, a connection is established with a docking station. A request from the docking station to perform an action related to a portable computing device is received, and a rule associated with the portable computing device from a policy database is fetched. A determination is made whether to perform the action, and in the event that an action is to be performed, an instruction is transmitted to perform the action on the docking station.

KEY INFORMATION GENERATION DEVICE AND KEY INFORMATION GENERATION METHOD

In initial generation (for example, shipping from the factory), a security device generates an identifier w specific to the security device, with the PUF technology, generates key information k (k=HF(k)) from the identifier w, generates encrypted confidential information x by encrypting (x=Enc(mk, k)) confidential information mk with the key information k, and stores the encrypted confidential information x and an authentication code h (h=HF(k)) of the key information k, in a nonvolatile memory. In operation, the security device generates the identifier w with the PUF technology, generates the key information k from the identifier w, and decrypts the encrypted confidential information x with the key information k. At a timing where the identifier w is generated in the operation, the security device checks whether the current operating environment has largely changed from the initial generation (S311). If a change in operating environment is detected (S311S312), the security device conducts ...

Technologies for privacy-preserving security policy evaluation

Technologies for privacy-safe security policy evaluation are disclosed herein. An example apparatus includes at least one memory, and at least one processor to execute instructions to at least identify one or more non-sensitive parameters of a plurality of policy parameters and one or more sensitive parameters of the plurality of the policy parameters, the plurality of the policy parameters obtained from a computing device in response to a request from a cloud analytics server for the plurality of the policy parameters, encrypt the one or more sensitive parameters to generate encrypted parameter data in response to the identification of the one or more sensitive parameters, and transmit the encrypted parameter data to the cloud analytics server, the cloud analytics server to curry a security policy function based on one or more of the plurality of the policy parameters.

ELECTRONIC DEVICE AND METHOD FOR PROVIDING LOCATION DATA

INFORMATION PROCESSING APPARATUS, INFORMATION PROCESSING SYSTEM, AND NON-TRANSITORY COMPUTER READABLE MEDIUM

An information processing apparatus connected to multiple devices and a server via a network includes a number-of-licenses acquiring unit, a display controller, and an installation controller. The number-of-licenses acquiring unit acquires, from the server, number-of-licenses information indicating the number of licenses, which is the number based on which a user is capable of using application software. The display controller performs control to display information indicating the application software and information indicating the devices in a form of a list. The installation controller performs control to install the application software into at least one of the devices when an operation for dragging and dropping the information indicating the application software onto the information indicating the at least one device is received from the user. The display controller performs the control to display information indicating the acquired number-of-licenses information adjacent to or over ...

Electronic device and method for providing location data

An electronic device is provided. The electronic device includes a user interface, a location sensor configured to sense a location of the electronic device, a processor electrically connected with the user interface and the location sensor, and a memory electrically connected with the processor and configured to store a first application program and a second application program. The memory is further configured to store instructions that, when executed, enable the processor to receive first location data with a first degree of accuracy regarding the location of the electronic device from the location sensor, process at least part of the first location data to generate second location data with a second degree of accuracy lower than the first degree of accuracy regarding the location of the electronic device, provide the at least part of the first location data to execute the first application program, and provide at least part of the second location data to execute the second application ...

Information processing system, information processing device, server device, and method

The invention discloses an information processing system, an information processing device, a server device, and a method. The information processing system including an information processing device connected to a first communication network, a terminal device connected to the first communication network, and a server device connected to a second communication network. The server device includes a receiving unit, a first request unit, and a providing unit. The receiving unit receives an instruction from the terminal device to provide the information processing device with a predetermined service. The first request unit presents a test to the information processing device to authenticate whether or not the information processing device is being operated by a human and sends a request to the information processing device to respond to the test. The providing unit provides the information processing device with the service if the device to which the response is sent to by the first request ...

User authentication device

Portable computing device access

Privileged Activity Monitoring through Privileged User Password Management and Log Management Systems

A system and method is provided for allowing seamless auditing compliance and investigations of privileged account access and activities. Account access information and privileged activity information may be stored in a central data repository. The central data repository may be queried to determine who was granted access to a privileged account, the timeframe that the access was granted, and/or what actions were performed by the user who was granted access.

INFORMATION PROCESSING SYSTEM, INFORMATION PROCESSING DEVICE, SERVER DEVICE, AND METHOD

An information processing system including an information processing device connected to a first communication network, a terminal device connected to the first communication network, and a server device connected to a second communication network. The server device includes a receiving unit, a first request unit, and a providing unit. The receiving unit receives an instruction from the terminal device to provide the information processing device with a predetermined service. The first request unit presents a test to the information processing device to authenticate whether or not the information processing device is being operated by a human. The providing unit provides the information processing device with the service in accordance with the instruction. The terminal device includes an instruction unit and a response unit. The instruction unit sends the instruction to the server device. The response unit makes a response to the test on behalf of the information processing device.

Information processing system, the information processing device and method and server device

TECHNOLOGIES FOR PRIVACY-PRESERVING SECURITY POLICY EVALUATION

Technologies for privacy-safe security policy evaluation are disclosed herein. An example apparatus includes at least one memory, and at least one processor to execute instructions to at least identify one or more non-sensitive parameters of a plurality of policy parameters and one or more sensitive parameters of the plurality of the policy parameters, the plurality of the policy parameters obtained from a computing device in response to a request from a cloud analytics server for the plurality of the policy parameters, encrypt the one or more sensitive parameters to generate encrypted parameter data in response to the identification of the one or more sensitive parameters, and transmit the encrypted parameter data to the cloud analytics server, the cloud analytics server to curry a security policy function based on one or more of the plurality of the policy parameters.

Secure storage device sanitization

Technologies are provided for secure sanitization of a storage device. A storage device can be configured to support an operational mode, into which the storage device is placed by default, and in which requests to cryptographically erase the storage device are rejected. The storage device can support a separate sanitization mode in which a request to cryptographically erase the storage device will be processed. Access to the sanitization mode can be restricted to trusted sources (such as a boot firmware of a computer connected to the storage device). The storage device can be configured to reject a command to place the storage device in the sanitization mode, unless the command is received during an initialization of the storage device. In at least some embodiments, the storage device can reject data access commands while it is in the sanitization mode.

Privileged activity monitoring through privileged user password management and log management systems

A system and method is provided for allowing seamless auditing compliance and investigations of privileged account access and activities. Account access information and privileged activity information may be stored in a central data repository. The central data repository may be queried to determine who was granted access to a privileged account, the timeframe that the access was granted, and/or what actions were performed by the user who was granted access.

METHOD, SYSTEM AND DEVICE FOR PROTECTION AGAINST REVERSE ENGINEERING AND/OR TAMPERING WITH PROGRAMS

Unauthorized use of computer programs is made difficult by compiling a processor rather than just compiling a program into machine code. The way in which the processor should respond to machine instructions, i.e. its translation data, is computed from an arbitrary bit string B and a program P as inputs. The translation data of a processor are computed that will execute operations defined by the program P when the processor uses the given bit string B as a source of machine instructions. A processor is configured so that it will execute machine instructions according to said translation data. Other programs P may then be compiled into machine instructions B for that processor and executed by the processor. Without knowledge of the bit string B and the original program P it is difficult to modify the machine instructions B so that a different processor will execute the other program P.

SECURE AND EFFICIENT MEMORY SHARING FOR GUESTS

Secure and efficient memory sharing for guests is disclosed. For example, a host has a host memory storing first and second guests whose memory access is managed by a hypervisor. A request to map an IOVA of the first guest to the second guest is received, where the IOVA is mapped to a GPA of the first guest, which is is mapped to an HPA of the host memory. The HPA is mapped to a second GPA of the second guest, where the hypervisor controls access permissions of the HPA. The second GPA is mapped in a second page table of the second guest to a GVA of the second guest, where a supervisor of the second guest controls access permissions of the second GPA. The hypervisor enables a program executing on the second guest to access contents of the HPA based on the access permissions of the HPA.

Identifying, marking and erasing sensitive information in screen captures for data loss prevention

Sensitive information displayed on a screen is protected against leakage and loss. A section of a bitmap containing sensitive information is defined as a protection region. A protection marker identifying the protection region is embedded into the bitmap. The defined protection region is divided into multiple sub-regions, and a separate sub-region protection marker is embedded in each sub-region of the original protection region. The defining, embedding and dividing are performed before the bitmap is copied to the screen buffer. When content that was displayed on the screen has been captured, for example by screen capturing software, the captured content is parsed. All sub-region protection markers embedded in the captured content are detected, and a real protection region in the captured content is calculated, based on information in the detected sub-region protection markers. The sensitive information in the captured content is erased.

Distributing search loads to optimize security event processing

Disclosed herein are methods, systems, and processes to distribute and disperse search loads to optimize security event processing in cybersecurity computing environments. A search request that includes a domain specific language (DSL) query directed to a centralized search cluster by an event processing application is intercepted. The event processing application is inhibited from issuing the search request to the centralized search cluster if a structured or semi-structured document matches the DSL query.

Detecting patterns of abuse in a virtual environment

Embodiments of the invention provide techniques for detecting patterns of abuse in users of a virtual world. The patterns of abuse may be detected by examining records of inappropriate interactions between users. Subsequently, preventative actions may be taken to prevent further abuse. The preventative actions may include blocking access to all or part of the virtual world, blocking interactions with other users, warning other users, or notifying authorities of the behavior of the other user.

Technologies for privacy-preserving security policy evaluation

Technologies for privacy-safe security policy evaluation include a cloud analytics server, a trusted data access mediator (TDAM) device, and one or more client devices. The cloud analytics server curries a security policy function to generate a privacy-safe curried function set. The cloud analytics server requests parameter data from the TDAM device, which collects the parameter data, identifies sensitive parameter data, encrypts the sensitive parameter data, and transmits the encrypted sensitive parameter data to the cloud analytics server. The cloud analytics server evaluates one or more curried functions using non-sensitive parameters to generate one or more sensitive functions that each take a sensitive parameter. The cloud analytics server transmits the sensitive functions and the encrypted sensitive parameters to a client computing device, which decrypts the encrypted sensitive parameters and evaluates the sensitive functions with the sensitive parameters to return a security policy ...

TECHNOLOGIES FOR PRIVACY-PRESERVING SECURITY POLICY EVALUATION

Technologies for privacy-safe security policy evaluation are disclosed herein. An example apparatus includes at least one processor, and memory including instructions that, when executed, cause the at least one processor to curry a security policy function to generate a privacy-safe curried function set, the security policy function to generate a security policy as a function of a plurality of policy parameters, the privacy-safe curried function set including a non-sensitive function that receives a non-sensitive parameter of the plurality of policy parameters as an argument, the privacy-safe curried function set further including a sensitive function that receives a sensitive parameter of the plurality of policy parameters as an argument; access unencrypted parameter data corresponding to the non-sensitive parameter of the plurality of policy parameters; evaluate the non-sensitive function of the privacy-safe curried function set to generate the sensitive function; and provide the sensitive ...

Selectively permitting or denying usage of wearable device services

Selectively permitting or denying usage of a service available on a device is provided. Usage restrictions on usage of services available on the device are maintained, the usage restrictions including customizable restrictions on usage of the services available on the device. A usage restriction for a service indicates usage parameter(s) of the device under which the service is usable or is unusable to users of the device. Based on detecting an event associated with the device, current usage parameter(s) of the device are identified and compared to usage parameter(s) indicated by a usage restriction to determine whether the service is to be usable or unusable. Usage of the service by a user of the device is then permitted or denied based the comparison.

Access control based on operation expiry data

The controlling of access to a file system entity based on location of the requestor and operation expiry data of the file system entity. Operation expiry data and location data are associated with a file system entity (e.g., a file, a directory, a partition, or a disk) such that the file system entity and the operation expiry data and the location data are moved or copied atomically together. Upon receiving a request to perform an operation on the file system entity, the system identifies a location status of the requestor. The system then identifies expiry data that corresponds to the location status, and that is associated with the requested operation. The system then uses the identified expiry data to determine whether or not the requested file operation is to be permitted.

SYSTEM, DEVICE, AND METHOD OF DETECTING MALICIOUS AUTOMATIC SCRIPT AND CODE INJECTION

Devices, systems, and methods of detecting user identity, differentiating between users of a computerized service, and detecting a possible attacker. The methods include monitoring of user-side input-unit interactions, in general and in response to an interference introduced to user-interface elements. The monitored interactions are used for detecting an attacker that utilizes a remote access channel; for detecting a malicious automatic script, as well as malicious code injection; to identify a particular hardware assembly; to perform user segmentation or user characterization; to enable a visual login process with implicit two-factor authentication; to enable stochastic cryptography; and to detect that multiple users are utilizing the same subscription account.

USER AUTHENTICATION DEVICE

Examples disclosed herein involve a user authenticator that harvests energy from signals. An example involves an authentication manager to provide authentication information to an authorization device to enable access to a secure device in response to receiving a request signal from the authorization device for the authentication Information a power manager to harvest energy from the request signal to power the apparatus.

ELECTRONIC DEVICE AND METHOD FOR PROVIDING LOCATION DATA

An electronic device is provided. The electronic device includes a user interface, a location sensor configured to sense a location of the electronic device, a processor electrically connected with the user interface and the location sensor, and a memory electrically connected with the processor and configured to store a first application program and a second application program. The memory is further configured to store instructions that, when executed, enable the processor to receive first location data with a first degree of accuracy regarding the location of the electronic device from the location sensor, process at least part of the first location data to generate second location data with a second degree of accuracy lower than the first degree of accuracy regarding the location of the electronic device, provide the at least part of the first location data to execute the first application program, and provide at least part of the second location data to execute the second application ...

Distributing Search Loads to Optimize Security Event Processing

Disclosed herein are methods, systems, and processes to distribute and disperse search loads to optimize security event processing in cybersecurity computing environments. A search request that includes a domain specific language (DSL) query directed to a centralized search cluster by an event processing application is intercepted. The event processing application is inhibited from issuing the search request to the centralized search cluster if a structured or semi-structured document matches the DSL query.

Information processing system, information processing device, server device, and method

An information processing system including an information processing device connected to a first communication network, a terminal device connected to the first communication network, and a server device connected to a second communication network. The server device includes a receiving unit, a first request unit, and a providing unit. The receiving unit receives an instruction from the terminal device to provide the information processing device with a predetermined service. The first request unit presents a test to the information processing device to authenticate whether or not the information processing device is being operated by a human. The providing unit provides the information processing device with the service in accordance with the instruction. The terminal device includes an instruction unit and a response unit. The instruction unit sends the instruction to the server device. The response unit makes a response to the test on behalf of the information processing device.

Secure and efficient memory sharing for guests

Secure and efficient memory sharing for guests is disclosed. For example, a host has a host memory storing first and second guests whose memory access is managed by a hypervisor. A request to map an IOVA of the first guest to the second guest is received, where the IOVA is mapped to a GPA of the first guest, which is is mapped to an HPA of the host memory. The HPA is mapped to a second GPA of the second guest, where the hypervisor controls access permissions of the HPA. The second GPA is mapped in a second page table of the second guest to a GVA of the second guest, where a supervisor of the second guest controls access permissions of the second GPA. The hypervisor enables a program executing on the second guest to access contents of the HPA based on the access permissions of the HPA.

Access and management of entity-augmented content

Access and management of a user's content may be facilitated by, in response to receiving a request for content related to a specified entity from the repository associated with at least the user's account, identifying, in a content of a file in the repository, an entity container of at least one entity container associated with the specified entity; and communicating the entity container that is associated with the specific entity to a source of the request.

STORAGE DATA SANITIZATION

Technologies are provided for secure sanitization of a storage device. A storage device can be configured to support an operational mode, into which the storage device is placed by default, and in which requests to cryptographically erase the storage device are rejected. The storage device can support a separate sanitization mode in which a request to cryptographically erase the storage device will be processed. Access to the sanitization mode can be restricted to trusted sources (such as a boot firmware of a computer connected to the storage device). The storage device can be configured to reject a command to place the storage device in the sanitization mode, unless the command is received during an initialization of the storage device. In at least some embodiments, the storage device can reject data access commands while it is in the sanitization mode.

CONTRACT NEGOTIATION ASSISTANCE SYSTEM AND METHOD

In some embodiments, systems, apparatuses, methods, and processes are provided to assist parties in contract negotiations. In some embodiments, a system for use by a first party in contract negotiation with a second party comprises: a control circuit; and a contract term playbook database accessible by the control circuit; wherein the control circuit is configured to: receive, from a user of the first party via a user interface, feedback from the second party regarding a contract term of a draft contract; access the contract term playbook database using the feedback; and output, to the user via the user interface, guidance for response to the second party regarding the contract term and preapproved by the first party.

Storage data sanitization

Technologies are provided for secure sanitization of a storage device. A storage device can be configured to support an operational mode, into which the storage device is placed by default, and in which requests to cryptographically erase the storage device are rejected. The storage device can support a separate sanitization mode in which a request to cryptographically erase the storage device will be processed. Access to the sanitization mode can be restricted to trusted sources (such as a boot firmware of a computer connected to the storage device). The storage device can be configured to reject a command to place the storage device in the sanitization mode, unless the command is received during an initialization of the storage device. In at least some embodiments, the storage device can reject data access commands while it is in the sanitization mode.

Detecting patterns of abuse in a virtual environment

Embodiments of the invention provide techniques for detecting patterns of abuse in users of a virtual world. The patterns of abuse may be detected by examining records of inappropriate interactions between users. Subsequently, preventative actions may be taken to prevent further abuse. The preventative actions may include blocking access to all or part of the virtual world, blocking interactions with other users, warning other users, or notifying authorities of the behavior of the other user.

User authentication device

Information processing system, information processing device, server device, and method

INFORMATION PROCESSING SYSTEM, INFORMATION PROCESSING DEVICE, SERVER DEVICE, AND PROGRAM

PROBLEM TO BE SOLVED: To guarantee that when a terminal device connected to a first communication network requests a server device connected to a second communication network to provide service for an information processing device connected to the first communication network, the information processing device is authentic. SOLUTION: An image formation system 9 includes an image formation device 1 and a terminal device 2 connected to a LAN 4, and a document server 5 connected to a cloud 6 such that a relay device 3 relays communication between a terminal device 2 and the LAN 4. The document server 5 receives an instruction to provide service of image formation for the image formation device 1 from the terminal device 2, presents a test of human interactive certification to the image formation device 1 to request a response, and provides the service for the image formation device 1 when accepting the human interactive certification. The terminal device 2 acts for the image formation device ...

For privacy protection security policy evaluation techniques

情報処理システム、情報処理装置、サーバ装置およびプログラム

Audio human verification

A system generates an audio challenge that includes a first voice and one or more second voices, the first voice being audibly distinguishable, by a human, from the one or more second voices. The first voice conveys first information and the second voice conveys second information. The system provides the audio challenge to a user and verifies that the user is human based on whether the user can identify the first information in the audio challenge.

Privacy-sensitive sample analysis

Processes are described for provision of privacy-sensitive sample analysis results to a sample provider. The sample provider generates a cryptographic commitment encoding a secret value, r, and a sample identifier, s, associated with a sample container. The sample provider provides the commitment to an analysis provider in association with the sample container containing a sample for analysis. The analysis provider analyzes the sample to obtain a set of analysis results corresponding to the sample identifier, s, and generates a cryptographic pre-credential, σ′, corresponding to the sample identifier, s. The pre-credential, σ′, encodes the set of analysis results and the commitment. Completion of the pre-credential, σ′, requires knowledge of the secret value, r, in the commitment. In response to cryptographic proof of knowledge by the sample provider of at least the secret value, r, in the commitment encoded in the pre-credential, σ′, corresponding to the sample identifier, s, the analysis provider supplies the pre-credential, σ′, to the sample provider. The sample provider then completes the pre-credential, σ′ using the secret value, r, to obtain a cryptographic credential, σ, encoding the set of analysis results.

Ink ejection nozzle with thermal actuator coil

A printhead for an inkjet printer is disclosed. The printhead has ink nozzles formed on a print face of the printhead. Each ink nozzle has an ink chamber with an ink ejection port and an ink inlet port. A paddle device is arranged inside each chamber. Each ink nozzle further has a bi-layer thermal actuator coil with a fee end connected to the paddle device. Heating of the thermal actuator coil displaces the paddle device, causing ejection of an ink droplet through the ink ejection port.

Approver Identification Using Multiple Hierarchical Role Structures

Systems and methods for automating and increasing the efficiency of business processes using multiple hierarchical role structures. In one embodiment, a method comprises defining two or more hierarchies, defining an approver for a business process where the approver is associated with at least a first role in a first one of the hierarchies and a second role in a second one of the hierarchies, and identifying an approver position within an organization where the approver position is associated with the first and second roles. The hierarchies may, for example, be selected from a hierarchy of functional roles, a hierarchy of legal roles and a hierarchy of level roles.

Computer system, management system and recording medium

The present invention prevents the deterioration of security while maintaining usability in a case where a plurality of policies are applied to a client computer. Policies created by respective management servers 10 (Ma through Md) and by a highest-level management server 10 (Msa) are set in a client computer 20 . The highest-level management server delivers, to the client computer, a merge rule for creating one policy from a plurality of policies. The client computer creates a new policy from a plurality of policies and the merge rule, and manages a security function.

Verifying access-control policies with arithmetic quantifier-free form constraints

A system and method is provided for verifying an access-control policy against a particular constraint for a multi-step operation. In disclosed embodiments, the method includes expressing the access-control policy as a first quantifier-free form (QFF) constraint and identifying the particular constraint as a second QFF constraint. The method also includes identifying an operation vector and providing copies of the operation vector associated with steps in the multi-step operation. The method also includes determining a third QFF constraint using the first QFF constraint, the second QFF constraint, and the copies of the operation vector. The method also includes solving the third QFF constraint to determine a solution and outputting a result of the solving.

Protection against malware on web resources

A method and system for identification of malware threats on web resources. The system employs a scheduled antivirus (AV) scanning of web resources. The scheduled scanning of web resources allows to create malware check lists and to configure access to web resources. Frequency and depth of inspection (i.e., scan) are determined for each web resource. The user identifiers are used for scheduled AV scanning of web resources. The system allows for scanning a web resource based on selected configurations without using additional client applications.

Storage apparatus, host apparatus, and storage system

Disclosed herein is a storage apparatus including: a first storage block configured to record and hold encrypted content data and output the encrypted content data on an on-demand basis; a second storage block configured to record and hold a confidential title key; a title stream key generation block configured to generate a title stream key corresponding to a subject of encryption of the content data by use of the held confidential title key; and a communication block configured to transmit the generated title stream key with confidentiality thereof held.

Accessing resources of a secure computing network

According to one embodiment of the present invention, a method for accessing resources of a secure computing network may be provided. The method may include receiving a request to allow a user to access a secure computing network. The user may be associated with an avatar that has a unique set of one or more identifiers that are associated with the user. A security clearance level of the avatar may be determined from the unique set of identifiers of the avatar. The avatar may be authorized to access one or more virtual compartments of the secure computing network according to the security clearance level of the avatar. The virtual compartment may comprise one or more resources of the secure computing network. The method may further include facilitating display of one or more resources of a virtual compartment accessed by the avatar.

Fingerprint authentication server, client computer and fingerprint authentication method

A fingerprint authentication server device is disclosed. The fingerprint authentication server device includes a database in which user IDs and the registered fingerprint data of plural users are stored; and a hash value table including user hash values of the user IDs and the registered fingerprint data of the users. The fingerprint authentication server device is configured to receive a hash value of a user ID of a user to be authenticated and a hash value of registered fingerprint data associated with the user ID from a client computer; perform a search in the hash value table to determine whether there are hash values corresponding to the received hash values in the hash value table; and transmit a determination result to the client computer, thereby to cause the client computer to perform a fingerprint authentication process for a user for which correspondence of the hash values has been confirmed.

Decryption and print flow control system and method

A method and system for determining a data file's security classification, special handling instructions, and disposition, with the additional option of subsequently adding material to the print image contained within the document, is disclosed. The method and system provide control of sensitive information contained in print documents, wherein a first file is encrypted. A second document accompanies the first document containing information for decrypting the first document, control redaction, and/or provide for addition of content or restrictions as to which rendering device the first document may print on. The rendering device, upon receipt of both first and second documents, communicates with a host computer that determines the first document's classification and disposition. The host computer then processes the second document, sending decryption information over a secure line from the second document to the rendering device to enable decryption and modification of the first document, followed by rendering.

Image forming apparatus and authentication method

An image forming apparatus including applications and system side software for providing system side services to the applications is provided, in which the image forming apparatus includes: an authentication module for displaying an authentication screen on an operation panel of the image forming apparatus, wherein the authentication module allows the image forming apparatus to display a screen for using the image forming apparatus instead of the authentication screen if authentication data input from the authentication screen satisfies an authentication condition, and wherein the authentication module is provided in the image forming apparatus separately from the system side software.

Method, device, and system for issuing license

A system for issuing a license includes a Content Issuer (CI) configured to receive a Cooperate-RORequest from a Rights Issuer (RI). The CI encapsulates, according to the information carried in the Cooperate-RORequest, content related information by using a key of a destination entity to obtain an encapsulation key, and generates a Message Authentication Code (MAC) on part of information of a license. The CI sends the generated MAC and obtained encapsulation key to the RI, so that the RI sends the license that includes the MAC and the encapsulation key to the destination entity.

Method and system for biometric authentication

A method of authentication is provided that includes capturing biometric data for a desired biometric type from an individual, determining an algorithm for converting the biometric data into authentication words, converting the captured biometric data into authentication words in accordance with the determined algorithm, including the authentication words in a probe, and comparing the probe against identity records stored in a server system. Each of the identity records includes enrollment biometric words of an individual obtained during enrollment. Moreover, the method includes identifying at least one of the identity records as a potential matching identity record when at least one of the authentication words included in the probe matches at least one of the enrollment biometric words included in the at least one identity record, and generating a list of potential matching identity records.

Method and Apparatus for Detecting Changes in Websites and Reporting Results to Web Developers for Navigation Template

A computerized appliance includes a non-transitory physical memory medium couple to the computerized appliance, and software executing on the computerized appliance from the non-transitory physical memory medium. The computerized appliance performs a method comprising steps of accessing an electronic information page on a network by proxy on behalf of a client, following a navigation template assembled from a plurality of functional logic blocks, determining failed execution of the navigation template, determining the logic block involved at the point of failure, determining information necessary to repair the logic block determined at the point of failure, creating a new modular logic block according to the information, and installing the newly-created modular logic block into the navigation template that failed, and automatically replacing the failed logic block in all stored navigation templates that depend on the failed logic block.

Information processing system, web server, information processing apparatus, control methods therefor, and program

This invention provides an information processing system which sets a validity period of authentication in an Web application provided by a Web server activated from an information processing apparatus in accordance with the logout transition time in the information processing apparatus, a Web server, an information processing apparatus, and control methods therefor. To accomplish this, a Web application activated on a Web server acquires the information of the logout transition time set in an information processing apparatus, and updates the validity period of authentication in the Web application in accordance with the acquired logout transition time. The Web application receives the notification of an operation event occurring in an MFP in addition to an operation event on the Web application, and properly resets a timer for the validity period of authentication in the Web application.

System, method and computer readable medium for recording authoring events with web page content

A web page that includes content form fields may be modified to include an event observer module and an authored content module. The authored content module adds a hidden “events observed” field to the form fields. Events generated during the authoring of content by a user are recorded by the event observer module. When the content is submitted from a client browser to the web server, the events generated during the authoring of the content are added to the events observed field and submitted with the content. The web server uses the events to determine a DOM of the web page and compare the observed DOM with a stored DOM for that web page and that particular interaction. The page structure may be optionally modified by the web server to enhance the analysis of the DOM comparison. The web server analysis facilitates detection of non-human content submission at a client browser.

System, method and computer program product for portal user data access in a multi-tenant on-demand database system

In accordance with embodiments, there are provided mechanisms and methods for portal user data access in a multi-tenant on-demand database system. These mechanisms and methods for portal user data access in a multi-tenant on-demand database system can enable embodiments to provide portal-specific user accounts to the multi-tenant on-demand database system which have reduced configuration requirements than users directly accessing the multi-tenant on-demand database system. The ability of embodiments to provide portal-specific user accounts can reduce processing requirements of the database system.

Flash memory distribution of digital content

Methods, apparatuses, and computer-readable media for distributing digital content. One embodiment comprises an apparatus comprising: a device ( 100 ) communications bus; coupled to the device communications bus ( 150 ), a bi-directional communications controller ( 110 ) capable of communicatively interfacing with a computer ( 710 ); coupled to the device communications bus ( 150 ), an integrated processor ( 130 ) capable of executing ( 270 ) computer-executable instructions; and coupled to the integrated processor ( 130 ), a storage module ( 140 ) capable of storing computer-executable instructions.

Method for authorizing use of augmented reality (ar) information and apparatus

A method for authorizing use of Augmented Reality (AR) information includes acquiring information regarding a location at which the AR information is to be provided, authorizing a user to use the AR information, creating attribute information including the AR information, the location information, and authority information, and transmitting the attribute information to an AR system. The AR system can register the attribute information, and can provide the AR information only to authorized users. An apparatus to authorize use of Augmented Reality (AR) information includes a location information acquiring unit, an authorization unit to authorize a user to use the AR information, and an AR information processor to create attribute information. The attribute information is transmitted to an AR system as a request for the AR system to register the attribute information so the AR system provides the AR information only to authorized users.

Communication terminal device and security method

Provided is a communication terminal device which can prevent the situation that the communication terminal device cannot be used for a while within a security area, can release a security lock without making a user aware of the release, and can increase usability. In the device, a GPS unit ( 105 ) acquires current position information. By a security setting unit ( 110 ), security is released when the position information is within the security area, and security is set when the position information is outside the security area. An information storage unit ( 104 ) previously stores a BSI of a base station associated with the security area. A radio unit ( 102 ) acquires BSIs of a plurality of base stations. A GPS control unit ( 108 ) controls a timing to start acquisition of the position information by the GPS unit ( 105 ), on the basis of the BSI stored in the information storage unit ( 104 ) and the BSI acquired by the radio unit ( 102 ).

System and method for performing a management operation

There is provided a system and method of performing a management operation. An exemplary method comprises receiving a command that comprises information derived from a private key in response to a request to generate the command for an electronic device. The exemplary method also comprises verifying a source of the command using the information derived from the private key and a corresponding public key stored in an immutable memory of the electronic device. The exemplary method additionally comprises performing a management operation corresponding to the command if the verifying of the source of the command determines that the command is from an authorized source.

Online User Authentication

A user establishes a verified online identity, for example by providing an identity token and biometric information, and an assurance level is established for that identity for use in an authentication service. Different assurance levels may be provided based on the degree of verification of the user's identity, for example by social network scoring, credit references, or by means of the identity token and biometric information.

Multitenant-aware protection service

Implementing a data protection service. One method includes receiving a request to provision a first tenant among a plurality of tenants managed by a single data protection service. A tenant is defined as an entity among a plurality of entities. A single data protection service provides data protection services to all tenants in the plurality of tenants. A first encryption key used to decrypt the first tenant's data at the data store is stored. The first encryption key is specific to the first tenant and thus cannot be used to decrypt other tenants' data at the data store from among the plurality of tenants. Rather each tenant in the plurality of tenants is associated with an encryption key, not usable by other tenants, used at the data store to decrypt data on a tenant and corresponding key basis.

System and method of protecting data on a communication device

A system and method of protecting data on a communication device are provided. Data received when the communication device is in a first operational state is encrypted using a first cryptographic key and algorithm. When the communication device is in a second operational state, received data is encrypted using a second cryptographic key and algorithm. Received data is stored on the communication device in encrypted form.

Method and Apparatus for Authenticating Users of An Emergency Communication Network

An authentication system is configured to weight multiple available network supplied and user supplied authentication factors to determine whether a user should be provided with access to an Emergency Communication Network (ECN). The multiple factors may include the location of the user, MIN, short PIN, token, biometric information, and other information. The level of access to be provided to the user may be tiered based on the authentication level achieved during the weighting process. Authentication information may be shared between groups of individuals, so that the authentication requirements for group members may be reduced as other members of the group supply authentication information to the ECN. Group authentication may be used to enable group services such as conferencing and push-to-talk to be set up automatically for the group.

Application control constraint enforcement

Systems and methods for performing application control constraint enforcement are provided. According to one embodiment, file system or operating system activity of a computer system is intercepted relating to a code module. A cryptographic hash value of the code module is checked against a local whitelist database containing cryptographic hash values of approved code modules, which are known not to contain viruses or malicious code. The local whitelist database also contains execution constraint information. When the cryptographic hash value matches one of the cryptographic hash values of approved code modules, authority of the computer system or an end user of the computer system to execute the code module is further validated if the execution constraint information so indicates by performing a constraint check regarding the code module. If the authority is affirmed by the constraint check, then allowing the code module to be executed.

Selectively wiping a remote device

A system and method for selectively securing data from unauthorized access on a client device storing a plurality of data types with reference to an authorization level indicated in a command. A command is received at a client device comprising an authorization level indicator. Based on at least one predefined rule, which may be implemented in an IT policy stored at the client device, each of the plurality of data types to be secured is determined, and then the data corresponding to those types is secured. The data may be secured by encrypting and/or deleting the data at the client device. The predefined rules associated with each authorization level may be configured by a user or administrator having an authorization level that exceeds the associated authorization level.

Attesting a Component of a System During a Boot Process

A method, apparatus and program product for attesting a component of a system during a boot process. The method comprises the steps of: verifying that the system is in a trusted state; in response to verifying that the system is in a trusted state, requesting an enrollment of the system wherein the requesting step further comprises the step of: retrieving enrollment data associated with the system; retrieving current input data associated with the component of the system; comparing the current input data against the enrollment data in order to determine whether the system can retain its trusted state; wherein in response to the comparing step, if the current input data matches the enrollment data, the system retains its trusted state; and accepting the trusted state until receipt of a notification, from the system having a retained trusted state, of an update to the system.

Demand based usb proxy for data stores in service processor complex

A method, apparatus, system, and computer program product for secure server system management. A payload containing system software and/or firmware updates is distributed in an on-demand, secure I/O operation. The I/O operation is performed via a secured communication channel inaccessible by the server operating system to an emulated USB drive. The secure communication channel can be established for the I/O operation only after authenticating the recipient of the payload, and the payload can be protected from access by a potentially-infected server operating system. Furthermore, the payload can be delivered on demand rather than relying on a BIOS update schedule, and the payload can be delivered at speeds of a write operation to a USB drive.

Detecting Malicious Use of Computer Resources by Tasks Running on a Computer System

A method, apparatus, and computer program product for identifying malware is disclosed. The method identifies processes in a running process list on a host computer system. The method identifies ports assigned to the processes in the running process list on the host computer system. The method determines whether any one of ports that is currently in use in the host computer system is not assigned to any of the processes in the running process list. The method then makes a record that a hidden, running process is present as a characteristic of an attack in response to a determination that one of the ports is currently in use but is not assigned to any of the processes in the running process list in the host computer system.

System and Method for Automatic Authentication of an Item

A system, apparatus and method automatically authenticating an item. The media device includes a housing, a processor disposed within the housing, the item disposed within or attached to the housing, and a memory disposed within the housing. The memory stores computer readable instructions that when executed by the processor causes the processor to perform the steps: (a) obtaining the one or more identifiers from the item wherein the one or more identifiers includes a serial number or code; (b) transmitting the obtained identifier(s) to a server device for authentication; (c) receiving an authentication message from the server device; (d) continuing operation of the media device whenever the authentication message from the server device indicates that the item is authentic; and (e) performing one or more actions based on the authentication message whenever the authentication message from the server device indicates that the item is not authentic or cannot be verified.

Method and apparatus for downloading drm module

A Digital Rights Management (DRM) service system providing digital content to which DRM technology is applied, when one or more DRM content is provided to a client device, download information for a DRM module capable of installing a DRM agent corresponding to a DRM system applied to the DRM content is provided together, making it possible for the client device to download the DRM module based on the download information, install the DRM agent, and use the DRM content.

Collection agency data access method

An account data access method allowing access to an agency account database, such as that of a collection or other debt recovery agency, from public sites over a network by agency affiliates and clients of the agency. The invention provides for secure access to a client's accounts using a web browser over the internet. The invention also provides for different levels of access to the accounts among different representatives of the client.

Wireless intrusion prevention system and method

A wireless intrusion prevention system and method to prevent, detect, and stop malware attacks is presented. The wireless intrusion prevention system monitors network communications for events characteristic of a malware attack, correlates a plurality of events to detect a malware attack, and performs mitigating actions to stop the malware attack.

Data integrity protecting and verifying methods, apparatuses and systems

The disclosure provides data integrity protecting and verifying methods, apparatuses and systems. A data integrity protecting method include: calculating a Hash value of each of the data blocks by using a first Hash function, to obtain a plurality of block Hash values which form a first series of Hash values; calculating a second series of Hash values based on the first series of Hash values, the second series of Hash values comprising a plurality of chain Hash values, each of which being associated with a corresponding block Hash value in the first series of Hash values and being associated with a neighbor chain Hash value in the second series of Hash values, wherein the first series of Hash values and the second series of Hash values used as integrity information of the data; and generating verification information of the data by using a last chain Hash value.

Method, System And Device For Securing A Digital Storage Device

Method of securing a digital storage device, wherein a host is connected to the storage device, the host digitally locks the storage device so that unauthorized data access to the storage device is denied, the host sets the encryption conditions of the storage device in one of a condition wherein encryption of data on the storage device is enabled, and a condition wherein encryption of data on the storage device is disabled.

Printing apparatus

A printing apparatus includes: a receiving section which receives a print data from the external apparatus; a storage section in which the print data received by the receiving section is stored; an input section which receives from a user a print instruction for printing based on the print data stored in the storage section; a print section which performs the printing of the image on the recording medium based on the print data stored in the storage section in a case that the input section receives the print instruction from the user; and a controller which controls the storage section and which calculates and sets for the print data stored in the storage section a storage time-period within which the print data is storable in the storage section.

Objects in a Virtual Computing Infrastructure

An action is performed on an object in a cloud computing environment having a plurality of computing nodes. A policy path is determined from at least one permission within a policy of a customer. A first delegation path is determined from within the determined policy path. The first delegation path is directed to at least one object permission for the object upon which the action is to be performed. An authorized user is assigned from a second delegation path from within the determined policy path. The second delegation path is directed to at least one user permission for the action to be performed.

Methods for processing private metadata

According to one aspect of the invention, a file received from a first user is stored in a storage device, where the file includes private metadata encrypted by a secret key associated with a second user. A private metadata identifier is stored in a predetermined storage location, indicating that private metadata of the file has not been decrypted and indexed. In response to an inquiry subsequently received from the second user, the predetermined storage location is scanned to identify the private metadata identifier based on the inquiry. The encrypted metadata identified by the private metadata identifier is transmitted to the second user for decryption. In response to the metadata that has been decrypted by the second user, the decrypted metadata is indexed for the purpose of subsequent searches of at least one of the metadata and the file.

Techniques for mobile device authentication

A user authenticates a mobile device (MD) to a network-based service (NBS) for initial authentication. Policy is pushed from the NBS to the MD and the MD automatically obtains details about devices and attributes that are near or accessible to the MD in accordance with the policy. The details are pushed as a packet from the MD to the NBS and multifactor authentication is performed based on the details and the policy. If the multifactor authentication is successful, access privileges are set for the MD for accessing the NBS and perhaps for accessing local resources of the MD.

Globally valid measured operating system launch with hibernation support

An event log can comprise, not only entries associated with components instantiated since a most recent power on of a computing device, but also entries of components instantiated prior to that power on, such as components that were instantiated, and represent, a state of the computing device prior to hibernation that has now been resumed. Upon hibernation, the current values of the Platform Configuration Registers (PCRs) of a Trusted Platform Module (trusted execution environment), as well as a quote of those current values, and a current value of a monotonic counter of the trusted execution environment can be logged. The monotonic counter can be incremented at each power on to track successive generations of the computing device and to guard against an intervening, not-logged generation. A subsequent parsing of the event log can verify the prior generational entries with reference to the PCR values in the log that are associated with those generations.

Printhead integrated circuit with a solenoid piston

A printhead integrated circuit comprising a wafer substrate defining a nozzle outlet port; an electromagnetic piston mounted to the wafer substrate via torsion springs, said piston operatively forced towards the outlet port when activated; and a solenoid coil positioned on the wafer substrate about the piston to activate the piston when a current is passed through the coil. The piston is magnetised during a final high temperature step in a fabrication process of the nozzle apparatus to ensure that the Curie temperature is not exceeded after magnetisation

Interactive Bill Payment Center

A software suite that provides a bill-payment module and comprises an interactive main interface listing bills due and payment accounts, an interactive history link, an interactive set-up link embedded in the main interface, an interactive transfer-funds link, an interactive calendar link, a plurality of interactive drop-down menus providing upon invocation a plurality of selectable, interactive options for treating the listed bill and an interactive refresh-all link embedded in the main interface.

Virtualization Layer in a Virtual Computing Infrastructure

A cloud computing environment having a plurality of computing nodes is described. The plurality of computing nodes may be organized into a plurality of clusters, each of the plurality of clusters including a cluster controller. A virtual computing environment is created on each of the plurality of computing nodes. Communication with the virtual computing environment is enabled. An authorization to service a launch plan is received from a user. The launch plan includes at least one instance to launch. Bandwidth information is requested from each of the cluster controllers of the plurality of clusters. A score is computed for each of the plurality of clusters that responded to the requested bandwidth information. The launch plan is assigned to a cluster from the plurality of clusters based on the computed scores.

Security system for computing resources pre-releases

Technology is provided for provisioning a user computer system with membership in a privilege set in order to execute a pre-release resource. Some examples of pre-release resources are alpha and beta versions of firmware or software which can be downloaded to user computer systems. The pre-release resources are associated with different privilege sets based on their security risk levels. In one example, a security risk level may represent a number of user computer systems at risk of an integrity failure of the pre-release resource. In other examples, the security risk may represent an operational layer of the user computer system affected by the resource or a level of security testing certification success for the pre-release resource. A privilege set identifier indicates membership in one or more privilege sets.

Information processor

An information processor includes a keyword registration means for accepting an input of a keyword composed of a predetermined character string and storing the accepted keyword in a storage device; and a content display means for displaying externally acquired content on a display device. The content display means is configured to display the content on the display device by replacing a character string in a preset range containing the keyword with other display data if the keyword stored in the storage device exists in character information contained in the content.

Method and apparatus for controlling access to data based on layer

Disclosed is an access control apparatus and method for giving access authority with respect to data. The access control apparatus may encrypt, using a Public Key (PK) of a terminal, a Node Key (NK) of a target layer in which the access authority is to be granted to the terminal, and produce an Access Control List (ACL) of the target layer based on the encrypted NK and ID information of the terminal. Also, the access control apparatus may produce a copy of the ACL based on the produced ACL, and store the produced copy of the ACL in a lower layer.

Peripheral authentication

This document describes techniques ( 300, 400 ) and apparatuses ( 100, 500, 600, 700 ) for peripheral authentication. These techniques ( 300, 400 ) and apparatuses ( 100, 500, 600, 700 ) may configure data lines for authentication between host device ( 102 ) and peripheral ( 106 ), use these configured data lines to authenticate the peripheral ( 106 ), and then reconfigure the data lines for use.

Integrated Application Feature Store

An application feature store may be integrated with an application. The feature store may be accessed by a user through a feature storefront hosted within the application. The user may search the feature store for additional desired features available for the augmentation of the productivity application.

Mobile Posture-based Policy, Remediation and Access Control for Enterprise Resources

A mobile device management system that monitors the security state of one or more mobile devices and sets indicators related to such security state. Enterprise network applications, such as an email application, can access the security state information when making access control decisions with respect to a given mobile device.

Computer system and control method thereof

A computer system includes a number of input devices, a storage unit storing a plurality of modules, and a processing unit to execute the plurality of modules. The plurality of modules includes instructions executable by the processing unit to switch the operation mode of the computer system from a normal mode to a children mode when a mode switching command has been received. In the normal mode, the processing unit executes the number of the modules to determine which of applications of the computer system is subject to disablement and which of all the input devices is subject to disablement in the children mode, and regard any operation command on any application subject to disablement as an invalid operation command and any user operation on any input device subject to disablement as an invalid user operation when in the children mode. A related method is also provided.

Apparatus, system and method for preventing data loss

A device and method are provided for a device that communicates security information to a user entering content into the device. In an aspect, the device may access content from a server over a connection through the network. The device displays the content on a user interface of the device. The device detects information entered into a field of the displayed content and evaluates a security state of the device. If the security state is below a security threshold and, if the entered information is identified as protected information based on stored criteria, the device displaying a visual indication on the user interface.

Electronic Book Security Features

A method and system for fingerprinting a content item is described, the and system method include providing the content item, the content item including a set of content item elements, the set of content item elements denoted E, such that E={E 1 , E 2 , E i , E m }, providing information uniquely associated with a single user, the information including a string of bits, hereinafter denoted S 0 , parsing S 0 into a plurality of subsequences of strings of bits, hereinafter denoted S 1 ,, Sn, the parsing being performed such that S 0 equals a function of S 1 ,, Sn, providing a matrix of content item replacement elements, the matrix denoted R, each row of matrix R including, for at least each one of n members of set E, an array of content item replacement elements for E i denoted R i , such that R i ={R i1 , R ij }, uniquely associating each one of S 1 , Sn with one matrix element of matrix R, so that for every one of S 1 ,, Sn there exists a corresponding element of E, for every one of S 1 ,, Sn replacing at least one instance of the corresponding element E in the content item with the associated one matrix element of matrix R for the corresponding one of S 1 ,, Sn, and outputting a replacement content item including the result of the replacing, wherein the members of R i for each E i are chosen according to at least one similarity criterion. Related hardware, systems and methods are also described.

Random-id function for smartcards

A method for low-level security based on the UID. In particular it enhances an RFID system by adding the ability to dynamically modify the UID of the smartcard or to randomly generate a new UID for the smartcard.

Apparatus and method for restricting file operations

An information processing apparatus determines whether a particular operation on a first file, for example, is restricted or not. The information processing apparatus also restricts the particular operation on a second file related to the first file if the particular operation on the first file is restricted.

Interactive image-based document for secured data access

The present invention is directed to a method and system for verifying a user for copying or printing a limited portion of digital content while allowing the user to view the digital content. The digital content may have image portions that are digital images generally scanned from a printed page of the content and text portions that are digital texts including all forms of letters, characters, symbols, etc. An interactive image document displaying image portions of the digital content is provided for secure data access to text portions. A user can request and obtain a limited text portion of the digital content or view the image portions of the digital content via user interactions within the interactive image document. While the text portions can be reproduced, copied, or printed, the image portions can not be re-used or manipulated by the user due to their non-text accessible format.

Architecture for network management in a multi-service network

A mechanism is provided for a non-converged network for a service provider. A core network is divided into individually managed domains, where each of the domains comprises multiprotocol label switching for packets. A management system is coupled to each of the domains. Network elements in each of the domains are restricted from directly transferring packets to network elements in another one of domains. Each of the domains has a domain firewall at an edge of the domains, and the domain firewall restricts packets from being received from other domains. To transfer packets from one domain to another domain, the management system receives the packets from one domain and transfers the packets to the other domain after authentication.

Computing system

Disclosed is a computing system which comprises a data processing device exchanging communication data with the external and processing the communication data; and a security integrated circuit (IC) monitoring the communication data.

Data management system and method

A data management apparatus includes an index generation unit configured to subdivide an entire interval of data into bucket intervals, allocate indices for the respective bucket intervals, transform the bucket intervals having the allocated indices into bucket intervals of specific lengths, and generate bucket-based indices for pieces of data included in the bucket intervals of the specific lengths. The data management apparatus further includes a data management unit configured to transmit the encrypted data and the bucket-based indices to a server-side data management apparatus in order to store the encrypted data, transmit a user query to the server-side data management apparatus in order to search for a desired encrypted data, and decrypt encrypted data corresponding to the user query from the server-side data management apparatus. The user query includes the index of first bucket interval and the index of second bucket interval neighboring to the first bucket interval.

Apparatus and method to harden computer system

In some embodiments, a processor-based system may include a processor, the processor having a processor identification, one or more electronic components coupled to the processor, at least one of the electronic components having a component identification, and a hardware security component coupled to the processor and the electronic component. The hardware security component may include a secure non-volatile memory and a controller. The controller may be configured to receive the processor identification from the processor, receive the at least one component identification from the one or more electronic components, and determine if a boot of the processor-based system is a provisioning boot of the processor-based system. If the boot is determined to be the provisioning boot, the controller may be configured to store a security code in the secure non-volatile memory, wherein the security code is based on the processor identification and the at least one component identification. Other embodiments are disclosed and claimed.

Mobile phone atm processing methods and systems

Embodiments provide systems, methods, processes, computer program code and means for using mobile devices to conduct transactions with ATM devices.

Display apparatus with touch-sensitive screen lock/unlock function and method thereof

A display apparatus and a method for locking and unlocking a touch-sensitive screen are provided. A user interface is provided on the display apparatus for a user to set at least two types of passwords. At least two types of passwords displayed on the user interface are stored when input of the at least two types of passwords ends. The touch-sensitive screen is locked according to any one of the at least two stored types of passwords. The touch-sensitive screen is unlocked if an input password matches any one of the at least two types of passwords.

Process and device for authentication

The authentication process comprises: a step of generating a random number ( 105 ), a step of generating a time-stamp ( 115 ), a step of generating a first secret key ( 120 ), a step of truncating the message authentication code utilizing said first secret key ( 125 ), a step of symmetrically encrypting the random number, time-stamp and truncation ( 135 ), utilizing a second secret key ( 130 ) to produce an authentication code ( 145 ). Preferably, during the step of generating a random number, a quantum generator ( 100 ) is utilized. Preferably, during the truncation step, a cryptographic message authenticator is generated utilizing the first secret key. Preferably, during the step of symmetrically encrypting the random number, time-stamp and truncation, by utilizing the second secret key, in addition a hash ( 140 ) is produced.

Policy-based access to virtualized applications

When a request is received to execute a virtualized application, an application virtualization client component evaluates an execution policy to determine if the application may be executed. If the application virtualization client component determines based on the execution policy that the virtualized application may be executed, the application virtualization client component publishes the virtualized application. The application virtualization client component publishes the application by making the virtualized application available for execution if the application is installed, and installing the virtualized application if it is not installed. The application virtualization client component also evaluates the execution policy during execution of the virtualized application. If the application virtualization client component determines that the execution policy is no longer satisfied, the application virtualization client component unpublishes the virtualized application, thereby preventing execution of the virtualized application.

Voice-capable system and method for authentication query recall and reuse prevention

A system and method for use with a voice-capable system, includes but is not limited to a method including receiving an authentication request by the voice-capable system from a user computationally networked to the voice-capable system, and determining an authentication session in response to the authentication request, the determining the authentication session including identifying a series of questions associated with the user, the series of questions determined via consulting a predetermined period of time configured to prevent one or more questions from the series of questions from being reused until the predetermined period of time has elapsed.

Method and system for subscription digital rights management

A system and method for managing use of items having usage rights associated therewith. The system includes an activation device adapted to issue a software package having a public and private key pair, the public key being associated with a user, a license device adapted to issue a license, a usage device adapted to receive the software package, receive the license and allow the user to access the item in accordance with the license, and a subscription managing device adapted to maintain a subscription list including the public key associated with the user. License's is issued by the license device upon verifying presence of the public key in the subscription list corresponding to requested content.

Defense-in-depth security for bytecode executables

Defense-in Depth security defines a set of graduated security tasks, each of which performs a task that must complete before another task can complete. Only when these tasks complete successfully and in the order prescribed by Defense-in-Depth security criteria is a final process allowed to execute. Through such Defense-in-Depth security measures, vulnerable software, such as bytecode, can be verified as unaltered and executed in a secure environment that prohibits unsecured access to the underlying code.

System And Method For Harvesting Electronically Stored Content By Custodian

A system and method for harvesting electronically stored content by custodian is provided. Content associated with user names for one or more custodians is maintained in a collaboration environment. A custodian list with names of at least a portion of the custodians is received. Access reports each having user names and associated unique identifiers for the custodians with access to the content within a collaboration environment are obtained. One or more of the user names are mapped with at least one of the custodians by comparing the list of custodians to the access reports and by determining a selected user name for the at least one custodian. The content associated with the at least one custodian is identified using the selected user name.

Removable devices

Methods and removable devices are provided. Some such removable devices may include a secure partition and a public partition. The secure partition is not accessible by an operating system of a host for some embodiments. The secure partition is configured to store information so that formatting/reformatting does not alter the stored information for other embodiments.

Method, Apparatus and System for Accessing Remote Files

The present invention relates to a method, apparatus and system for accessing remote files, wherein the method for accessing remote files comprising the following steps: obtaining download operation information for downloading a file in an operational system server; redirecting the download operation to a file server with safety space; saving a real copy of the downloaded file in the safety space and enumerating a corresponding virtual copy in the safety space. In the present invention, local file operations are redirected to the network file operations of network file storage system by redirecting the download operation on the file in the operational system server to the file server instead of being saved in the local user terminal to realize the “Not to local” effect for the key file. Even when it is power-off and then restarted, the data will not be saved in the local user terminal to achieve an effect close to “physical-like isolation”, which solves the safety problems of the offline key file much better.

System and method for enforcing software security through cpu statistics gathered using hardware features

This disclosure is directed to measuring hardware-based statistics, such as the number of instructions executed in a specific section of a program during execution, for enforcing software security. The counting can be accomplished through a specific set of instructions, which can either be implemented in hardware or included in the instruction set of a virtual machine. For example, the set of instructions can include atomic instructions of reset, start, stop, get instruction count, and get CPU cycle count. To obtain information on a specific section of code, a software developer can insert start and stop instructions around the desired code section. For each instruction in the identified code block, when the instruction is executed, a counter is incremented. The counter can be stored in a dedicated register. The gathered statistics can be used for a variety of purposes, such as detecting unauthorized code modifications or measuring code performance.

Protecting Codes, Keys and User Credentials with Identity and Patterns

Computer security applications use cryptography keys, cryptography codes—such as one-time passcodes—and other user credentials to protect the secrecy, authenticity and integrity of applications such as financial information, financial transactions and infrastructure (e.g. the electrical grid, power plants, and defense systems). The prior art attempted to generate (e.g. derive) an invariant from a biometric template, biometric print or non-biometric pattern that is used as a security key or code. Biometric variability has been a difficult obstacle for the prior art. In an embodiment, the invariant is at least partially generated (e.g., derived) a transformation between the biometric templates or prints. In an embodiment, the invariant is a cryptography key. In an embodiment, the transformation(s) help perform an authentication of the user and are executed by digital computer program instructions. In an embodiment, pattern transformation(s) are represented with colors, geometry or frequencies.

System and methods for protecting users from malicious content

A method, system and device for allowing the secure collection of sensitive information is provided. The device includes a display, and a user interface capable of receiving at least one user-generated interrupt in response to a stimulus generated in response to content received by the device, wherein the action taken upon receiving the user-generated interrupt depends on a classification of the content, the classification identifying the content as trusted or not trusted. The method includes detecting a request for sensitive information in content, determining if an interrupt is generated, determining if the content is trusted, allowing the collection of the sensitive information if the interrupt is generated and the content is trusted, and performing an alternative action if the interrupt is generated and the content is not trusted. The method may include instructions stored on a computer readable medium.

System and method for distorting a clockface for captcha validation

A system and method of generating a challenge/response test to determine if a computer user is human provides the following steps performed for each instance of the challenge/response test: selecting a graphical image representing an analog clock face with an indicated time; storing the indicated time; applying a distortion filter to the graphical image to generate a distorted graphical image; presenting the distorted graphical image to the computer user with a challenge to identify the indicated time; receiving input from the computer user; and comparing the input to the stored indicated time to determine if the computer user is human.

Content Access Control in Social Network

A method includes concurrently displaying a content item area and access control list information corresponding to an access control list of distribution entities; receiving, from a user of a client system, input in the content item area, the input including a content item; presenting to the client system user an affordance that enables the client system user to update the access control list to produce an updated access control list including one or more distribution entities, at least one distribution entity of the one or more distribution entities corresponding to one or more recipient entities; and transmitting the content item and access control list to a server system for storing the content item in conjunction with the access control list. The server system enables access to the content item to one or more recipient entities in accordance with the access control list.

Program execution device

A program execution device capable of protecting a program against unauthorized analysis and alteration is provided. The program execution device includes an execution unit, a first protection unit, and a second protection unit. The execution unit executes a first program and a second program, and is connected with an external device that is capable of controlling the execution. The first protection unit disconnects the execution unit from the external device while the execution unit is executing the first program. The second protection unit protects the first program while the execution unit is executing the second program.

System and Method for Enforcing Future Policies in a Compute Environment

A disclosed system receives a request for resources, generates a credential map for each credential associated with the request, the credential map including a first type of resource mapping and a second type of resource mapping. The system generates a resource availability map, generates a first composite intersecting map that intersects the resource availability map with a first type of resource mapping of all the generated credential maps and generates a second composite intersecting map that intersects the resource availability map and a second type of resource mapping of all the generated credential maps. With the first and second composite intersecting maps, the system can allocate resources within the compute environment for the request based on at least one of the first composite intersecting map and the second composite intersecting map.

Rule-based contest handling

An embodiment of a method includes receiving a content request including a first set of attribute values, using at least one of the attribute values from the first set of attribute values to determine a second set of attribute values, traversing a hierarchy of decision nodes, wherein each decision node implements business logic based on one of the attribute values from the first set of attribute values or the second set of attribute values, and generating a decision from a last node in the hierarchy, wherein the decision dictates how to respond to the content request.

Digital works having usage rights and method for creating the same

Digital work adapted to be distributed within a system for controlling at least one of the distribution and use of digital works. The digital work includes digital content representing a portion of a digital work suitable for being rendered by a rendering device and usage rights associated with the digital content. The usage rights specify a manner of use indicating one or more stated purposes for which the digital work can be at least one of used and distributed by an authorized party.

Digital works having usage rights and method for creating the same

Digital work adapted to be distributed within a system for controlling at least one of the distribution and use of digital works. The digital work includes digital content representing a portion of a digital work suitable for being rendered by a rendering device and usage rights associated with the digital content. The usage rights specify a manner of use indicating one or more stated purposes for which the digital work can be at least one of used and distributed by an authorized party.

Online authentication using audio, image and/or video

Systems, methods, and computer program products for online authentication using audio, video and/or image data. In some examples, audio, video and/or image data of a user may be captured, and recognition may be performed on at least part of the captured data during an attempt to confirm that the user is who he/she is supposed to be. If the attempt is successful, a validation confirmation may be generated. In some cases of these examples, the validation confirmation or a part thereof may optionally be provided to a server during user authentication relating to a resource provided by the server. Additionally or alternatively, in some cases of these examples, at least part of the captured data may optionally be provided to the server during user authentication. Depending on the example, the server may or may not be a web server.

Information processing apparatus, control method therefor, and storage medium storing program thereof

An information processing apparatus acquires, from a Web server, an operation screen for inputting authentication information, displays the acquired operation screen, and accepts authentication information input by a user. The apparatus then executes authentication processing using the accepted authentication information without transmitting the authentication information to the Web server, and authorizes, when the authentication succeeds, the user to use a function of itself.

Security countermeasure management platform

A management platform that allows security and compliance users to view risks and vulnerabilities in their environment with the added context of what other mitigating security countermeasures are associated with that vulnerability and that are applicable and/or available within the overall security architecture. Additionally, the platform allows users to take one or more actions from controlling the operation of a security countermeasure for mitigation purposes to documenting the awareness of a security countermeasure that is in place.

System and method for fingerprinting in a cloud-computing environment

A system and method for uniquely fingerprinting an execution environment instance in a cloud-computing environment in which an application is assigned to the execution environment instance, and a license key is required for the application to access a desired licensed feature. The application requests a fingerprint certificate from a cloud infrastructure management unit via the application's execution environment instance. The management unit identifies the fingerprint assigned to the execution environment instance, digitally signs a fingerprint certificate, and assigns an expiration timestamp. An application programming interface (API) sends the signed certificate and timestamp back to the application. The application verifies the digital signature and the timestamp and utilizes the fingerprint certificate to request a license key from a licensing system. The licensing system verifies the fingerprint certificate before generating the license key, and the application verifies that the license key matches the fingerprint before accessing the licensed feature.

Method and apparatus for editing, filtering, ranking and approving content

The system provides a method and apparatus for editing, filtering, ranking and approving content. In one embodiment, the system provides a browsing environment for children that routes all internet requests through a central server. A request to a blocked website is automatically forwarded to one of a plurality of editors who can then access the site and determine on a page or site basis as to whether the request is suitable for the browsing environment. The system includes a workflow management system that determines which of the plurality of editors will be assigned a link to review. Approved content is categorized by the age and gender of the users of the content. The approved content is also categorized as a resource or reference to assist in accomplishing homework assignments. Parents can receive updates and can manage the content remotely.

Data security management systems and methods

Data security management system and methods are provided. First, a first system having a management authority is provided. The first system displays an input interface on an input device. A switch switches the management authority from the first system to a second system, wherein the second system operates with a secure mechanism. When the management authority is switched to the second system, the first system transmits layout information of the input interface and an input device characteristic of the input device to the second system. The second system receives input data via the input device, and decodes the input data according to the layout information and the input device characteristic.

Enterprise level data management

A system for identifying data of interest from among a multiplicity of data elements residing on multiple platforms in an enterprise, the system including background data characterization functionality characterizing the data of interest at least by at least one content characteristic thereof and at least one access metric thereof, the at least one access metric being selected from data access permissions and actual data access history and near real time data matching functionality selecting the data of interest by considering only data elements which have the at least one content characteristic thereof and the at least one access metric thereof from among the multiplicity of data elements.

Secure caching technique for shared distributed caches

The present invention relates to a secure caching technique for shared distributed caches. A method in accordance with an embodiment of the present invention includes: encrypting a key K to provide a secure key, the key K corresponding to a value to be stored in a cache; and storing the value in the cache using the secure key.

Method and apparatus for validating integrity of a mobile communication device

A method for validating integrity of a mobile communication device includes installing an integrity verification application on the mobile communication device. The method also includes establishing a first pass indicator and a second pass indicator including receiving a first instance of the first pass indicator. The method also includes receiving a second instance of the first pass indicator as a challenge for verification. In response to receiving the second instance of the first pass indicator, the second pass indicator may be displayed as an indication of the integrity.

Data Storage Device and Data Management Method Thereof

An embodiment of the invention provides a data storage device and data management method thereof. The data storage device is coupled to a host, and includes a storage media having data sectors for storing data and a controller. The controller is coupled to the storage media for sequentially receiving one or more read commands and corresponding one or more logical addresses thereto, reads a plurality of first data sectors from the storage media according to the read commands and the corresponding logical addresses, outputs data of the first data sectors to the host, calculates a valid duration required for the one or more read commands, calculates an average data throughput according to the number of the first data sectors and the valid duration, and determines whether the average data throughput exceeds a predetermined threshold. When the average data throughput exceeds the predetermined threshold, the controller performs a blocking procedure to prevent the storage media from being accessed.

System and Method for Content Protection on a Computing Device

Systems and methods for handling user interface field data. A system and method can be configured to receive input which indicates that the mobile device is to enter into a protected mode. Data associated with fields displayed on a user interface are stored in a secure form on the mobile device. After the mobile device leaves the protected mode, the stored user interface filed data is accessed and used to populate one or more user interface fields with the accessed user interface field data for display to a user.

Method and Apparatus for Regulating Electronic Mail Transmission through Account Verification

Methods and apparatus for regulating the transmission of electronic mail messages are provided. The type of account or necessary permissions to transmit the electronic mail messages to their destination is determined and the sender's account is queried to ensure it is of the proper type or has the necessary permissions. If so, the electronic mail message is sent to its destination. If not, the electronic mail message is held and the user is allowed to obtain the proper type of account or an account with the necessary permissions for delivery of the electronic mail message. In determining the proper type of account or necessary permissions, variables can include the geographic location of the electronic mail message's destination or the size of the electronic mail message and its attachments.

System and methods for identity attribute validation

A method of identity attribute validation at a computer server involves the computer server receiving an identity attribute validation request from a communication terminal. The computer server further receives a credential, and is configured with an attribute disclosure profile of attributes authorized for disclosure to the communication terminal. The computer server determines the validity of the credential, and provides the communication terminal with a response to the identity attribute validation request based on an outcome of the credential validity determination. The attribute validation response includes attributes data associated with the credential authorized for disclosure by the attribute disclosure profile but excludes attributes data associated with the credential not authorized for disclosure by the attribute disclosure profile.

File sharing mechanism

An embodiment of the invention provides a data sharing method for a portable device. The method comprises executing an application program to create a data sharing event by a first user, and creating a user list by the first user, wherein when a second user of the user list shares a first file via the data sharing event, the first user receives and stores the first file in the portable device.

Storage system, storage control apparatus, and storage control method

In a storage system, a storage apparatus has an encryption key generator and an encryption processor that encrypts data to be recorded in a storage region using an encryption key from the encryption key generator, and is able to change an encryption key for each divided region set in the storage region. A control apparatus has a logical volume setting unit that requests the encryption processor to set an individual divided region for each storage region set as a logical volume in the storage region of the storage apparatus and a data erasure processor that requests the encryption processor to change the encryption key used for encryption in the divided region corresponding to the logical volume to be erased.

Security enforcement in virtualized systems

A system includes a virtual machine (VM) server and a policy engine server. The VM server includes two or more guest operating systems and an agent. The agent is configured to collect information from the two or more guest operating systems. The policy engine server is configured to: receive the information from the agent; generate access control information for a first guest OS, of the two or more guest operating systems, based on the information; and configure an enforcer based on the access control information.

Controlling, filtering, and monitoring of mobile device access to the internet, data, voice, and applications

Systems and methods for controlling, filtering, and monitoring mobile device access to the internet are disclosed. According to an embodiment a server is responsible for controlling, filtering and monitoring internet activity. For every request, the server interacts with back-end databases that categorize requests, and based on user/carrier/corporate settings, allow or disallow access to particular content.

Handling User-Specific Information for Content During Content-Altering Operations

A content player receives user-specific information from different users and associates the information with content. Subsequently, the player receives a request to perform a content-altering operation. In response, the player performs the operation such that the information for the requesting user is affected, but not the information for other users. The information may include a placeholder, an indication as to whether the content and/or the entire content has been accessed, a protection status indicating whether or not the content can be deleted, and so on. The information may be added to and/or configured to accompany and/or otherwise be associated with the content. The player may identify the user so that different information for different users can be associated with the content for the respective user, such as by prompting the user to select an identifier from a list or perform a “log in.”

Encryption information transmitting terminal

The communication unit transmits and receives a communication message. The authentication processor performs an authentication process for establishing the network connection by transmitting and receiving an authentication message to and from an authentication server through the communication unit. The encryption information generator generates an encryption key shared with the authentication server when the authentication process is successfully completed. The first message generator generates a first communication message instructing the destination device to acquire the encryption key from the authentication server. The second message generator generates a second communication message including data to be transmitted to the destination device. The communication unit transmits the first communication message to the destination device, encrypts the second communication message with the encryption key, and transmits an encrypted second communication message to the destination device.