Researchers respond to developer’s accusation that they used crypto wrong

Researchers who developed a set of attacks against encryption schemes in CryptDB—a technology seen by many as key in creating secure cloud-based database applications—faced a rebuttal from one of the technology’s developers last week, who essentially claimed they were testing it the wrong way. In a series of e-mails to Ars, both the research team and CryptDB’s original lead developer have further responded to each other’s claims. And one of the researchers responded at length to the rebuttal in a blog post on Monday, further pressing his case.

As Ars reported last week, CryptDB is central to many efforts to easily add strong security to existing Structured Query Language-based applications—and to move some of those applications safely into private and public cloud database services.

“The awesome thing about CryptDB is that you can store your data in encrypted form without rewriting your apps,” said Charles Wright of Portland State University, one of the authors of the paper, in an e-mail to Ars. “That’s what makes CryptDB such an exciting system, and why so many other groups have taken up the idea and run with it.”


The guns of (this) August: Ars gets a demo of digitally enhanced artillery

Video shot and edited by Nathan Fitch.

Shooting things you can see is hard enough. Shooting things you can’t see, based on directions relayed over a staticky radio by someone who is being shot at, is even harder. But a digital addition to the Army’s most nimble of artillery pieces is making the job of delivering explosive packages accurately and on time a lot easier.

Over the past two years, the US Army has been applying technology that was once the province of submarines and strategic bombers to a piece of weaponry with a somewhat more humble history: light field artillery. The M119 howitzer, the modern descendant of the towed cannons that have been used to lob shells at enemies since the Middle Ages, has been upgraded with a digital inertial navigation system that makes it possible for a gun crew to set it up within minutes and start firing in support of soldiers in the field.

The M119, technically speaking, is a “gun-howitzer”—a cannon that can be used both for direct fire (aimed at the target with an optical sight or radar) and indirect fire aimed based on positions provided by a spotter. Howitzers were originally guns with shorter barrels relative to their shell caliber that were used to lob shells in a high arc, at greater distances than the even shorter-barreled mortar.


MS researchers claim to crack encrypted database with old simple trick

A team of Microsoft researchers led by Seny Kamara claims to have been successful at recovering a substantial amount of data from health records stored in CryptDB (PDF), a database technology that uses layers of encryption to allow users to search through encrypted data without exposing its contents.

CryptDB was originally developed at MIT. It functions as an addition to a standard, unmodified SQL database and is intended to allow applications to interact with encrypted data using Structured Query Language. By using layers of encryption, CryptDB can allow certain properties of data to be revealed to applications processing the queries while keeping the data itself protected. In theory, the encryption prevents the database administrator (or anyone who attacks the database by gaining trusted access) from being able to view the contents of the database. Data from different users is encrypted with different keys.

CryptDB has been used with the open-source MySQL and PostgreSQL databases, and Google uses it to provide an encrypted version of its BigQuery cloud database. SAP and other large database vendors are looking to apply the technology to their own databases as well. And the federally funded MIT Lincoln Laboratory (PDF) has worked with CryptDB as an additional interface to the Apache Accumulo NoSQL database—the same database originally developed by the National Security Agency to store NSA’s multi-level security “big data.”


White House Eyes Sanctions for China Over Cyber-theft of Trade Secrets

The Washington Post’s Ellen Nakashima reports that under the direction of the Obama administration, US government officials are planning “a package of unprecedented economic sanctions against Chinese companies and individuals” who have profited from trade secrets stolen from US companies by Chinese government-sponsored hackers.

The talk of sanctions comes just weeks before the arrival of Chinese president Xi Jinping for a state visit, and it may just be talk—a final call on whether to impose sanctions will likely be made within the next two weeks, according to the Post’s unnamed administration sources. While the Justice Department announced indictments against members of China’s People’s Liberation Army for the electronic theft of trade secrets last year, the indictments were largely symbolic. The sanctions under discussion would likely include the seizure of economic assets of Chinese companies making use of what officials allege to be data stolen from US companies—and elevate tensions with China further as the governments continue to face off over other economic and military issues.

The sanctions will not, apparently, include action over the theft of US government employee data from the Office of Personnel Management. The administration’s concern is greater over economic espionage, including the theft of “everything from nuclear power plant designs to search engine source code,” Nakashima reported. The Federal Bureau of Investigation reported last month that the number of economic espionage cases being investigated had jumped by 53 percent in the last year—and most of that growth was attributed to China’s aggressive use of computer and network espionage against US companies.


Fiat Chrysler “connected car” bug lets hackers take over Jeep remotely

A pair of computer security researchers based in St. Louis demonstrated weaknesses in an automobile system with cellular connectivity installed in as many as 471,000 vehicles in the US. Charlie Miller and Chris Valasek highlighted the vulnerability of the system by attacking a Jeep Cherokee equipped with the Uconnect system remotely while Wired’s Andy Greenberg was driving it.


Hacking Team built drone-based Wi-Fi hacking hardware

Leaked e-mails from the Italy-based computer and network surveillance company Hacking Team show that the company developed a piece of rugged hardware intended to attack computers and mobile devices via Wi-Fi. The capability, marketed as part of the company’s Remote Control System Galileo, was shown off to defense companies at the International Defense Exposition and Conference (IDEX) in Abu Dhabi in February, and it drew attention from a major defense contractor. But like all such collaborations, it may have gotten caught up in the companies’ legal departments.


FBI Says Crypto Ransomware has Raked in >$18 Million for Cybercriminals

The FBI’s Internet Crime Complaint Center (IC3) has issued an alert warning businesses and individuals about the continued spread of cryptographic ransomware. This malware encrypts a victim’s files with a key held by criminals on a remote server, and it then extorts money from the victim to recover those files. The biggest threat among these continues to be CryptoWall, the ransomware family that first emerged last April.

So far, the FBI’s IC3 has been contacted by 992 victims of CryptoWall, and their combined losses total over $18 million (~£11.4 million). That number falls far short of the actual number of victims, some of whom have not reported being affected by the malware and have simply paid up or abandoned their files. And the current cost figure does not include all of the business losses from those reporting CryptoWall incidents. Those hidden impacts can include lost productivity, the cost of bringing in IT services to clean up the mess, or the price of handling the potential breach of personal information associated with the malware.

“CryptoWall 3.0 is the most advanced crypto-ransom malware at the moment,” said Stu Sjouwerman, CEO of the security training company KnowBe4, in an e-mail to Ars. “The $18 million in losses is likely much more, as many companies do not report their infections to the FBI and the downtime caused by these infections is much higher.”


Security Shade Thrown in Spat Between ADP and HR Cloud Service Provider

It’s not often that you see a CEO launching a Change.org petition drive and a Twitter hashtag campaign over a dispute with another company. But that’s exactly what Parker Conrad, the CEO and co-founder of the cloud HR software company Zenefits, has done in a battle of words with the payroll processing giant ADP.

In his blog posts about ADP’s move to cut off clients’ access to data through Zenefits, Conrad also directed customers to a Change.org petition directed at ADP’s CEO Carlos Rodriguez and asked them to air their complaints on Twitter using the hashtag #ADPeeved. But ADP has responded by filing suit against Zenefits and Conrad, claiming that statements by Conrad accusing ADP of anti-competitive practices are defamatory.

Zenefits offers businesses its human resources management services for free and is funded by commissions from insurers and other benefit providers. The company ran afoul of ADP, according to statements issued by ADP, because of its unorthodox approach to integration with ADP’s data. An ADP spokesperson has issued statements accusing Zenefits of poor security practices that could have exposed the personal identifying information of clients’ employees and taxing ADP’s systems by using “screen scraping” to get access to payroll data rather than through a partner data interface.


Navy Research Lab develops cheap “swarm” glider mini-drones

At the Department of Defense’s “Lab Day” last week at the Pentagon, scientists from the Naval Research Laboratory unveiled the world’s smallest spy drone yet: a tiny, intelligent glider called the “Cicada.” More formally known as the Covert Autonomous Disposable Aircraft, the Cicada is intended (like its namesake) to be deployed in large swarms—and to expire when its mission is complete.