Author: Sean Gallagher

Researchers who developed a set of attacks against encryption schemes in CryptDB—a technology seen by many as key in creating secure cloud-based database applications—faced a rebuttal from one of the technology’s developers last week, who essentially claimed they were testing it the wrong way. In a series of e-mails to Ars, both the research team and CryptDB’s original lead developer have further responded to each other’s claims. And one of the researchers responded at length to the rebuttal in a blog post on Monday, further pressing his case.

As Ars reported last week, CryptDB is central to many efforts to easily add strong security to existing Structured Query Language-based applications—and to move some of those applications safely into private and public cloud database services.

“The awesome thing about CryptDB is that you can store your data in encrypted form without rewriting your apps,” said Charles Wright of Portland State University, one of the authors of the paper, in an e-mail to Ars. “That’s what makes CryptDB such an exciting system, and why so many other groups have taken up the idea and run with it.”

Video shot and edited by Nathan Fitch. (video link)

Shooting things you can see is hard enough. Shooting things you can’t see based on directions someone being shot at is giving you over a staticky radio is even harder. But a digital addition to the Army’s most nimble of artillery pieces is making the job of delivering explosive packages accurately and on time a lot easier.

Over the past two years, the US Army has been applying technology that was once the province of submarines and strategic bombers to a piece of weaponry with a somewhat more humble history: light field artillery. The M119 howitzer, the modern descendant of the towed cannons that have been used to lob shells at enemies since the Middle Ages, has been upgraded with a digital inertial navigation system that makes it possible for a gun crew to set it up within minutes and start firing in support of soldiers in the field.

The M119, technically speaking, is a “gun-howitzer”—a cannon that can be used both for direct fire (aimed at the target with an optical sight or radar) and indirect fire aimed based on positions provided by a spotter. Howitzers were originally guns with shorter barrels relative to their shell caliber that were used to lob shells in a high arc, at greater distances than the even shorter-barreled mortar.

A team of Microsoft researchers led by Seny Kamara claims to have been successful at recovering a substantial amount of data from health records stored in CryptDB (PDF), a database technology that uses layers of encryption to allow users to search through encrypted data without exposing its contents.

CryptDB was originally developed at MIT. It functions as an addition to a standard, unmodified SQL database and is intended to allow applications to interact with encrypted data using Structured Query Language. By using layers of encryption, CryptDB can allow certain properties of data to be revealed to applications processing the queries while keeping the data itself protected. In theory, the encryption prevents the database administrator (or anyone who attacks the database by gaining trusted access) from being able to view the contents of the database. Data from different users is encrypted with different keys.

CryptDB has been used with the open-source MySQL and PostgreSQL databases, and Google uses it to provide an encrypted version of its BigQuery cloud database. SAP and other large database vendors are looking to apply the technology to their own databases as well. And the federally funded MIT Lincoln Laboratory (PDF) has worked with CryptDB as an additional interface to the Apache Accumulo NoSQL database—the same database originally developed by the National Security Agency to store NSA’s multi-level security “big data.”

The Washington Post’s Ellen Nakashima reports that under the direction of the Obama administration, US government officials are planning “a package of unprecedented economic sanctions against Chinese companies and individuals” who have profited from trade secrets stolen from US companies by Chinese government-sponsored hackers.

The talk of sanctions comes just weeks before the arrival of Chinese president Xi Jinping for a state visit, and it may just be talk—a final call on whether to impose sanctions will likely be made within the next two weeks, according to the Post’s unnamed administration sources. While the Justice Department announced indictments against members of China’s People’s Liberation Army for the electronic theft of trade secrets last year, the indictments were largely symbolic. The sanctions under discussion would likely include the seizure of economic assets of Chinese companies making use of what officials allege to be data stolen from US companies—and elevate tensions with China further as the governments continue to face off over other economic and military issues.

The sanctions will not, apparently, include action over the theft of US government employee data from the Office of Personnel Management. The administration’s concern is greater over economic espionage, including the theft of “everything from nuclear power plant designs to search engine source code,” Nakashima reported. The Federal Bureau of Investigations reported last month that the number of economic espionage cases being investigated had jumped by 53 percent in the last year—and most of that growth was attributed to China’s aggressive use of computer and network espionage against US companies.

So far, the FBI’s IC3 has been contacted by 992 victims of CryptoWall, and their combined losses total over $18 million (~£11.4 million). That number falls far short of the actual number of victims, some of whom have not reported being affected by the malware and have simply paid up or abandoned their files. And the current cost figure does not include all of the business losses from those reporting CryptoWall incidents. Those hidden impacts can include lost productivity, the cost of bringing in IT services to clean up the mess, or the price of handling the potential breach of personal information associated with the malware.

“CryptoWall 3.0 is the most advanced crypto-ransom malware at the moment,” said Stu Sjouwerman, CEO of the security training company KnowBe4, in an e-mail to Ars. “The $18 million in losses is likely much more, as many companies do not report their infections to the FBI and the downtime caused by these infections is much higher.”