Google Releases Security Updates for Chrome

Original release date: February 05, 2015

Google has released Chrome 40.0.2214.111 for Windows, Mac, and Linux to address multiple vulnerabilities. Exploitation of these vulnerabilities could allow a remote attacker to take control of an affected system.

US-CERT encourages users and administrators to review the Google Chrome blog entry and apply the necessary updates.

Why even strong crypto wouldn’t protect SSNs exposed in Anthem breach

Another day, another data breach, and another round of calls for companies to encrypt their databases. Cryptography is a powerful tool, but in cases like this, it's not going to help. If your OS is secure, you don't need the crypto; if it's not, the crypto won't protect your data.

In a case like the Anthem breach, the really sensitive databases are always in use. This means that they're effectively decrypted: the database management systems (DBMS) are operating on cleartext, which means that the decryption key is present in RAM somewhere. It may be in the OS, it may be in the DBMS, or it may even be in the application itself (though that's less likely if a large relational database is in use, which it probably is). What's to stop an attacker from obtaining that key, or perhaps from just making database queries?

The answer, in theory, is other forms of access control. Perhaps the DBMS requires authentication, or operating system permissions will prevent the attacker from getting at the keys. Unfortunately—and as these many data breaches show—these defenses are not configured properly or aren't doing the job. If that's the case, though, adding encryption isn't going to help; the attacker will just go around the crypto. There's a very simple rule of thumb here: Encryption is most useful when OS protections cannot work.

Sony Pictures co-chair steps down months after hacks on company

The co-chairwoman of Sony Pictures stepped down from her post Thursday in the wake of the hacking scandal that tormented the company late last year.

Her fellow co-chair, Michael Lynton, remains the chief executive of the film studio, according to The New York Times, which added that the resignation would take effect as of May 2015.

Sony Pictures did not immediately respond to Ars’ request for comment.
