Electronic CIPHER, Issue 156, July 24, 2020

============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 156                                           July 24, 2020

Hilarie Orman, Editor                 Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org     cipher-assoc-editor @ ieee-security.org

Sven Dietrich                         Yong Guan
Book Review Editor                    Calendar Editor
cipher-bookrev @ ieee-security.org    cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year

Contents:

 * Letter from the Editor
 * Commentary and Opinion and News
    o News Items from the Media
       - Social Media Gets Social Engineered
       - ATM Hacks, Because That's Where the Money Is
       - Online: Iranian Hacking Course Materials
       - The Not So Very Good Privacy Shield
       - Russians Interested in Hacking Vaccine Research (but why is that bad?)
    o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website
 * List of Computer Security Academic Positions, by Cynthia Irvine
 * Conference and Workshop Announcements
    o Upcoming calls-for-papers and events
 * Staying in Touch
    o Information for subscribers and contributors
    o Recent address changes
 * Links for the IEEE Computer Society TC on Security and Privacy
    o Becoming a member of the TC
    o TC Officers
    o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

It is still hard for me to think that disinfecting a computer now means cleaning the keyboard and touchscreen to remove virus contamination.
Going viral means, well, we know that it means the increase in new COVID-19 cases exceeds the previous day's percentage. A mathematician friend marvels that "I've never seen so many people interested in a third derivative."

Our distanced lives go on, in times of trouble Internet video comes to me. Let it Zoom. I have found many creative videos and songs that commemorate this period of quarantine and isolation, and I'm struck by the inspiration that people derive from the odd situation. But it is challenging to get noticed and to sell creative works under these circumstances.

The software/tech industry seems prescient in having converted to online collaboration decades ago. I seem to recall that X Windows was written with no in-person meetings of the development team.

Of course, the fragile security basis for online trust is taking a beating as everyone moves to using their home network for professional work. Twitter suffered the embarrassment of having many of its high profile accounts hacked. Though the damage was limited to scamming some cryptocurrency cash, the potential for deep damage is worrisome. If meeting in person remains an unhealthy act, and if online personas become untrustworthy and fakable, then where does that leave us?

   "Infected be the air whereon they ride,
    And damn'd all those that trust them."
    (Macbeth, Act 4, Scene 1),

      Hilarie Orman
      cipher-editor @ ieee-security.org

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html

-----------------------------------------------
Social Media Gets Social Engineered

Twitter lost control of its internal systems to Bitcoin-scamming hackers
Celebrity account holders weren't the only targets. Late hacker Adrian Lamo was, too.
https://arstechnica.com/information-technology/2020/07/twitter-lost-control-of-its-internal-systems-to-bitcoin-scamming-hackers/
Publisher: Ars Technica
Date: 7/15/2020
By: Dan Goodin

Summary:
Several high profile Twitter accounts were hacked and used to solicit cryptocurrency donations and scam unsuspecting users of about $100K in total. Twitter blames a social engineering attack against some of their employees, but one report says a simple bribe was the tool of corruption. One expert noticed an unsolicited password reset message preceded the partially successful takeover of an account.

-----------------------------------------------
ATM Hacks, Because That's Where the Money Is

Crooks have acquired proprietary Diebold software to "jackpot" ATMs
ATM maker is investigating the use of its software in black boxes used by thieves.
https://arstechnica.com/information-technology/2020/07/crooks-are-using-a-new-way-to-jackpot-atms-made-by-diebold/
Publisher: Ars Technica
Date: 7/20/2020
By: Dan Goodin

Summary:
What better hack than to turn ATM machines into fountains of money? Doing this through access to stolen credentials and the local network for the ATM is something that can be thwarted by normal security measures. But recent exploits have attached black boxes to the ATMs, and those boxes have run Diebold's own software. Hacking is a lot easier if you have all the APIs and libraries available on an Arduino that you can attach to the ATM! Several variants on the scheme have been reported. Diebold is glad to see that the proprietary software is not of recent vintage, a small ray of good news in a pool of theft.

-----------------------------------------------
Online: Iranian Hacking Course Materials

Iranian state hackers caught with their pants down in intercepted videos
IBM researchers steal 40GB of data from group targeting presidential campaigns.
https://arstechnica.com/information-technology/2020/07/iran-state-hackers-caught-with-their-pants-down-in-intercepted-videos/
Publisher: Ars Technica
Date: 7/17/2020
By: Dan Goodin

Summary:
The Iranian hacker group known as ITG18 is a professional organization that trains their members in the arts of account compromise and data exfiltration. Their methods are painstaking and "meticulous", according to the people who have seen their videos. Those videos came to light when the organization uploaded them to a server. Everyone needs a way to share video, it seems. In this case, the server was known as a base for ITG18, so that upload was intercepted. ITG18 teaches its operatives how to comb through a compromised account (including that of an enlisted member of the US Navy) to find personal information and credentials for associated accounts and social media. They are also adept at deleting emails about suspicious account activity.

-----------------------------------------------
The Not So Very Good Privacy Shield

US-EU Privacy Shield data sharing agreement struck down by court
Much as in 2015, US surveillance practices and EU privacy law don't mesh well.
https://arstechnica.com/tech-policy/2020/07/court-tosses-us-eu-data-sharing-agreement-amid-us-surveillance-concerns/
Publisher: Ars Technica
Date: 7/16/2020
By: Kate Cox

Summary:
The EU has privacy protections for its citizens that exceed those in the US, and therein lies an IT problem. Even when a US company operating in the EU obeys those regulations, since 2016 they have been able to store personal data on servers that are physically in the US. A European court has ruled that once the data is in the US, it is subject to US surveillance that is incompatible with EU law. By keeping the data within EU boundaries, the data may seem to have more protections, but some experts worry that the result may be weaker security.
When companies spin up server farms in the EU, that benefits the EU economy, but if the facilities are run by a variety of interests with a diversity of security considerations, the data might be more vulnerable to criminal or foreign government attacks.

-----------------------------------------------
Russians Interested in Hacking Vaccine Research (but why is that bad?)

Russian state-sponsored hackers target Covid-19 vaccine researchers
UK National Cyber Security Centre says drug firms and research groups being targeted by group known as APT29
https://www.theguardian.com/world/2020/jul/16/russian-state-sponsored-hackers-target-covid-19-vaccine-researchers
Publisher: The Guardian
Date: 07/16/20

Summary:
Officials in the UK allege that a well-known Russian hacker group is targeting vaccine research companies and their employees. It is unclear why the UK is releasing this information now (presumably a state sponsored hacking group targets many thousands of people on a daily basis) or what the intent of the Russians might be. A Russian analyst suggests that any advance warning about results that might indicate the origin of the virus would have deep geopolitical implications. There is no indication that the research sites had data altered; that might slow down the research trials and delay vaccine production.

[Ed. Given the importance of a vaccine to everyone in the world, why isn't all the data being openly published?].
====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at
http://www.ieee-security.org/Cipher/ConfReports.html

====================================================================
Listing of academic positions available
by Cynthia Irvine
====================================================================

http://cisr.nps.edu/jobscipher.html

--------------
This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Cipher calendar entries are announced on Twitter; follow ciphernews

Requests for inclusion in the list should be sent per instructions:
http://www.ieee-security.org/Calendar/submitting.html

____________________________________________________________________

Cipher Event Calendar
____________________________________________________________________

IoTSMS 2020 7th International Conference on Internet of Things: Systems, Management and Security, Paris, France, December 14-16, 2020.
https://emergingtechnet.org/IOTSMS2020/
Submission date: 20 July 2020

WPES 2020 Workshop on Privacy in the Electronic Society, Held in conjunction with the ACM Conference on Computer and Communications Security (CCS 2020), Orlando, Florida, USA, November 9, 2020.
https://wpes.tech/
Submission date: 23 July 2020

CFATI 2020 1st International Workshop on Cyber Forensics and Advanced Threat Investigations in Emerging Networks, Held in conjunction with the 11th International Conference on Emerging Ubiquitous Systems and Pervasive Networks (EUSPN 2020), Madeira, Portugal, November 2-5, 2020.
https://cfati.conceptechint.net/index.html
Submission date: 20 July 2020

CCSW 2020 ACM Cloud Computing Security, Held in conjunction with the ACM Conference on Computer and Communications Security (CCS 2020), Orlando, Florida, USA, November 9, 2020.
https://ccsw.io
Submission date: 31 July 2020

NDSS 2021 Network and Distributed System Security Symposium, San Diego, CA, USA, February 21-24, 2021.
https://www.ndss-symposium.org/ndss-2021/call-for-papers/
Submission date: 31 July 2020

Elsevier Computer Networks, Special Issue on Novel Cyber-Security Paradigms for Software-defined and Virtualized Systems.
https://www.journals.elsevier.com/computer-networks/call-for-papers/special-issue-on-novel-cyber-security-paradigms-for-software
Submission date: 1 August 2020

ISI 2020 18th Annual IEEE International Conference on Intelligence and Security Informatics, Virtual, November 9-10, 2020.
http://www.isi-conf.org/
Submission date: 15 August 2020

TrustData 2020 11th International Workshop on Trust, Security and Privacy for Big Data, Held in conjunction with the 13th International Conference on Security, Privacy and Anonymity in Computation, Communication and Storage, Nanjing, China, Oct 23-25, 2020.
http://www.spaccs.org/trustdata2020/
Submission date: 23 August 2020

DL-CTI 2020 1st ICDM Workshop on Deep Learning for Cyber Threat Intelligence, Held in conjunction with the IEEE International Conference on Data Mining (ICDM 2020), Sorrento, Italy, November 17-20, 2020.
https://www.dl-cti.org/
Submission date: 24 August 2020

DependSys 2020 6th IEEE International Conference on Dependability in Sensor, Cloud, and Big Data Systems and Applications, Fiji, December 14-16, 2020.
http://cse.stfx.ca/~dependsys/2020/
Submission date: 1 September 2020

SP 2021 42nd IEEE Symposium on Security and Privacy, San Francisco, CA, USA, May 23-27, 2021.
https://www.ieee-security.org/TC/SP2021/cfpapers.html
Submission dates: 5 March, 2020, 4 June, 2020, 3 September 2020, and 3 December, 2020

SECITC 2020 13th International Conference on Security for Information Technology and Communications, Bucharest, Romania, November 19-20, 2020.
http://www.secitc.eu/
Submission date: 20 September 2020

IET Image Processing, Special Issue on Recent Trends in Multimedia Analytics and Security.
https://digital-library.theiet.org/files/IET_IPR_CFP_RTMAS.pdf
Submission date: 1 October 2020

IFIP119-DF 2021 17th Annual IFIP WG 11.9 International Conference on Digital Forensics, SRI International, Arlington, Virginia, USA, February 1-2, 2021.
http://www.ifip119.org/Conferences/
Submission date: 11 October 2020

USENIX Security 2021 30th USENIX Security Symposium, Vancouver, B.C., Canada, August 11-13, 2021.
https://www.usenix.org/conference/usenixsecurity21/call-for-papers
Submission date: 11 June, 2020, 15 October 2020, and 4 February, 2021

Journal of Information Security and Applications, Special Issue on Security and Privacy in D2D-aided Fog Computing Environment: Current Progress and Future Challenge.
https://www.journals.elsevier.com/journal-of-information-security-and-applications/call-for-papers/security-and-privacy-in-d2d-aided-fog-computing-environment
Submission date: 15 November 2020

IEEE Transactions on Dependable and Secure Computing, Special Issue on Explainable Artificial Intelligence for Cyber Threat Intelligence (XAI-CTI) Applications.
https://www.computer.org/digital-library/journals/tq/call-for-papers-special-issue-on-explainable-artificial-intelligence-for-cyber-threat-intelligence-xai-cti-applications
Submission date: 1 December 2020

SP 2021 42nd IEEE Symposium on Security and Privacy, San Francisco, CA, USA, May 23-27, 2021.
https://www.ieee-security.org/TC/SP2021/cfpapers.html
Submission dates: 5 March, 2020, 4 June, 2020, 3 September 2020, and 3 December, 2020

Electronics, Special Issue on Security and Privacy for IoT and Multimedia Services.
https://www.mdpi.com/journal/electronics/special_issues/secure_Iot_multimedia
Submission date: 30 December 2020

USENIX Security 2021 30th USENIX Security Symposium, Vancouver, B.C., Canada, August 11-13, 2021.
https://www.usenix.org/conference/usenixsecurity21/call-for-papers
Submission dates: 11 June, 2020, 15 October 2020, and 4 February, 2021

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================
____________________________________________________________________

Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe".
   OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".
   OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.

____________________________________________________________________

Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________

How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy (or other TCs) by completing the on-line form at IEEE at
https://www.computer.org/web/tandc/technical-committees

______________________________________________________________________

TC Conference Publications Online
______________________________________________________________________

The proceedings of previous conferences are available from the Computer Society's Digital Library.

    IEEE Security and Privacy Symposium
    IEEE Computer Security Foundations
    IEEE European Security and Privacy Symposium

From 2012 onward, these are available without charge from the digital library 12 months after the conference.
____________________________________________________________________________

TC Officers and SP Steering Committee
____________________________________________________________________________

Chair:                             Security and Privacy Symposium Chair Emeritus:
Ulfar Erlingsson                   Mark Gondree
Manager, Security Research         UC Davis and Sonoma State University
Google                             oakland19-chair@ieee-security.org
tcchair at ieee-security.org

Vice Chair:                        Treasurer:
Brian Parno                        Yong Guan
                                   Department of Electrical and Computer Engineering
                                   Iowa State University, Ames, IA 50011
                                   treasurer@ieee-security.org

Newsletter Editor                  Security and Privacy Symposium, 2020 Chair:
Hilarie Orman                      Gabriela Ciocarlie
Purple Streak, Inc.                SRI International
500 S. Maple Dr.                   oakland20-chair@ieee-security.org
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

TC Awards Chair
EJ Jung
UCSF
ejun2 @ usfca.edu
https://www.usfca.edu/faculty/eunjin-ej-jung

____________________________________________________________________________

BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year