Electronic CIPHER, Issue 159, January 24, 2021

============================================================================
       Newsletter of the IEEE Computer Society's TC on Security and Privacy
              Electronic Issue 159                    January 24, 2021

Hilarie Orman, Editor                       Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org           cipher-assoc-editor @ ieee-security.org

Sven Dietrich                               Yong Guan
Book Review Editor                          Calendar Editor
cipher-bookrev @ ieee-security.org          cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year

Contents:

* Letter from the Editor
* Commentary and Opinion and News
  o News From the Media
    - When SolarWinds Are Ill Winds
    - SolarWinds Hack Becalmed
    - Covert Solar Ops
    - Tool for Discovering Malware in the Style of the SolarWinds Hack
    - Shining in the Rain
    - Email Security Futility
    - Hacking Is Better Than Backdoors
    - TLS + DNS < DNS
    - Whoa, Joe!
  o Book reviews, Conference Reports and Commentary and News items
    from past Cipher issues are available at the Cipher website
* List of Computer Security Academic Positions, by Cynthia Irvine
* Conference and Workshop Announcements
  o Upcoming calls-for-papers and events
* Staying in Touch
  o Information for subscribers and contributors
  o Recent address changes
* Links for the IEEE Computer Society TC on Security and Privacy
  o Becoming a member of the TC
  o TC Officers
  o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

The big security news of recent weeks is the SolarWinds hack that led to
the creation of a major spying vulnerability for thousands of customer
networks, including some internal to the US government. Ironically, the
software product was supposed to provide security protections. It is easy
to think this must be "yet another zero day vulnerability", but it was the
result of a very sophisticated set of intrusions into the processes of
releasing software products. The perpetrators showed patience, careful
deliberation, and precise selection of high value targets. Above all, the
malware seems to have worked flawlessly for many months. I found the
exploit to be fascinating, and I've included summaries and links to the
information uncovered in ongoing analyses.

We have all gone Zoom. Even the least technological of my friends and
family know how to join an online videoconference. There has been a great
increase in bandwidth demand, and there is a cacophony of calls for "more
fiber". More communication means more energy is needed for handling all
that network traffic, and at the same time, a more savvy public wants to
have "security with that." The encryption also uses more energy, perhaps
more than the network routing. Will this be the straw that drives our
planet over the hot climate precipice?
From what I can tell about conference planning, we are in for several more
months of virtual tech conferences, so get a big screen (more energy!) and
a comfortable chair and look forward to the IEEE Security and Privacy
flagship conferences from the comfort of your home as we head into the
season.

    There comes a warning like a spy
    An encrypted packet, say.
    A stealing that is not a stealth
    And Emails are away-

(Apologies to the great Emily Dickinson)

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html

Editor's note: There are several articles here about how the SolarWinds
network monitoring product Orion was used for backdoor access on customer
networks. The actors behind the malware and its use have not been
identified. Although the extent of the direct damage has not been
revealed, the sophistication and pervasiveness of the attack signal a new
era in software corruption and new challenges to protection of the
software supply chain.

--------------------------------------
When SolarWinds Are Ill Winds

What you need to know about the biggest hack of the US government in years.
Russian agents are suspected in the Orion breach, which affected the
treasury and commerce departments - and perhaps others.
https://www.theguardian.com/technology/2020/dec/15/orion-hack-solar-winds-explained-us-treasury-commerce-department
Publisher: The Guardian
Date: 15 Dec 2020
By: Kari Paul

Summary:
The US government's Departments of Commerce and Treasury are reeling from
the discovery that thousands of their email accounts were subject to
surveillance by an unknown party. The malware was introduced by a
corrupted version of the SolarWinds network monitoring software. Many
other non-government customers also downloaded the software.
The Guardian article says that:

    FireEye described the malware's dizzying capabilities - from initially
    lying dormant up to two weeks to hiding in plain sight by masquerading
    its reconnaissance forays as Orion activity. SolarWinds is working with
    FireEye as well as the FBI, the intelligence community, and other law
    enforcement to investigate the breach, said Kevin Thompson, the CEO and
    president of SolarWinds. "We believe that this vulnerability is the
    result of a highly-sophisticated, targeted and manual supply chain
    attack by a nation-state," SolarWind's Thompson said.

The key component of the vulnerability was a bogus DLL in the binary
distribution of the software. How did that DLL get there? No one is
saying, but if it is similar to the technique described below, it happened
with SolarWinds and was included in its trusted binary distribution.

----------------------------
SolarWinds Hack Becalmed

Microsoft and industry partners seize key domain used in SolarWinds hack
UPDATED: The seized domain has been turned into a killswitch to prevent the
SolarWinds hackers to escalate infections and make new victims.
https://www.zdnet.com/article/microsoft-and-industry-partners-seize-key-domain-used-in-solarwinds-hack/
Publisher: Zero Day
By Catalin Cimpanu
December 15, 2020

Summary:
The command and control server for the SolarWinds attack masqueraded as a
DNS server, and it sent encoded instructions in the CNAME field. Microsoft
took control of the server and watched incoming traffic in order to
identify infected sites. Further examination of the malware revealed that
the server could return an IP address that served as a "drop dead" signal
to the malware. That has been implemented, and the attack seems to be
vanquished.

----------------------------
Editor's Note: This next article is interesting in that it seems to
presage the type of attack perpetrated on SolarWinds software.
Also note that the following article about evading detection mentions a
known attack in September of 2019.

Supply Chain Hacking in 2019

A Mysterious Hacker Group Is On a Supply Chain Hijacking Spree
A group of likely Chinese hackers has poisoned the software of at least
six companies in just the past three years.
https://www.wired.com/story/barium-supply-chain-hackers/
By: Andy Greenberg
Publisher: Wired
Date: 05.03.2019

Summary:
Starting in 2017, security experts began noticing that some software
distributions included code to contact mysterious remote servers by using
network communication packets that were ostensibly for Domain Name Service
(DNS) lookups. In fact, they were the tip of a dangerous iceberg of
malware. Games, network management tools, space management utilities, and
a computer manufacturer's software updates were some of the six
applications that appeared to have had backdoors installed by the same
malicious hackers. Those backdoors were used sparingly as the hackers
seemed bent on spying on a few selected users. The investigators did not
feel that they had access to the full scope of the exploit because various
stages of infiltration were used sparingly, probably in order to evade
detection.

Given the scope and variety of the attack, one would guess that the
hackers were trying to get footholds into various software distributions
in order to work their way up into a major distributor with customers
considered to be high value targets by the hackers. Perhaps that
step-at-a-time approach was the pathway into the SolarWinds software
distribution.

----------------------------
Covert Solar Ops

Microsoft: This is how the sneaky SolarWinds hackers hid their onward
attacks for so long
The SolarWinds hackers put in "painstaking planning" to avoid being
detected on the networks of hand-picked targets.
https://www.zdnet.com/article/microsoft-this-is-how-the-sneaky-solarwinds-hackers-hid-their-onward-attacks-for-so-long/
Publisher: ZDNet
By: Liam Tung
Date: January 21, 2021

Summary:
The exploitation of the vulnerability introduced in the SolarWinds
software was a campaign of stealth and evasion. Rather than greedily
grabbing control of user accounts and files, the software relayed network
data and waited for instructions to load modules that would penetrate
further into the network. The loader kept its connection to the SolarWinds
software obscure. Even if the loader were detected, the security
administrators might not realize how it got onto their systems.

------------------------------
Tool for Discovering Malware in the Style of the SolarWinds Hack

FireEye releases tool for auditing networks for techniques used by
SolarWinds hackers
New Azure AD Investigator is now available via GitHub.
https://www.zdnet.com/article/fireeye-releases-tool-for-auditing-networks-for-techniques-used-by-solarwinds-hackers/
Publisher: Zero Day
By: Catalin Cimpanu
Date: January 19, 2021

Summary:
There is a free tool on GitHub for detecting traces of the SolarWinds
Orion exploit. Produced by investigators at FireEye, the tool is based on
the techniques that they originally used to reveal the existence of the
malware. Similar tools to the one FireEye released today have also been
released by the US Cybersecurity and Infrastructure Security Agency
(called Sparrow, https://github.com/cisagov/Sparrow) and CrowdStrike
(called CRT,
https://www.crowdstrike.com/blog/crowdstrike-launches-free-tool-to-identify-and-help-mitigate-risks-in-azure-active-directory/).
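Two of the items above turn on the same defensive observation: the SolarWinds and Barium-era backdoors carried their traffic in what looked like ordinary DNS lookups, and once the command domain was seized, the resolver logs were what let Microsoft see which sites were infected. The script below is an added example (not the FireEye, CISA or CrowdStrike tool, and not any vendor's code) of the two triage passes an analyst makes over DNS query logs: scoring the leftmost label for length and Shannon entropy, which surfaces names carrying encoded data, and rolling up which clients queried a given (now sinkholed) domain. The log format, the client addresses, the domain `sinkholed-c2.example` and the thresholds are all constructed for the example.

```python
"""Triage DNS query logs: flag labels that look like encoded data and list the
clients that queried a sinkholed domain.  Added example; log format is constructed."""
import math
from collections import defaultdict

# Constructed sample lines, one query each: "<time> <client> <qname> <qtype> <answer>".
SAMPLE_LOG = """\
2021-01-10T08:00:01Z 10.0.0.12 www.example.com A 93.184.216.34
2021-01-10T08:00:07Z 10.0.0.12 mail.example.com MX mx.example.com
2021-01-10T08:01:15Z 10.0.0.40 7sbvaemscs0mc925tb99.sinkholed-c2.example CNAME beacon.other-zone.example
2021-01-10T08:02:30Z 10.0.0.41 k5tcd9a1d77pq9kxzbfm.sinkholed-c2.example CNAME r2.other-zone.example
2021-01-10T08:03:00Z 10.0.0.12 cdn.example.com CNAME cdn.example.com.edge.example
"""

LABEL_MIN_LEN = 16      # assumed thresholds; tune them against your own baseline traffic
ENTROPY_MIN_BITS = 3.0  # bits per character of the leftmost label


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str) -> list:
    """Parse the constructed five-field format; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, qname, qtype, answer = parts
        records.append({"ts": ts, "client": client, "qname": qname.rstrip(".").lower(),
                        "qtype": qtype, "answer": answer})
    return records


def registrable_domain(qname: str) -> str:
    """Crude approximation (last two labels); a production tool would consult the
    Public Suffix List so that names like example.co.uk group correctly."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def flag_encoded_labels(records: list) -> list:
    """Return (client, qname, entropy) for queries whose leftmost label is both long
    and high-entropy, the shape encoded data in a hostname tends to have."""
    flagged = []
    for r in records:
        first = r["qname"].split(".")[0]
        ent = shannon_entropy(first)
        if len(first) >= LABEL_MIN_LEN and ent >= ENTROPY_MIN_BITS:
            flagged.append((r["client"], r["qname"], round(ent, 2)))
    return flagged


def clients_by_domain(records: list) -> dict:
    """Index of registrable domain -> set of clients that queried anything under it."""
    index = defaultdict(set)
    for r in records:
        index[registrable_domain(r["qname"])].add(r["client"])
    return index


def clients_that_queried(records: list, sinkholed_domain: str) -> list:
    """Sorted clients that reached out to the given domain: the sinkhole operator's view."""
    return sorted(clients_by_domain(records).get(sinkholed_domain.lower(), set()))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for client, qname, ent in flag_encoded_labels(recs):
        print(f"suspicious label: {client} -> {qname} ({ent} bits/char)")
    print("clients that reached sinkholed-c2.example:",
          clients_that_queried(recs, "sinkholed-c2.example"))
```

Entropy alone produces false positives (CDN and cloud hostnames are often random-looking), so the length check and a per-domain roll-up matter more than the raw score; the useful output is the list of internal clients behind a domain you have already judged bad, which is exactly what a seized domain's inbound traffic gave the investigators.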
FireEye Whitepaper: Remediation and Hardening Strategies for Microsoft 365
to Defend Against UNC2452
https://www.fireeye.com/content/dam/collateral/en/wp-m-unc2452.pdf

---------------------------
Shining in the Rain

Fourth malware strain discovered in SolarWinds incident
Symantec said it identified Raindrop, the fourth malware strain used in
the SolarWinds breach, after Sunspot, Sunburst, and Teardrop.
https://www.zdnet.com/article/fourth-malware-strain-discovered-in-solarwinds-incident/
Publisher: Zero Day
By: Catalin Cimpanu
January 19, 2021

Summary:
This is a fairly comprehensive description of the mechanics of the
software of the SolarWinds compromise. The build process for the Orion
product had been modified by hackers to include their DLL for
communicating with a command and control server, for installing
additional packages, and for network monitoring. The hackers seem to have
installed the add-ons only when they believed that high value targets were
on the network. Only a few examples of the add-ons were found, and in some
cases the method for their installation remains unknown.

------------------------------------------
Email Security Futility

Email security firm Mimecast says hackers hijacked its products to spy on
customers
https://www.reuters.com/article/us-global-cyber-mimecast/email-security-firm-mimecast-says-hackers-hijacked-its-products-to-spy-on-customers-idUSKBN29H22K
Publisher: Reuters
By: Reuters Staff
Date: January 12, 2021

Summary:
Mimecast provides email security services, but its product was
manipulated to allow a third party to spy on its customers. Somehow, their
certificate that authenticates the connection to Microsoft Cloud services
was compromised. The compromise may have originated with the SolarWinds
hack. As in that case, only a few customer accounts were targeted by the
invaders.
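The Guardian and Raindrop items above both come down to one fact: a DLL that the build never should have produced ended up in the signed binary distribution. The basic check a release engineer can run against a shipped tree is to compare every file's hash against a manifest recorded by a build they trust. The following is an added example, not SolarWinds' or Symantec's tooling; the manifest format (sha256sum-style lines), the directory layout, and the file contents are constructed for the demonstration.

```python
"""Audit a shipped build tree against the file hashes a trusted build recorded.
Added example; manifest format and the sample tree are constructed."""
import hashlib
import os
import tempfile


def sha256_of(path: str) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: str) -> dict:
    """Map each file's root-relative POSIX path to its SHA-256 digest."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = sha256_of(full)
    return out


def parse_manifest(text: str) -> dict:
    """Manifest lines look like sha256sum output: '<hex digest>  <relative/path>'."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel = line.partition("  ")
        expected[rel.strip()] = digest.lower()
    return expected


def audit(root: str, manifest_text: str) -> dict:
    """Three findings matter: listed files whose bytes changed, listed files that are
    gone, and files present in the tree that no trusted build ever recorded."""
    expected = parse_manifest(manifest_text)
    actual = hash_tree(root)
    return {
        "modified": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
        "missing": sorted(p for p in expected if p not in actual),
        "unexpected": sorted(p for p in actual if p not in expected),
    }


def build_demo_tree() -> tuple:
    """Constructed scenario: a manifest is taken from a clean build, then the shipped
    tree gains an extra DLL and one listed DLL has code appended to it."""
    root = tempfile.mkdtemp(prefix="build-audit-demo-")
    clean = {"bin/app.exe": b"app v1", "bin/helper.dll": b"helper v1", "README.txt": b"docs"}
    for rel, data in clean.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    manifest = "\n".join(f"{hashlib.sha256(d).hexdigest()}  {rel}" for rel, d in clean.items())
    # Tampering after the manifest was recorded (constructed, not real malware):
    with open(os.path.join(root, "bin", "helper.dll"), "wb") as f:
        f.write(b"helper v1 + appended code")
    with open(os.path.join(root, "bin", "extra.dll"), "wb") as f:
        f.write(b"never produced by the build")
    return root, manifest


if __name__ == "__main__":
    demo_root, demo_manifest = build_demo_tree()
    for kind, paths in audit(demo_root, demo_manifest).items():
        print(f"{kind}: {paths}")
```

The caveat is in the word "trusted": the Raindrop item says the Orion build process itself was modified, and a compromised build records the tampered hashes and signs them. The manifest is only evidence if it comes from somewhere the attacker did not control, for example an independent rebuild from the same source on a separate, minimal build host, compared against what was actually shipped.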
------------------------
Hacking Is Better Than Backdoors

How law enforcement gets around your smartphone's encryption
Openings provided by iOS and Android security are there for those with
the right tools.
https://arstechnica.com/information-technology/2021/01/how-law-enforcement-gets-around-your-smartphones-encryption/
By: Lily Hay Newman
Publisher: wired.com
Date: 1/15/2021

Summary:
Johns Hopkins cryptographer Matthew Green has done extensive research to
understand how encryption protects smartphones, and he reached an
epiphany: "Now I've come out of the project thinking almost nothing is
protected as much as it could be. So why do we need a backdoor for law
enforcement when the protections that these phones actually offer are so
bad?" His team found that the strongest protections for the phones are
only available under circumstances that the user might not fully
appreciate. For example, an iPhone must be powered down in order to erase
the access keys from memory.

---------------------------
Law Enforcement's Forensic Searches of Mobile Phones

Mass Extraction: The Widespread Power of U.S. Law Enforcement to Search
Mobile Phones
https://www.upturn.org/reports/2020/mass-extraction/
Publisher: Upturn
By: Logan Koepke, Emma Weil, Urmila Janardan, Tinuola Dada, and Harlan Yu
Date: October 2020

Summary:
The report examines public information about law enforcement's use of
tools for obtaining total access to the data in a cellphone. In the past 5
years, this has been done hundreds of thousands of times. From the report:

    Every day, law enforcement agencies across the country search
    thousands of cellphones, typically incident to arrest. To search
    phones, law enforcement agencies use mobile device forensic tools
    (MDFTs), a powerful technology that allows police to extract a full
    copy of data from a cellphone - all emails, texts, photos, location,
    app data, and more - which can then be programmatically searched.
    As one expert puts it, with the amount of sensitive information stored
    on smartphones today, the tools provide a "window into the soul."

--------------------------------------
TLS + DNS < DNS

The NSA warns enterprises to beware of third-party DNS resolvers
Yes, plaintext DNS is insane, but encrypting it has its own tradeoffs.
https://arstechnica.com/information-technology/2021/01/the-nsa-warns-enterprises-to-beware-of-third-party-dns-resolvers/
Publisher: Ars Technica
By: Dan Goodin
Date: 1/15/2021

Summary:
Although using TLS to encrypt DNS lookups seems to offer greater privacy,
in practice it has the disadvantage of bypassing network security tools.
The technique might rely on a server that does not value the privacy of
the requestors, thus undermining the advantages of using TLS in the first
place. In light of the use of DNS to establish command and control
communication for the SolarWinds malware, this warning from NSA is timely.
https://media.defense.gov/2021/Jan/14/2002564889/-1/-1/0/CSI_ADOPTING_ENCRYPTED_DNS_U_OO_102904_21.PDF

-------------------------------------------
Whoa, Joe!

Joe Biden's Peloton bike may pose cybersecurity risk, experts warn
President reportedly starts each day with workout on exercise bike, which
streams virtual group classes
https://www.theguardian.com/us-news/2021/jan/21/joe-biden-peloton-fitness-bike-cybersecurity-risk
Publisher: The Guardian
By: Martin Belam
21 Jan 2021

Summary:
Joe Biden may be the oldest person to become US President, but he doesn't
want to be the least fit. His morning exercise includes use of a Peloton
bike that is normally connected to an online Internet class. Will the
President disconnect and use the Peloton as an ordinary stationary bike,
or will the White House cybersecurity team batten it down with firewalls?
An anxious nation awaits the answer.
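The point of the NSA item above is that encrypted DNS only helps the enterprise when it terminates at the enterprise's own resolver; a client that talks DNS-over-TLS or DNS-over-HTTPS to an outside server has silently stepped around the DNS filtering and logging that would otherwise catch the kind of command traffic described in the SolarWinds items. The script below is an added example (not NSA or Ars Technica code) of the check a network defender can run over egress flow records: anything on port 53 to a resolver other than the enterprise one, anything on port 853 (the DNS-over-TLS port), and port 443 traffic to endpoints on a locally maintained list of public DoH resolvers. The flow format, the resolver address `10.0.0.53` and the DoH endpoint addresses are constructed placeholders.

```python
"""Find clients that bypass the enterprise DNS resolver in egress flow records.
Added example; flow format, resolver address and DoH list are placeholders."""

ENTERPRISE_RESOLVERS = {"10.0.0.53"}          # placeholder: your sanctioned resolver(s)
DNS_PORT = 53
DOT_PORT = 853                                 # DNS over TLS uses TCP 853
HTTPS_PORT = 443
# Placeholder list; in practice this is maintained from your own threat intel or
# the published addresses of the public DoH services you want to catch.
KNOWN_DOH_ENDPOINTS = {"198.51.100.10", "203.0.113.7"}

# Constructed sample flows: "<src> <dst> <dport> <proto>".
SAMPLE_FLOWS = """\
10.0.1.5 10.0.0.53 53 udp
10.0.1.5 198.51.100.10 443 tcp
10.0.1.9 192.0.2.44 53 udp
10.0.1.9 192.0.2.44 853 tcp
10.0.1.7 93.184.216.34 443 tcp
10.0.1.7 10.0.0.53 853 tcp
"""


def parse_flows(text: str) -> list:
    """Parse the constructed four-field format; malformed lines are dropped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue
        src, dst, dport, proto = parts
        flows.append({"src": src, "dst": dst, "dport": int(dport), "proto": proto.lower()})
    return flows


def classify(flow: dict):
    """Return a reason string if the flow bypasses the enterprise resolver, else None."""
    sanctioned = flow["dst"] in ENTERPRISE_RESOLVERS
    if flow["dport"] == DNS_PORT and not sanctioned:
        return "plaintext DNS to non-enterprise resolver"
    if flow["dport"] == DOT_PORT and not sanctioned:
        return "DNS-over-TLS (port 853) to outside resolver"
    if flow["dport"] == HTTPS_PORT and flow["dst"] in KNOWN_DOH_ENDPOINTS:
        return "HTTPS to known DoH resolver"
    return None


def find_bypasses(text: str) -> list:
    """(src, dst, dport, reason) for every flow that sidesteps the enterprise resolver."""
    findings = []
    for flow in parse_flows(text):
        reason = classify(flow)
        if reason:
            findings.append((flow["src"], flow["dst"], flow["dport"], reason))
    return findings


def offending_clients(text: str) -> list:
    """Sorted, de-duplicated list of internal hosts to follow up on."""
    return sorted({f[0] for f in find_bypasses(text)})


if __name__ == "__main__":
    for src, dst, dport, reason in find_bypasses(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{dport}  {reason}")
    print("clients to review:", offending_clients(SAMPLE_FLOWS))
```

The third check is the weak one: DoH to a resolver that is not on your list looks like any other HTTPS session, which is why the guidance favours blocking port 53 and 853 egress except to the enterprise resolver and steering DoH-capable clients at that resolver rather than trying to spot every bypass after the fact.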
====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/BookReviews.html, and conference
reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

http://cisr.nps.edu/jobscipher.html

--------------
This job listing is maintained as a service to the academic community. If
you have an academic position in computer security and would like to have
it included on this page, send the following information: Institution,
City, State, Position title, date position announcement closes, and URL of
position description to: irvine@cs.nps.navy.mil

====================================================================
Conference and Workshop Announcements
====================================================================

The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Computer Networks, Special Issue on Side-Channel Attacks on Mobile and IoT
Devices for Cyber-Physical Systems.
https://www.journals.elsevier.com/computer-networks/call-for-papers/side-channel-attacks-on-mobile-and-iot-devices
Submission date: 20 January 2021

ACM-CCS 2021
28th ACM Conference on Computer and Communications Security,
Seoul, South Korea, November 14-19, 2021.
https://www.sigsac.org/ccs/CCS2021/
Submission dates: 20 January 2021 and 6 May 2021

SafeThings 2021
5th IEEE Workshop on the Internet of Safe Things,
Held in conjunction with IEEE S&P 2021, Virtual event, May 27, 2021.
https://www.ieee-security.org/TC/SP2021/SPW2021/safethings2021
Submission date: 25 January 2021

CPSS 2021
7th ACM Cyber-Physical System Security Workshop,
Held in conjunction with ACM AsiaCCS 2021, Hong Kong, China, June 7, 2021.
https://spritz.math.unipd.it/events/2021/CPSS/index.html
Submission date: 27 January 2021

Computers & Security, Special Issue on Zero-trust security in cloud
computing environments
https://www.journals.elsevier.com/computers-and-security/call-for-papers/zero-trust-security-in-cloud-computing-environments
Submission date: 1 February 2021

WTMC 2021
6th International Workshop on Traffic Measurements for Cybersecurity,
Held in conjunction with IEEE S&P 2021, Virtual event, May 27, 2021.
https://wtmc.info
Submission date: 1 February 2021

USENIX Security 2021
30th USENIX Security Symposium,
Vancouver, B.C., Canada, August 11-13, 2021.
https://www.usenix.org/conference/usenixsecurity21/call-for-papers
Submission dates: 11 June 2020, 15 October 2020, and 4 February 2021

SADFE 2021
6th International Workshop on Traffic Measurements for Cybersecurity,
Held in conjunction with IEEE S&P 2021, Virtual event, May 27, 2021.
http://sadfe.org/Sadfe21/callforpapers21.html
Submission date: 5 February 2021

EuroSP Workshops 2021
6th IEEE EuroS&P Symposium,
Vienna, Austria, September 7-11, 2021.
https://www.ieee-security.org/TC/EuroSP2021/cfw.html
Workshop Proposal Submission date: 12 February 2021

CSR 2021
IEEE International Conference on Cyber Security and Resilience,
Rhodes, Greece, July 26-28, 2021.
https://www.ieee-csr.org/
Submission date: 15 February 2021

IEEE Transactions on Industrial Informatics, Special Section on Security,
Privacy and Trust Analysis and Service Management for Intelligent Internet
of Things Healthcare
http://www.ieee-ies.org/images/files/tii/ss/2020/Security_Privacy_and_Trust_Analysis_and_Service_Management_for_Intelligent_Internet_of_Things_Healthcare-V2-CFP.pdf
Submission date: 25 February 2021

IoTSPT-ML 2021
11th International Workshop on Security, Privacy, Trust, and Machine
Learning for Internet of Things,
Held in conjunction with the 30th International Conference on Computer
Communications and Networks (ICCCN 2021), Athens, Greece, July 22, 2021.
https://sites.google.com/uw.edu/iotspt-ml2021
Submission date: 5 March 2021

SecMT 2021
International Workshop on Security in Mobile Technologies,
Held in conjunction with ACNS 2021, Kamakura, Japan, June 21-24, 2021.
https://spritz.math.unipd.it/events/2021/ACNS_Workshop/index.html
Submission date: 20 March 2021

HOST 2021
IEEE International Symposium on Hardware Oriented Security and Trust,
Washington DC, USA, December 5-8, 2021.
http://www.hostsymposium.org/host2021/
Submission date: 25 March 2021

ESORICS 2021
26th European Symposium on Research in Computer Security,
Darmstadt, Germany, October 4-8, 2021.
https://esorics2021.athene-center.de/call-for-papers.php
Submission dates: 5 January 2021 and 5 May 2021

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to
   cipher-admin@ieee-security.org (which is NOT automated) with subject
   line "subscribe".
   OR send a note to cipher-request@mailman.xmission.com with the subject
   line "subscribe" (this IS automated - thereafter you can manage your
   subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is
   available for Web browsing send e-mail to cipher-admin@ieee-security.org
   (which is NOT automated) with subject line "subscribe postcard".

   OR send a note to cipher-postcard-request@mailman.xmission.com with the
   subject line "subscribe" (this IS automated - thereafter you can manage
   your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to
cipher-admin@ieee-security.org with subject line "unsubscribe" or
"unsubscribe postcard" or, if you have subscribed directly to the
xmission.com mailing list, use your password (sent monthly) to unsubscribe
per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that
way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a
NEWSletter, not a bulletin board or forum. It has a fixed set of
departments, defined by the Table of Contents. Please indicate in the
subject line for which department your contribution is intended. Calendar
and Calls-for-Papers entries should be sent to cipher-cfp @
ieee-security.org and they will be automatically included in both
departments. To facilitate the semi-automated handling, please send either
a text version of the CFP or a URL from which a text version can be
easily obtained. For Calendar entries, please include a URL and/or e-mail
address for the point-of-contact. For Calls for Papers, please submit a
one paragraph summary. See this and past issues for examples.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
All reuses of Cipher material should respect stated copyright notices, and
should cite the sources explicitly; as a courtesy, publications using
Cipher material should obtain permission from the contributors.

____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security
and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy (or other TCs) by
completing the on-line form at IEEE at
https://www.computer.org/web/tandc/technical-committees

______________________________________________________________________
TC Conference Publications Online
______________________________________________________________________

The proceedings of previous conferences are available from the Computer
Society's Digital Library.

IEEE Security and Privacy Symposium
IEEE Computer Security Foundations
IEEE European Security and Privacy Symposium

From 2012 onward, these are available without charge from the digital
library 12 months after the conference.
____________________________________________________________________________
TC Officers and SP Steering Committee
____________________________________________________________________________

Chair:                                  Security and Privacy Symposium
Ulfar Erlingsson                        Chair Emeritus:
Google                                  Gabriela Ciocarlie
tcchair at ieee-security.org            Manager, Security Research
                                        SRI International
                                        oakland20-chair@ieee-security.org

Vice Chair:                             Treasurer:
Brian Parno                             Yong Guan
                                        Department of Electrical and
                                        Computer Engineering
                                        Iowa State University, Ames, IA 50011
                                        treasurer@ieee-security.org

Newsletter Editor:                      Security and Privacy Symposium,
Hilarie Orman                           2020 Chair:
Purple Streak, Inc.                     Alvaro Cardenas
500 S. Maple Dr.                        University of California, Santa Cruz
Woodland Hills, UT 84653                sp21-chair@ieee-security.org
cipher-editor@ieee-security.org

TC Awards Chair:
EJ Jung
UCSF
ejun2 @ usfca.edu
https://www.usfca.edu/faculty/eunjin-ej-jung

____________________________________________________________________________

BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year