_/_/_/_/  _/_/_/  _/_/_/_/  _/    _/  _/_/_/_/  _/_/_/_/
_/          _/    _/    _/  _/    _/  _/        _/    _/
_/          _/    _/_/_/_/  _/_/_/_/  _/_/      _/_/_/_/
_/          _/    _/        _/    _/  _/        _/  _/
_/_/_/_/  _/_/_/  _/        _/    _/  _/_/_/_/  _/    _/
============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 160                                      March 22, 2021

Hilarie Orman, Editor                   Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org       cipher-assoc-editor @ ieee-security.org

Sven Dietrich                           Yong Guan
Book Review Editor                      Calendar Editor
cipher-bookrev @ ieee-security.org      cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year

Contents:

 * Letter from the Editor
 * Commentary and Opinion and News
    o Sven Dietrich's review of "The Design of Rijndael: The Advanced Encryption Standard (AES)" by Joan Daemen and Vincent Rijmen
    o News Items:
       - Best Science of Cybersecurity Award Nominations
       - Basic Insecurity
       - MalMac
       - The Best SpyWare is NSA's
       - How Many Engineers Does It Take to Make a SolarWinds Hack?
       - Finger Pointed at Microsoft's Inadequate Defenses
       - The SolarWinds Hack, In Detail
       - No Fair Exchange
       - Where Server Flaws Go, Ransomware follows
       - Federal Reserve Outage
       - Business Transparency
       - The Gift of Gab Hacking
    o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website
 * List of Computer Security Academic Positions, by Cynthia Irvine
 * Conference and Workshop Announcements
    o Upcoming calls-for-papers and events
 * Staying in Touch
    o Information for subscribers and contributors
    o Recent address changes
 * Links for the IEEE Computer Society TC on Security and Privacy
    o Becoming a member of the TC
    o TC Officers
    o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

You can help determine the best security paper of 2020. Nominations from the public are open for the National Security Agency's Best Science of Cybersecurity award through April 15. The winning authors will be honored at an awards ceremony (someday this will be an in-person event again). See our News section for more information. Past winners and honorable mentions are described at https://cps-vo.org/group/sos/papercompetition/pastcompetitions .

The venerable Security and Privacy Symposium is always held in May, and this year is no exception, although it will again be virtual. The dates are May 23-27, and some of the accepted paper titles are now listed on the website, http://www.ieee-security.org/TC/SP2021/program-papers.html . Registration information will be available soon.

The downwinders of the SolarWinds hack are numerous, but the resulting revelation of a vulnerability in Microsoft's Exchange product has turned out to be worse.
Enterprises seem to have the unenviable choice of running local email servers with buggy proprietary software or trusting a third-party email provider with all their messages. Which is better? The pendulum swings, and having swung, swings back.

      CyberOps

   Hackers are from everywhere,
   Hackers all are thieves,
   A Hacker came to GMail,
   And stole my private keys.

   I phished at Hacker's house,
   But Hacker wasn't there.
   Hacker came to my house,
   Leaving ransomware.

   I went to Hacker's house,
   Hacker used Exchange,
   I stole his email,
   And beat about his head.

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

_______________________________________________________________________
Book Review By Sven Dietrich
3/21/21

The Design of Rijndael: The Advanced Encryption Standard (AES)
by Joan Daemen and Vincent Rijmen
_______________________________________________________________________

Springer Verlag 2020.
ISBN 978-3-662-60768-8, ISBN 978-3-662-60769-5 (eBook)
300 pages

This book about the Rijndael cryptographic cipher takes us back to the late 1990s, somewhat in the middle of those crypto wars and in the aftermath of the failed adoption of the Clipper chip and its associated cipher SKIPJACK. Back then the world was looking at a new hope and an open design for a newer encryption standard to replace the aging Data Encryption Standard (DES). I recall the controversy around cryptography then, the worry about export-grade ciphers in Internet browsers, the worry about exporting strong crypto when traveling to another country from the United States with a laptop.
A competition had been announced by the United States National Institute of Standards and Technology (NIST), to be held openly across the world, for a new Advanced Encryption Standard (AES), in a process much different from what had been done with DES in the 1970s, which was all behind closed doors. The finalist of this open competition would be the Rijndael cipher, a subset of which we now call AES, to be adopted as AES in FIPS Pub 197 in November 2001.

This book "The Design of Rijndael," written by none other than the authors of the cipher, Joan Daemen and Vincent Rijmen, is now in its updated and renewed second edition, almost 20 years after the first one in 2002. And the world has changed quite a bit since then: AES has been widely adopted, both in the Internet browser world and on our various Internet-connected devices. The second edition of the book acts as a refreshed version, updating its terminology to the 2020s, adding four new chapters of new material for a total of about 300 pages in 15 chapters total, plus two appendices and reference code in the C programming language.

In the first chapter "The Advanced Encryption Standard Process," the authors set the stage for what was going to be a new milestone in open-research cryptography: an international competition by NIST for replacing the DES by AES. Here the reader finds out the names of the other competitors in this "crypto game," as well as the requirements imposed by NIST at the time including the hardware context (Ugh, who remembers the first Intel Pentium processors?).

In the second chapter "Preliminaries," the reader is given the proper background, e.g. in abstract algebra and basic cryptography, to be able to understand the terminology in the book. For those not up to speed, it is a reminder to pull out those math books and catch up. And for the others, it just brings back the right terminology into the proper context.

The third chapter "Specification of Rijndael" introduces the reader to the cipher structure of Rijndael, which is simply a block cipher with both a variable block length and a variable key length. AES is a subset of the block and key options for Rijndael, as it fixes the block length to 128 bits and key lengths of 128, 192 or 256 bits, which is the only difference between the two ciphers. The chapter mentions the main components of the key-iterated block cipher, such as the various rounds, mixing, and shifting, in the right setting of implementation using the hardware at the time.

The fourth chapter "Implementation Aspects" then delves deeper into the implementation aspects of the cipher, since running on 8-bit processors was one of the requirements. While that may seem extremely restrictive, keep in mind that AES is nowadays found even in embedded devices and smartcards. The reader learns about 32-bit processor implementations, the AES-NI instructions in modern processors as well as specialized hardware.

In the fifth chapter "Design Philosophy" the authors discuss their approach for designing the cipher, focusing on simplicity and symmetry as key aspects for achieving the security goals. They also mention their security goals in terms of modern cryptographic terminology, such as pseudorandom permutation (PRP) advantage and strong pseudorandom permutation (SPRP) advantage, and the declared resistance against forms of linear and differential cryptanalysis, the value of the key-alternating cipher structure, and the key schedule.

The sixth chapter reflects on its NIST cipher predecessor DES and its vulnerability to both linear and differential cryptanalysis, which are both explained here.

In the seventh chapter "Correlation Matrices," the reader learns about more extensive tools for linear cryptanalysis and to what extent they can be applied to ciphers such as DES or Rijndael.

Following this pattern, in the eighth chapter "Difference Propagation," the reader learns about more tools related to differential cryptanalysis and how they apply to DES. The concept of a differential trail as a component for difference propagation for block ciphers is introduced here.

The ninth chapter "The Wide Trail Strategy" explains the strategy for designing a cipher like Rijndael in making it resistant to both linear and differential cryptanalysis. The diffusion (based on Shannon's diffusion concept) measure "branch number" is introduced, still building up the proper tools for understanding and analyzing the inner workings of the cipher. The round structure of Rijndael is explained further here.

The tenth chapter "Cryptanalysis," after covering the resistance to linear and differential cryptanalysis (a major concern in the late 1990s) in the previous three chapters, elaborates on other attacks on the cipher, such as Truncated Differentials, Saturation Attacks (since such attacks worked on Square, the natural predecessor to Rijndael), working on reduced-round versions of the cipher. The reader also finds out about Related-Key Attacks, Interpolation Attacks, and Biclique Attacks, among others, but the list is by no means complete by the authors' own admission. Last but not least, the authors mention implementation attacks, as well as the usual side channels that can be found, such as power analysis and timing attacks.

In the eleventh chapter "The Road to Rijndael," the roadmap for the inception of Rijndael is revealed, as a natural evolution from previous ciphers such as SHARK, Square, BKSQ, with some technical background on each and a direct connection to Rijndael. Those three, as well as Rijndael, are all key-iterated block ciphers.

Chapter twelve of the second edition, "Correlation Analysis in GF(2^n)," is a reworking of Appendix A of the first edition and newer material.
Our dear friend Evariste Galois comes to the rescue in a generalized form of Rijndael which the authors call Rijndael-GF. So this is a more generalized approach for correlation analysis.

In chapter thirteen "On the EDP and the ELP of Two and Four Rijndael Rounds," the authors build on earlier results from chapters 7 and 8 and expand on the expected differential probability (EDP) and expected linear potential (ELP). Here the reader must flip back to chapters 7 and 8 to connect the dots.

Chapter fourteen "Two-Round Differential Trail Clustering" goes into more detail on analyses on reduced-round Rijndael considerations based on material published since the first edition of the book. Back references to chapters 3, 9, and 13 are essential for capturing the material.

In chapter fifteen "Plateau Trails," the authors bring in further material from earlier work to explain plateau trails as a means for looking at the resistance of Rijndael to differential cryptanalysis.

Finally the book wraps up with Appendices on "Substitution Tables" and "Test Vectors." And of course the reader gets to parse the C code as a reference implementation of Rijndael.

Overall the book is a great insight into the design of Rijndael and the Advanced Encryption Standard (aka AES). The reader, whether an undergraduate or graduate student or even professional, gets to understand what was on the designers' minds when creating this cipher, nowadays known as AES, that has become omnipresent in the context of secure communications in the 2020s. The second edition retrofits the first edition with modern terminology so that one can connect modern cryptography articles to the nomenclature that was in use in the late 1990s, as well as putting Rijndael in the proper light for what has happened in terms of cryptanalysis.

I enjoyed reading this book, which is now sitting on my new office bookshelves, as it brought back memories of the late 1990s and early 2000s crypto waiting game, going from round to round in the NIST competition. And then there was Rijndael.

-------------------
Sven Dietrich reviews technology and security books for IEEE Cipher. He welcomes your thoughts at spock at ieee dot org

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

-------------------------------------------
Best Science of Cybersecurity Award Nominations

What 2020 paper did most to advance the science of cybersecurity?

Nominations for NSA's annual Best Science of Cybersecurity paper award are open. Were there any papers published in 2020 that you think were especially good, in the sense that they advanced the foundations of cybersecurity and/or exemplified excellence in scientific study in this multidisciplinary field?

To help you remember what's been published in the past year, a table providing links to many of the relevant conferences and journals is available here: https://cps-vo.org/sos/papercompetition/sources-2020

Last year's winning paper was "Spectre Attacks: Exploiting Speculative Execution," by Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, and Yuval Yarom, published at the 2019 IEEE Security & Privacy Symposium.

Please take a few moments to honor a paper by nominating it for NSA's Best Science of Cybersecurity paper competition, which is described here: https://cps-vo.org/group/sos/papercompetition .

Submit your nomination here: https://cps-vo.org/group/sos/papercompetition/submit

Nominations close 15 April 2021.

------------------------------------------------------------
Basic Insecurity

Hackers try to contaminate Florida town's water supply through computer breach
https://www.reuters.com/article/us-usa-cyber-florida/hackers-try-to-contaminate-florida-towns-water-supply-through-computer-breach-idUSKBN2A82FV
Publisher: Reuters, Internet News
Date: February 8, 2021
By: Christopher Bing

Summary:
An employee at a water treatment facility said that his computer screen showed that someone was accessing it via TeamViewer, a remote access tool used for technical support. He said that the unknown remote user commanded the system to put a massive amount of lye into the water supply. Other operators at the plant reversed the command, and they asked for help from local law enforcement.

The operators of the water treatment facility say that the lye (which is used in small quantities to neutralize the pH of the water) increased only minimally, and "additional" controls would have prevented further damage.

[Ed.: Despite involvement by the FBI and Secret Service, there is no further information available about this incident.]

------------------------------------------------------------
MalMac

Nearly 30,000 Macs reportedly infected with mysterious malware
https://www.cnn.com/2021/02/21/tech/mac-mysterious-malware/index.html
Publisher: CNN Business
Date: February 21, 2021
By: Alexis Benveniste

Summary:
Malware that infects Apple's new M1 chip has shown up on Mac computers around the globe. Known as Silver Sparrow, the software seems to do nothing malign, but its quick ubiquity is unsettling to security experts. It may signal ongoing development of a new attack tool.

------------------------------------------------------------
The Best SpyWare is NSA's

Chinese spyware code was copied from America's NSA: researchers
https://www.reuters.com/article/us-usa-cyber-china/chinese-spyware-code-was-copied-from-americas-nsa-researchers-idUSKBN2AM11R
Publisher: Reuters, Aerospace and Defense
Date: February 22, 2021
By: Raphael Satter

Summary:
In a nod to the skill of US intelligence services, malware developers in China appear to have used NSA's hacking software as the basis for a new project.

From the article:
Tel Aviv-based Check Point Software Technologies issued a report noting that some features in a piece of China-linked malware it dubs "Jian" were so similar they could only have been stolen from some of the National Security Agency break-in tools leaked to the internet in 2017.

Good software gets re-used, re-purposed, and improved. Hacking software is no different; it can "escape" from its point of origin and evolve into the core of countless derived tools.

------------------------------------------------------------
How Many Engineers Does It Take to Make a SolarWinds Hack?

SolarWinds hack was work of 'at least 1,000 engineers', tech executives tell Senate
True scope of the breach, which affected 100 companies and several federal agencies, is still unknown
https://www.theguardian.com/technology/2021/feb/23/solarwinds-hack-senate-hearing-microsoft
Publisher: The Guardian
Date: February 23, 2021
By: Kari Paul and agencies

Summary:
The SolarWinds hack provided backdoor access to thousands of systems in the US, including some at US agencies. The instigator and beneficiary of the attack appears to be Russia. At a Congressional hearing on the matter, the president of Microsoft said that creation of the software must have been the work of at least 1000 skilled engineers.
Either this speaks to tremendous inefficiency by Microsoft's engineers or the hackers must have been a well-organized software production company, perhaps government financed. Although Microsoft itself was victimized, the company's president nonetheless blamed the victims for poor security practices.

------------------
Finger Pointed at Microsoft's Inadequate Defenses

Microsoft failed to shore up defenses that could have limited SolarWinds hack: U.S. senator
https://www.reuters.com/article/us-cyber-solarwinds-microsoft/microsoft-failed-to-shore-up-defenses-that-could-have-limited-solarwinds-hack-u-s-senator-idUSKBN2AP2XD
Publisher: Reuters, Technology News
Date: February 25, 2021
By: Joseph Menn

Summary:
In Congressional hearings about the SolarWinds hack, Microsoft was on the defensive about its failure to provide protection against known vulnerabilities in its Office360 product. The company said the few victims were compromised through that pathway, but because one of them was the US Department of Justice, U.S. Senator Ron Wyden took Microsoft to task over its failings.

Trey Herr, director of the Cyber Statecraft Initiative at the Atlantic Council, faulted large computing companies for "perhaps failing to adequately mitigate the risk of high impact, low probability failures in systems at the root of their security model."

In the SolarWinds case, part of the attack required inside access to a victim's network. Security experts often discount such attacks on the grounds that if the network has been compromised, then there must be some greater security flaw elsewhere. Nonetheless, Microsoft knew about the flaws and could have fixed them before they were exploited.

------------------
The SolarWinds Hack, In Detail

SolarWinds Hack: Retrospective
Part 2: What caused the breach and what does the malware do?
https://medium.com/cloud-security/solarwinds-hack-retrospective-322f03b4eb9b
Publisher: 2nd Sight Lab
Date: Dec 16, 2020
By: Teri Radichel

Summary:
This article has a good and thorough analysis of the SolarWinds attack. It briefly describes, among other things, the "Golden SAML" trick for mimicking a trusted server inside a corporate network. This is the flaw that Microsoft rated as a low priority target for patching.

------------------------------------------------------------
No Fair Exchange

Microsoft issues emergency patches for 4 exploited 0-days in Exchange
Attacks are limited for now but may ramp up as other hackers learn of them.
https://arstechnica.com/information-technology/2021/03/microsoft-issues-emergency-patches-for-4-exploited-0days-in-exchange/
Publisher: Ars Technica
Date: 3/2/2021
By: Dan Goodin

Summary:
Microsoft discovered that its on-premises Exchange servers (NOT its cloud servers) were being hacked through four zero-day exploits. These are unrelated to the SolarWinds vulnerabilities. At the time of the announcement, Microsoft believed that only one group, Hafnium, was behind the attacks, but the patches reveal enough about the problems that other groups will be likely to pounce on them and to develop their own attacks.

------------------
Where Server Flaws Go, Ransomware follows

Microsoft says ransom-seeking hackers taking advantage of server flaws
https://www.reuters.com/article/us-usa-cyber-microsoft/microsoft-says-ransom-seeking-hackers-taking-advantage-of-server-flaws-idUSKBN2B40FE
Publisher: Reuters
Date: March 11, 2021
By: Raphael Satter

Summary:
Microsoft Corp security program manager Phillip Misner announced via Twitter that security flaws in its Exchange mail server product were being avidly exploited by a variety of bad actors. Ransomware is being spread via that mechanism.
Small businesses without up-to-date security patches are suspected of being particularly tasty targets for the exploiters, who are suspected of being a state-sponsored group ("Hafnium") operating out of China. Microsoft released a slew of patches for the problems on March 2 (see https://www.cnn.com/2021/03/03/tech/microsoft-exchange-server-hafnium-china-intl-hnk/index.html, "Microsoft says a group of cyberattackers tied to China hit its Exchange email servers"). Woe betide any organizations that have failed to apply them.

------------------------------------------------------------
Federal Reserve Outage

The Federal Reserve suffers widespread disruption to payment services
https://www.cnn.com/2021/02/24/business/federal-reserve-outage-fedwire/index.html
Publisher: CNN Business
Date: February 25, 2021
By: Matt Egan

and

Rare Outage Takes Fed Payment Systems Offline
https://www.cfo.com/credit/2021/02/rare-outage-takes-fed-payment-systems-offline/
Publisher: CFO.com
Date: February 25, 2021
By: Matthew Heller

Summary:
The Federal Reserve banking system provides a funds transfer system "Fedwire" that banks use to move money for payment services. The system suffered an "operational error" on Feb. 24 and was unusable for most of the day. Associated services problems lingered through at least the next day. The Fedwire system can take 2 days to clear transactions, and there was concern that the backlog due to the outage would increase that lag. Experts note that instant transfers are the norm in some other countries.

There seemed to be no follow-ups about cascading problems or malicious software. The failure seemed to be unique.

------------------------------------------------------------
Business Transparency

Verkada surveillance cameras at Tesla, hundreds more businesses breached: hackers
https://www.reuters.com/article/us-verkada-breach/verkada-surveillance-cameras-at-tesla-hundreds-more-businesses-breached-hackers-idUSKBN2B2048
Publisher: Reuters, Internet News
Date: March 9, 2021
By: Paresh Dave, Jeffrey Dastin

Summary:
No one really knows who is using those creepy surveillance cameras, and the revelation of poor security by one of the suppliers of the devices added to the worry about unsuspected access. According to a hacker insider, Verkada cameras at hundreds of businesses, including a Tesla factory in Shanghai, were accessed for live video feeds, unbeknownst to the businesses involved. The hackers were able to use the administrative access to the cameras. Verkada says it was able to disable the access path quickly after being notified.

-----------------------------------------------------------------------
The Gift of Gab Hacking

Gab: hack gives unprecedented look into platform used by far right
Data breach appears to show neo-Nazis among investors as well as conversations between CEO and QAnon influencer
https://www.theguardian.com/world/2021/mar/11/gab-hack-neo-nazis-qanon-conspiracy-theories
Publisher: The Guardian
Date: March 11, 2021
By: Jason Wilson

Summary:
There's little privacy on the Internet, a fact that was underscored by the exposure of databases from the social media site Gab. Hackers twice gained access to the site, in one case taking over the accounts of 178 users. The databases of user accounts, postings, and direct messages have provided a great deal of insight into QAnon investors, for example. Interesting reading for anyone interested in the extremist groups that seem to favor Gab.

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

No new postings.

http://cisr.nps.edu/jobscipher.html

--------------
This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Conference and Workshop Announcements
====================================================================

The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Cipher calendar entries are announced on Twitter; follow ciphernews

Requests for inclusion in the list should be sent per instructions: http://www.ieee-security.org/Calendar/submitting.html

CODASPY 2021 11th ACM Conference on Data and Application Security and Privacy, Baltimore-Washington, DC Area, USA, March 22-24, 2021.
http://www.codaspy.org/2021/

ACM WiSec 2021 14th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Virtual, June 28 - July 1, 2021.
https://sites.nyuad.nyu.edu/wisec21/
Submission date: 25 March 2021

IoTSPT-ML 2021 11th International Workshop on Security, Privacy, Trust, and Machine Learning for Internet of Things, Held in conjunction with the 30th International Conference on Computer Communications and Networks (ICCCN 2021), Athens, Greece, July 22, 2021.
https://sites.google.com/uw.edu/iotspt-ml2021
Submission date: 26 March 2021

DBSec 2021 35th Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy, Virtual, July 19 – 20, 2021.
https://dbsec2021.ucalgary.ca
Submission date: 29 March 2021

SecureComm 2021 17th EAI International Conference on Security and Privacy in Communication Networks, Canterbury, Great Britain, September 6 - 9, 2021.
https://securecomm.eai-conferences.org/2021/
Submission date: 31 March 2021

SecMT 2021 International Workshop on Security in Mobile Technologies, Held in conjunction with ACNS 2021, Kamakura, Japan, June 21-24, 2021.
https://spritz.math.unipd.it/events/2021/ACNS_Workshop/index.html
Submission date: 5 April 2021

Cloud S&P 2021 3rd Workshop on Cloud Security and Privacy, Held in conjunction with ACNS 2021, Kamakura, Japan, June 21-24, 2021.
http://cloudsp2021.encs.concordia.ca/
Submission date: 15 April 2021

HOST 2021 IEEE International Symposium on Hardware Oriented Security and Trust, Washington DC, USA, December 5-8, 2021.
http://www.hostsymposium.org/host2021/
Submission date: 27 April 2021

ESORICS 2021 26th European Symposium on Research in Computer Security, Darmstadt, Germany, October 4-8, 2021.
https://esorics2021.athene-center.de/call-for-papers.php
Submission date: 5 January 2021 and 5 May 2021

ACM-CCS 2021 28th ACM Conference on Computer and Communications Security, Seoul, South Korea, November 14-19, 2021.
https://www.sigsac.org/ccs/CCS2021/
Submission date: 20 January 2021 and 6 May 2021

CSET 2021 14th Cyber Security Experimentation and Test Workshop, Virtual, August 9, 2021.
https://cset21.isi.edu/
Submission date: 11 May 2021

CUING 2021 5th International Workshop on Criminal Use of Information Hiding, Held in conjunction with the 16th International Conference on Availability, Reliability and Security (ARES 2021), Vienna, Austria, August 17 – 20, 2021.
http://www.ares-conference.eu
Submission date: 13 May 2021

ENS 2021 4th International Workshop on Emerging Network Security, Held in conjunction with the 16th International Conference on Availability, Reliability and Security (ARES 2021), Vienna, Austria, August 17 – 20, 2021.
http://www.ares-conference.eu
Submission date: 13 May 2021

WiMob 2021 17th International Conference on Wireless and Mobile Computing, Networking and Communications, Bologna, Italy, October 11-13, 2021.
http://wimob.org/wimob2021/
Submission date: 15 May 2021

SP 2021 42nd IEEE Symposium on Security and Privacy, San Francisco, CA, USA, May 23-27, 2021.
https://www.ieee-security.org/TC/SP2021/cfpapers.html

SafeThings 2021 5th IEEE Workshop on the Internet of Safe Things, Held in conjunction with IEEE S&P 2021, Virtual, May 27, 2021.
https://www.ieee-security.org/TC/SP2021/SPW2021/safethings2021

WTMC 2021 6th International Workshop on Traffic Measurements for Cybersecurity, Held in conjunction with IEEE S&P 2021, Virtual event, May 27, 2021.
https://wtmc.info

SADFE 2021 6th International Workshop on Traffic Measurements for Cybersecurity, Held in conjunction with IEEE S&P 2021, Virtual event, May 27, 2021.
http://sadfe.org/Sadfe21/callforpapers21.html

OID 2021 Open Identity Summit, Copenhagen, Denmark, June 1-2, 2021.
https://oid2021.compute.dtu.dk/

CPSS 2021 7th ACM Cyber-Physical System Security Workshop, Held in conjunction with ACM AsiaCCS 2021, Hong Kong, China, June 7, 2021.
https://spritz.math.unipd.it/events/2021/CPSS/index.html

CSF 2021 34th IEEE Computer Security Foundations Symposium, Virtual, June 21-25, 2021.
https://www.ieee-security.org/TC/CSF2021/

CSR 2021 IEEE International Conference on Cyber Security and Resilience, Rhodes, Greece, July 26-28, 2021.
https://www.ieee-csr.org/

USENIX Security 2021 30th USENIX Security Symposium, Vancouver, B.C., Canada, August 11–13, 2021.
https://www.usenix.org/conference/usenixsecurity21/call-for-papers

EuroSP Workshops 2021 6th IEEE EuroS&P Symposium, Vienna, Austria, September 7-11, 2021.
https://www.ieee-security.org/TC/EuroSP2021/cfw.html

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================
____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

 1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe".
    OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

 2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".
    OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum.
It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.

____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy (or other TCs) by completing the on-line form at IEEE at https://www.computer.org/web/tandc/technical-committees

______________________________________________________________________
TC Conference Publications Online
______________________________________________________________________

The proceedings of previous conferences are available from the Computer Society's Digital Library.
   IEEE Security and Privacy Symposium
   IEEE Computer Security Foundations
   IEEE European Security and Privacy Symposium

From 2012 onward, these are available without charge from the digital library 12 months after the conference.

____________________________________________________________________________
TC Officers and SP Steering Committee
____________________________________________________________________________

Chair:                                  Security and Privacy Symposium Chair Emeritus:
Ulfar Erlingsson                        Gabriela Ciocarlie
Manager, Security Research              SRI International
Google                                  oakland20-chair@ieee-security.org
tcchair at ieee-security.org

Vice Chair:                             Treasurer:
Brian Parno                             Yong Guan
                                        Department of Electrical and Computer Engineering
                                        Iowa State University, Ames, IA 50011
                                        treasurer@ieee-security.org

Newsletter Editor                       Security and Privacy Symposium, 2021 Chair:
Hilarie Orman                           Alvaro Cardenas
Purple Streak, Inc.                     University of California, Santa Cruz
500 S. Maple Dr.                        sp21-chair@ieee-security.org
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

TC Awards Chair
EJ Jung
UCSF
ejun2 @ usfca.edu
https://www.usfca.edu/faculty/eunjin-ej-jung

____________________________________________________________________________
BACK ISSUES:

Cipher is archived at: http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year