============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 139, July 18, 2017
Hilarie Orman, Editor: cipher-editor @ ieee-security.org
Sven Dietrich, Assoc. Editor: cipher-assoc-editor @ ieee-security.org
Yong Guan, Book Review Editor: cipher-bookrev @ ieee-security.org
Calendar Editor: cipher-cfp @ ieee-security.org
============================================================================
The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year
Contents:
* Letter from the Editor
* Commentary and Opinion and News
- Nominations due for Cybersecurity Awards
- News Items
. Uncle Sam in the Sky with Clouds
. SCOTUS to Think About Cellphone Towers and Privacy
. Summer Power "brown-outs" to be "Russky-Outs"?
. Oz on Forefront of Re-Opening Crypto Wars
. Our Fake Election?
. North Korea, New Player in the Ransomware Game
. New NIST Standard for Digital Identity Guidelines
. Hacking As a Service
. New Security Solution: Partnerships With the Enemy
. DoD to start using STARTTLS option for email transport
. Too Much Room at the Top
o Book reviews, Conference Reports and Commentary and News items
from past Cipher issues are available at the Cipher website
* List of Computer Security Academic Positions, by Cynthia Irvine
* Conference and Workshop Announcements
o Upcoming calls-for-papers and events
* Staying in Touch
o Information for subscribers and contributors
o Recent address changes
* Links for the IEEE Computer Society TC on Security and Privacy
o Becoming a member of the TC
o TC Officers
o TC publications for sale
====================================================================
Letter from the Editor
====================================================================
Dear Readers:
We have a short newsletter this month, due to the summer doldrums
and summer travel, all of which seems to hit hackers as hard as
researchers.
It is difficult to know what to say about computer security in these
"interesting times". In the brilliant words of Don Goode, "We need
some". Beyond that poignant observation, we find our attention
shifting from understanding the latest exploit against an OS weakness
to shock at the extent to which we are under attack from nation
states, and a feeling that the US government is ambivalent about
its role in cybersecurity. But maybe that's just the doldrums speaking.
I hope your summer travels include at least one of the
security and privacy conferences, and I hope that your interest in
computer security is steadfast.
Elections officials, fly away home.
Your precinct's on fire, your voters alone.
Hilarie Orman
cipher-editor @ ieee-security.org
====================================================================
News Briefs
====================================================================
The IEEE Cybersecurity Initiative is announcing the opening of the
competition for two new awards:
The IEEE Cybersecurity Award for Practice
The IEEE Cybersecurity Award for Innovation
These awards will recognize individuals who have generated
transformative cybersecurity capabilities and concepts. They will be
awarded for:
Game-changing ideas that have substantially advanced, or have the
potential to substantially advance, the practice of cybersecurity;
Approaches for designing or building novel cybersecurity systems
whose impact can be quantified in terms of cost, time, and/or
effectiveness;
Sustained leadership in cybersecurity research, policy, education,
and/or enabling of best practices in implementation or
engineering;
Work accelerating tech transfer of cybersecurity products, toward
the enabling of cost-aware, secure solutions.
Winners receive a check in the amount of $1000 and a plaque
commemorating their win. The IEEE thanks the MITRE corporation for
their generous gift in support of this award.
The following distinguished review board will select the winners:
Mark Maybury (chair), MITRE
Jonathan Katz (vice chair), Univ. of Maryland
Anup Ghosh, CEO Invincia
Robert Wisneieff, IBM
Donna Dodson, NIST
Radu Sion, Stony Brook University
Yoshi Kohno, Univ. of Washington
Nominations Due: 1 August, 2017
Decisions: 15 August, 2017
Send nominations to cyberawards17@ieee.org; cover the material described here:
https://s3.amazonaws.com/cybersec-prod/wp-content/uploads/2017/07/11155157/IEEE-Award-Details.pdf
The awards will be given out at IEEE SecDev 2017 in Boston, MA.
https://secdev.ieee.org/2017/home/
----------------------------------------------------------------------------
News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html
---------------
Uncle Sam in the Sky with Clouds
The U.S. Government heads to the cloud to keep America safe
http://www.foxbusiness.com/features/2017/05/31/u-s-government-heads-to-cloud-to-keep-america-safe.html
FOX Business
By Katie McKenna
May 31, 2017
Summary:
Homeland Security Advisor Tom Bosser has said that cloud services are
the security solution for the cyberinfrastructure of the 190 agencies
within the Federal government.
---------------
SCOTUS to Think About Cellphone Towers and Privacy
Supreme Court to decide if a warrant is needed to track a suspect through cellphone records
https://www.washingtonpost.com/politics/courts_law/supreme-court-to-decide-if-a-warrant-is-needed-to-track-a-suspect-through-cellphone-records/2017/06/05/ebc7923e-49f3-11e7-a186-60c031eab644_story.html
The Washington Post
June 5, 2017
By Robert Barnes
Summary:
In Carpenter v. U.S., the government is asking for access to the
numbers dialed by a cellphone without showing probable cause.
Although previous Supreme Court decisions have denied such access,
based on Fourth Amendment protections, the Justice Department may
argue that such decisions should be re-examined in the light of
law enforcement's reliance on technology in its investigations.
---------------
Summer Power "brown-outs" to be "Russky-Outs"?
Russia has developed a cyberweapon that can disrupt power grids,
according to new research
https://www.washingtonpost.com/world/national-security/russia-has-developed-a-cyber-weapon-that-can-disrupt-power-grids-according-to-new-research/2017/06/11/b91b773e-4eed-11e7-91eb-9611861a988f_story.html
The Washington Post
Jun 12, 2017
By Ellen Nakashima
Summary:
Forensic analysis of malware samples associated with power grid
disruptions in the US and the Ukraine shows that Russians are
associated with the software development and deployment.
This report by the Dragos cybersecurity company describes the software:
https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
CRASHOVERRIDE: Analysis of the Threat to Electric Grid Operations.
The malware is designed to map out the power control devices on a
network and to replace their communication protocols with ones
controlled by the adversary. Tor network nodes were apparently
involved in at least one attack.
---------------
Oz on Forefront of Re-Opening Crypto Wars
George Brandis's salvo in cryptowars could blow a hole in architecture of the internet
https://www.theguardian.com/technology/2017/jun/12/george-brandiss-salvo-in-cryptowars-could-blow-a-hole-in-architecture-of-the-internet
Technology | The Guardian
Jun 12, 2017
By Paul Farrell
Summary:
The Australian attorney general has suggested that some kind of
cross-jurisdictional system would compel communication device makers
and social media companies to "cooperate" by providing access to data
encrypted by users. Although he has not suggested a "backdoor" for
encryption, some experts wonder if there is any alternative solution
to Brandis's dilemma.
---------------
Our Fake Election?
Russian Cyber Hacks on U.S. Electoral System Far Wider Than Previously Known
https://www.bloomberg.com/politics/articles/2017-06-13/russian-breach-of-39-states-threatens-future-u-s-elections
Bloomberg
Jun 13, 2017
By Michael Riley and Jordan Robertson
Summary:
Attempts to interfere with the nuts-and-bolts systems associated with
voting in the 2016 presidential election were detected in 39 states.
The hacking is widely believed to have originated from Russians.
"They're coming after America," former FBI director James Comey told
the Senate Intelligence Committee investigating Russian interference
in the election. "They will be back."
---------------
North Korea, New Player in the Ransomware Game
The NSA has linked the WannaCry computer worm to North Korea
https://www.washingtonpost.com/world/national-security/the-nsa-has-linked-the-wannacry-computer-worm-to-north-korea/2017/06/14/101395a2-508e-11e7-be25-3a519335381c_story.html
The Washington Post
Jun 14, 2017
By Ellen Nakashima
Summary:
The NSA says that the WannaCry ransomware worm was likely a product of
North Korea. If it was an attempt to finance that secretive country,
it was a decisive failure. The few Bitcoins that were paid are
traceable, making them an undesirable asset for any currency exchange.
---------------
New NIST Standard for Digital Identity Guidelines
Mic Drop - Announcing the New Special Publication 800-63 Suite!
http://trustedidentities.blogs.govdelivery.com/2017/06/22/mic-drop-announcing-the-new-special-publication-800-63-suite/
June 22, 2017 10:02 AM
NIST Press Release
National Institute of Standards and Technology (NIST):
More than a year in the making, after a large, cross-industry effort, we
are proud to announce that the new Special Publication (SP) 800-63 IS.
NOW. FINAL. With your help, Electronic Authentication Guidelines has
evolved into Digital Identity Guidelines - a suite of documents covering
digital identity from initial risk assessment to deployment of federated
identity solutions. Check it out now at https://pages.nist.gov/800-63
---------------
Hacking As a Service
Two charged with running hacking service used in 'major computer intrusions' of U.S. businesses
https://www.washingtonpost.com/local/public-safety/two-latvians-charged-with-running-major-hacking-service/2017/07/05/17598108-6189-11e7-a4f7-af34fc1d9d39_story.html
The Washington Post
July 5, 2017
By Rachel Weiner
Summary:
Any software speciality has its vendors, and that includes
malware. A recent indictment names a pair of Latvians and a
co-conspirator in Virginia who have been running a site that offers a
"buffet" of hacking software, including keyloggers and remote access
Trojans, to their 30K customers.
---------------
New Security Solution: Partnerships With the Enemy
Lawmakers blast Trump's plan to work with Russia on cybersecurity
https://www.washingtonpost.com/news/the-fix/wp/2017/07/09/trump-suggested-a-cybersecurity-pact-with-russia-lawmakers-say-they-were-dumbfounded/
The Washington Post
Jul 9, 2017
By Cleve R. Wootson Jr.
Summary:
Using his official communication channel on Twitter, the President of
the United States spoke favorably of a partnership with Russia on
cybersecurity. The two countries would create some sort of
"impenetrable Cyber Security unit so that election hacking, & many
other negative things, will be guarded." The idea was met with
widespread skepticism and sarcasm. Later, the President said that the
partnership could not happen.
---------------
DoD to start using STARTTLS option for email transport
The Defense Department will soon use more secure email
Jul. 6, 2017
CNN Money
By Selena Larson
http://money.cnn.com/2017/07/06/technology/department-of-defense-starttls/index.html
Summary:
US Military emails go through the gateway "mail.gov" where they are
screened for viruses. The email is not encrypted in transit, and this has
attracted the attention of Senator Ron Wyden. His query to DISA,
which runs the gateway, elicited a response blaming old technology for
the omission: the current servers cannot enable encryption and still scan the
email for malware. The computers will be upgraded next year, and at
that time the STARTTLS option for SMTP will be enabled by default.
---------------
Too Much Room at the Top
Nature
White House's dwindling science office leaves major research programmes in limbo
11 July 2017
by Sara Reardon
Summary:
The US Office of Science and Technology Policy (OSTP) has only a
fraction of the number of members that it did under the previous
administration. The most significant position, that of science
advisor, remains unfilled. The article points out that "... without a
science adviser, OSTP career staff cannot establish new working
groups, call meetings or approve budgets." This seems to leave
cybersecurity without a clear direction.
====================================================================
Commentary and Opinion
====================================================================
Book reviews from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/BookReviews.html, and conference
reports are archived at
http://www.ieee-security.org/Cipher/ConfReports.html
====================================================================
Listing of academic positions available
by Cynthia Irvine
====================================================================
http://cisr.nps.edu/jobscipher.html
--------------
This job listing is maintained as a service to the academic
community. If you have an academic position in computer security and
would like to have it included on this page, send the following
information:
Institution,
City, State,
Position title,
date position announcement closes, and
URL of position description
to: irvine@cs.nps.navy.mil
====================================================================
Conference and Workshop Announcements
====================================================================
====================================================================
Upcoming Calls-For-Papers and Events
====================================================================
The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html
The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html
Cipher calendar entries are announced on Twitter; follow ciphernews.
Requests for inclusion in the list should be sent per the instructions at
http://www.ieee-security.org/Calendar/submitting.html
Our usual listing of security events and CFPs is omitted from
this Cipher due to the summer holidays. The website listings
are available, nonetheless.
====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================
____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________
SUBSCRIPTIONS:
Two subscription types, each with two ways to subscribe:
1. To receive the full ascii CIPHER issues as e-mail, send e-mail to
cipher-admin@ieee-security.org (which is NOT automated) with subject line
"subscribe".
OR
send a note to cipher-request@mailman.xmission.com with the
subject line "subscribe"
(this IS automated - thereafter you can manage your subscription
options, including unsubscribing, yourself)
2. To receive a short e-mail note announcing when a new issue of
CIPHER is available for Web browsing send e-mail to
cipher-admin@ieee-security.org (which is NOT automated) with subject line
"subscribe postcard".
OR
send a note to cipher-postcard-request@mailman.xmission.com with the
subject line "subscribe"
(this IS automated - thereafter you can manage your subscription
options, including unsubscribing, yourself)
To remove yourself from the subscription list, send e-mail to
cipher-admin@ieee-security.org with subject line "unsubscribe" or
"unsubscribe postcard" or, if you have subscribed directly to the
xmission.com mailing list, use your password (sent monthly) to
unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard
Those with access to hypertext browsers may prefer to read Cipher
that way. It can be found at URL http://www.ieee-security.org/cipher.html
CONTRIBUTIONS:
to cipher @ ieee-security.org are invited. Cipher is a NEWSletter,
not a bulletin board or forum. It has a fixed set of departments,
defined by the Table of Contents. Please indicate in the
subject line for which department your contribution is intended.
Calendar and Calls-for-Papers entries should be sent to
cipher-cfp @ ieee-security.org
and they will be automatically included in both departments. To
facilitate the semi-automated handling, please send either a text
version of the CFP or a URL from which a text version can be easily
obtained. For Calendar entries, please include a URL and/or e-mail
address for the point-of-contact. For Calls for Papers, please submit
a one paragraph summary. See this and past issues for examples. ALL
CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS
APPLY. All reuses of Cipher material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy,
publications using Cipher material should obtain permission from the
contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________
Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html
_____________________________________________________________________
How to become a member of the
IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________
You may easily join the TC on Security & Privacy (or other TCs) by completing
the on-line form at IEEE at
https://www.computer.org/web/tandc/technical-committees
______________________________________________________________________
TC Conference Publications Online
______________________________________________________________________
The proceedings of previous conferences are available from the
Computer Society's Digital Library.
IEEE Security and Privacy Symposium
IEEE Computer Security Foundations
IEEE European Security and Privacy Symposium
From 2012 onward, these are available without charge from the digital
library 12 months after the conference.
____________________________________________________________________________
TC Officers and SP Steering Committee
____________________________________________________________________________
Chair:
Ulf Lindqvist
SRI International
Menlo Park, CA
ulf.lindqvist@sri.com

Security and Privacy Symposium Chair Emeritus:
Kevin R. B. Butler
University of Florida
oakland17-chair@ieee-security.org

Vice Chair:
Sean Peisert
UC Davis and Lawrence Berkeley National Laboratory
speisert@ucdavis.edu

Treasurer:
Yong Guan
3219 Coover Hall
Department of Electrical and Computer Engineering
Iowa State University, Ames, IA 50011
(515) 294-8378
yguan (at) iastate.edu

Newsletter Editor and TC Awards Chair:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

Security and Privacy Symposium, 2018 Chair:
Jason Li
Intelligent Automation
oakland18-chair@ieee-security.org
____________________________________________________________________________
BACK ISSUES:
Cipher is archived at: http://www.ieee-security.org/cipher.html