============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 141                                      November 30, 2017

Hilarie Orman, Editor                      Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org          cipher-assoc-editor @ ieee-security.org

Book Review Editor                         Calendar Editor
Yong Guan                                  Sven Dietrich
cipher-bookrev @ ieee-security.org         cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year

Contents:

* Letter from the Editor
* Commentary and Opinion and News
  o News Items
    - SEC's "Edgar" site hacked
    - GAO to SEC: "encrypt data" (repeat for 9 years)
    - Gotcha! WH Responds to Fake Emails
    - Firmware updates sometimes missed
    - The Rise and Fall of Mattel's Digital Nanny
    - Equifax --- blame the IT guy
    - States and voting security
    - Kaspersky works with Russian govmt
    - Israel blows the whistle on Kaspersky
    - Mining by visiting Politifact
    - S3 Buckets Leak Australian Data
    - WPA2 nonce reuse, WiFi standard deeply flawed
    - North Korean cyberhacking is first-rate
    - RSA key generation not so good
    - Digital extortion targets schools
    - Utah Company and the Long Search
    - Forensics reveals details of years of Russian hacking
    - Little (No) Hope for Bill Limiting NSA Phone Surveillance
    - Major 4th amendment cell phone case before the US Supreme Court
    - We learn how vulnerability info is shared by the US govmt
  o Book reviews, Conference Reports and Commentary and News items from
    past Cipher issues are available at the Cipher website
* List of Computer Security Academic Positions, by Cynthia Irvine
* Conference and Workshop Announcements
  o Upcoming calls-for-papers and events
* Staying in Touch
  o Information for subscribers and contributors
  o Recent address changes
* Links for the IEEE Computer Society TC on Security and Privacy
  o Becoming a member of the TC
  o TC Officers
  o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

There have been more news stories about computer security topics than I
have been able to keep track of this fall. Hacking, misconfiguration,
extortion, mathematical errors, communication protocol faults ... really,
there is something for everyone. It seems that the only thing saving us
from complete disaster is the sheer number of computers and users. Long
may we hover under the radar.

The ongoing problems show why security research is more important than
ever. Fortunately, there is a conference for almost every aspect of
security and privacy. Peruse our calendar and plan to attend, learn, and
contribute.

Long Live the Neutral Internet: There Can Be Only One,
      Hilarie Orman
      cipher-editor @ ieee-security.org

====================================================================
News Briefs
====================================================================

SEC's "Edgar" site hacked
SEC reveals it was hacked, information may have been used for illegal
stock trades
https://www.washingtonpost.com/news/business/wp/2017/09/20/sec-reveals-it-was-hacked-information-may-have-been-used-for-illegal-stock-trades
By Renae Merle
The Washington Post
Sep 20, 2017

Summary: The SEC requires that publicly traded companies file information
about their plans and finances. The website for doing this is called
"Edgar". Some of the information is for the SEC only and contains
confidential and personal information. At some point, the SEC realized
that the information was not properly protected, and "cyber threat
actors" accessed the data, perhaps gaining information useful for making
illegal profits.
The SEC feels that it should do better going forward.

------------------------

GAO to SEC: "encrypt data" (repeat for 9 years)
SEC ignored years of warnings about cybersecurity before massive breach
https://www.washingtonpost.com/business/economy/sec-ignored-years-of-warnings-about-cybersecurity-before-massive-breach/2017/10/24/7e7507d0-adf7-11e7-be94-fabb0f1e9ffb_story.html
By Renae Merle
The Washington Post
Oct 24, 2017

Summary: The GAO noted that the SEC's failure to encrypt data at rest
posed a serious security vulnerability, but the SEC ignored the warnings
and even closed its cybersecurity unit. The Edgar site held data that
should have been encrypted, and the data breach might have been prevented
if the GAO advice had been heeded. Closing the barn door in the wake of
the theft will require about $1.6 billion next year, according to SEC
Chair Jay Clayton.

------------------------

Gotcha! WH Responds to Fake Emails
How an email prankster punked a series of White House marks
https://www.washingtonpost.com/lifestyle/style/how-an-email-prankster-punked-a-series-of-white-house-marks/2017/09/27/a7642984-a3a0-11e7-ade1-76d061d56efa_story.html
By Paul Farhi
The Washington Post
Sep 27, 2017

Summary: Many White House figures have fallen victim to a British citizen
who specializes in sending emails with a fake "From" address and
eliciting personal replies. Jared Kushner's lawyer, Abbe Lowell, was a
recent target, and he responded to an email that appeared to come from
Kushner. His reply went back to the prankster, who happily published it.
The lesson is an old one: a "From" header is an unauthenticated claim,
and the only thing that binds a reply to the real sender is the address
the reply actually goes to.
------------------------

Firmware updates sometimes missed
Report: Thousands of Macs and PCs may be vulnerable to a sophisticated
kind of computer attack
https://www.washingtonpost.com/news/the-switch/wp/2017/09/29/report-thousands-of-macs-and-pcs-may-be-vulnerable-to-a-sophisticated-kind-of-computer-attack/
By Brian Fung
The Washington Post
Sep 29, 2017

Summary: A security firm found that more than 4% of the Mac computers in
its survey were running outdated versions of firmware (EFI), even though
the OS was current. For some reason, the automatic update of the
firmware was not applied alongside the OS update, and nothing reported
the failure to the user. Apple is committed to fixing the problem. The
firm suggests that Windows machines might suffer from a similar problem.

------------------------

The Rise and Fall of Mattel's Digital Nanny

My first digital assistant
Mattel Aristotle is an Amazon Echo that understands your kids, too
https://www.cnet.com/products/aristotle-by-nabi/preview/
CNET
Sep 29, 2017

Summary: A new digital assistant from Mattel is an Amazon Alexa with a
subsystem designed to interact with children. It comes with a wireless
camera with an encrypted video stream. The device conveniently keeps
track of a baby's sleep cycles, sings to them, and plays games. Of
course, it automatically orders diapers and formula as needed.

----

Do babies have privacy?
Privacy Advocates Raise Concerns About Mattel's Always-On "Aristotle"
Baby Monitor
https://consumerist.com/2017/05/10/privacy-advocates-raise-concerns-about-mattels-always-on-aristotle-baby-monitor/
By Kate Cox
Consumerist
May 10, 2017

Summary: The Campaign for a Commercial-Free Childhood
(http://www.commercialfreechildhood.org) finds Mattel's baby smart
monitor to be a terribly bad idea. Mattel's chief product officer hopes
that children will form emotional ties to the device, although the effect
of this on childhood development is completely unknown. The AI-based
device plays games, collects information, and uses it for marketing.
----

No UberNanny from Mattel
Mattel has canceled plans for a kid-focused AI device that drew privacy
concerns
https://www.washingtonpost.com/news/the-switch/wp/2017/10/04/mattel-has-an-ai-device-to-soothe-babies-experts-are-begging-them-not-to-sell-it/
By Hayley Tsukayama
The Washington Post
October 4, 2017

Summary: Mattel hired a new chief technology officer in July, and he
announced that the company would not release the Aristotle device because
it did not "fully align with Mattel's new technology strategy". The
executive director of the Campaign for a Commercial-Free Childhood
applauded the decision, saying that children have a right to privacy.

------------------------

Equifax --- blame the IT guy
Equifax Breach Caused by Lone Employee's Error, Former C.E.O. Says
https://www.nytimes.com/2017/10/03/business/equifax-congress-data-breach.html
By Tara Siegel Bernard and Stacy Cowley
The New York Times
Oct 4, 2017

Summary: Testifying to the House Energy and Commerce Committee, the
former chief executive of Equifax apologized for a massive leak of the
personal information of millions of consumers. The problem, he said, was
the result of one employee failing to heed security warnings. One might
wonder why the privacy of so many consumers, who had no control over
Equifax's collection of their information, rested on the shoulders of a
single employee; a patching process with no verification step is an
organizational failure, not an individual one.

------------------------

States and voting security
Wary of Hackers, States Move to Upgrade Voting Systems
https://www.nytimes.com/2017/10/14/us/voting-russians-hacking-states-.html
By Michael Wines
The New York Times
Oct 14, 2017

Summary: Voting technology varies greatly from state to state, but the
hacks and attempted hacks of 2016 have caused states to re-examine the
security of their equipment and methods. The US Election Assistance
Commission (EAC) and the Department of Homeland Security have guidelines
and direct assistance programs that are seeing increased interest from
states.
Many states are dealing with equipment that is 15 years old and needs
replacement, but this is an expensive task. The EAC chairman suggested
that consumer-owned equipment could be used as soon as the 2020 election.

------------------------

Kaspersky works with Russian govmt
Kaspersky reportedly modified its AV to help Russia steal NSA secrets
https://arstechnica.com/information-technology/2017/10/kaspersky-reportedly-modified-its-av-to-help-russia-steal-nsa-secrets/
By Dan Goodin
Ars Technica
Oct 14, 2017

Summary: The Wall Street Journal reported that modifications to the
popular Kaspersky anti-virus software caused it to search for specific
keywords in user files, and that those modifications required help from
Kaspersky itself. This seems to dispel the notion that the Russian
government made the modifications on its own by hacking into copies of
the software. Although German officials are not worried about Kaspersky,
US intelligence agencies reportedly observed the software detecting
classified information. Any anti-virus product runs with full privilege
and uploads samples of what it finds, so whoever controls its signatures
controls a search engine over the customer's disk.

------------------------

Israel blows the whistle on Kaspersky
How Israel Caught Russian Hackers Scouring the World for U.S. Secrets
https://www.nytimes.com/2017/10/10/technology/kaspersky-lab-israel-russia-hacking.html
By Nicole Perlroth and Scott Shane
The New York Times
Oct 10, 2017

Summary: In 2014 Israeli operatives hacked into Kaspersky Lab's corporate
systems, and they remained undetected until mid-2015. In the wake of this
situation, Kaspersky has accused Israel of using its software to try to
spy on information related to meetings with Iran about its nuclear
capabilities and on information about NSA. Israel has said that it
observed the Russian government using Kaspersky systems for spying on the
US. Whatever the truth may be, it seems that Kaspersky A/V is often used
for spying operations.
------------------------

Mining by visiting Politifact
Hackers have turned Politifact's website into a trap for your PC
https://www.washingtonpost.com/news/the-switch/wp/2017/10/13/hackers-have-turned-politifacts-website-into-a-trap-for-your-pc
By Brian Fung
The Washington Post
Oct 13, 2017

Summary: The website Politifact was somehow turned into a way to make
visitors' computers mine a cryptocurrency for someone else's benefit:
the page served JavaScript that computes hashes for a proof-of-work
currency in the visitor's browser. Visitors found their CPUs running at
full capacity after visiting the website, and it was common to find
several instances of the miner running simultaneously. This is an example
of the complexity of web technology, as Politifact was uncertain about
the source of the software and speculated that it might have come from a
third-party ad provider. A site that loads scripts from third parties
runs whatever those parties, or whoever compromises them, choose to
serve.

------------------------

S3 Buckets Leak Australian Data
Due to Amazon S3 configuration error: Nearly 50,000 sensitive information
of Australia Ministry of Finance, financial institutions online exposure
https://securitydaily.org/australia-data-leak/
Security Daily
Nov 4, 2017

Summary: A Polish researcher with a penchant for misconfigured Internet
servers found that personal information about 50,000 Australian
government and public-sector employees was exposed to the world through
Amazon AWS S3 storage. This is an all too common mistake by the
customers of the Amazon service. Apparently there is some confusion about
the security settings. In particular, the S3 access-control grantee
named "Authenticated Users" does not mean the customer's own users; it
means anyone with any AWS account in the world, which for practical
purposes is the public. Customers may also simply not have a clear idea
of what their settings are, since access can be granted by a bucket ACL,
a bucket policy, or an object ACL, and any one of them is enough to open
the data. The service is convenient, but the security risks require some
detailed attention.
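The two mistakes described in the S3 item above (a grant to "Authenticated Users", and a public-principal bucket policy) are mechanical to detect. The following is an added example, not code from the article or from AWS: it inspects an ACL and a bucket policy in the JSON shape the S3 API returns and flags anything that opens the bucket to the world. The sample ACL and policy are constructed here so the check runs offline; wiring it to `get_bucket_acl()` / `get_bucket_policy()` from a real client is left to the reader.

```python
"""Flag S3 ACL grants and bucket-policy statements that expose a bucket to
the world or to any AWS account holder.

Added example; it does not call AWS. The sample documents below are
constructed in the shape boto3's get_bucket_acl() and get_bucket_policy()
return, so the logic runs offline.
"""
import json

# Predefined groups in S3 ACLs. "AuthenticatedUsers" is NOT "my users":
# it is every AWS account in the world that signs its request.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "anyone", AUTHENTICATED_USERS: "any AWS account"}


def acl_findings(acl):
    """Return (permission, who) for every ACL grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((grant["Permission"], PUBLIC_GROUPS[grantee["URI"]]))
    return findings


def _principal_is_everyone(principal):
    # Policy principals may be "*" or {"AWS": "*"} / {"AWS": [...]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def policy_findings(policy_json):
    """Return the actions of every Allow statement open to any principal.
    A Condition block is reported, not evaluated: it may or may not narrow
    the grant, so a human has to look at it."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        findings.append({"actions": actions, "conditional": "Condition" in stmt})
    return findings


def is_exposed(acl, policy_json):
    """True if the ACL, or an unconditional policy statement, lets the
    public read or list the bucket."""
    if any(p in ("READ", "FULL_CONTROL") for p, _ in acl_findings(acl)):
        return True
    for f in policy_findings(policy_json):
        if f["conditional"]:
            continue
        if any(a in ("s3:GetObject", "s3:ListBucket", "s3:*", "*") for a in f["actions"]):
            return True
    return False


# Constructed sample: an owner who "shared" the bucket with Authenticated Users.
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
    ],
}

# Constructed sample policy: public GetObject with no Condition.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
})

# Constructed private baseline for comparison.
PRIVATE_ACL = {"Owner": {"ID": "x"},
               "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "x"},
                           "Permission": "FULL_CONTROL"}]}
PRIVATE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": []})

if __name__ == "__main__":
    print("ACL findings:   ", acl_findings(SAMPLE_ACL))
    print("policy findings:", policy_findings(SAMPLE_POLICY))
    print("exposed:        ", is_exposed(SAMPLE_ACL, SAMPLE_POLICY))
```

Object-level ACLs can expose individual files even when the bucket itself passes this check, so a complete audit walks the objects too; and a statement that carries a Condition is surfaced for review rather than judged, because conditions such as a source-IP restriction may or may not be meaningful.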
------------------------

WPA2 nonce reuse, WiFi standard deeply flawed
Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2
https://papers.mathyvanhoef.com/ccs2017.pdf
By Mathy Vanhoef and Frank Piessens
KU Leuven
Oct 16, 2017

Summary: This technical paper describes a serious flaw in the WiFi
protocol that had gone undetected for 14 years. In brief, an attacker
within radio range can replay a message of the 4-way handshake and cause
the client to reinstall a key it is already using; installing the key
resets the packet number that serves as the encryption nonce, so the
same key and nonce are used again for new frames. Reusing a nonce with
the counter-mode ciphers WPA2 relies on lets the attacker decrypt
traffic, and with some cipher suites to forge it. The attacker needs no
special privileges and does not learn the key itself. It is interesting
to note that the protocol had been "proven" to be secure: the proof
covered the handshake's key agreement but said nothing about what the
implementation does when it installs the key, and that is where the flaw
lives.

------------------------

North Korean cyberhacking is first-rate
The World Once Laughed at North Korean Cyberpower. No More.
https://www.nytimes.com/2017/10/15/world/asia/north-korea-hacking-cyber-sony.html
By David E. Sanger, David D. Kirkpatrick and Nicole Perlroth
The New York Times
Oct 15, 2017

Summary: North Korea is said to have six thousand people working in
offensive cyber operations, and they are improving their skills
steadily. Only a small spelling error in a transfer request kept them
from looting far more from the Bangladesh central bank (presumably
through the SWIFT banking network). Their goals are to wreak havoc and
become wealthy through cybertheft, ransomware, and extortion.

------------------------

RSA key generation not so good
Millions of high-security crypto keys crippled by newly discovered flaw
https://arstechnica.com/information-technology/2017/10/crypto-failure-cripples-millions-of-high-security-keys-750k-estonian-ids/
By Dan Goodin
Ars Technica
Oct 17, 2017

Summary: A number of digital identity cards, including Estonian national
ID cards, are less than highly secure due to a bug in a widely used
key-generation library. The RSA algorithm is a clever use of large
numbers and arithmetic, and if used properly, it is highly secure.
However, the arithmetic can be too complicated for energy and memory
constrained devices, such as smart cards.
It seems that the code for generating keys used shortcuts to find primes
quickly, and researchers have found that the resulting primes have a
special structure. The structure leaves a detectable fingerprint in the
public key, and it shrinks the search space enough that the public
modulus can be factored and the all-important private key recovered.
As a result, attackers could impersonate the card holders.

------------------------

Digital extortion targets schools
Hackers are targeting schools, U.S. Department of Education warns
http://money.cnn.com/2017/10/18/technology/business/hackers-schools-montana/index.html
By Selena Larson
CNN Tech
Oct. 18, 2017

Summary: School districts around the US have been shocked to receive
messages threatening to harm students and staff through release of
personal information, or even to inflict violence, unless a ransom was
paid. This has disrupted the schools and caused a great deal of worry.
The attacks originate from outside the US by a group called Dark
Overlord. It's unclear why Dark Overlord began targeting schools, but
someone from the hacking group told the Daily Beast they are "escalating
the intensity of our strategy in response to the FBI's persistence in
persuading clients away from us."

------------------------

Utah Company and the Long Search
Company making progress decrypting Josh Powell computer files
https://www.deseretnews.com/article/900002894/company-making-progress-decrypting-josh-powell-computer-files.html
By Dave Cawley
Deseret News
Oct 26, 2017

Summary: Josh Powell was suspected of killing his wife. He killed his two
sons and himself. Investigators have long sought to read the contents of
his computer hard drive in the hope that it might provide information
about the fate of his wife. Two Utah companies have spent four years
running software to guess the decryption keys that protect the hard drive
contents. They have broken the "first level" of encryption used by the
TrueCrypt application, but they realize that they cannot break the second
level without more computing resources.
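Returning to the WPA2 key-reinstallation item above: the damage comes entirely from the nonce restarting, not from any weakness in the cipher. The following added example (mine, not the paper's code, and with no AES) models a transmitter whose packet number resets to zero whenever a key is installed, a receiver with the usual replay check, and an eavesdropper who XORs two frames encrypted under the same key and nonce. CCMP's keystream is AES in counter mode; to keep this standard-library only, the stand-in keystream is SHA-256 over key, nonce and block counter, which is an assumption of the example and changes nothing about the reuse argument.

```python
"""Why reinstalling an already-in-use WPA2 key is fatal: the packet number
(nonce) restarts, the counter-mode keystream repeats, and XORing two
ciphertexts cancels the keystream.

Added example, not from the paper. CCMP keystream is AES-CTR; this
stand-in derives each keystream block from SHA-256(key || nonce || block)
so it runs with the standard library only.
"""
import hashlib


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Counter-mode keystream stand-in: a function of (key, nonce, block)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce.to_bytes(6, "big")
                              + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Sender:
    """Transmitter side: a key plus a packet number that must never repeat."""

    def __init__(self, ptk: bytes):
        self.install(ptk)

    def install(self, ptk: bytes):
        # Installing a key resets the packet number to 0. The attack makes
        # the client install the SAME PTK a second time (replayed message 3
        # of the handshake), so the nonce space is reused.
        self.ptk = ptk
        self.pn = 0

    def encrypt(self, plaintext: bytes):
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.ptk, self.pn, len(plaintext)))


class Receiver:
    """Receiver with the standard replay check on packet numbers."""

    def __init__(self, ptk: bytes):
        self.ptk = ptk
        self.last_pn = 0

    def decrypt(self, pn: int, ciphertext: bytes) -> bytes:
        if pn <= self.last_pn:
            raise ValueError("replayed or reset packet number %d" % pn)
        self.last_pn = pn
        return xor(ciphertext, keystream(self.ptk, pn, len(ciphertext)))


def nonce_reuse_attack(ptk: bytes, known: bytes, secret: bytes) -> bytes:
    """Eavesdropper's view: frame 1 (known plaintext, e.g. a predictable
    request) and frame 2 (secret) are both sent under packet number 1
    because the key was reinstalled in between. c1 XOR c2 XOR known
    yields the secret; the eavesdropper never learns ptk."""
    s = Sender(ptk)
    pn1, c1 = s.encrypt(known)
    s.install(ptk)            # key reinstallation: pn goes back to 0
    pn2, c2 = s.encrypt(secret)
    assert pn1 == pn2         # same key, same nonce, same keystream
    return xor(xor(c1, c2), known)


def receiver_rejects_reset(ptk: bytes) -> bool:
    """The replay counter does catch the reset frame at the receiver, but
    that protects integrity only; confidentiality is already gone because
    the eavesdropper needs no one to accept the frame."""
    s, r = Sender(ptk), Receiver(ptk)
    pn, c = s.encrypt(b"frame one")
    r.decrypt(pn, c)
    s.install(ptk)
    pn2, c2 = s.encrypt(b"frame two")
    try:
        r.decrypt(pn2, c2)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    PTK = bytes(range(16))   # constructed key for the demonstration
    print(nonce_reuse_attack(PTK, b"GET / HTTP/1.1\r\n", b"Cookie: secret!!"))
    print("receiver rejected reset frame:", receiver_rejects_reset(PTK))
```

The fix in the paper's terms is the same one the example suggests: an implementation must not reset the packet number (or the receive replay counter) when it is asked to install a key that is already installed.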
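The "detectable fingerprint" mentioned in the RSA key-generation item above can be checked from the public key alone, and that is how affected certificates were found at scale. The following is an added example, not the vendor's code and not from the article: it implements the published fingerprint (the generator's primes have the form k*M + (65537^a mod M), with M the product of the first 39 small primes, so the modulus reduced modulo each small prime is always a power of 65537). To have something to test offline it also includes a constructed toy generator that produces primes of that shape; the size (256-bit primes) and the seed are assumptions of the example, and the toy is not a faithful reproduction of the flawed library.

```python
"""Fingerprint test for RSA moduli from the flawed key generator behind the
ID-card story (the weakness is public as CVE-2017-15361, "ROCA").

Added example. Fingerprint: affected primes have the form
p = k*M + (65537^a mod M), M = product of the first 39 primes, so
N = p*q reduced mod each small prime r is a power of 65537 mod r. Random
primes show no such bias, so a modulus passing all 39 residue tests is
almost certainly from the flawed generator. The key generator below is a
constructed toy that reproduces only the shape; it is NOT the vendor's code.
"""
import random

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53,
                59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113,
                127, 131, 137, 139, 149, 151, 157, 163, 167]  # first 39 primes
E = 65537


def powers_of_e_mod(r: int) -> set:
    """The set {65537^a mod r}: residues a ROCA-shaped prime can take mod r."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * E % r
    return seen


RESIDUE_SETS = {r: powers_of_e_mod(r) for r in SMALL_PRIMES}


def has_roca_fingerprint(n: int) -> bool:
    """True when N mod r is a power of 65537 for every small prime r."""
    return all(n % r in RESIDUE_SETS[r] for r in SMALL_PRIMES)


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Trial division by the small primes, then Miller-Rabin."""
    if n < 2:
        return False
    for r in SMALL_PRIMES:
        if n % r == 0:
            return n == r
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def roca_shaped_prime(bits: int, rng: random.Random) -> int:
    """Toy generator with the flawed structure: p = k*M + 65537^a mod M.
    Only k and a are random, so p carries far less entropy than its size
    suggests; that is what makes the modulus factorable."""
    M = 1
    for r in SMALL_PRIMES:
        M *= r
    while True:
        a = rng.randrange(1, 1 << 20)
        k = rng.randrange((1 << (bits - 1)) // M, (1 << bits) // M)
        p = k * M + pow(E, a, M)
        if p.bit_length() == bits and is_probable_prime(p):
            return p


def random_prime(bits: int, rng: random.Random) -> int:
    """Ordinary prime generation for comparison."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(p):
            return p


def make_keys(seed: int = 1, bits: int = 256):
    """Return (weak_modulus, normal_modulus); 256-bit primes keep it fast."""
    rng = random.Random(seed)
    weak = roca_shaped_prime(bits, rng) * roca_shaped_prime(bits, rng)
    normal = random_prime(bits, rng) * random_prime(bits, rng)
    return weak, normal


if __name__ == "__main__":
    weak, normal = make_keys(seed=7)
    print("toy flawed modulus fingerprinted:", has_roca_fingerprint(weak))
    print("ordinary modulus fingerprinted:  ", has_roca_fingerprint(normal))
```

Because the test only reads the modulus, it can be run over any certificate store, TLS scan, PGP keyring, or authorized_keys file; a positive result means the key should be replaced, not that an attacker has already factored it.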
------------------------

Forensics reveals details of years of Russian hacking
Russian hacking went far beyond US election, digital hitlist reveals
https://www.theguardian.com/technology/2017/nov/02/russian-hacking-beyond-us-election-digital-hitlist
AP
Technology | The Guardian
Nov 2, 2017

Summary: The Russian hackers who tried to interfere in the 2016 US
presidential election were a busy bunch. They targeted thousands of
people and organizations of interest to the Kremlin. The company
Secureworks slightly turned the tables on the organization behind the
hacking (Fancy Bear) when it discovered a list of some of their phishing
targets online.

------------------------

Little (No) Hope for Bill Limiting NSA Phone Surveillance
Senate Republicans block USA Freedom Act surveillance reform bill
https://www.theguardian.com/us-news/2014/nov/18/usa-freedom-act-republicans-block-bill
By Spencer Ackerman
Technology | The Guardian
Nov 18, 2014

Summary: A US Senate bill aimed at limiting NSA's ability to collect US
phone records failed to advance after a year of debate. According to the
article, the domestic phone surveillance has not thwarted any terrorist
attacks, but many Republican senators felt that the potential for
deterrence overrode any civil liberties considerations.

------------------------

Major 4th amendment cell phone case before the US Supreme Court
Supreme Court takes on major Fourth Amendment case
http://www.cnn.com/2017/11/29/politics/supreme-court-fourth-amendment-case/index.html
By Ariane de Vogue
CNN Supreme Court Reporter
November 29, 2017

Summary: Do Americans voluntarily give up some privacy when they dial a
number on a cell phone? That is the subject of a case before the Supreme
Court. Law enforcement currently has warrantless access to called
numbers, but in today's world the "phone company" holds a huge amount of
personal data about people's communication and movements.
Does law enforcement engage in unreasonable search when it demands this
information? The court will rule on this basic privacy issue.

------------------------

We learn how vulnerability info is shared by the US govmt
White House Releases Vulnerability Equities Policy and Processes
https://www.insideprivacy.com/united-states/white-house-releases-vulnerability-equities-policy-and-processes/
By David Fagan and Catlin Meade
Covington, Inside Privacy
November 16, 2017

Summary: What does the US government do when it discovers a vulnerability
in a computer system or app? You can find out by reading the
Vulnerabilities Equities Policy and Process for the United States
Government for yourself:
https://www.whitehouse.gov/sites/whitehouse.gov/files/images/External%20-%20Unclassified%20VEP%20Charter%20FINAL.PDF
The policy and process have been secret for many years, but now the
Equities Review Board has released the information. The head of the ERB
is an NSA employee.

--------------------------------------------------

News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html

====================================================================
Listing of academic positions available by
Cynthia Irvine
====================================================================

http://cisr.nps.edu/jobscipher.html
Full list at http://my.nps.edu/web/c3o/cipher-jobs

Posted November 2017
University of Gothenburg
Gothenburg, Sweden
PhD student
Date position announcement closes: December 23, 2017
URL of position description: https://goo.gl/pcdTAa

--------------

This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like to
have it included on this page, send the following information:
Institution, City, State, Position title, date position announcement
closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Cipher calendar entries are announced on Twitter; follow ciphernews

Requests for inclusion in the list should be sent per instructions:
http://www.ieee-security.org/Calendar/submitting.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

11/30/17: PETS, 18th Privacy Enhancing Technologies Symposium,
          Barcelona, Spain; https://petsymposium.org/
          Submissions are due
12/ 1/17: Information & Communications Technology Express, Special Issue
          on Critical Infrastructure (CI) & Smart Grid Cyber Security;
          https://www.journals.elsevier.com/ict-express/call-for-papers/special-issue-on-ci-smart-grid-cyber-security;
          Submissions are due
12/ 1/17: SP, 39th IEEE Symposium on Security and Privacy,
          San Francisco, CA, USA;
          https://www.ieee-security.org/TC/SP2018/cfpapers.html
          Submissions are due
12/ 4/17-12/ 8/17: ACSAC, 33rd Annual Computer Security Applications
          Conference, San Juan, Puerto Rico; http://www.acsac.org
12/ 5/17: ICSS, Industrial Control System Security Workshop, Held in
          conjunction with the 33rd Annual Computer Security
          Applications Conference (ACSAC), San Juan, Puerto Rico;
          https://www.acsac.org/2017/workshops/icss/
12/ 6/17: ASIACCS, ACM Symposium on Information, Computer and
          Communications Security, Sungdo, Incheon,
          Korea; http://asiaccs2018.org/
          Submissions are due
12/ 8/17: IWSPA, 4th International Workshop on Security and Privacy
          Analytics, Co-located with ACM CODASPY 2018, Tempe, AZ, USA;
          http://capex.cs.uh.edu/?q=content/4th-international-workshop-security-and-privacy-analytics-2018
          Submissions are due
12/20/17: CNS, IEEE Conference on Communications and Network Security,
          Beijing, China; http://cns2018.ieee-cns.org/
          Submissions are due
 1/ 1/18: SP, 39th IEEE Symposium on Security and Privacy,
          San Francisco, CA, USA;
          https://www.ieee-security.org/TC/SP2018/cfpapers.html
          Submissions are due (monthly deadline)
 1/ 3/18- 1/ 5/18: IFIP119-DF, 14th Annual IFIP WG 11.9 International
          Conference on Digital Forensics, New Delhi, India;
          http://www.ifip119.org
 1/12/18: DFRWS, 18th Annual DFRWS USA 2018 Conference, Providence,
          Rhode Island, USA; http://dfrws.org/conferences/dfrws-usa-2018
          Submissions are due
 1/15/18: BioSTAR, 3rd International Workshop on Bio-inspired Security,
          Trust, Assurance and Resilience, Co-located with 39th IEEE
          Symposium on Security and Privacy (IEEE S&P 2018),
          San Francisco, CA, USA; http://biostar.cybersecurity.bio/
          Submissions are due
 1/16/18: SADFE, 12th International Workshop on Systematic Approaches to
          Digital Forensics Engineering, Co-located with 39th IEEE
          Symposium on Security and Privacy (IEEE S&P 2018),
          San Francisco, CA, USA; http://dfrws.org/conferences/dfrws-usa-2018
          Submissions are due
 1/17/18: HotSoS, 5th Annual Hot Topics in the Science of Security
          Symposium, Raleigh, North Carolina, USA;
          https://cps-vo.org/group/hotsos/cfp
          Submissions are due
 2/ 1/18: USENIX Security, 27th USENIX Security Symposium, Baltimore,
          MD, USA; https://www.usenix.org/conference/usenixsecurity18
          Submissions are due
 2/ 8/18: HotSoS, 5th Annual Hot Topics in the Science of Security
          Symposium, Raleigh, North Carolina, USA;
          https://cps-vo.org/group/hotsos/cfp
          Submissions are due
 2/28/18: PETS, 18th Privacy Enhancing Technologies Symposium, Barcelona,
          Spain; https://petsymposium.org/
          Submissions are due
 3/ 1/18: SP, 39th IEEE Symposium on Security and Privacy,
          San Francisco, CA, USA;
          https://www.ieee-security.org/TC/SP2018/cfpapers.html
          Submissions are due
 3/21/18: IWSPA, 4th International Workshop on Security and Privacy
          Analytics, Co-located with ACM CODASPY 2018, Tempe, AZ, USA;
          http://capex.cs.uh.edu/?q=content/4th-international-workshop-security-and-privacy-analytics-2018
 3/25/18- 3/28/18: PKC, 21st IACR International Conference on Practice
          and Theory in Public-Key Cryptography, Rio de Janeiro, Brazil;
          https://pkc.iacr.org/2018/
 4/ 1/18: SP, 39th IEEE Symposium on Security and Privacy,
          San Francisco, CA, USA;
          https://www.ieee-security.org/TC/SP2018/cfpapers.html
          Submissions are due
 4/10/18- 4/11/18: HotSoS, 5th Annual Hot Topics in the Science of
          Security Symposium, Raleigh, North Carolina, USA;
          https://cps-vo.org/group/hotsos/cfp
 5/ 1/18: SP, 39th IEEE Symposium on Security and Privacy,
          San Francisco, CA, USA;
          https://www.ieee-security.org/TC/SP2018/cfpapers.html
          Submissions are due
 5/ 2/18- 5/ 3/18: HST, 18th annual IEEE Symposium on Technologies for
          Homeland Security, Washington D.C., USA; http://ieee-hst.org
 5/21/18- 5/23/18: SP, 39th IEEE Symposium on Security and Privacy,
          San Francisco, CA, USA;
          https://www.ieee-security.org/TC/SP2018/cfpapers.html
 5/TBD/18: HOST, IEEE International Symposium on Hardware-Oriented
          Security and Trust, Washington DC, USA;
          http://www.hostsymposium.org
 5/24/18: BioSTAR, 3rd International Workshop on Bio-inspired Security,
          Trust, Assurance and Resilience, Co-located with 39th IEEE
          Symposium on Security and Privacy (IEEE S&P 2018),
          San Francisco, CA, USA; http://biostar.cybersecurity.bio/
 5/30/18- 6/ 1/18: CNS, IEEE Conference on Communications and Network
          Security, Beijing, China; http://cns2018.ieee-cns.org/
 6/ 4/18- 6/ 8/18: ASIACCS, ACM Symposium on Information, Computer and
          Communications Security, Sungdo, Incheon, Korea;
          http://asiaccs2018.org/
 7/15/18- 7/18/18: DFRWS,
          18th Annual DFRWS USA 2018 Conference, Providence, Rhode
          Island, USA; http://dfrws.org/conferences/dfrws-usa-2018
 7/24/18- 7/27/18: PETS, 18th Privacy Enhancing Technologies Symposium,
          Barcelona, Spain; https://petsymposium.org/
 8/15/18- 8/17/18: USENIX Security, 27th USENIX Security Symposium,
          Baltimore, MD, USA;
          https://www.usenix.org/conference/usenixsecurity18

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers (new since Cipher E140)
____________________________________________________________________

PETS 2018
18th Privacy Enhancing Technologies Symposium, Barcelona, Spain,
July 24-27, 2018. (Submissions Due 30 November 2017, 28 February 2018)
https://petsymposium.org/

The annual Privacy Enhancing Technologies Symposium (PETS) brings
together privacy experts from around the world to present and discuss
recent advances and new perspectives on research in privacy technologies.
Papers undergo a journal-style reviewing process and accepted papers are
published in Proceedings on Privacy Enhancing Technologies (PoPETs), a
scholarly, open access journal. Submitted papers should present novel
practical and/or theoretical research into the design, analysis,
experimentation, or fielding of privacy-enhancing technologies. While
PETS/PoPETs has traditionally been home to research on anonymity systems
and privacy-oriented cryptography, we strongly encourage submissions on a
number of both well-established and emerging privacy-related topics, for
which examples are provided below. PoPETs also solicits submissions for
Systematization of Knowledge (SoK) papers. These are papers that
critically review, evaluate, and contextualize work in areas for which a
body of prior literature exists, and whose contribution lies in
systematizing the existing knowledge in that area. Authors are
encouraged to view our FAQ about the submission process.
- Behavioural targeting
- Building and deploying privacy-enhancing systems
- Crowdsourcing for privacy
- Cryptographic tools for privacy
- Data protection technologies
- Differential privacy
- Economics of privacy and game-theoretical approaches to privacy
- Empirical studies of privacy in real-world systems
- Forensics and privacy
- Human factors, usability and user-centered design for PETs
- Information leakage, data correlation and generic attacks to privacy
- Interdisciplinary research connecting privacy to economics, law,
  ethnography, psychology, medicine, biotechnology
- Location and mobility privacy
- Machine learning and privacy
- Measuring and quantifying privacy
- Mobile devices and privacy
- Obfuscation-based privacy
- Policy languages and tools for privacy
- Privacy in cloud and big-data applications
- Privacy in social networks and microblogging systems
- Privacy-enhanced access control, authentication, and identity management
- Profiling and data mining
- Reliability, robustness, and abuse prevention in privacy systems
- Surveillance
- Systems for anonymous communications and censorship resistance
- Traffic analysis
- Transparency enhancing tools
- Web privacy

-------------------------------------------------------------------------

Information & Communications Technology Express, Special Issue on
Critical Infrastructure (CI) & Smart Grid Cyber Security,
(Submissions Due 1 December 2017)
https://www.journals.elsevier.com/ict-express/call-for-papers/special-issue-on-ci-smart-grid-cyber-security

Guest Editors: Leandros A. Maglaras (De Montfort University, UK),
Ki-Hyung Kim (Ajou University, Korea), Helge Janicke (De Montfort
University, UK), Mohamed Amine Ferrag (Guelma University, Algeria),
Artemios G. Voyiatzis (SBA Research, Austria), Pavlina Fragkou (T.E.I of
Athens, Greece), Athanasios Maglaras (T.E.I. of Thessaly, Greece), and
Tiago J. Cruz (University of Coimbra, Portugal).
Cyber-physical systems are becoming vital to modernizing national
critical infrastructure (CI) systems. A smart grid is an energy
transmission and distribution network enhanced through digital control,
monitoring, and telecommunications capabilities. It provides a
real-time, two-way flow of energy and information to all stakeholders in
the electricity chain, from the generation plant to the commercial,
industrial, and residential end user. Each smart grid subsystem and its
associated assets require specific security functions and solutions. For
example, the solution to secure a substation is not the same as the
solution to secure demand response and home energy management systems.
Usual cyber security technologies and best practices - such as antivirus,
firewalls, intrusion prevention systems, network security design, defense
in depth, and system hardening - are necessary to protect the smart grid.
However, history has shown they are only part of the solution. Owing to
the rapid increase of sophisticated cyber threats with exponentially
destructive effects, advanced cyber security technologies must be
developed. The title of this special issue of ICT Express is therefore
coined concisely as "Special Issue on CI & Smart Grid Cyber Security".
This special issue focuses on innovative methods and techniques to
address unique security issues relating to CI and smart grids.
Original submissions reflecting the latest research observations and
achievements in the following areas are invited:
- Hardware Security Solutions
- Incident response
- Real-time threat intelligence
- Situation Awareness
- Security information and event management (SIEM) systems
- Machine Learning Techniques
- Safety-Security Interactions
- System Vulnerabilities
- Cyber Security Engineering
- Human Awareness & Training
- Intrusion Detection Systems
- Trust and privacy
- Malware Analysis
- Behavioral Modeling
- Secure Communication Protocols
- Network security and protocols
- Hardware enforced virtualization

-------------------------------------------------------------------------

SP 2018
39th IEEE Symposium on Security and Privacy, San Francisco, CA, USA,
May 21-23, 2018. (Submissions Due first day of each month)
https://www.ieee-security.org/TC/SP2018/cfpapers.html

Since 1980 in Oakland, the IEEE Symposium on Security and Privacy has
been the premier forum for computer security research, presenting the
latest developments and bringing together researchers and practitioners.
We solicit previously unpublished papers offering novel research
contributions in any aspect of security or privacy. Papers may present
advances in the theory, design, implementation, analysis, verification,
or empirical evaluation and measurement of secure systems.
Topics of interest include:
- Access control and authorization
- Accountability
- Anonymity
- Application security
- Attacks and defenses
- Authentication
- Censorship resistance
- Cloud security
- Distributed systems security
- Economics of security and privacy
- Embedded systems security
- Forensics
- Hardware security
- Intrusion detection and prevention
- Malware and unwanted software
- Mobile and Web security and privacy
- Language-based security
- Network and systems security
- Privacy technologies and mechanisms
- Protocol security
- Secure information flow
- Security and privacy for the Internet of Things
- Security and privacy metrics
- Security and privacy policies
- Security architectures
- Usable security and privacy

This topic list is not meant to be exhaustive; S&P is interested in all aspects of computer security and privacy. Papers without a clear application to security or privacy, however, will be considered out of scope and may be rejected without full review.

Systematization of Knowledge Papers

As in past years, we solicit systematization of knowledge (SoK) papers that evaluate, systematize, and contextualize existing knowledge, as such papers can provide a high value to our community. Suitable papers are those that provide an important new viewpoint on an established, major research area, support or challenge long-held beliefs in such an area with compelling evidence, or present a convincing, comprehensive new taxonomy of such an area. Survey papers without such insights are not appropriate. Submissions will be distinguished by the prefix "SoK:" in the title and a checkbox on the submission form. They will be reviewed by the full PC and held to the same standards as traditional research papers, but they will be accepted based on their treatment of existing work and value to the community, and not based on any new research results they may contain. Accepted papers will be presented at the symposium and included in the proceedings.
Workshops

The Symposium is also soliciting submissions for co-located workshops. Further details on submissions can be found at https://www.ieee-security.org/TC/SP2018/workshops.html.

Ongoing Submissions

To enhance the quality and timeliness of the scientific results presented as part of the Symposium, and to improve the quality of our reviewing process, IEEE S&P now accepts paper submissions 12 times a year, on the first of each month. The detailed process can be found at the conference call-for-papers page.

-------------------------------------------------------------------------
ASIACCS 2018
ACM Symposium on Information, Computer and Communications Security,
Sungdo, Incheon, Korea, Jun 4-8, 2018. (Submissions Due 6 December 2017)
http://asiaccs2018.org/

We invite submissions from academia, government, and industry presenting novel research on all theoretical and practical aspects of computer and network security. Areas of interest for ASIACCS 2018 include, but are not limited to:
- Access control
- Accounting and audit
- Applied cryptography
- Authentication
- Big data security and privacy
- Biometrics
- Blockchain and alternatives
- Cloud computing security
- Computer forensics
- Cyber-physical system security
- Data and application security
- Embedded systems security
- Formal methods for security
- Hardware-based security and applications
- IoT security and privacy
- Key management
- Malware and botnets
- Mobile computing security
- Network security
- Operating system security
- Practical post-quantum security
- Privacy-enhancing technology
- Runtime attacks and defenses
- Secure computation
- Security architectures
- Security of critical infrastructures
- Security metrics
- Software security
- Threat modeling
- Trusted computing
- Usable security and privacy
- Web security
- Wireless security and privacy

-------------------------------------------------------------------------
IWSPA 2018
4th International Workshop on Security and Privacy Analytics, Co-located
with ACM CODASPY 2018, Tempe, AZ, USA, March 21, 2018.
(Submissions Due 8 December 2017)
http://capex.cs.uh.edu/?q=content/4th-international-workshop-security-and-privacy-analytics-2018

Increasingly, sophisticated techniques from machine learning, data mining, statistics and natural language processing are being applied to challenges in security and privacy fields. However, experts from these areas have no medium where they can meet and exchange ideas so that strong collaborations can emerge, and cross-fertilization of these areas can occur. Moreover, current courses and curricula in security do not sufficiently emphasize background in these areas and students in security and privacy are not emerging with deep knowledge of these topics. Hence, we propose a workshop that will address the research and development efforts in which analytical techniques from machine learning, data mining, natural language processing and statistics are applied to solve security and privacy challenges ("security analytics"). Submissions of papers related to methodology, design, techniques and new directions for security and privacy that make significant use of machine learning, data mining, statistics or natural language processing are welcome. Furthermore, submissions on educational topics and systems in the field of security analytics are also highly encouraged.

-------------------------------------------------------------------------
CNS 2018
IEEE Conference on Communications and Network Security, Beijing, China,
May 30 - June 1, 2018. (Submissions Due 20 December 2017)
http://cns2018.ieee-cns.org/

IEEE Conference on Communications and Network Security (IEEE CNS) is a conference series in the IEEE Communications Society (ComSoc) core conference portfolio and the only ComSoc conference focusing solely on cybersecurity.
IEEE CNS provides a premier forum for security researchers, practitioners, policy makers, and users to exchange ideas, techniques and tools, raise awareness, and share experience related to all practical and theoretical aspects of cybersecurity. Building on the success of the past five years' conferences, IEEE CNS 2018 seeks original high-quality technical papers from academia, government, and industry. Topics of interest encompass all practical and theoretical aspects of communications and network security, from the physical layer to the network layer to the variety of applications reliant on a secure communication substrate. Topics of interest include:
- Anonymity and privacy technologies
- Computer and network forensics
- Cyber deterrence strategies
- Game-theoretic security technologies
- Implementation and evaluation of networked security systems
- Information-theoretic security
- Intrusion detection, prevention, and response
- Key management, public key infrastructures, certification, revocation, and authentication
- Malware detection and mitigation
- Security metrics and models
- Physical-layer and cross-layer security technologies
- Security and privacy for big data
- Security and privacy for data and network outsourcing services
- Security and privacy for mobile and wearable devices
- Security and privacy in cellular networks
- Security and privacy in cloud and edge computing
- Security and privacy in crowdsourcing
- Security and privacy in emerging wireless technologies (dynamic spectrum sharing, cognitive radio networks, millimeter wave communications, MIMO systems, etc.)
- Security and privacy in peer-to-peer and overlay networks
- Security and privacy in Wi-Fi, ad hoc, mesh, sensor, vehicular, body-area, disruption/delay tolerant, and social networks
- Security and privacy in smart cities, smart and connected health, IoT, and RFID systems
- Security for critical infrastructures (smart grids, transportation systems, etc.)
- Security for future Internet architectures and designs
- Security for software-defined and data center networks
- Social, economic, and policy issues of trust, security, and privacy
- Traffic analysis
- Usable security and privacy
- Web, e-commerce, m-commerce, and e-mail security

-------------------------------------------------------------------------
DFRWS 2018
18th Annual DFRWS USA 2018 Conference, Providence, Rhode Island, USA,
July 15-18, 2018. (Submissions Due 12 January 2018)
http://dfrws.org/conferences/dfrws-usa-2018

We invite contributions in five categories: research papers, presentation proposals, panel proposals, workshop proposals, and demo proposals. Topics of Interest:
- Memory analysis and snapshot acquisition
- Storage forensics, including solid state
- "Big data" forensics, related to collection, analysis, and visualization
- Incident response and live analysis
- Forensics of cloud and virtualized environments
- Malware and targeted attacks (analysis and attribution)
- Network and distributed system forensics
- Event reconstruction methods and tools
- Mobile and embedded device forensics
- Digital evidence storage and preservation
- Data recovery and reconstruction
- Multimedia analysis
- Database forensics
- Tool testing and development
- Digital evidence and the law
- Case studies and trend reports
- Data hiding and discovery
- Anti-forensics and anti-anti-forensics
- Interpersonal communications and social network analysis
- Non-traditional forensic scenarios and approaches (e.g. vehicles, Internet of Things, industrial control systems, and SCADA)
- Archival preservation & reconstruction

-------------------------------------------------------------------------
BioSTAR 2018
3rd International Workshop on Bio-inspired Security, Trust, Assurance and
Resilience, Co-located with 39th IEEE Symposium on Security and Privacy
(IEEE S&P 2018), San Francisco, CA, USA, May 24, 2018.
(Submissions Due 15 January 2018)
http://biostar.cybersecurity.bio/

As computing and communication systems continue to expand and offer new services, these advancements require more dynamic, diverse, and interconnected computing infrastructures. Unfortunately, defending and maintaining resilient and trustworthy operation of these complex systems are increasingly difficult challenges. Conventional approaches to Security, Trust, Assurance and Resilience (STAR for short) are often too narrowly focused and cannot easily scale to manage large, coordinated and persistent attacks in these environments. Designs found in nature are increasingly used as a source of inspiration for STAR and related networking and intelligence solutions for complex computing and communication environments. Nature's footprint is present in the world of Information Technology, where there are an astounding number of computational bio-inspired techniques. These well-regarded approaches include genetic algorithms, neural networks, ant algorithms, and immune systems, just to name a few. For example, several networking management and security technologies have successfully adopted some of nature's approaches, such as swarm intelligence, artificial immune systems, sensor networks, moving target defense, diversity-based software design, etc. Nature has also developed an outstanding ability to recognize individuals or foreign objects and adapt/evolve to protect a group or a single organism. Solutions that incorporate these nature-inspired characteristics often have improved performance and/or provide new capabilities beyond more traditional methods. The aim of this workshop is to bring together the research accomplishments provided by researchers from academia and industry. The other goal is to show the latest research results in the field of nature-inspired STAR aspects in computing and communications.
Topics of interest include, but are not limited to:
- Nature-inspired anomaly and intrusion detection
- Adaptation algorithms
- Biometrics
- Nature-inspired algorithms and technologies for STAR
- Biomimetics
- Artificial Immune Systems
- Adaptive and Evolvable Systems
- Machine Learning, neural networks, genetic algorithms for STAR
- Nature-inspired analytics and prediction
- Cognitive systems
- Sensor and actuator networks and systems
- Information hiding solutions (steganography, watermarking) for network traffic
- Cooperative defense systems
- Cloud-supported nature-inspired STAR
- Theoretical development in heuristics
- Management of decentralized networks
- Nature-inspired algorithms for dependable networks
- Platforms for STAR services
- Diversity in computing and communications
- Survivable and sustainable systems
- STAR management systems
- Autonomic cyber defenses

-------------------------------------------------------------------------
SADFE 2018
12th International Workshop on Systematic Approaches to Digital Forensics
Engineering, Co-located with 39th IEEE Symposium on Security and Privacy
(IEEE S&P 2018), San Francisco, CA, USA, May 24, 2018.
(Submissions Due 16 January 2018)
http://sadfe.org/cfp/

SADFE (Systematic Approaches to Digital Forensic Engineering) promotes systematic approaches to digital forensic investigation on failures of today's cyber systems and networks. SADFE furthers Digital Forensic Engineering (DFE) advancement as a disciplined and holistic scientific practice. The 12th International Conference on Systematic Approaches to Digital Forensic Engineering (SADFE) is calling for paper submissions in the broad field of Digital Forensics from both practitioners' and researchers' perspectives.
With the dynamic change and rapid expansion of the types of electronic devices, networked applications, and investigation challenges, systematic approaches for automating the process of gathering, analyzing and presenting digital evidence are in unprecedented demand. The SADFE conference aims at promoting solutions for related problems. Past speakers and attendees of SADFE have included computer scientists, social scientists, forensic practitioners, lawyers and judges. The synthesis of hard technology and science with social science and practice forms the foundation of this conference. Papers focusing on any of the system, legal, or practical aspects of digital forensics are solicited. Topics to be Addressed:
- Digital Data and Evidence Management: advanced digital evidence discovery, collection, management, storage and preservation
- Digital Evidence, Data Integrity and Analytics: advanced digital evidence and digitized data analysis, correlation, and presentation
- Forensics of embedded or non-traditional devices (e.g. digicams, cell phones, SCADA, obsolete storage media)
- Forensic and digital data integrity issues for digital preservation and recovery
- Scientific Principle-Based Digital Forensic Processes: systematic engineering processes supporting digital evidence management which are sound on scientific, technical and legal grounds
- Legal/technical aspects of admissibility and evidence tests
- Legal, Ethical and Technical Challenges

-------------------------------------------------------------------------
HotSoS 2018
5th Annual Hot Topics in the Science of Security Symposium, Raleigh,
North Carolina, USA, April 10-11, 2018. (Submissions Due 17 January 2018)
https://cps-vo.org/group/hotsos/cfp

HoTSoS draws together researchers, practitioners, and thought leaders from government, industry, and academia. The conference provides a forum for dialogue centered upon the development and advancement of scientific foundations in cybersecurity.
The technical emphasis of HoTSoS is on scientific methods, data gathering and analysis, experimental approaches, mathematical models, and the interactions among those approaches to build a foundational science of security. The HoTSoS vision is one of engaging and growing a community - including researchers and skilled practitioners from diverse disciplines - that is focused around the advancement of scientific methods. We invite submissions on any topic related to science of security that aligns with the conference scope and goals listed above. The 2018 HoTSoS will highlight the following themes:
- Scalability and composability in the construction of secure systems
- Policy-governed collaboration for handling data across different domains of authority while ensuring security and privacy
- Security metrics to guide choice-making in security engineering and response
- Resilient architectures that can deliver service despite compromised components
- Analysis of human behavior, including modeling users, operators, and adversaries, to support improved design and analysis
- Foundational research related to privacy that allows for the ability to use (i.e., collect, store, and share) data in accordance with requirements
- Foundations for the security of cyber-physical systems, including applications to the Internet of Things

-------------------------------------------------------------------------
USENIX Security 2018
27th USENIX Security Symposium, Baltimore, MD, USA, August 15-17, 2018.
(Submissions Due 8 February 2018)
https://www.usenix.org/conference/usenixsecurity18

The USENIX Security Symposium brings together researchers, practitioners, system administrators, system programmers, and others interested in the latest advances in the security and privacy of computer systems and networks. All researchers are encouraged to submit papers covering novel and scientifically significant practical works in computer security.
USENIX Security is interested in all aspects of computing systems security and privacy. Papers without a clear application to security or privacy, however, will be considered out of scope and may be rejected without full review.

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two ways to subscribe:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe".
   OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".
   OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way.
It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy (or other TCs) by completing the on-line form at IEEE at
https://www.computer.org/web/tandc/technical-committees

______________________________________________________________________
TC Conference Publications Online
______________________________________________________________________

The proceedings of previous conferences are available from the Computer Society's Digital Library.

IEEE Security and Privacy Symposium
IEEE Computer Security Foundations
IEEE European Security and Privacy Symposium

From 2012 onward, these are available without charge from the digital library 12 months after the conference.

____________________________________________________________________________
TC Officers and SP Steering Committee
____________________________________________________________________________

Chair:
Ulf Lindqvist
SRI International
Menlo Park, CA
ulf.lindqvist@sri.com

Security and Privacy Symposium Chair Emeritus:
Kevin R. B. Butler
University of Florida
oakland17-chair@ieee-security.org

Vice Chair:
Sean Peisert
UC Davis and Lawrence Berkeley National Laboratory
speisert@ucdavis.edu

Treasurer:
Yong Guan
3219 Coover Hall
Department of Electrical and Computer Engineering
Iowa State University, Ames, IA 50011
(515) 294-8378
yguan (at) iastate.edu

Security and Privacy Symposium, 2018 Chair:
Jason Li
Intelligent Automation
oakland18-chair@ieee-security.org

Newsletter Editor and TC Awards Chair:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

____________________________________________________________________________
BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year