                                 CIPHER
============================================================================
   Newsletter of the IEEE Computer Society's TC on Security and Privacy
                        Electronic Issue 150
                           July 22, 2019

              Hilarie Orman, Editor          Sven Dietrich, Assoc. Editor
     cipher-editor @ ieee-security.org   cipher-assoc-editor @ ieee-security.org

           Sven Dietrich                          Yong Guan
        Book Review Editor                     Calendar Editor
  cipher-bookrev @ ieee-security.org     cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year

Contents:

* Letter from the Editor
* Commentary and Opinion and News
    o News items
      - US Can Improve Russia's Dark Skies
      - We hacked, we did not hack, we may have hacked
      - What's in Presidential Memorandum 13?
      - This is Your Mac on Zoom: It's Always On!
      - Losing Face Only Costs $5B USD
      - The name is Equifax, the fine is for some hacks
      - Addicted to Data, the NSA Theft Reveals Hoarding Disease
    o Book reviews, Conference Reports and Commentary and News items
      from past Cipher issues are available at the Cipher website
* List of Computer Security Academic Positions, by Cynthia Irvine
* Conference and Workshop Announcements
    o (the announcements are not included this month, please visit
      our website)
* Staying in Touch
    o Information for subscribers and contributors
    o Recent address changes
* Links for the IEEE Computer Society TC on Security and Privacy
    o Becoming a member of the TC
    o TC Officers
    o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

This month's Cipher is short and newsy. It is summer time, and the
conference circuit is in full swing.
Researchers socialize and revitalize their deep thoughts in conference
season, and then return to the tough job of generating new papers in the
fall. More and more conferences, including the venerable Security and
Privacy Symposium, are switching to a continuous paper submission model,
which gives the academic workflow some leeway, but puts more pressure on
reviewers. Whatever your role in this process may be, Cipher wishes you
an enjoyable summer.

A few of our news articles this month concern the US Cyber Command and
Presidential Memorandum 13. The issue is the reality of offensive cyber
operations by the US against foreign countries. We know very little
about these operations, but hints have been leaked about infiltrating
Russia's power grid.

This has caused me to think about the rapid pace of technology and its
effect on how we think about the world. Computers are assets integral to
the functioning of government and society, computer communication
enables world-wide human communication, computers create an amorphous
and essential virtual world of data and processing. Now computers are
the subject of warfare, the means of warfare, the province of policy,
negotiations, and treaties. That's just 60 years from calculating tool
to world linchpin. With that kind of rapid change, can we say that we
understand the ramifications of cyberwar? It seems unlikely, given that
we cannot even guarantee the integrity of something as important as
elections. Something to think about during these equinox months.

The Cipher monthly parody of a work that has nothing to do with
computer security until its words are twisted:

                          Moscow Nights
             (from an American to his Russian lover)

    Even whispers aren't heard in the garden,
    Everything has died down without power.
    If you only knew how dear to me
    Are these Moscow nights.

    The river moves, unmoving,
    All in silver moonlight.
    A song is heard, yet unheard,
    In these silent nights.

    Why do you, dear, look askance,
    With your head lowered so?
    Do you suspect, should I confess,
    I hacked Moscow's power grid?

    I wanted us to be alone
    In the darkened garden.
    No lights, no Internet,
    Just a summer, Moscow night.

(My apologies to Mikhail Matusovsky)

      Hilarie Orman
      cipher-editor @ ieee-security.org

====================================================================
News Briefs
====================================================================

US Can Improve Russia's Dark Skies

U.S. Escalates Online Attacks on Russia's Power Grid
https://www.nytimes.com/2019/06/15/us/politics/trump-cyber-russia-grid.html
New York Times
By David E. Sanger and Nicole Perlroth
June 15, 2019

Summary:
Last year the US military organization Cyber Command was given new
authorities through National Security Presidential Memorandum 13. That
document is said to allow the Command more leeway on conducting
offensive cyber ops without presidential approval. Recently, unnamed US
officials said that the US planted computer code in Russian power grid
computers. The implication seems to be that the US is establishing its
ability to control those systems. "It has gotten far, far more
aggressive over the past years," said one official, speaking of
offensive capabilities.

-------

We hacked, we did not hack, we may have hacked

Trump accuses New York Times of 'virtual treason' over Russia cyber
warfare report
https://www.theguardian.com/us-news/2019/jun/16/trump-new-york-times-virtual-treason-report-digital-incursion-into-russia
The Guardian
June 16, 2019

Summary:
Following the New York Times story about US offensive cyber operations
against Russia's power grid, Trump used Twitter to object to the story,
tweeting that the accusations were "not true", calling the media
"corrupt" and journalists "the enemy of the people". Nonetheless, the
story apparently had the approval of the National Security Council. The
release of the information may be intended as a warning to Moscow.

-------

What's in Presidential Memorandum 13?
Trump is rattling sabers in cyberspace -- but is the U.S. ready?
While cyber defenses are improving, some experts worry about how the
U.S. would recover from an even larger strike.
Politico
By Michael B. Farrell, Tim Starks and Gavin Bade
07/13/2019

Summary:
US Congressional members have become concerned about the secrecy
surrounding US moves into offensive cyber operations. Rep. Jim Langevin
(D-R.I.) is concerned about the stability of cyberspace, and is seeking
to compel the administration to release Presidential Memorandum 13,
which addresses the operations. "This is my first time in 19 years of
Congress that a document this major has not been provided to Congress.
I can't understand what the hold up is," Langevin said.

---------------------------

This is Your Mac on Zoom: It's Always On! (2 stories)

Confirmed: Zoom Security Flaw Exposes Webcam Hijack Risk, Change
Settings Now
https://www.forbes.com/sites/zakdoffman/2019/07/09/warning-as-millions-of-zoom-users-risk-webcam-hijack-change-your-settings-now/#4d9b22f42d9f
Forbes
by Zak Doffman

Silent Mac update nukes dangerous webserver installed by Zoom
Fix also requires users to confirm they want to join a Zoom conference.
https://arstechnica.com/information-technology/2019/07/silent-mac-update-nukes-dangerous-webserver-installed-by-zoom/
Ars Technica
Dan Goodin
7/9/2019

Summary:
These two articles describe a flaw that existed in a popular,
easy-to-use videoconferencing app. The videoconferencing app Zoom
opened a major security flaw when installed on Apple Macs, one that was
disturbingly difficult to avoid until the Zoom developers took it
seriously and pushed an update to all users. The Zoom app is
characterized by one-click meeting join, and this feature requires a
server process to be running all the time. The server could be forced
to join a conference without any user intervention.
More disturbingly, unless the user had thought to disable the "start
with video on" option, the user's camera would start broadcasting to
the conference, all without the user's direct intervention. As yet
another security shock, even uninstalling the app would not get rid of
the server, and other machines on the same local network could force
the machine to reinstall the app. Seeking to preserve the app's ease of
use, the developers at first sought to inform users about changing
their default video setting, but finally changed the server so that
there is always a prompt requiring user confirmation before joining a
conference. The update also allows the server to be deleted from the
system when uninstalling the app.

----------------------

Losing Face Only Costs $5B USD

The US government is fining Facebook $5 billion for privacy violations,
and Wall Street thinks that's great news
Because a $5 billion fine won't change Facebook's business. At all.
https://www.vox.com/recode/2019/7/12/20692434/facebook-5-billion-fine-ftc-privacy-regulation
VOX
By Peter Kafka
Jul 12, 2019

Summary:
The FTC will fine Facebook about 25% of its current yearly profit for
improperly disclosing user data to third parties such as Cambridge
Analytica. This caused Facebook shares to rise, presumably because the
company had already planned for the payment, and its yearly income
continues to increase. Although the company will have to work harder to
assure the government that it stays within the boundaries of privacy
laws, there are no new restrictions on sharing data with third parties.
------------------------

The name is Equifax, the fine is for some hacks (2 stories)

Equifax Nears $700 Million Settlement of Probes Into Data Breach
https://www.bloomberg.com/news/articles/2019-07-20/equifax-nears-700-million-settlement-of-probes-into-data-breach
Bloomberg
By David McLaughlin
July 19, 2019, 6:17 PM MDT

Equifax to Pay Around $700 Million to Resolve Data-Breach Probes
Credit-reporting firm nears deal to settle investigations into 2017
hack that exposed millions of Americans' personal data
https://www.wsj.com/articles/equifax-to-pay-around-700-million-to-resolve-data-breach-probes-11563577702
The Wall Street Journal
By AnnaMaria Andriotis
July 19, 2019

Summary:
Equifax is apparently going to face a US fine of $700 million for
disclosing personal data of 150 million US customers (about half the
country's population). Despite the outrage about this two years ago,
Congress has failed to enact any new legislation protecting user
privacy. See the FTC consumer information page
https://www.consumer.ftc.gov/blog/2019/07/equifax-data-breach-settlement-what-you-should-know
for their plans to create a site for filing consumer claims to be paid
from this settlement.

------------

Addicted to Data, the NSA Theft Reveals Hoarding Disease

N.S.A. Contractor Who Hoarded Secrets at Home Is Sentenced to Nine
Years in Prison
https://www.nytimes.com/2019/07/19/us/politics/hal-martin-nsa-sentence.html
New York Times
By Scott Shane
July 19, 2019

Summary:
Hal Martin worked for NSA. Being a hard worker, maybe even an obsessive
worker, he took his work home with him. NSA employees aren't supposed
to do that, but Mr. Martin loved his work. A little data here, a thumb
drive there, and pretty soon he was holding onto a boatload of bytes.
Apparently his hoard was never divulged, stolen, or hacked. Still, it
was a crime for which he will serve time in prison. Time already served
will count.
---------------

News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html

====================================================================
Listing of academic positions available by
Cynthia Irvine
====================================================================

Nothing new since Cipher E149 (May).

http://cisr.nps.edu/jobscipher.html

--------------
This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like
to have it included on this page, send the following information:
Institution, City, State, Position title, date position announcement
closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Conference and Workshop Announcements
Upcoming Calls-For-Papers and Events
====================================================================

Usually we include the lists of current events, but we are skipping it
this month. Please visit the website for the complete event lists, or
follow our Twitter feed ciphernews.

The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Cipher calendar entries are announced on Twitter; follow ciphernews

Requests for inclusion in the list should be sent per instructions:
http://www.ieee-security.org/Calendar/submitting.html

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1.
   To receive the full ascii CIPHER issues as e-mail, send e-mail to
   cipher-admin@ieee-security.org (which is NOT automated) with subject
   line "subscribe".

   OR send a note to cipher-request@mailman.xmission.com with the
   subject line "subscribe" (this IS automated - thereafter you can
   manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER
   is available for Web browsing send e-mail to
   cipher-admin@ieee-security.org (which is NOT automated) with subject
   line "subscribe postcard".

   OR send a note to cipher-postcard-request@mailman.xmission.com with
   the subject line "subscribe" (this IS automated - thereafter you can
   manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to
cipher-admin@ieee-security.org with subject line "unsubscribe" or
"unsubscribe postcard" or, if you have subscribed directly to the
xmission.com mailing list, use your password (sent monthly) to
unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that
way. It can be found at URL

http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a
NEWSletter, not a bulletin board or forum. It has a fixed set of
departments, defined by the Table of Contents. Please indicate in the
subject line for which department your contribution is intended.
Calendar and Calls-for-Papers entries should be sent to
cipher-cfp @ ieee-security.org and they will be automatically included
in both departments. To facilitate the semi-automated handling, please
send either a text version of the CFP or a URL from which a text
version can be easily obtained. For Calendar entries, please include a
URL and/or e-mail address for the point-of-contact.
For Calls for Papers, please submit a one paragraph summary. See this
and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS
APPLY. All reuses of Cipher material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy,
publications using Cipher material should obtain permission from the
contributors.

____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on
Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy (or other TCs) by
completing the on-line form at IEEE at
https://www.computer.org/web/tandc/technical-committees

______________________________________________________________________
TC Conference Publications Online
______________________________________________________________________

The proceedings of previous conferences are available from the
Computer Society's Digital Library.

IEEE Security and Privacy Symposium
IEEE Computer Security Foundations
IEEE European Security and Privacy Symposium

From 2012 onward, these are available without charge from the digital
library 12 months after the conference.
____________________________________________________________________________
TC Officers and SP Steering Committee
____________________________________________________________________________

Chair:                                  Security and Privacy Symposium
Sean Peisert                            Chair Emeritus:
UC Davis and                            Jason Li
Lawrence Berkeley National Laboratory   Intelligent Automation
speisert@ucdavis.edu                    oakland18-chair@ieee-security.org

Vice Chair:                             Treasurer:
Ulfar Erlingsson                        Yong Guan
Manager, Security Research              3219 Coover Hall
Google                                  Department of Electrical and
tcchair at ieee-security.org              Computer Engineering
                                        Iowa State University, Ames, IA 50011
                                        (515) 294-8378
                                        yguan (at) iastate.edu

Newsletter Editor                       Security and Privacy Symposium,
Hilarie Orman                           2019 Chair:
Purple Streak, Inc.                     Mark Gondree
500 S. Maple Dr.                        Sonoma State University
Woodland Hills, UT 84653                oakland19-chair@ieee-security.org
cipher-editor@ieee-security.org

TC Awards Chair
EJ Jung
UCSF
ejun2 @ usfca.edu
https://www.usfca.edu/faculty/eunjin-ej-jung

____________________________________________________________________________

BACK ISSUES:

Cipher is archived at: http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year