============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 157                                  September 21, 2020

Hilarie Orman, Editor                       Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org   cipher-assoc-editor @ ieee-security.org

Sven Dietrich                               Yong Guan
Book Review Editor                          Calendar Editor
cipher-bookrev @ ieee-security.org          cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year

Contents:

* Letter from the Editor
* Commentary and Opinion and News
  o Sven Dietrich's review of "The Ghidra Book - The Definitive Guide"
    by Chris Eagle and Kara Nance
  o Book reviews, Conference Reports and Commentary and News items from
    past Cipher issues are available at the Cipher website
  o Recent News Headlines
    - To Be Admin, Reset the Password
    - Ransomware Evolves and Prospers (history, evolution, and recent
      uses of ransomware)
    - Tools for the Good Guys
    - Research Frontiers: Running in the Dark
    - Phishing Trumps Encryption
* List of Computer Security Academic Positions, by Cynthia Irvine
* Conference and Workshop Announcements
  o Upcoming calls-for-papers and events
* Staying in Touch
  o Information for subscribers and contributors
  o Recent address changes
* Links for the IEEE Computer Society TC on Security and Privacy
  o Becoming a member of the TC
  o TC Officers

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

As we continue to hear mostly upbeat news about the prospects for a COVID-19 vaccine, Cipher can mirror this with news about progress in building tools and systems for white hat use and about progress in understanding the complex nature of Spectre-type attacks when combined with code reuse. Sven Dietrich's book review shows that reverse engineering with the Ghidra tool brings the black art of understanding binaries ever more firmly within the grasp of good practitioners.

The US presidential election is careening into the dire possibility of security and reliability problems. Will the absentee ballots run the gauntlet of the US Postal Service? Are the computer systems used for voting and tabulation secure? Are the voter registration rolls securely maintained? And how can we tell a conspiracy theory from a legitimate news story? These are interesting research questions, but the voting process has already begun, and we are urged to vote as though lives depend on it. Two months from now, the next Cipher issue may be rife with news of unresolved problems stemming from these questions.

Due to pandemic disruption, most technical conferences are trying to be flexible about planning events in 2021. Gatherings in person might happen, but preparations for virtual-only are a necessity through at least next summer. First wave, second wave, third wave, ... who knows how many waves will sweep around the globe before a cough in a public place ceases to cause alarm?

It has been a year of calamity, and this has led me to my closing piece of literature, this time without any parody:

    The burden of four seasons. Rain in spring,
    White rain and wind among the tender trees;
    A summer of green sorrows gathering,
    Rank autumn in a mist of miseries,
    With sad face set towards the year, that sees
    The charred ash drop out of the dropping pyre,
    And winter wan with many maladies;
    This is the end of every man's desire.
    From "A Ballad of Burdens" by Algernon Charles Swinburne

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Sven Dietrich
9/20/2020
____________________________________________________________________

"The Ghidra Book - The Definitive Guide", by Chris Eagle and Kara Nance
No Starch Press 2020.
ISBN-13: 978-1-71850-102-7 (print), ISBN-13: 978-1-71850-103-4 (ebook)
XXV, 580 pages

When the National Security Agency Research Directorate released the Ghidra reverse engineering tool, at version 9.0 in its initial public release, it became apparent that it was a mature tool. It is also free. The existence of Ghidra, pictured by its mythical red dragon figure, had been revealed by WikiLeaks in 2017, but the declassification and publication of the tool did not occur until two years later, in March 2019.

It also became clear that Ghidra would compete with the big kid on the block, namely "The IDA Pro Book, 2nd Edition: The Unofficial Guide to the World's Most Popular Disassembler". So it is not surprising that Chris Eagle, the author of the seminal IDA Pro book (which has been my author-signed reverse engineering bible to date), would co-author "The Ghidra Book" with the well-known computer security expert Kara Nance, published this month with No Starch Press in a roundabout 600-page volume. The book is aimed at aspiring and experienced reverse engineers alike, and it will please practitioners as well as students of the trade, whether in a software security course at a university or in a professional seminar.
The reverse engineering world is a fascinating one: an analyst is undoing the work of compilers and assemblers, creating something that describes the functionality of the binary program that is being scrutinized by transforming it into a disassembled, intermediate, or even decompiled form. In the early days that meant a lonely task: a former colleague, whose main job function was to reverse engineer malware manually while sitting with three large monitors in a mostly dark office, would keep the Windows Internals book series handy as bedtime reading. Back then it was acceptable to take a few weeks to reverse engineer a piece of malware. Nowadays we need better and faster situational awareness, and we need much better tools. This book will help the reader understand and navigate the set of Ghidra tools that make reverse engineering possible not just as a lone hunter, but also as a collaborative, structured team with specific roles divided amongst it.

The book is divided into five parts, for a total of 23 chapters, followed by an appendix. The book is illustrated with helpful Ghidra screenshots and code samples. The latter are available from a book companion website for those readers whose curiosity has been piqued and can't wait to just try it out. The five parts are, in order, 'Introduction', 'Basic Ghidra,' 'Making Ghidra work for you,' 'A Deeper Dive,' and 'Real-world Applications,' followed by an appendix called 'Ghidra for IDA Pro Users.'

In the first part 'Introduction', the reader learns the basics of the field. For the first chapter 'Introduction to Disassembly,' this means grasping the proper context of programming languages from machine languages to higher forms such as FORTRAN, C/C++ or Java, and understanding that the compilation process is lossy, which makes the job of the reverse engineer, who has to reverse that process, a challenging task.
For the second chapter, 'Reversing and Disassembly Tools,' the reader recognizes that there are two classical disassembly techniques, namely Linear Sweep and Recursive Descent, plus a few ways of expressing the disassembled code, such as the AT&T and Intel notation variants. The first part wraps up with a quick introduction to Ghidra.

The second part 'Basic Ghidra Usage' contains seven chapters that explain the basics of Ghidra, such as data displays (i.e. how you view the disassembly), untangling a Ghidra disassembly and how to manipulate it to your liking. Further chapters discuss data types that come with each programming language, as well as data structures, and capturing cross-references in a program, as well as graphs as a more or less simple way of displaying what a program does. In the end, the reader will realize that Ghidra is a database that allows you to label the code incrementally, sometimes automagically, as you move along. The basics explained here include initial guidance on accepting recommendations for code identification, such as processor type, bitness (16/32/64), or even compiler types that may have generated the binary program.

In the third part, 'Making Ghidra Work For You,' the authors explore the above-mentioned collaborative software reverse engineering across multiple analysts' devices, and customization (Ghidra is available in source form and can be adjusted to taste). Customization can include extending the worldview, such as improving the automagic labeling and function identification in the binary, and basic scripting for repeated or repetitive tasks. Moreover, one chapter discusses the integration of the Eclipse IDE of Java fame using the GhidraDev plugin. Last but not least in this part, the authors guide the reader on the headless (dragon?) mode, to be used when a GUI is not needed (as in scripting mode).
For the fourth part 'A Deeper Dive,' the book goes even further into the nitty gritty of Ghidra, looking at Ghidra loaders for when Ghidra is at wit's end, say in the case of shellcode without proper program headers. Another chapter looks at Ghidra processors, for the (unlikely) event the reader may have to write their own processor definition for a firmware image running on an embedded processor that is not included in the Ghidra library. That chapter also mentions p-code or intermediate representation (IR), with an intermediate language (IL), an important concept found in the common reverse engineering and security literature. The authors also mention the Ghidra Decompiler, which builds on p-code among other things, and the challenges that may occur when dealing with Compiler Variations that can throw the analyst off.

In the last part, 'Real-world Applications,' the real fun stuff (well, ok, slightly biased, so for me it's fun) awaits: a discussion of Ghidra use in the context of Obfuscated Code Analysis such as anti-static analysis techniques (e.g. opcode obfuscation, dynamic target computation, control flow obfuscation) and anti-dynamic-analysis techniques (virtualization detection, debugging detection). They also mention Patching Binaries, for when the reader may want to modify a program for a variety of reasons (remove debugging, bypass system checks, phoning home), and Binary Differencing and Version Tracking for understanding the lineage of a malware family. The latter is an especially welcome feature for readers who are fans of the IDA Pro bindiff tool.

The book wraps up with an Appendix on 'Ghidra for IDA Pro Users,' for those die-hards who got used to another framework of thinking about reverse engineering and want to explore a new world, as this maps the concepts from the other (IDA Pro) world to the Ghidra world discussed in the book.
Chris Eagle and Kara Nance have delivered a very readable and hands-on book on reverse engineering using a publicly available tool. As Chris Eagle's book on IDA Pro has had a steady spot on my bookshelf, this well-written book will also find its spot on the same bookshelf in my new office. I enjoyed reading this book by the Eagle-Nance team that is bound to make the black art of reverse engineering more accessible.

------------
Sven Dietrich reviews technology and security books for IEEE Cipher. He welcomes your thoughts at spock at ieee dot org.

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

http://cisr.nps.edu/jobscipher.html

--------------
This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

------------------------------------
To Be Admin, Reset the Password

New Windows exploit lets you instantly become admin. Have you patched?
Zerologon lets anyone with a network toehold obtain domain-controller password.
https://arstechnica.com/information-technology/2020/09/new-windows-exploit-lets-you-instantly-become-admin-have-you-patched/
Ars Technica
By Dan Goodin
9/14/20

Summary: An examination of a legacy login procedure for Windows domain-controllers led to the discovery of a vulnerability based on exploitation of the cryptography in the authentication.
Anyone with access to the local network of the controller could easily reset the admin password to a value of their choice and then log in as admin. Although the LAN itself might be protected, thus limiting the number of people who could execute the exploit, it is still a worrisome loophole in security.

-----------------------
Tom Tervoort of Secura has published a whitepaper with a description of the exploit at https://www.secura.com/pathtoimg.php?id=2055

-----------------------------------------------------------------------------
Ransomware Evolves and Prospers

Ransomware turns out to be an effective cash-raising tool when used for extortion, as the following articles demonstrate.

-------------------
A Short History of Ransomware

30 years of ransomware: How one bizarre attack laid the foundations for the malware taking over the world.
In December 1989 the world was introduced to the first ever ransomware - and 30 years later ransomware attacks are now at crisis levels.
https://www.zdnet.com/article/30-years-of-ransomware-how-one-bizarre-attack-laid-the-foundations-for-the-malware-taking-over-the-world/
ZDNET
By Danny Palmer
December 19, 2019

Summary: The first ransomware attack was easily countered, but the technique has evolved into an effective tool for sabotage and extortion. BitCoin's nearly anonymous nature was a boon to attackers. Victims were forced to pay and leave identification of the perpetrators to law enforcement. The international reach of malware makes recovery of the money highly unlikely, and even when the criminals are identified, their country of residence may decline to act against them.

--------------------
Ransomware Trends in 2020

https://www.zdnet.com/article/ransomware-huge-rise-in-attacks-this-year-as-cyber-criminals-hunt-bigger-pay-days/
Ransomware: Huge rise in attacks this year as cyber criminals hunt bigger pay days.
Researchers warn of a seven-fold rise in ransomware attacks compared with last year alone - and attackers are continually evolving their tactics.
ZDNet
By Danny Palmer
9/9/20

Summary: Ransomware technology is always changing with the times, and each year brings in new fashions and greater effectiveness. One group allegedly made enough money to retire from the game. Beyond simply encrypting files, some attackers have noticed that they have access to sensitive material of their victims. Threats to release the data can be more lucrative than the attempt to deny access through encryption. Thus, even if the victim is able to restore the data without paying the ransom, they still have to deal with the loss of data privacy.

--------------------
Saved the Files but Paid the Extortion

University of Utah pays more than $450,000 in ransomware attack on its computers
https://www.sltrib.com/news/2020/08/21/university-utah-pays-more/
The Salt Lake Tribune
By Scott D. Pierce
8/21/20

Summary: The University of Utah's College of Social and Behavioral Science had their computers hacked in mid-July. Although they detected the attack quickly and were able to stop it and restore data, they found themselves subjected to extortion because the hackers seemed to have captured sensitive data about students and staff. The Tribune says ... after "careful consideration" - the ransom was paid "as a proactive and preventive step to ensure information was not released on the internet."

--------------------
Evil's Harmin' Garmin

Ransomware attack on Garmin thought to be the work of 'Evil Corp'
Russian cybercrime gang is believed to be responsible for taking Garmin services offline
https://www.theguardian.com/technology/2020/jul/27/ransomware-attack-on-garmin-thought-to-be-the-work-of-evil-corp
The Guardian
By Alex Hern
7/27/20

Summary: Garmin may have paid as much as $10M to recover from a ransomware attack that kept it offline for 3 days.
The culprits are suspected to be the highly effective Russian-based 'Evil Corp' using the WastedLocker software. That software was first detected in May of this year. The attacks have been carefully targeted against large businesses and their critical infrastructure servers. The backup services are also targeted, making independent recovery difficult or impossible. The infection may have been initiated by malware stored on corrupted newspaper websites. At least one such site was a US publisher, according to Symantec.

------------------------------------------------------------------------------
Tools for the Good Guys

New MITRE project to provide free emulation plans that mimic major threat actors in order to train and help defenders.
MITRE releases emulation plan for FIN6 hacking group, more to follow
https://www.zdnet.com/article/mitre-releases-emulation-plan-for-fin6-hacking-group-more-to-follow/
ZDNet
By Catalin Cimpanu
9/15/20

Summary: Recognizing and responding to a cyberattack requires knowledge and skills that are best learned through training. To get a realistic environment for this, MITRE is building an open-source, configurable software environment. Named the Adversary Emulation Library, the project is the work of MITRE Engenuity's Center for Threat-Informed Defense. MITRE Corporation previously released two other emulation plans, the first for APT3 (Chinese state-sponsored hacking group) in 2017, and a second one for APT29 (Russian state-sponsored hacking group) earlier this year in 2020. The first malware system modeled by the Adversary Emulation Library is the FIN6 system that has had success in attacking point-of-sale systems.
------------------------------------------------------------------------------
Research Frontiers: Running in the Dark

Speculative Probing: Hacking Blind in the Spectre Era
https://www.vusec.net/projects/blindside/
VUSec (the Systems and Network Security Group at Vrije Universiteit Amsterdam)
Announcement of research paper accepted for CCS 2020
9/9/20

Summary: There are some very clever ways to exploit side effects of CPU instruction execution, and there are clever ways to abuse software if there is even a single error that allows "jump random". These are difficult to eliminate, but modern kernels and loaders and run-time detection schemes have risen to the occasion with mitigation methods. Along comes a new technique, Blindside, that weaves its way unscathed. How? The authors make this important assertion: "Our results show that it is crucial to consider synergies between different (Spectre vs. code reuse) threat models to fully comprehend the attack surface of modern systems."

Full paper at https://download.vusec.net/papers/blindside_ccs20.pdf

------------------------------------------------------------------------------
Phishing Trumps Encryption

Iranian Hackers Found Way Into Encrypted Apps, Researchers Say
Reports reveal that hackers have been secretly gathering intelligence on opponents of the Iranian regime, breaking into cellphones and computers and outsmarting apps like Telegram.
https://www.nytimes.com/2020/09/18/world/middleeast/iran-hacking-encryption.html
New York Times
By Ronen Bergman and Farnaz Fassihi
9/18/20

Summary: This story is about the increasing competency of Iranian cyberhackers and their ability to infiltrate the devices of their enemies without detection. The methods themselves are the usual sort of things that prompt users to download code or grant permissions to untrustworthy apps. Nonetheless, it shows that governments around the world are increasingly turning to cyberhacking for maintaining their own interests.
-----------------------------
Checkpoint report on "RampantKitten" at https://blog.checkpoint.com/2020/09/18/rampantkitten-an-iranian-surveillance-operation-unraveled/

====================================================================
Conference and Workshop Announcements
====================================================================

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Cipher calendar entries are announced on Twitter; follow ciphernews

Requests for inclusion in the list should be sent per instructions:
http://www.ieee-security.org/Calendar/submitting.html

--------------
42nd IEEE Symposium on Security and Privacy, San Francisco, CA, USA, SP 2021
May 23-27, 2021.
Submission dates: 5 March, 2020, 4 June, 2020, 3 September 2020, and 3 December, 2020
https://www.ieee-security.org/TC/SP2021/cfpapers.html

13th International Conference on Security for Information Technology and Communications, SECICT 2020
Bucharest, Romania, November 19-20, 2020.
Submission date: 20 September 2020
http://www.secitc.eu/

IET Image Processing, Special Issue on Recent Trends in Multimedia Analytics and Security
Submission date: 1 October 2020
https://digital-library.theiet.org/files/IET_IPR_CFP_RTMAS.pdf

CODASPY 2021
11th ACM Conference on Data and Application Security and Privacy, Baltimore-Washington, DC Area, USA, March 22-24, 2021.
Submission date: 1 October 2020 (see CFP for abstract info)
http://www.codaspy.org/2021/

IEEE SP/SPW 2021, IEEE Security and Privacy Workshops, Held in conjunction with the 42nd IEEE Symposium on Security and Privacy, San Francisco, CA, USA, May 23-27, 2021.
Workshop Proposal Submission Due 2 October 2020
https://www.ieee-security.org/TC/SP2021/cfworkshops.html

USENIX Security 2021
30th USENIX Security Symposium, Vancouver, B.C., Canada, August 11–13, 2021.
Submission date: 11 June, 2020, 15 October 2020, and 4 February, 2021
https://www.usenix.org/conference/usenixsecurity21/call-for-papers

17th Annual IFIP WG 11.9 International Conference on Digital Forensics, IFIP119-DF 2021
SRI International, Arlington, Virginia, USA, February 1-2, 2021.
Submission date: 18 October 2020
http://www.ifip119.org/Conferences/

Journal of Information Security and Applications, Special Issue on Security and Privacy in D2D-aided Fog Computing Environment: Current Progress and Future Challenge
Submission date: 15 November 2020
https://www.journals.elsevier.com/journal-of-information-security-and-applications/call-for-papers/security-and-privacy-in-d2d-aided-fog-computing-environment

IEEE Transactions on Dependable and Secure Computing, Special Issue on Explainable Artificial Intelligence for Cyber Threat Intelligence (XAI-CTI) Applications
Submission date: 1 December 2020
https://www.computer.org/digital-library/journals/tq/call-for-papers-special-issue-on-explainable-artificial-intelligence-for-cyber-threat-intelligence-xai-cti-applications

Electronics, Special Issue on Security and Privacy for IoT and Multimedia Services
Submission date: 30 December 2020
https://www.mdpi.com/journal/electronics/special_issues/secure_Iot_multimedia

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1.
   To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe".

   OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".

   OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL
http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact.
For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.

____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy (or other TCs) by completing the on-line form at IEEE at https://www.computer.org/web/tandc/technical-committees

______________________________________________________________________
TC Conference Publications Online
______________________________________________________________________

The proceedings of previous conferences are available from the Computer Society's Digital Library.

  IEEE Security and Privacy Symposium
  IEEE Computer Security Foundations
  IEEE European Security and Privacy Symposium

From 2012 onward, these are available without charge from the digital library 12 months after the conference.
____________________________________________________________________________
TC Officers and SP Steering Committee
____________________________________________________________________________

Chair:
  Ulfar Erlingsson
  Manager, Security Research
  Google
  tcchair at ieee-security.org

Security and Privacy Symposium Chair Emeritus:
  Gabriela Ciocarlie
  SRI International
  oakland20-chair@ieee-security.org

Vice Chair:
  Brian Parno

Treasurer:
  Yong Guan
  Department of Electrical and Computer Engineering
  Iowa State University, Ames, IA 50011
  treasurer@ieee-security.org

Newsletter Editor:
  Hilarie Orman
  Purple Streak, Inc.
  500 S. Maple Dr.
  Woodland Hills, UT 84653
  cipher-editor@ieee-security.org

Security and Privacy Symposium, 2021 Chair:
  Alvaro Cardenas
  University of California, Santa Cruz
  sp21-chair@ieee-security.org

TC Awards Chair:
  EJ Jung
  UCSF
  ejun2 @ usfca.edu
  https://www.usfca.edu/faculty/eunjin-ej-jung

____________________________________________________________________________
BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year