============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 161                                        May 31, 2021

Hilarie Orman, Editor                     Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org         cipher-assoc-editor @ ieee-security.org

Sven Dietrich                             Yong Guan
Book Review Editor                        Calendar Editor
cipher-bookrev @ ieee-security.org        cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year

Contents:

* Letter from the Editor
* Commentary and Opinion and News
  o Sven Dietrich's review of "Security Engineering: A Guide to Building
    Dependable Distributed Systems" by Ross Anderson
  o News Items:
    - File Transfer Appliance Leveraged for Fun and Profit (4 articles)
    - Facebook's Neverending Privacy Failure (2 articles)
    - Emissions Testing Hits 404
    - Fed Chair Looks Deep Into the Eyes of Cyber and Sees the Abyss
    - The FBI is Your Uninvited IT Staff
    - Software Hacks Defeat Oil Infrastructure (4 articles)
    - WiFi's Unfixable Insecurities
    - How Bad Crypto Machines Became Good Business
  o Book reviews, Conference Reports and Commentary and News items from
    past Cipher issues are available at the Cipher website
* List of Computer Security Academic Positions, by Cynthia Irvine
* Conference and Workshop Announcements
  o Upcoming calls-for-papers and events
* Staying in Touch
  o Information for subscribers and contributors
  o Recent address changes
* Links for the IEEE Computer Society TC on Security and Privacy
  o Becoming a member of the TC
  o TC Officers
  o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

Another sterling edition of the Security and Privacy Symposium has come and gone. The virtual event featured over a hundred great research papers and over 1200 registrants from around the world. I had the pleasure of meeting a first-time attendee from India via the "meeting new people" random matching feature of the virtual platform, and that was a very positive experience. I hope the event will be a hybrid one next year. For example, I would have been unable to attend in person this year irrespective of COVID-19, but I greatly enjoyed being a remote attendee.

Many of the news items selected for this issue are about ransomware attacks, especially the one that shut down an oil distribution pipeline in the eastern US. They had been advertising for a high-level cybersecurity position at the time they were hit. I also read an article about the huge number of cybersecurity positions in the US that cannot be filled. When I got started in this field, I hardly imagined that in 2021 we would be trying to throw more and more people at the problem. Does that make sense? Maybe there's something wrong with the way computer systems are paid for and insured.

I predict that the next issue of Cipher will be similarly filled with ransomware stories, but don't let that spoil a marvelous, vaccinated summer!

    Jack and Jill went up the hill,
    To fetch a pail of water.
    But when they got there,
    The pipeline was bare
    Due to ransomware.

    Jack and Jill went back to school
    And trained as cyber warriors.
    Now they spend their days
    Watching screen arrays
    And drinking bottled water.
Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________

Book Review By Sven Dietrich
5/31/21

Security Engineering: A Guide to Building Dependable Distributed Systems
by Ross Anderson
--------------------------------------------------------------------------

Security Engineering: A Guide to Building Dependable Distributed Systems
by Ross Anderson
Wiley Publishing 2020.
ISBN-13: 978-1-119-64278-7 (Hardcover)
1232 pages, Third Edition

We live amid constant reminders in real life about what could have been done better from a computer security perspective. When something goes wrong, we find it is a protocol that is exhibiting an exploitable vulnerability, or a software repository that has been infiltrated with code containing a vulnerability, or a critical infrastructure system held for ransom. One wonders what design principles the system authors and builders had considered to mitigate any compromises or to allow them to continue to function in the presence of those compromises. How can we engineer those solutions, how can we build better systems: more secure, more dependable? One book attempts to provide this background. At over 1200 pages, Ross Anderson's third edition of 'Security Engineering: A Guide to Building Dependable Distributed Systems' is a large update after the first edition in 2001 and the second edition in 2008.
This is a comprehensive book on security engineering, providing anywhere from an introduction to the various subfields of computer and network security to considerations necessary to building secure and resilient real-world systems, and all the way to identifying research problems that remain to be addressed for the topics in each chapter. The book is divided into three parts, with a total of 29 chapters, and contains an extensive bibliography. The first part covers the basics, the second part looks at applications of secure systems, and the third part broadly discusses politics, management, and assurance. Each chapter covers several themed subsections, followed by a chapter summary, a set of research problems, and further reading. The chapters read well and flow easily within themselves as well as from one chapter to the next. While it is a descriptive treatise, not a rigorous mathematical treatment of the various subjects, nonetheless occasional mathematical formulas or charts will pop up inline to illustrate the broad concepts brought forth and to whet the reader's appetite to seek out the original research paper or other references cited.

The first part spans 8 chapters that quickly set the stage for Ross Anderson's approach to the subject matter: 'What is Security Engineering?', 'Who is the Opponent?', 'Psychology and Usability', 'Protocols', 'Cryptography', 'Access Control', 'Distributed Systems', and last but not least 'Economics'. The reader learns about what it means to deal with adversity in the 2020s, identifying the threat models, the pitfalls, and the consequences of not getting security right. The big impact here is from the author's contribution to the security field, the systems view, the psychology and usability aspects, as well as the economics aspects, topics for which the author has organized (or otherwise contributed to) workshops and conferences.
The second part discusses real-world applications of secure systems, covering many decades of security work, from the early days of 'Multilevel Security' and 'Nuclear Command and Control', to 'Advanced Cryptographic Engineering', 'Biometrics' and 'Tamper Resistance' as well as Digital Rights Management in 'Copyright and DRM', to 'Network Attack and Defence', 'Phones', 'Locks and Alarms', just to mention some of the 16 chapters in here. This part is wrapped up with thoughts on 'New Directions' in the field, talking among others about the combination of Machine Learning, Artificial Intelligence and Security and what it means for both attacker and defender sides.

The third part covers politics, management, and assurance in four chapters. Here the reader learns about 'Surveillance or Privacy', 'Secure Systems Development', 'Assurance and Sustainability'. Controversial topics of surveillance versus privacy are brought up in the context of political and technological settings that have affected Internet users for many years, including wiretapping and censorship. Risk quantification and DevSecOps are brought into the picture here as well. This part wraps up with 'Beyond "Computer Says No"', reminding us what Ross Anderson has told us all along in these chapters: think about the big picture, and how does it fit in?

This is a fantastic book for organizing one's thinking about security engineering and design. The reader sees how all the facets fit together in the real world through both scientific references and anecdotes from the last few decades. The depth is provided, should the reader care to delve deeper, through an absolutely impressive bibliography of close to 2100 entries.
The narrative is easy to follow throughout the book, whether the reader is learning about DDoS attacks (always close to my heart), espionage (Snowden's surveillance revelations, for example), security protocol failures, financial transaction protocols, mobile phone security, electronic voting security (very relevant in the last few years), security printing, covert channels, DNS security, deception, or ransomware, among others. The breadth of the topics covered provides a good perspective for appreciating the impact that good (secure?) design can have on real-world systems that surround us. That is even more so relevant now that the Internet has invaded, uh, permeated our homes with Internet-of-Things devices that make our lives more Internet-centric with all the advantages and risks that come with it.

The accessible style of this book and, most importantly, the relevant context of the discussed secure systems, make for one pleasurable reading. While it could be considered a very comprehensive introduction to the idea of security engineering, there are enough timely and thought-provoking musings to keep more advanced readers interested in seeking out the scientific articles providing the adequate depth, hindsight, and foresight.

This book is a must-have if security engineering is your intended field or connected to your field. Ross Anderson did a great job of producing the third edition of 'Security Engineering: A Guide to Building Dependable Distributed Systems' in 2020, a book intended to last for many years. He is a well-known expert in the security field and this overarching treatise makes for one impressive (and heavy!) book. The book is a welcome addition to my bookshelf, to be used as a reference or even textbook in the years to come.

----------------------------------------
Sven Dietrich reviews technology and security books for IEEE Cipher. He welcomes your thoughts at spock at ieee dot org.
====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

------------------------------------------------------------------------------
Privacy vs. Criminal Extortion, The Two-Pronged Ransomware Dilemma (4 articles)

Ransomware group targets universities in Maryland, California in new data leaks
The Clop ransomware group has posted financial documents and passport information allegedly belonging to the University of Maryland and the University of California online.
https://www.zdnet.com/article/ransomware-group-targets-universities-of-maryland-california-in-new-data-leaks/
Publisher: ZDNET
Date: March 30, 2021
By: Charlie Osborne

Summary: One of the many ransomware groups operating today is called "Clop". They have a double-threat attack that exfiltrates files and then encrypts them locally. An organization that can overcome the encryption problem with backups will still be subjected to extortion if any of the files contained sensitive information, such as names and social security numbers or passport data. The University of California Merced, University of Maryland, University of Miami, University of Colorado, and Shell seem to have endured the disclosures rather than pay the extortion demands.

------------------------
File Server Vendor Responds to Exploitation of Legacy Product

Press Release: Accellion Provides Update to FTA Security Incident Following Mandiant's Preliminary Findings
Mandiant Identifies Criminal Threat Actor and Mode of Attacks
https://www.accellion.com/company/press-releases/accellion-provides-update-to-fta-security-incident-following-mandiants-preliminary-findings/
Publisher: Accellion
Date: February 22, 2021

Summary: Accellion published the patches needed to protect its legacy file transfer app from exploitation by ransomware actors.
They emphasize that only a couple of dozen customers suffered significant consequences from the exploit. The four steps in the compromise of the application were:

  - SQL injection via a crafted Host header
  - OS command execution via a local web service call (takes advantage of improper parsing of commands that execute locally)
  - SSRF (server-side request forgery) via a crafted POST request
  - OS command execution via a crafted POST request

------------------------
SQL Injection, the Root of All Evil

Threat Research: Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion
https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html
Publisher: FireEye
Date: February 22, 2021
By: Andrew Moore, Genevieve Stark, Isif Ibrahima, Van Ta, Kimberly Goody

Summary: This is a description from FireEye of the early results from their investigation of the compromise of the Accellion file transfer app. The core of the exploit involved installing a "web shell" that could run arbitrary commands locally. The shell had not been seen before, and the method of delivery was obscure. "... the DEWMODE web shell is written to the system. The timing of these requests suggests that DEWMODE was delivered via the oauth.api web shell; however, the available evidence does not indicate the exact mechanism used to write DEWMODE to disk."

------------------------
Extorters Reveal Company's Intellectual Property

Airplane maker Bombardier data posted on ransomware leak site following FTA hack
https://www.zdnet.com/article/airplane-maker-bombardier-data-posted-on-ransomware-leak-site-following-fta-hack/
Publisher: ZDNET
Date: February 23, 2021
By: Catalin Cimpanu

Summary: One of the users of Accellion's FTA app was an airplane manufacturer, Bombardier.
Although they carefully separated their network to isolate their operational resources from more outward-facing applications, like FTA, they were still subjected to exposure of their internal designs by the exploit. FTA is a web-based file sharing app that handles arbitrarily large files, and one might assume that they needed FTA to share information with engineering design partners. As the saying goes, "Trust but encrypt!".

-----------------------------------------------------------------------------
Facebook's Neverending Privacy Failure (2 articles)

Major Privacy Compromise Strikes FB Users

Half a billion Facebook users' information posted on hacking website, cyber experts say
https://www.cnn.com/2021/04/04/tech/facebook-user-info-leaked/index.html
Publisher: CNN Business
Date: April 5, 2021
By: Donie O'Sullivan

Summary: This isn't exactly news, but it is significant. Back in 2019, Facebook realized that its trusted partners had the ability to exfiltrate users' personal data, and a giant trove of it turned up online ("Hundreds of millions of phone numbers once tied to Facebook accounts posted online", https://www.cnn.com/2019/09/04/tech/facebook-phone-numbers-exposed). The data has since been usefully indexed and reposted, providing hackers with a more powerful tool for identity theft. Only about 1% of the US population is exposed in this database. Access to the information was being offered for bargain basement prices.

------------------------
Your Information Was Probably Compromised ... Ho Hum

Facebook does not plan to notify half-billion users affected by data leak
https://www.reuters.com/article/idUSKBN2BU2ZY
Publisher: Reuters
Date: April 7, 2021
By: Elizabeth Culliford

Summary: Facebook seems unconcerned about the recently posted database of users' personal information, dismissing the information as "old".
It was current in 2019, and few people are likely to have changed all their identifying information in the past two years, but the company does not think that it is subject to past settlements requiring notifications to users in the event of a privacy breach. The US FTC and Ireland's Data Protection Commission are both seeking answers from the company.

-----------------------------------------------------------------------------
Emissions Testing Hits 404

Hackers shut down emissions tests in parts of 8 states, including Utah
https://www.ksl.com/article/50142669
Publisher: KSL TV
Date: April 8, 2021
By: Dan Rascon

Summary: Applus+ Technologies in Wisconsin seems like an innocuous player in the database game. However, when they were hit by ransomware, vehicle emissions testing companies across the US faced a week without income. Apparently the companies lost the ability to upload the testing results to the DMV sites. Owners who needed to get the test results to the DMV immediately were told to get 30 day temporary permits.

-----------------------------------------------------------------------------
Fed Chair Looks Deep Into the Eyes of Cyber and Sees the Abyss

Cyberattacks are the number-one threat to the global financial system, Fed chair says
https://www.cnn.com/2021/04/12/business/jerome-powell-cyberattacks-global-threat/index.html
Publisher: CNN Business
Date: April 12, 2021
By: Brian Fung

Summary: Federal Reserve Chairman Jerome Powell says that he fears a breakdown in liquidity if an attack should blockade money transfers for banks or payment processors. That could cause as much damage as any human-caused swings in investment. Powell also said that if the US gets involved in crypto currency, it will be "done right".
-----------------------------------------------------------------------------
The FBI is Your Uninvited IT Staff

FBI hacks vulnerable US computers to fix malicious malware
US justice department says bureau hacked devices to remove malware from insecure software
https://www.theguardian.com/technology/2021/apr/14/fbi-hacks-vulnerable-united-states-computers-to-fix-hack-malicious-malware-microsoft-exchange-software
Publisher: The Guardian
Date: 14 Apr 2021
By: Alex Hern

Summary: Some hundreds of privately owned US computer servers got an unrequested upgrade from the FBI. Although Microsoft published the critical patches quite a while ago, not all companies took the trouble to apply them. Because the vulnerability could be used to attack other systems, the FBI took the extraordinary step of applying the patches by first exploiting the vulnerability and then closing it from within.

---------------------------------------------------------------------------
Software Hacks Defeat Oil Infrastructure (4 articles)

Unctuous Ransomware Hackers

Cyber attack shuts down U.S. fuel pipeline "jugular," Biden briefed
https://www.reuters.com/technology/colonial-pipeline-halts-all-pipeline-operations-after-cybersecurity-attack-2021-05-08/
Publisher: Reuters
Date: May 7, 2021
By: Christopher Bing and Stephanie Kelly

Summary: Perhaps you'd never heard of Colonial Pipeline before it shut down for a week. It's an important piece of infrastructure: "Colonial transports 2.5 million barrels per day of gasoline, and other fuels through 5,500 miles (8,850 km) of pipelines linking refiners on the Gulf Coast to the eastern and southern United States. It also serves some of the country's largest airports, including Atlanta's Hartsfield Jackson Airport, the world's busiest by passenger traffic." When it was crippled by a ransomware attack, it shut down delivery, turning off that 2.5 million barrels per day and causing panic buying in the eastern US. "...
investigators are looking at a group dubbed "DarkSide," known for deploying ransomware and extorting victims while avoiding targets in post-Soviet states."

------------------------
Biden Acts on Cybersecurity

Biden cybersecurity order mandates new rules for govt software
https://www.reuters.com/technology/biden-signs-executive-order-improve-us-cybersecurity-amid-colonial-pipeline-2021-05-12/
Publisher: Reuters
Date: May 12, 2021
By: Christopher Bing and Nandita Bose

Summary: Back in March, after the SolarWinds exploits, Biden drafted an order that was touted as requiring more cooperation from software vendors when their US government customers were affected by exploits (Reuters, March 25: https://www.reuters.com/technology/exclusive-software-vendors-would-have-disclose-breaches-us-government-users-2021-03-25/). The Colonial pipeline fiasco apparently spurred Biden to sign the draft, which also creates an organization to review major security failures. Furthermore, it mandates two-factor authentication and encryption for not just communication, but also stored data. More rules will be drawn up and enforced through government software acquisition contracts.

------------------------
Advantage to RW

How the Colonial Pipeline hack is part of a growing ransomware trend in the US
Cybercriminals have attacked solar power firms, water treatment plants and police departments in attempts to extort money. Motorists were faced with long lines and dry pumps after Colonial Pipeline was shut down following a ransomware attack.
https://www.theguardian.com/technology/2021/may/13/colonial-pipeline-ransomware-attack-cyber-crime
Publisher: The Guardian
Date: 14 May 2021
By: Adam Gabbatt

Summary: This article is an overview of the scope of serious ransomware attacks against computer systems in the US. It notes that Colonial Pipeline's vulnerability stemmed from the need to protect the health of workers by letting them work remotely.
The company allegedly paid $5M in ransom in order to bring back operations. The large number of attacks means that a lot of money is changing hands and sophisticated versions of ransomware are being promulgated widely. There are even tech support hotlines for attackers to consult. This has gone from a food truck movement to a major industry.

------------------------
RW website vanishes

Ransomware group's extortion website offline after cyberattack leads to shutdown of major fuel pipeline
https://www.cnn.com/2021/05/14/politics/ransomware-extortion-website-colonial-pipeline/index.html
Publisher: CNN
Date: May 14, 2021
By: Geneva Sands and Natasha Bertrand

Summary: The website used by the ransomware group that struck Colonial Pipeline went offline after posting the message "A couple of hours ago, we lost access to the public part of our infrastructure," including its blog and payment server. Security experts were divided as to whether or not law enforcement had taken down the website or if it was an "exit scam" by the hackers.

---------------------------------------------------------------------------
WiFi's Unfixable Insecurities

Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation
https://fragattacks.com
By: Mathy Vanhoef, New York University Abu Dhabi

Summary: This research paper about some serious flaws in the WiFi protocol has raised a great deal of discomfort. Although it was known that there was some hand-waving in the WiFi specifications when it came to handling fragmented packets, no one had looked at the problem seriously until now. There is a hodge-podge of implementation variations, some of them quite insecure.
The paper will be presented at USENIX Security in August, but

---------------------------------------------------------------------------
How Bad Crypto Machines Became Good Business

Swiss cabinet blames intelligence community for Crypto AG affair
https://www.reuters.com/technology/swiss-cabinet-blames-intelligence-community-crypto-ag-affair-2021-05-28/
Publisher: Reuters
Date: May 28, 2021

Summary: I think that most people with even a small amount of cryptography knowledge realized that the US government was collecting at least some intelligence information from intercepts of communication that was encrypted with insecure ciphers during the 1970s and 1980s. However, the idea that the cryptography implementations were being sold surreptitiously by the US government to unsuspecting users through a Swiss company seemed far-fetched. The reality of it was that the company Crypto AG, based in Switzerland, was doing just that because it was actually owned by the US CIA and German BND intelligence service. This came to light last year, and the Swiss were not amused. Bern's investigation into the matter revealed that a small number of people in the Swiss intelligence service chose to approve the operation to keep it a secret unto themselves. The secret "escaped political control." Changes to government rules are being enacted to prevent future escapades.

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

http://cisr.nps.edu/jobscipher.html

--------------
This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Conference and Workshop Announcements
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Cipher calendar entries are announced on Twitter; follow ciphernews

Requests for inclusion in the list should be sent per instructions: http://www.ieee-security.org/Calendar/submitting.html

IEEE Security & Privacy, Special Issue on Security and Privacy Issues of Home Globalization,
https://www.computer.org/digital-library/magazines/sp/call-for-papers-special-issue-on-security-and-privacy-issues-of-home-globalization
Submission date: 31 May 2021

TrustData 2021 12th International Workshop on Trust, Security and Privacy for Big Data, New York, NY, USA, October 1-3, 2021.
http://www.spaccs.org/trustdata/trustdata2021/
Submission date: 1 June 2021

OID 2021 Open Identity Summit, Copenhagen, Denmark, June 1-2, 2021.
https://oid2021.compute.dtu.dk/

SEED 2021 IEEE International Symposium on Secure and Private Execution Environment Design, Virtual, September 20-21, 2021.
https://seed-symposium.org
Submission date: 4 June 2021

CPSS 2021 7th ACM Cyber-Physical System Security Workshop, Held in conjunction with ACM AsiaCCS 2021, Hong Kong, China, June 7, 2021.
https://spritz.math.unipd.it/events/2021/CPSS/index.html

USENIX-Security 2022 31st USENIX Security Symposium, Boston, MA, USA, August 10-12, 2022.
https://www.usenix.org/conference/usenixsecurity22/call-for-papers
Submission date: 8 June 2021, 12 October 2021, and 1 February 2022

EUROUSEC 2021 European Symposium on Usable Security, Virtual, October 11-12, 2021.
https://eurousec2021.secuso.org/
Submission date: 11 June 2021

VizSec 2021 18th IEEE Symposium on Visualization for Cyber Security, Virtual, October 27, 2021.
https://vizsec.org/vizsec2021/
Submission date: 21 June 2021

WiMob 2021 17th International Conference on Wireless and Mobile Computing, Networking and Communications, Bologna, Italy, October 11-13, 2021.
http://wimob.org/wimob2021/
Submission date: 21 June 2021

SecMT 2021 International Workshop on Security in Mobile Technologies, Held in conjunction with ACNS 2021, Kamakura, Japan, June 21-24, 2021.
https://spritz.math.unipd.it/events/2021/ACNS_Workshop/index.html

Cloud S&P 2021 3rd Workshop on Cloud Security and Privacy, Held in conjunction with ACNS 2021, Kamakura, Japan, June 21-24, 2021.
http://cloudsp2021.encs.concordia.ca/

CSF 2021 34th IEEE Computer Security Foundations Symposium, Virtual, June 21-25, 2021.
https://www.ieee-security.org/TC/CSF2021/

ASHES 2021 5th Workshop on Attacks and Solutions in Hardware Security, Co-located with ACM CCS 2021, Seoul, South Korea, November 19, 2021.
http://ashesworkshop.org
Submission date: 25 June 2021

WPES 2021 20th Workshop on Privacy in the Electronic Society, Co-located with ACM CCS 2021, Seoul, South Korea, November 19, 2021.
http://wpes2021.di.unimi.it
Submission date: 25 June 2021

ACM WiSec 2021 14th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Virtual, June 28 - July 1, 2021.
https://sites.nyuad.nyu.edu/wisec21/

DBSec 2021 35th Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy, Virtual, July 19-20, 2021.
https://dbsec2021.ucalgary.ca

IoTSPT-ML 2021 11th International Workshop on Security, Privacy, Trust, and Machine Learning for Internet of Things, Held in conjunction with the 30th International Conference on Computer Communications and Networks (ICCCN 2021), Athens, Greece, July 22, 2021.
https://sites.google.com/uw.edu/iotspt-ml2021

NDSS 2022 31st USENIX Security Symposium, Boston, MA, USA, August 10-12, 2022.
https://www.ndss-symposium.org/ndss2022/call-for-papers/
Submission date: 21 May 2021 and 23 July 2021

CSR 2021 IEEE International Conference on Cyber Security and Resilience, Rhodes, Greece, July 26-28, 2021.
https://www.ieee-csr.org/

CSET 2021 14th Cyber Security Experimentation and Test Workshop, Virtual, August 9, 2021.
https://cset21.isi.edu/

USENIX Security 2021 30th USENIX Security Symposium, Vancouver, B.C., Canada, August 11-13, 2021.
https://www.usenix.org/conference/usenixsecurity21/call-for-papers

Digital Communications and Networks, Special Issue on Privacy Preserved Learning in Distributed Communication Systems,
http://www.keaipublishing.com/en/journals/digital-communications-and-networks/call-for-papers/si-on-privacy-preserved-learning-in-distributed/
Submission date: 15 August 2021

CUING 2021 5th International Workshop on Criminal Use of Information Hiding, Held in conjunction with the 16th International Conference on Availability, Reliability and Security (ARES 2021), Vienna, Austria, August 17-20, 2021.
http://www.ares-conference.eu

BASS 2021 4th International Workshop on Behavioral Authentication for System Security, Held in conjunction with the 16th International Conference on Availability, Reliability and Security (ARES 2021), Virtual, August 17-20, 2021.
https://www.ares-conference.eu/workshops/bass-2021/

IWCC 2021 10th International Workshop on Cyber Crime, Held in conjunction with the 16th International Conference on Availability, Reliability and Security (ARES 2021), Virtual, August 17-20, 2021.
https://www.ares-conference.eu/workshops/iwcc-2021/

ENS 2021 4th International Workshop on Emerging Network Security, Held in conjunction with the 16th International Conference on Availability, Reliability and Security (ARES 2021), Vienna, Austria, August 17-20, 2021.
http://www.ares-conference.eu

SP 2022 43rd IEEE Symposium on Security and Privacy, San Francisco, CA, USA, May 22-26, 2022.
https://www.ieee-security.org/TC/SP2022/cfpapers.html
Submission date: 15 April 2021, 19 August 2021, and 2 December 2021

Secure Smart World, Special Issue on Concurrency and Computation: Practice and Experience,
https://onlinelibrary.wiley.com/pb-assets/assets/15320634/Secure%20Smart%20World%20SI%202.0%20-1620390879547.pdf
Submission date: 1 September 2021

SecureComm 2021 17th EAI International Conference on Security and Privacy in Communication Networks, Canterbury, Great Britain, September 6-9, 2021.
https://securecomm.eai-conferences.org/2021/

EuroSP Workshops 2021 6th IEEE EuroS&P Symposium, Vienna, Austria, September 7-11, 2021.
https://www.ieee-security.org/TC/EuroSP2021/cfw.html

ESORICS 2021 26th European Symposium on Research in Computer Security, Darmstadt, Germany, October 4-8, 2021.
https://esorics2021.athene-center.de/call-for-papers.php

International Journal of Ad Hoc and Ubiquitous Computing, Special Issue on Recent Advances in Wearable Devices for Emerging Expert Systems,
https://www.researchgate.net/publication/350387566_CFP_International_Journal_of_Ad_Hoc_and_Ubiquitous_Computing_Special_Issue_on_Recent_Advances_in_Wearable_Devices_for_Emerging_Expert_Systems
Submission date: 30 October 2021

ACM-CCS 2021 28th ACM Conference on Computer and Communications Security, Seoul, South Korea, November 14-19, 2021.
https://www.sigsac.org/ccs/CCS2021/

HOST 2021 IEEE International Symposium on Hardware Oriented Security and Trust, Washington DC, USA, December 5-8, 2021.
        http://www.hostsymposium.org/host2021/

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe".

   OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself).

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".

   OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself).

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
        http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
        http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL
        http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents.
Please indicate in the subject line for which department your contribution is intended.

Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.

____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at
        http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy (or other TCs) by completing the on-line form at IEEE at
        https://www.computer.org/web/tandc/technical-committees

______________________________________________________________________
TC Conference Publications Online
______________________________________________________________________

The proceedings of previous conferences are available from the Computer Society's Digital Library.
        IEEE Security and Privacy Symposium
        IEEE Computer Security Foundations
        IEEE European Security and Privacy Symposium

From 2012 onward, these are available without charge from the digital library 12 months after the conference.

____________________________________________________________________________
TC Officers and SP Steering Committee
____________________________________________________________________________

Chair:
        Ulfar Erlingsson
        Manager, Security Research
        Google
        tcchair at ieee-security.org

Security and Privacy Symposium Chair Emeritus:
        Gabriela Ciocarlie
        Elpha Secure
        oakland20-chair@ieee-security.org

Vice Chair:
        Brian Parno

Treasurer:
        Yong Guan
        Department of Electrical and Computer Engineering
        Iowa State University, Ames, IA 50011
        treasurer@ieee-security.org

Newsletter Editor:
        Hilarie Orman
        Purple Streak, Inc.
        500 S. Maple Dr.
        Woodland Hills, UT 84653
        cipher-editor@ieee-security.org

Security and Privacy Symposium, 2020 Chair:
        Alvaro Cardenas
        University of California, Santa Cruz
        sp21-chair@ieee-security.org

TC Awards Chair:
        EJ Jung
        UCSF
        ejun2 @ usfca.edu
        https://www.usfca.edu/faculty/eunjin-ej-jung

____________________________________________________________________________
BACK ISSUES: Cipher is archived at:
        http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year