============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 163
September 27, 2021

Hilarie Orman, Editor                    Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org        cipher-assoc-editor @ ieee-security.org

Sven Dietrich                            Yong Guan
Book Review Editor                       Calendar Editor
cipher-bookrev @ ieee-security.org       cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year

Contents:

* Letter from the Editor
* Commentary and Opinion and News
  o News Items
    - Spyware Creepers Scale the Wall
    - Ransomware Key Revealed
    - Better Late Than Never ... FBI Delayed Release of Ransomware Key
    - Accenture Unfazed by LockBit
    - Who Was That Guy in the Voting Machine Meeting?
    - Industrial Systems Need Cybersecurity
    - SEC Casts Wide SolarWinds Net
  o Book reviews, Conference Reports and Commentary and News items from
    past Cipher issues are available at the Cipher website
* List of Computer Security Academic Positions, by Cynthia Irvine
* Conference and Workshop Announcements
  o Upcoming calls-for-papers and events
* Staying in Touch
  o Information for subscribers and contributors
  o Recent address changes
* Links for the IEEE Computer Society TC on Security and Privacy
  o Becoming a member of the TC
  o TC Officers

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

As we move past the equinox, we note that planning is well underway for the 2022 security research conferences sponsored by the Technical Committee on Security and Privacy. The deadline for papers for the flagship event, the Security and Privacy Symposium, is coming up December 2. After that, there will be three opportunities to submit papers for 2023. The conferences altogether offer publication opportunities for thousands of high-quality research papers. This is a remarkable growth rate and represents a huge increase in knowledge about all aspects of security and privacy. If you have a contribution, please consider submitting a paper to SecDev, HOST, S&P, EuroS&P, or CSF (see https://www.ieee-security.org for links).

Computer security problems are like COVID-19. They emerge in new forms with distressing regularity, the cost of eliminating them is higher than society can bear, and it is a depressing fact that we have to live with bad things threatening us all the time. Computer security failures, though, kill few people, whereas the death toll in the US from COVID-19 is on track to be the most lethal event in the country's history. Technology has been very good at invention but seems to let us down on protection and maintenance. There's no magic in the long term.

Snarky comment of the bimonth: There's probably no better way to fail at solving a problem than by declaring a "war" on it. If we had declared war on the moon, we probably never would have put a spacecraft on it. Please don't declare war on software vulnerabilities!
Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html

------------------------

Spyware Creepers Scale the Wall

Why Apple's walled garden is no match for Pegasus spyware
https://www.theguardian.com/technology/2021/jul/21/why-apples-walled-garden-is-no-match-for-pegasus-spyware
Publisher: The Guardian
Date: 21 Jul 2021
By: Alex Hern

Summary:
The Guardian and 16 other media organizations investigated the spyware that was used to infect and steal information from the cellphones of targeted people, including journalists and politicians. Their findings get at the very heart of how mobile devices, indeed any computing device, are protected. One interesting quote from an expert: "What that means in practice is that the only thing that can protect iOS users from an attack is Apple – and if Apple fails, there's no other line of defence."

---------------------------------------------------------------------------

Ransomware Key Revealed

Software vendor caught up in ransomware attack obtains decryptor key
https://www.cnn.com/2021/07/22/tech/kaseya-revil-ransomware-decryptor/index.htm
Publisher: CNN Business
Date: July 22, 2021
By: Brian Fung and Geneva Sands

Summary:
The security firm Kaseya had a remote access tool that was exploited for a large number of ransomware attacks against its customers. Somehow Kaseya obtained the decryption key that the victims need to recover their files.

--------------

Better Late Than Never ... FBI Delayed Release of Ransomware Key

FBI Withheld REvil Ransomware Decryptor Key as Some MSPs Suffered Encryption
https://www.msspalert.com/cybersecurity-news/fbi-withheld-revil-ransomware-decryptor-key-as-some-msps-suffered-encryption/
Publisher: MSSP Alert!
Date: Sep 22, 2021
By: D. Howard Kass

Summary:
It turned out that the decryption key that Kaseya gave to victims of a ransomware attack was given to them by the FBI. The FBI chose to delay revealing the information for 3 weeks. FBI director Christopher Wray told a Senate Security Committee hearing that "We make the decisions as a group, not unilaterally. These are complex ... decisions, designed to create maximum impact, and that takes time in going against adversaries where we have to marshal resources not just around the country but all over the world."

---------------------------------------------------------------------------

Accenture Unfazed by LockBit

Another big company hit by a ransomware attack
https://www.cnn.com/2021/08/11/tech/accenture-ransomware/index.html
Publisher: CNN Business
Date: August 11, 2021
By: Brian Fung

Summary:
Did the REvil gang disappear into the LockBit ransomware-as-a-service group? Rumors of a ransomware attack against the global consulting firm Accenture have raised speculation about a possible realignment of ransomware software groups. Accenture was threatened by LockBit with public release of sensitive files. For its part, Accenture said it had detected and dealt with "irregular activity" with no impact on its operations or those of its customers.

---------------------------------------------------------------------------

Who Was That Guy in the Voting Machine Meeting?

FBI joins investigation into QAnon-affiliated leak of voting machine logins in Colorado
https://www.cnn.com/2021/08/17/politics/fbi-voting-machine-colorado/index.html
Publisher: CNN
Date: August 17, 2021
By: Paul P. Murphy

Summary:
Mesa County, Colorado, has been in turmoil over an argument about who has the right to supervise elections. The battle between the state and county started when the login credentials for administering the county's voting machine were shown in a video posted online.
The video was suspected of having been shot by an unauthorized visitor to a confidential meeting of officials and the voting machine vendor's representatives.

---------------------------------------------------------------------------

Industrial Systems Need Cybersecurity

Biden administration issuing new security guidance to companies aimed at blunting cyberattacks
https://www.cnn.com/2021/09/22/politics/biden-administration-security-guidance-cyberattacks/index.html
Publisher: CNN
Date: September 22, 2021
By: Sean Lyngaas

Summary:
In July the Biden administration released a report on security goals for cybersecurity for critical infrastructure control systems:
https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/28/national-security-memorandum-on-improving-cybersecurity-for-critical-infrastructure-control-systems/
Recommendations for practices that can assure those goals are the subject of a further report to be released soon. An incident at a Florida water treatment plant in February (reported in Ciphernews in March) highlighted the need to strengthen cybersecurity at all levels of critical infrastructure.

---------------------------------------------------------------------------

SEC Casts Wide SolarWinds Net

Wide-ranging SolarWinds probe sparks fear in Corporate America
https://www.reuters.com/technology/exclusive-wide-ranging-solarwinds-probe-sparks-fear-corporate-america-2021-09-10/
Publisher: Reuters
Date: September 10, 2021
By: Christopher Bing, Chris Prentice, and Joseph Menn

Summary:
Tension has developed over an SEC request to businesses for reports on all cybersecurity incidents since October 2019. The government request is voluntary and only applies to companies that downloaded a SolarWinds product that was later shown to have a serious flaw (see Ciphernews for January and March 2021).
The SEC says that it is investigating the scope of the wide-scale attack, but business leaders are concerned that they may be liable for unrelated incidents that could be revealed by the requested records.

---------------------------------------------------------------------------

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/BookReviews.html, and conference
reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

http://cisr.nps.edu/jobscipher.html

--------------

This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Conference and Workshop Announcements
====================================================================

The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Cipher calendar entries are announced on Twitter; follow ciphernews

Requests for inclusion in the list should be sent per instructions:
http://www.ieee-security.org/Calendar/submitting.html

____________________________________________________________________

TrustData 2021   12th International Workshop on Trust, Security and Privacy
for Big Data, New York, NY, USA, October 1-3, 2021.
http://www.spaccs.org/trustdata/trustdata2021/

DFRWS EU 2022   Digital Forensic Research Workshop EU, Online and Physical
(Location TBC), March 28-31, 2022.
https://dfrws.org/conferences/dfrws-eu-2022/
Submission date: 3 October 2021

CODASPY 2022   12th ACM Conference on Data and Application Security and
Privacy, Baltimore-Washington, DC area, USA, April 24-26, 2022.
http://www.codaspy.org/2022/
Submission date: 4 October 2021

FPS 2021   14th International Symposium on Foundations & Practice of
Security, Espace Hamelin, Paris, France, December 8-10, 2021.
http://www.fps-2021.com/
Submission date: 4 October 2021

ESORICS 2021   26th European Symposium on Research in Computer Security,
Darmstadt, Germany, October 4-8, 2021.
https://esorics2021.athene-center.de/call-for-papers.php

USENIX-Security 2022   31st USENIX Security Symposium, Boston, MA, USA,
August 10–12, 2022.
https://www.usenix.org/conference/usenixsecurity22/call-for-papers
Submission dates: 8 June 2021, 12 October 2021, and 1 February 2022

EUROUSEC 2021   European Symposium on Usable Security, Virtual,
October 11-12, 2021.
https://eurousec2021.secuso.org/

WiMob 2021   17th International Conference on Wireless and Mobile
Computing, Networking and Communications, Bologna, Italy, October 11-13, 2021.
http://wimob.org/wimob2021/

SecDev 2021   IEEE Secure Development Conference, Virtual,
October 18-20, 2021.
https://secdev.ieee.org/2021/papers/

CyberSciTech 2021   6th IEEE Cyber Science and Technology Congress,
Calgary, Canada, October 25-28, 2021.
http://cyber-science.org/2021/

VizSec 2021   18th IEEE Symposium on Visualization for Cyber Security,
Virtual, October 27, 2021.
https://vizsec.org/vizsec2021/

International Journal of Ad Hoc and Ubiquitous Computing, Special Issue
on Recent Advances in Wearable Devices for Emerging Expert Systems.
https://www.researchgate.net/publication/350387566_CFP_International_Journal_of_Ad_Hoc_and_Ubiquitous_Computing_Special_Issue_on_Recent_Advances_in_Wearable_Devices_for_Emerging_Expert_Systems
Submission date: 30 October 2021

PAKDD 2022   26th Pacific-Asia Conference on Knowledge Discovery and Data
Mining, Chengdu, China, May 16-19, 2022.
http://pakdd.net/
Submission date: 31 October 2021

CRiSIS 2021   16th International Conference on Risks and Security of
Internet and Systems, Ames, IA, USA, November 11-13, 2021.
http://www.crisis-2021.com/

IFIP 11.9 Digital Forensics 2022   18th Annual IFIP WG 11.9 International
Conference on Digital Forensics, New Delhi, India, January 3-5, 2022.
http://www.ifip119.org/Conferences/WG11-9-CFP-2022.pdf
Submission date: 12 November 2021

CCSW 2021   ACM Cloud Computing Security Workshop, Co-located with
ACM CCS 2021, Seoul, South Korea, November 14, 2021.
https://ccsw.io

ACM-CCS 2021   28th ACM Conference on Computer and Communications
Security, Seoul, South Korea, November 14-19, 2021.
https://www.sigsac.org/ccs/CCS2021/

WPES 2021   20th Workshop on Privacy in the Electronic Society,
Co-located with ACM CCS 2021, Seoul, South Korea, November 15, 2021.
http://wpes2021.di.unimi.it

ASHES 2021   5th Workshop on Attacks and Solutions in Hardware Security,
Co-located with ACM CCS 2021, Seoul, South Korea, November 19, 2021.
http://ashesworkshop.org/

SP 2022   43rd IEEE Symposium on Security and Privacy, San Francisco, CA,
USA, May 22-26, 2022.
https://www.ieee-security.org/TC/SP2022/cfpapers.html
Submission dates for 2023: 15 April 2021, 19 August 2021, and 2 December 2021

HOST 2021   IEEE International Symposium on Hardware Oriented Security
and Trust, Washington DC, USA, December 5-8, 2021.
http://www.hostsymposium.org/host2021/

ACSAC 2021   Annual Computer Security Applications Conference, Virtual,
December 6-10, 2021.
https://www.acsac.org/

ICSS 2021   7th Annual Industrial Control System Security Workshop, Held
in conjunction with the Annual Computer Security Applications Conference
(ACSAC 2021), Online, December 7, 2021.
https://www.acsac.org/2021/workshops/icss/ICSS_2021_CFP.pdf

AsianHOST 2021   Asian Hardware Oriented Security and Trust Symposium,
Pudong, Shanghai, China, December 16-18, 2021.
http://asianhost.org/2021/

DependSys 2021   7th IEEE International Conference on Dependability in
Sensor, Cloud, and Big Data Systems and Applications, Haikou, China,
December 17-19, 2021.
http://www.ieee-cybermatics.org/2021/dependsys/

USENIX-Security 2022   31st USENIX Security Symposium, Boston, MA, USA,
August 10–12, 2022.
https://www.usenix.org/conference/usenixsecurity22/call-for-papers
Submission dates: 8 June 2021, 12 October 2021, and 1 February 2022

NDSS 2022   Network and Distributed System Security Symposium, San Diego,
California, USA, February 27 – March 3, 2022.
https://www.ndss-symposium.org/ndss2022/call-for-papers/

Euro S&P 2022   7th IEEE European Symposium on Security and Privacy,
Genoa, Italy, June 6-10, 2022.
https://www.ieee-security.org/TC/EuroSP2022/cfp.html
Submission date: 22 September 2021

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to
   cipher-admin@ieee-security.org (which is NOT automated) with subject
   line "subscribe".

   OR send a note to cipher-request@mailman.xmission.com with the subject
   line "subscribe" (this IS automated - thereafter you can manage your
   subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER
   is available for Web browsing, send e-mail to
   cipher-admin@ieee-security.org (which is NOT automated) with subject
   line "subscribe postcard".

   OR send a note to cipher-postcard-request@mailman.xmission.com with the
   subject line "subscribe" (this IS automated - thereafter you can manage
   your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to
cipher-admin@ieee-security.org with subject line "unsubscribe" or
"unsubscribe postcard" or, if you have subscribed directly to the
xmission.com mailing list, use your password (sent monthly) to
unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that
way. It can be found at URL
http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended.

Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.

____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy (or other TCs) by completing the on-line form at IEEE at
https://www.computer.org/web/tandc/technical-committees

______________________________________________________________________
TC Conference Publications Online
______________________________________________________________________

The proceedings of previous conferences are available from the Computer Society's Digital Library.

IEEE Security and Privacy Symposium
IEEE Computer Security Foundations
IEEE European Security and Privacy Symposium

From 2012 onward, these are available without charge from the digital library 12 months after the conference.
____________________________________________________________________________
TC Officers
____________________________________________________________________________

Chair:
Brian Parno
Associate Professor
Carnegie Mellon University
tcchair at ieee-security.org

Security and Privacy Symposium Chair Emeritus:
Alvaro Cardenas
Associate Professor
University of California, Santa Cruz
sp21-chair@ieee-security.org

Vice Chair:
Gabriela Ciocarlie
Elpha Secure
tcchair at ieee-security.org

Treasurer:
Yong Guan
Professor
Department of Electrical and Computer Engineering
Iowa State University, Ames, IA 50011
treasurer@ieee-security.org

Newsletter Editor:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

Security and Privacy Symposium, 2022 Chair:
Rakesh Bobba
Associate Professor
Oregon State University
https://eecs.oregonstate.edu/people/bobba-rakesh

TC Awards Chair:
Tegan Brennan
Assistant Professor
Stevens Institute of Technology
tbrenna5 at stevens.edu

____________________________________________________________________________

BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html