Electronic CIPHER, Issue 165, January 24, 2022

============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 165                                       January 24, 2022

Hilarie Orman, Editor                          Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org     cipher-assoc-editor @ ieee-security.org

Sven Dietrich                                  Yong Guan
Book Review Editor                             Calendar Editor
cipher-bookrev @ ieee-security.org             cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year

Contents:

* Letter from the Editor
* Commentary and Opinion and News
    o Sven Dietrich's review of the book, "Computer Security and the
      Internet: Tools and Jewels from Malware to Bitcoin" (second edition)
      by Paul C. van Oorschot
    o News
      - All About The Leaky Java Logger
        . Hole in the Logger Undercuts Web Security
        . Just How Big Is That Gaping Hole?
        . The Long Tail of Log4j
      - Want a Cryptominer With That?
      - Updates to Sun Tzu
      - Open Source Needs Help, Will the Feds Support It?
    o Book reviews, Conference Reports and Commentary and News items from
      past Cipher issues are available at the Cipher website
* List of Computer Security Academic Positions, by Cynthia Irvine
* Conference and Workshop Announcements
* Staying in Touch
    o Information for subscribers and contributors
    o Recent address changes
* Links for the IEEE Computer Society TC on Security and Privacy
    o Becoming a member of the TC
    o TC Officers
    o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

On beyond omicron!
Plans are afoot for in-person conferences in late spring, and the
Security and Privacy conference will be held in San Francisco, May
22-26. Fingers crossed! The program will have the usual selection of the
best of recent research, and workshops will offer an in-depth look at
special areas: SecWeb for designing web security, ConPro for consumer
protection, DLS for deep learning and security, LangSec for
language-theoretic security, SafeThings for security with the IoT, and
WOOT for "offensive technologies".

This month we have a "second edition" book review. Sven Dietrich
reviewed Paul van Oorschot's "Computer Security and the Internet" book
last year, but now there are two new chapters resulting in the second
edition, so we have a book review update.

Sven Dietrich and Yong Guan are stalwarts in helping to produce this
newsletter. I'm particularly grateful to them for persisting through
the pandemic. Both are currently traveling and dealing with the worries
and complexities of a constantly changing health and regulatory
landscape.

A side effect of the pandemic has been the rush to move so much of life
to online interactions. Disruptive as it has been, overall the move has
caused little more than minor stirs with respect to the security of
computers and communications. Is this a good sign, or the calm before
the storm?

One thing that has not improved, however, is the process of signing up
for online services. It generally takes me about 30 minutes to complete
the process of finding the correct "create an account" web page,
filling in the information, wending through the thicket of allowable
and required password characters, getting the confirmation email,
putting the confirmation code into the webpage, and then, for reasons
that are opaque to me, having to start all over. Is this security or
insanity?

Last year we dealt with the SolarWinds vulnerability, this year it is
the Log4J shell that caused sleepless nights for security teams.
Despite being billed as the biggest security loophole of all time, the
problem seems to have been largely contained, though it may be
"endemic", which is, oddly enough, what we hope that our current disease
nemesis will become. I think "endemic" as used today means "we give up".

    As someday it may happen that a victim must be found,
    I've got a little list -- I've got a little list.
    Of security offenders whose mistakes must be unwound,
    And who never would be missed - who never would be missed.
    There's the coder with the strings whose lengths are never checked,
    They cause stack overflows that turn memory into dreck,
    All sysadmins who leave the password files online,
    All RAM designers who set the bytes that never will align,
    And open source reusers who blithely set the sudo bits,
    And all those snarky kids who make the zero day rootkits,
    They'd none of them be missed -- they'd none of them be missed.

    (Thank you to the immortal G&S)

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/BookReviews.html, and conference
reports are archived at
http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
"Computer Security and the Internet: Tools and Jewels from Malware to
Bitcoin"
Book Review By Sven Dietrich
Jan 24, 2022
____________________________________________________________________

"Computer Security and the Internet: Tools and Jewels from Malware to
Bitcoin" by Paul C. van Oorschot (with a foreword by Peter G.
Neumann)
Second edition, October 2021
Publisher: Springer International Publishing
ISBN: 978-3-030-83410-4 (hardcopy), 978-3-030-83411-1 (eBook)
XXIX, 446 pages

As we navigate this new normal, we have to deal with many surprising
variations of old known problems. On the upside (intentionally skipping
the word 'positive' here), we see that this 'new normal' can generate
new editions of computer security books much sooner than later. Paul C.
van Oorschot has done this with his second edition of "Computer Security
and the Internet: Tools and Jewels from Malware to Bitcoin." It was a
bit of a (pleasant) surprise to see a revised and enhanced edition of
this already great security book so soon, with only 80 pages more than
the previous edition. As a little birdie told me, the camera-ready
version of the first edition was submitted to the publisher in mid-2019.
So that makes a second edition of this book, with its camera-ready copy
submitted in June 2021, appearing in late 2021 much more palatable.

So I will refer back to my previous review from May 2020
(https://www.ieee-security.org/Cipher/BookReviews/2020/Oorschot_by_dietrich.html),
summarize that first edition, and focus on what changed in this second
edition. You may think of it as the revised edition of the book review.

The first edition was already a fine collection of computer security
concepts, very densely assembled into an almost Cliff-Notes-style book
(yet better). The changes in the second edition round off that previous
great achievement and add a touch of varnish.
In the second edition of "Computer Security and the Internet," there are
now thirteen chapters, two more chapters than before, which got tacked
on at the end as Chapters 12 and 13:

  1. Basic Concepts and Principles
  2. Cryptographic Building Blocks
  3. User Authentication - Passwords, Biometrics, and Alternatives
  4. Authentication Protocols and Key Establishment
  5. Operating System Security and Access Control
  6. Software Security - Exploits and Privilege Escalation
  7. Malicious Software
  8. Public-Key Certificate Management and Use Cases
  9. Web and Browser Security
 10. Firewalls and Tunnels
 11. Intrusion Detection and Network-Based Attacks
 12. Wireless LAN Security: 802.11 and Wi-Fi (new)
 13. Bitcoin, Blockchains and Ethereum (new)

As before, the text throughout the book is color-coded, with different
colors for concepts, program or operating system names, and keywords.
Many diagrams and figures illustrating this book are also in color.

The first new chapter, Chapter 12 in the book, explains wireless
security concepts, from the earlier, tremendously insecure mechanism
called Wired Equivalent Privacy (WEP) up to the latest WiFi Protected
Access aka WPA3, which recent operating systems and wireless routers
support. In a world of wireless devices it is important to understand
these fine differences in wireless security assurance as our (private?)
bits fly through the air, and also how we got to WPA3 after a long and
difficult road, sprinkled with many 'nails in the coffin for WEP'
papers.

The second new chapter, Chapter 13 in the book, discusses blockchain,
cryptocurrencies, and smart contracts in a succinct, yet complete,
manner. In the 'popular science' public eye, cryptocurrencies and
blockchain appear to have started with Bitcoin in 2009, but insiders
know that the foundations were put in place many, many years before.
This chapter provides a nice overview of the blockchain concepts, with
cryptocurrencies and of course smart contracts with Ethereum.
A combination view of the Ethereum white, yellow, and beige papers lets
the reader zoom in and out to get a high-level understanding of Ethereum
and smart contracts. As a logical follow-on topic, the reader also
learns about Non-Fungible Tokens (NFTs), something that some of you may
have seen in connection with the art world.

Paul C. van Oorschot's "Computer Security and the Internet" is a great
textbook for a computer security course, as I have used it myself for
both undergraduate and graduate students, as well as a reference book
for researchers and computer security professionals. The book also has
a web page (link to https://people.scs.carleton.ca/~paulv/toolsjewels.html)
outlining the book and its contents, with all its chapters available in
PDF format for personal use, as well as a list of errata that
continuously get worked into the most recent PDFs. The reader can assess
where to best get their copy: at a book shop, their university library,
the publisher, or simply online. My copy will definitely be a hard copy
to sit on my bookshelf next to the other books by Paul C. van Oorschot
that I already have in my collection.

I enjoyed reading this book and look forward to having this second
edition readily available on my bookshelf for many years to come.

-------------------------------------------------------------------------
Sven Dietrich reviews technology and security books for IEEE Cipher.
He welcomes your thoughts at spock at ieee dot org

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html

The Leaky Java Logger

The discovery of a major vulnerability in a common web server module
set off a storm of angst among Internet administrators around the
world.
---------------------
Hole in the Logger Undercuts Web Security

Recently uncovered software flaw 'most critical vulnerability of the
last decade'
https://www.theguardian.com/technology/2021/dec/10/software-flaw-most-critical-vulnerability-log-4-shell
Publisher: The Guardian via Associated Press
Date: 10 Dec 2021

Summary:
The online retailer Alibaba reported a security problem in November of
2021. The commonly used Java logger, called Log4j, could be corrupted
via carefully crafted web accesses, and as a result, any kind of
software could be downloaded and manipulated by remote parties.
Exploits emerged immediately after the discovery of the problem. Log4j
is an open source module used with Apache servers. Not all versions of
the module are susceptible, but the long-standing and ubiquitous use of
it affects a huge swathe of software. Major hosting sites were able to
rid themselves of the problem during December.

---------------------
Just How Big Is That Gaping Hole?

Understanding the Impact of Apache Log4j Vulnerability
https://security.googleblog.com/2021/12/understanding-impact-of-apache-log4j.html
Publisher: Google Open Source Insights Team
Date: December 17, 2021
By: James Wetter and Nicky Ringland

Summary:
The scope of the Log4j problem can be understood by doing a survey of
the open source software that depends on the module. Tens of thousands
of packages are affected.

---------------------
The Long Tail of Log4j

Log4j activity expected to play out well into 2022
https://www.cybersecuritydive.com/news/log4j-threats-2022/616616/
Publisher: Cybersecurity Dive
Date: Jan. 4, 2022
By: David Jones

Summary:
While much of the world has scrambled to upgrade their web servers to
use the non-vulnerable version of Log4j, older versions are widespread.
Malicious parties like "Aquatic Panda" are on the lookout for it.
(https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools)
Any web-accessible versions are likely to be hit in the coming months.

---------------------
Want a Cryptominer With That?

Security News This Week: Norton Put a Cryptominer in Its Antivirus
Software
https://www.wired.com/story/norton-antivirus-cryptominer-nft-thefts-security-roundup/
Publisher: Wired
Date: 1/8/22
By: Brian Barrett

Summary:
One of the reported exploits associated with the remote code execution
problem is "installing a cryptominer." The problem with cryptominers is
that it's the bad guys who steal your computing power for their own
profit. Why should you lose out? Norton decided to remedy this inequity
by giving users their own cryptominers. Usage is optional (of course,
Norton takes 15% of the gross), but the idea of bundling unrelated
software with a security product is startling. Perhaps it is meant to
help the world, as if your roofer automatically installed solar panels
for free. You might need those if you get into serious cryptomining.

---------------------
Updates to Sun Tzu

Ukraine malware
Microsoft finds 'destructive' malware in Ukraine
https://www.cnn.com/2022/01/16/europe/ukraine-malware-microsoft-warning-intl/index.html
Publisher: CNN
Date: January 16, 2022
By: Sean Lyngaas

Summary:
In addition to the element of surprise and controlling the high ground,
perhaps "confuse their web servers" should be added to common military
tactics. As troops menace Ukraine, malicious software has disrupted
some of its web servers at government agencies and non-profits. The
software is disguised as ransomware, but it seems to have no criminal
purpose. Ukraine said that Belarusian intelligence was behind the
disruptive attacks via a hacking group that they control. The hacking
might be a precursor to a military attack, or it might be the "normal"
sort of cyber harassment that characterizes poor international
relations.
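The "Just How Big Is That Gaping Hole?" brief above describes measuring the Log4j problem by surveying which open source packages depend on the module. The following Python is an added example, not code from Cipher or from the Google Open Source Insights team: it inverts a dependency graph, finds every package that reaches a named artifact, records whether the dependency is direct (depth 1) or transitive (deeper), and prints one chain per dependent so a maintainer can see which intermediate package has to update first. The package names, the edges, and the artifact name `log4j-core` used as the survey target are all constructed for illustration; version resolution, which decides whether a given dependency actually pulls in a susceptible version, is not modelled.

```python
"""Survey of which packages depend, directly or transitively, on one
artifact. Added example: the package names and dependency edges below
are constructed for illustration and are not data from the Google
Open Source Insights survey or from any package registry."""
from collections import deque

# Constructed dependency graph: package -> packages it depends on.
# A real survey builds this from package-manager metadata (Maven POMs,
# lock files, registry APIs); the artifact name "log4j-core" is only a
# stand-in for the module being surveyed.
DEPENDENCIES = {
    "log4j-core": [],
    "log4j-api": [],
    "web-framework": ["log4j-core", "log4j-api"],
    "db-client": ["log4j-core"],
    "payment-service": ["web-framework"],
    "report-service": ["db-client", "web-framework"],
    "cli-tool": ["report-service"],
    "unrelated-lib": ["log4j-api"],
    "image-codec": [],
}


def reverse_graph(deps):
    """Invert the graph: dependency -> list of packages that require it."""
    rev = {pkg: [] for pkg in deps}
    for pkg, needs in deps.items():
        for need in needs:
            rev.setdefault(need, []).append(pkg)
    return rev


def survey_dependents(deps, target):
    """Return {package: depth}. Depth 1 is a direct dependency on
    ``target``; larger depths are transitive exposure through the
    shortest chain, found by breadth-first search over the reversed graph."""
    rev = reverse_graph(deps)
    depth = {}
    queue = deque((pkg, 1) for pkg in rev.get(target, []))
    while queue:
        pkg, d = queue.popleft()
        if pkg in depth:
            continue  # already reached through a shorter chain
        depth[pkg] = d
        for dependent in rev.get(pkg, []):
            if dependent not in depth:
                queue.append((dependent, d + 1))
    return depth


def summarize(depth):
    """Split the survey into direct and transitive dependents. The split
    matters for remediation: a transitive dependent cannot pick up a fixed
    version until every package between it and the target has updated."""
    direct = sorted(p for p, d in depth.items() if d == 1)
    transitive = sorted(p for p, d in depth.items() if d > 1)
    return {"direct": direct, "transitive": transitive, "total": len(depth)}


def exposure_chain(deps, pkg, target, _seen=None):
    """Return one dependency chain from ``pkg`` down to ``target`` (or
    None if there is none), so a maintainer can see which intermediate
    package has to update first. Depth-first, cycle-safe via ``_seen``."""
    if _seen is None:
        _seen = set()
    if pkg == target:
        return [pkg]
    _seen.add(pkg)
    for need in deps.get(pkg, []):
        if need in _seen:
            continue
        chain = exposure_chain(deps, need, target, _seen)
        if chain:
            return [pkg] + chain
    return None


if __name__ == "__main__":
    found = survey_dependents(DEPENDENCIES, "log4j-core")
    for pkg, d in sorted(found.items(), key=lambda kv: (kv[1], kv[0])):
        chain = " -> ".join(exposure_chain(DEPENDENCIES, pkg, "log4j-core"))
        print(f"{pkg:16} depth {d}  via {chain}")
    print(summarize(found))
```

On the constructed graph, two packages depend on the target directly and three only through them; "unrelated-lib" is not listed because it depends on a sibling artifact, which is the kind of false positive a name-based grep would produce. The depth figure is the operationally useful one: a depth-3 dependent stays exposed until two other projects have published fixed releases, which is why a long tail of old versions persists even after the module itself is patched.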
---------------------
Open Source Needs Help, Will the Feds Support It?

Big tech pushes White House for open source funding, standards after
Log4j
https://www.cybersecuritydive.com/news/white-house-open-source-security/617206/
Publisher: Cybersecurity Dive
Date: Jan. 14, 2022
By: David Jones

Summary:
National Security Advisor Jake Sullivan conducted a timely "constructive
discussion" about improving the security of open source software. The
Log4j problems illustrated that open source is an important part of
software ecology, but greater security is a necessity. That security
will come at a price, one that the tech sector would like to see funded
by the Federal government. "Akamai Technologies called for the
government and industry to prioritize investment in new technologies
that will increase visibility into the use of open source, ideally using
automated tools." One presumes these automated tools will themselves be
open source and recursively subject to such visibility?

====================================================================
Listing of academic positions available by
Cynthia Irvine
====================================================================

http://cisr.nps.edu/jobscipher.html

--------------
This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like to
have it included on this page, send the following information:
Institution, City, State, Position title, date position announcement
closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Conference and Workshop Announcements
====================================================================

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Cipher calendar entries are announced on Twitter; follow ciphernews

Requests for inclusion in the list should be sent per instructions:
http://www.ieee-security.org/Calendar/submitting.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

USENIX-Security 2022
31st USENIX Security Symposium, Boston, MA, USA, August 10-12, 2022.
https://www.usenix.org/conference/usenixsecurity22/call-for-papers
Submission date: 8 June 2021, 12 October 2021, and 1 February 2022

ACM SIGCOMM 2022, Amsterdam, the Netherlands, August 22-26, 2022.
https://conferences.sigcomm.org/sigcomm/2022/
Submission date: 2 February 2022

ACM WiSec 2022
15th ACM Conference on Security and Privacy in Wireless and Mobile
Networks, San Antonio, Texas, USA, May 16-19, 2022.
https://wisec2022.cs.utsa.edu/
Submission date: 2 February 2022

PODC 2022
41st ACM Symposium on Principles of Distributed Computing, Salerno,
Italy, July 25-29, 2022.
https://www.podc.org
Submission date: 13 February 2022

NDSS 2022
Network and Distributed System Security (NDSS) Symposium, San Diego,
California, USA, February 22 - March 3, 2022.
https://www.ndss-symposium.org/ndss2022/call-for-papers/

FHE 2022
1st Annual FHE.org Conference on Fully Homomorphic Encryption, Held in
conjunction with EUROCRYPT 2022, Trondheim, Norway, May 29, 2022.
https://fhe.org/conference/fhe-org-conference-2022-call-for-presentations
Submission date: 7 March 2022

Cloud S&P 2022
4th Workshop on Cloud Security and Privacy, Rome, Italy, June 20-23,
2022.
https://cloudsp2022.encs.concordia.ca/
Submission date: 21 March 2022

DFRWS EU 2022, Online and Physical (Location TBC), March 28-31, 2022.
https://dfrws.org/conferences/dfrws-eu-2022/

SecureComm 2022
18th EAI International Conference on Security and Privacy in
Communication Networks, Kansas City, USA, October 17-19, 2022.
https://securecomm.eai-conferences.org/2022/
Submission date: 3 April 2022

SCN 2022
13th Conference on Security and Cryptography for Networks, Amalfi,
Italy, September 12-14, 2022.
https://scn.unisa.it/
Submission date: 24 April 2022

CODASPY 2022
12th ACM Conference on Data and Application Security and Privacy,
Baltimore-Washington, DC area, USA, April 24-26, 2022.
http://www.codaspy.org/2022/

ACM CCS 2022, Los Angeles, U.S.A, November 7-11, 2022.
https://sigsac.org/ccs/CCS2022/call-for-papers.html
Submission date: 14 January 2022 and 2 May 2022

PAKDD 2022
26th Pacific-Asia Conference on Knowledge Discovery and Data Mining,
Chengdu, China, May 16-19, 2022.
http://pakdd.net/

SP 2022
43rd IEEE Symposium on Security and Privacy, San Francisco, CA, USA,
May 22-26, 2022.
https://www.ieee-security.org/TC/SP2022/cfpapers.html

Euro S&P 2022
7th IEEE European Symposium on Security and Privacy, Genoa, Italy,
June 6 - 10, 2022.
https://www.ieee-security.org/TC/EuroSP2022/cfp.html

Euro S&P Workshops 2022
7th IEEE European Symposium on Security and Privacy, Genoa, Italy,
June 6 - 10, 2022.
https://www.ieee-security.org/TC/EuroSP2022/cfw.html

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to
   cipher-admin@ieee-security.org (which is NOT automated) with subject
   line "subscribe".

   OR send a note to cipher-request@mailman.xmission.com with the
   subject line "subscribe" (this IS automated - thereafter you can
   manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER
   is available for Web browsing send e-mail to
   cipher-admin@ieee-security.org (which is NOT automated) with subject
   line "subscribe postcard".

   OR send a note to cipher-postcard-request@mailman.xmission.com with
   the subject line "subscribe" (this IS automated - thereafter you can
   manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to
cipher-admin@ieee-security.org with subject line "unsubscribe" or
"unsubscribe postcard" or, if you have subscribed directly to the
xmission.com mailing list, use your password (sent monthly) to
unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that
way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a
NEWSletter, not a bulletin board or forum.
It has a fixed set of departments, defined by the Table of Contents.
Please indicate in the subject line for which department your
contribution is intended. Calendar and Calls-for-Papers entries should
be sent to cipher-cfp @ ieee-security.org and they will be automatically
included in both departments. To facilitate the semi-automated handling,
please send either a text version of the CFP or a URL from which a text
version can be easily obtained. For Calendar entries, please include a
URL and/or e-mail address for the point-of-contact. For Calls for
Papers, please submit a one paragraph summary. See this and past issues
for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS
APPLY. All reuses of Cipher material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy,
publications using Cipher material should obtain permission from the
contributors.

____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security
and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy (or other TCs) by
completing the on-line form at IEEE at
https://www.computer.org/web/tandc/technical-committees

______________________________________________________________________
TC Conference Publications Online
______________________________________________________________________

The proceedings of previous conferences are available from the Computer
Society's Digital Library.
    IEEE Security and Privacy Symposium
    IEEE Computer Security Foundations
    IEEE European Security and Privacy Symposium

From 2012 onward, these are available without charge from the digital
library 12 months after the conference.

____________________________________________________________________________
TC Officers
____________________________________________________________________________

Chair:
    Brian Parno
    Associate Professor
    Carnegie Mellon University
    tcchair at ieee-security.org

Security and Privacy Symposium Chair Emeritus:
    Alvaro Cardenas
    Associate Professor
    University of California, Santa Cruz
    sp21-chair@ieee-security.org

Vice Chair:
    Gabriela Ciocarlie
    Elpha Secure
    tcchair at ieee-security.org

Treasurer:
    Yong Guan
    Professor
    Department of Electrical and Computer Engineering
    Iowa State University, Ames, IA 50011
    treasurer@ieee-security.org

Newsletter Editor:
    Hilarie Orman
    Purple Streak, Inc.
    500 S. Maple Dr.
    Woodland Hills, UT 84653
    cipher-editor@ieee-security.org

Security and Privacy Symposium, 2022 Chair:
    Rakesh Bobba
    Associate Professor
    Oregon State University
    https://eecs.oregonstate.edu/people/bobba-rakesh
    sp22-chair@ieee-security.org

TC Awards Chair:
    Tegan Brennan
    Assistant Professor
    Stevens Institute of Technology
    tbrenna5 at stevens.edu

____________________________________________________________________________
BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year