Electronic CIPHER, Issue 164, December 4, 2021

============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 164                                      December 4, 2021

Hilarie Orman, Editor                    Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org        cipher-assoc-editor @ ieee-security.org

Sven Dietrich                            Yong Guan
Book Review Editor                       Calendar Editor
cipher-bookrev @ ieee-security.org       cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year

Contents:

 * Letter from the Editor
 * Commentary and Opinion and News
   o Sven Dietrich's review of "Introduction to Privacy Enhancing
     Technologies: A Classification-Based Approach to Understanding PETs"
     by Carlisle Adams
   o News Items:
     - Dept of Commerce Dips Toe in Data Privacy for Foreign Apps
     - Evil Journalist Discovers How to Decode Top Secret Base64 Algorithm
     - FBI Email Server Hacked, But No Worries
     - Azure Gives Database Users the Blues
   o Book reviews, Conference Reports and Commentary and News items from
     past Cipher issues are available at the Cipher website
 * List of Computer Security Academic Positions, by Cynthia Irvine
 * Conference and Workshop Announcements
   o Upcoming calls-for-papers and events
 * Staying in Touch
   o Information for subscribers and contributors
   o Recent address changes
 * Links for the IEEE Computer Society TC on Security and Privacy
   o Becoming a member of the TC
   o TC Officers
   o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

We note that Thursday Dec. 2 was the last date for submitting papers for
Security and Privacy 2022. The conference will be held May 22-26, and
Euro S&P will be held June 6-10 with Genoa, Italy as the host city. More
and more security conferences, and indeed, events of all kinds, are
"going hybrid" with in-person and remote participation options. The
picture for spring events is not clear yet, vaccinations and boosters
notwithstanding, but opportunities for publication are plentiful.

Quantum computation seems to garner more and more attention. If hope were
progress, then we would have quantum computation at our fingertips.
Meanwhile, classical computation shows itself to be no laggard, and
supercomputers (40M+ cores!) will continue to hold quantum at bay for at
least the near-term future.

Given the constant stream of reports of hacks that reveal and steal
personal information and the incessant consolidation of personal
information garnered from social media and ecommerce sites, why is it
that we assume that we have any privacy at all? Surely everything useful
about everyone in the US and Europe has been gleaned by now. What is left
to protect, I wonder?

Streaming from the Woods on a Snowy Evening

Whose woods are these, I think I know,
His house is on my map app now.
He will not mind me stopping here,
To capture snow with video.

My iPad app must think it queer
To stop without a network near
Between the woods and frozen lake
The wifi weak on chilly gear.

The cellphone hums and starts to shake,
To ask if there is some mistake.
The only other sound's the beep
Of app alerts and one snowflake.

The woods are lovely, dark and deep,
But I have messages aheap,
Gigabytes to read before I sleep,
Gigabytes to read before I sleep.
(Heartfelt apologies to Robert Frost)

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/BookReviews.html, and conference
reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Sven Dietrich
December 5, 2021
____________________________________________________________________

Introduction to Privacy Enhancing Technologies:
A Classification-Based Approach to Understanding PETs
by Carlisle Adams
Springer Verlag, November 2021.
ISBN 978-3-030-81042-9; ISBN 978-3-030-81043-6 (eBook)

Privacy is on many citizens' minds in this pandemic world. Talk of
(pandemic) contact tracing may cause shivers to run down our spines as
our social network accounts, location data, movement profile, shopping
habits, call patterns, and surfing behavior are revealed to government
and non-government entities. Many of us cherish our privacy: the idea of
being "unbehelligt" in German (roughly "unbothered" or "left alone" in
English) seems appealing to some. Today's data correlation and fusion
abilities can quickly deanonymize vague references to individuals,
something that seemed highly unlikely just a few years ago. Collected
data from viewed ads might reconstruct much information about a
(fictitious) person browsing the web from apartment 2G at 314 West 72nd
St on the Upper West Side in Manhattan. Many people are woefully
unconcerned and trade their privacy for free services on this big thing
called the Internet and also elsewhere. There are privacy tools available
to us, and it is important to apply and deploy them adequately to
maximize their benefit.

Carlisle Adams talks about those tools in his new graduate-level textbook
"Introduction to Privacy Enhancing Technologies". It covers the
introductory material, and the end of each chapter offers solid research
paper references as well as thought-provoking questions to spark
discussion, either for the reader alone or for an entire class. Many
sidebars provide more in-depth knowledge about related topics for each
chapter. The book is divided into twelve chapters: the first ten chapters
cover the core parts of the book, whereas the last two chapters, clearly
delimited, cover cryptography basics and provide a compiled bibliography
with all the references used in the book. It is a solid book with
technical foundations and proper real-world context.

The first chapter, "The Privacy Minefield", sets the initial stage for
the book and elaborates on the privacy problems. It introduces our
beloved characters Alice and Bob in the privacy context, and shows why
privacy matters in modern society.

The second chapter, "A Collection of Tools: The Privacy Tree", covers
four decades of privacy enhancing technologies (aka PETs) in this
classification-based approach, as befits the subtitle of the book, "A
Classification-Based Approach to Understanding PETs." The author builds
on his own approach of the "privacy tree" while melding in previous
taxonomies from that time period. Here the author lays out the
foundations of his classification, which are then covered in the
following six chapters.

"Limiting Exposure by Hiding the Identity" is the title of the third
chapter, which summarizes the early approaches such as Chaumian
networks, "Mix Networks," anonymous remailers, and last but not least
onion routing and Tor. Here the reader learns about this perspective for
protecting the privacy of the online user.

The fourth chapter summarizes "Limiting Exposure by Hiding the Action" by
discussing tools such as TLS, IPsec, and Private Information Retrieval.
TLS and IPsec will be familiar to many users from common usage of secure connections to websites or VPNs, very much common practice these days. Moving forward to "Limiting Exposure by Hiding the Identity-Action Pair" in chapter five, the reader sees another form of network layer security, still IPsec but in a different mode, and a tool perhaps known from certain aspects of investigative journalism, OTR or Off-The-Record. Here the separation of Identity and Action is at play, a different view of the previous two chapters. Switching from exposure concerns to disclosure concerns, the author proceeds to talk about "Limiting Disclosure by Hiding the Identity." The reader is taught about improving privacy by hiding in a group via "k-anonymity" and about "digital credentials." Continuing on the disclosure track, the next chapter, chapter seven, "Limiting Disclosure by Hiding the Attribute" delves into differential privacy, database privacy, garbled circuits, and multi-party computation. Chapter eight, "Limiting Disclosure by Hiding the Identity-Attribute Pair" goes on to elaborate on Hippocratic Databases (what an apropos name, mind you, given the current state of the world), the privacy preferences project (P3P) with its Privacy Bird browser plugin (which almost gave one of my colleagues a heart attack while browsing the web due to its bone-chilling "warning call" many years ago), and other architectures for privacy enforcement. The parts become the whole in the next chapter which presents a practical viewpoint for the above-mentioned technologies in "Using the Privacy Tree in Practice". It provides, among other things, insight for security technologies on the legal side as well as software-defined networking and machine learning. Chapter ten, "The Path Forward", motivates further reflection on the variety of privacy enhancing approaches in the previous nine chapters. It allows the reader to make decisions in the privacy game of "Hide-and-seek." 
Chapter eleven is the "Cryptography Primer" mentioned above. Many readers
won't need it, but it provides an on-demand reference for the
cryptography terminology and concepts used throughout the book. Chapter
twelve is the complete set of references, compiled from what was given at
the end of each chapter, as a single source for the researcher, graduate
student, practitioner, or the super-curious readers wanting to know more.

Carlisle Adams has written a nice textbook to be used for a graduate
privacy course, a supplement for a computer security course, or a
self-learning guide on privacy, covering most of the desired, relevant
topics. It was a fun book to read, with quite a few detours down memory
lane for me, having learned about many of these techniques as they were
published over the years. The book will be yet another addition to my
new bookshelf, which is still under pandemic construction.

---------------------------------------------------------------------
Sven Dietrich reviews technology and security books for IEEE Cipher. He
welcomes your thoughts at spock at ieee dot org

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html

----------
Dept of Commerce Dips Toe in Data Privacy for Foreign Apps

U.S. agency submits initial recommendations on app data security to
White House
https://www.reuters.com/technology/us-agency-submits-initial-recommendations-app-data-security-white-house-2021-10-12/
Publisher: Reuters
Date: October 12, 2021
By: David Shepardson

Summary:
Aiming to address worries that popular apps like TikTok and WeChat could
harvest personal information of US citizens for nefarious uses in China,
the Department of Commerce issued recommendations aimed at protecting
such data without a full-out ban on foreign apps. The previous
administration had tried to ban TikTok and WeChat from online app stores.

-----------
Evil Journalist Discovers How to Decode Top Secret Base64 Algorithm

Missouri gov. calls journalist who found security flaw a "hacker,"
threatens to sue
https://arstechnica.com/tech-policy/2021/10/missouri-gov-calls-journalist-who-found-security-flaw-a-hacker-threatens-to-sue/
Publisher: Ars Technica
Date: 10/14/2021
By: Jon Brodkin

Summary:
Somehow the governor of Missouri decided that base64 encoding, which any
browser's view-source can reverse without a key, is an encryption
method, and that led him to threaten legal action against the press for
finding that his state had exposed private information of the state's
teachers. The journalist who was behind this dastardly decoding of 3
SSNs on a state website had immediately reported the problem to the
state. Of course, the state then had to do the embarrassing thing of
telling the teachers that their private information had been exposed.
The governor decided that the best apology is a broadside, so he
condemned all parties involved in helping the state recognize a serious
problem. Surprisingly, Cybersecurity Guide
(https://cybersecurityguide.org/states/missouri) notes that Missouri has
a "wealth of cybersecurity educational opportunities" and that Missouri
University of Science and Technology is "recognized by the NSA for ...
excellence".

-----
Missouri follow-up: Nov. 10, 2021, State of Missouri statement re
"Vulnerability Incident" admits some culpability re mishandling private
information.
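The lesson of the Missouri item is that base64 is an encoding, not a cipher: anything a page "hides" that way is readable by whoever receives the page. The scanner below is an added example written for this newsletter, not code from Ars Technica or from the state site; it runs over a constructed HTML snippet in which an invented placeholder SSN has been base64-encoded into an attribute, the same mistake the story describes, and flags any base64 token that decodes to an SSN-shaped string. The token regex, the minimum token length and the SSN pattern are assumptions chosen for the example; a real audit of a site's served HTML would widen the pattern set.

```python
import base64
import binascii
import re

# Constructed sample page (NOT the real Missouri site): an educator record
# whose SSN is "hidden" in a data attribute as base64, plus a harmless
# base64 cache-buster so the scanner has something it must not flag.
# 123-45-6789 is an invented placeholder, not a real SSN.
SAMPLE_HTML = (
    '<div class="educator" data-id="4711">\n'
    '  <span class="name">Jane Doe</span>\n'
    '  <span class="ssn" data-enc="'
    + base64.b64encode(b"123-45-6789").decode() + '"></span>\n'
    '  <script src="/static/app.min.js?v='
    + base64.b64encode(b"ABCDEFGHIJKLMNOP").decode() + '"></script>\n'
    '</div>\n'
)

# Candidate tokens: a run of at least 12 base64-alphabet characters with
# optional '=' padding (assumed threshold; shorter runs are mostly words).
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")

# Decoded payloads worth flagging. Only SSN here; extend for the PII you care about.
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def try_decode(token: str):
    """Return the decoded text if `token` is strict base64 of printable UTF-8, else None.

    validate=True rejects any character outside the base64 alphabet and bad
    padding, so ordinary words and URLs fall through as None.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def find_encoded_pii(html: str):
    """Scan served HTML for base64 tokens whose decoded form matches a PII pattern.

    Returns a list of (kind, token, decoded) tuples so a reviewer can see both
    what was on the wire and what it trivially reverses to.
    """
    findings = []
    for match in B64_TOKEN.finditer(html):
        token = match.group(0)
        decoded = try_decode(token)
        if decoded is None:
            continue
        for kind, pattern in PII_PATTERNS.items():
            if pattern.search(decoded):
                findings.append((kind, token, decoded))
    return findings


if __name__ == "__main__":
    for kind, token, decoded in find_encoded_pii(SAMPLE_HTML):
        print(f"{kind}: {token!r} decodes to {decoded!r} (no key needed)")
```

Run it and the SSN attribute is reported while the base64 cache-buster is not; the point is that the decode step needs nothing but the page itself. Fixing the underlying problem means not sending the value to the browser at all, not swapping base64 for a different encoding.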
https://dese.mo.gov/communications/news-releases/State%20of%20Missouri%20Offers%20Credit%20and%20Identity%20Theft%20Monitoring%20to%20Educators%20after%20Data%20Vulnerability%20Incident

-----------------
FBI Email Server Hacked, But No Worries

FBI Says No Network Data Compromised After Fake Email Incident
https://www.bloomberg.com/news/articles/2021-11-14/fbi-says-no-network-data-compromised-after-fake-email-incident
Publisher: Bloomberg News
Date: November 14, 2021
By: Belinda Cao

Summary:
A fake email emanating from an FBI server caused some worry about the
integrity of the agency's infrastructure on November 13, but by the next
day the problem was explained away. The server was dedicated to
forwarding FBI notifications to state and local law enforcement, and its
configuration was quickly changed to eliminate the misuse.

--------------------
Azure Gives Database Users the Blues

ChaosDB: How we hacked thousands of Azure customers' databases
https://www.wiz.io/blog/chaosdb-how-we-hacked-thousands-of-azure-customers-databases
Publisher: Wiz
Date: August 26, 2021
By: Nir Ohfeld and Sagi Tzadik

and

ChaosDB: Infosec bods could pull anyone's plaintext Azure Cosmos DB keys
at will from Microsoft admin tools, and they had a wildcard cert too.
Still feeling secure?
https://www.theregister.com/2021/11/12/chaos_db_wiz_azure_cosmos_research_pwnage/
Publisher: The Register
Date: 12 Nov 2021
By: Gareth Corfield

Summary:
Microsoft's Azure cloud service features a database service named Cosmos
DB. Many Fortune 500 companies, and others, use this tool for large-scale
data management tasks that underlie their critical operations. So a bug
that hands out the primary keys of other customers' Cosmos DB accounts
would be a Big Deal. But would Microsoft leave a gaping security hole
like that in a flagship product? That's really unlikely. But that did
happen when Microsoft added a tool for Cosmos users that included an
open-source web app for sharing live code (Jupyter Notebook). That app
ran C# code as root. This was an astronomically large attack surface that
was discovered by security researchers. They described the details
recently at Black Hat Europe. Microsoft's security team closed the hole
in 48 hours after being notified.

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

http://cisr.nps.edu/jobscipher.html

--------------
This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like to
have it included on this page, send the following information:
Institution, City, State, Position title, date position announcement
closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Conference and Workshop Announcements
====================================================================

The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Cipher calendar entries are announced on Twitter; follow ciphernews

Requests for inclusion in the list should be sent per instructions:
http://www.ieee-security.org/Calendar/submitting.html

We regret that our usual summary of upcoming events is not available this
month, but the list is available online, as usual.

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two subscription types, each with two ways to sign up:

1. To receive the full ASCII CIPHER issues as e-mail, send e-mail to
   cipher-admin@ieee-security.org (which is NOT automated) with subject
   line "subscribe".
   OR send a note to cipher-request@mailman.xmission.com with the subject
   line "subscribe" (this IS automated - thereafter you can manage your
   subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is
   available for Web browsing, send e-mail to
   cipher-admin@ieee-security.org (which is NOT automated) with subject
   line "subscribe postcard".
   OR send a note to cipher-postcard-request@mailman.xmission.com with
   the subject line "subscribe" (this IS automated - thereafter you can
   manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to
cipher-admin@ieee-security.org with subject line "unsubscribe" or
"unsubscribe postcard" or, if you have subscribed directly to the
xmission.com mailing list, use your password (sent monthly) to
unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that
way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a
NEWSletter, not a bulletin board or forum. It has a fixed set of
departments, defined by the Table of Contents. Please indicate in the
subject line for which department your contribution is intended.
Calendar and Calls-for-Papers entries should be sent to cipher-cfp @
ieee-security.org and they will be automatically included in both
departments. To facilitate the semi-automated handling, please send
either a text version of the CFP or a URL from which a text version can
be easily obtained. For Calendar entries, please include a URL and/or
e-mail address for the point-of-contact.
For Calls for Papers, please submit a one paragraph summary. See this and
past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS
APPLY. All reuses of Cipher material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy,
publications using Cipher material should obtain permission from the
contributors.

____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security
and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy (or other TCs) by
completing the on-line form at IEEE at
https://www.computer.org/web/tandc/technical-committees

______________________________________________________________________
TC Conference Publications Online
______________________________________________________________________

The proceedings of previous conferences are available from the Computer
Society's Digital Library.

  IEEE Security and Privacy Symposium
  IEEE Computer Security Foundations
  IEEE European Security and Privacy Symposium

From 2012 onward, these are available without charge from the digital
library 12 months after the conference.

____________________________________________________________________________
TC Officers
____________________________________________________________________________

Chair:
  Brian Parno
  Associate Professor
  Carnegie Mellon University
  tcchair at ieee-security.org

Security and Privacy Symposium Chair Emeritus:
  Alvaro Cardenas
  Associate Professor
  University of California, Santa Cruz
  sp21-chair@ieee-security.org

Vice Chair:
  Gabriela Ciocarlie
  Elpha Secure
  tcchair at ieee-security.org

Treasurer:
  Yong Guan
  Professor
  Department of Electrical and Computer Engineering
  Iowa State University, Ames, IA 50011
  treasurer@ieee-security.org

Newsletter Editor:
  Hilarie Orman
  Purple Streak, Inc.
  500 S. Maple Dr.
  Woodland Hills, UT 84653
  cipher-editor@ieee-security.org

Security and Privacy Symposium, 2022 Chair:
  Rakesh Bobba
  Associate Professor
  Oregon State University
  https://eecs.oregonstate.edu/people/bobba-rakesh

TC Awards Chair:
  Tegan Brennan
  Assistant Professor
  Stevens Institute of Technology
  tbrenna5 at stevens.edu

____________________________________________________________________________
BACK ISSUES:

Cipher is archived at: http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year