Electronic CIPHER, Issue 168, August 5, 2022

============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 168                                        August 5, 2022

Hilarie Orman, Editor                      Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org          cipher-assoc-editor @ ieee-security.org

Sven Dietrich                              Yong Guan
Book Review Editor                         Calendar Editor
cipher-bookrev @ ieee-security.org         cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year

Contents:

* Letter from the Editor
* Commentary and Opinion and News
  o News items
    - Russia Aims to Protect Its Cyberspace with Domestic Software
    - Big Guns to Respond to Hacking?
    - If U Cn R This ...
    - Apple Core Rot
    - Spy vs. Spy
    - US TikTok Users Get the Oracle Treatment
    - Italian Spyware Enters the Fray
    - A Billion Here, A Billion There, Soon the Whole Earth
    - Singular, but Not So Super
  o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website
* List of Computer Security Academic Positions, by Cynthia Irvine
* Conference and Workshop Announcements
* Staying in Touch
  o Information for subscribers and contributors
  o Recent address changes
* Links for the IEEE Computer Society TC on Security and Privacy
  o Becoming a member of the TC
  o TC Officers
  o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

Recent reading has led us to recall earlier times when computers were few and the Internet was nascent.
In those times, there was excitement over the potential of this wondrous technology that had limitless possibilities. Today we are seeing the beginnings of quantum computing, and it might hold new wonders. Yet there are rumblings that such new forms of computing could be misused, and researchers are urged to consider how new machines might be regulated and controlled. We used to lament that "security" should have been taken more seriously when computing was new. Today, a gloomy view of the very nature of novel computing threatens to swamp scientific thinking. Quantum computing: Threat or Menace?

Somehow this pessimism is lost when it comes to personal electronics and the Internet of Things. As some of our news articles in this Cipher issue illustrate, mobile devices can be used against their owners, and building secure hardware, operating systems, and apps is an elusive art. Yet we see no computer apocalypse on the classical computing horizon. Somehow, visionaries of the future of computing need a framework that can naturally balance risks against benefits.

That being said, it is the summer conference season, and techie folk are traveling to meetings. COVID-19 seems to be a regular attendee, though, so be careful of crowded gatherings while enjoying the return of the social side of conferences.

    A virus in biology, evades our immunology.
    A virus cyberlogical, is highly diabolical.
    Vaccines and firewalls may not suffice,
    I fear I might well perish twice,
    Once in body,
    Once in device.
      Hilarie Orman
      cipher-editor @ ieee-security.org

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html

- Russia Aims to Protect Its Cyberspace with Domestic Software
  Putin promises to bolster Russia's IT security in face of cyber attacks
  https://www.reuters.com/world/europe/putin-warns-cyber-aggression-against-russia-promises-security-shakeup-2022-05-20/
  Publisher: Reuters
  Date: May 20, 2022
  Editing By: Kevin Liffeye

  Summary:
  Stung by a barrage of attacks against its state and private websites, Russia talked of relying on domestic software for protection. This shift seemed to be motivated by the refusal of Western software providers to deal with Russia at all, rather than the thought that Russians could write better software.

--------------------------------

- Big Guns to Respond to Hacking?
  Russia says West risks 'direct military clash' over cyber attacks
  https://www.reuters.com/world/europe/russia-says-west-risks-direct-military-clash-over-cyber-attacks-2022-06-09/
  Publisher: Reuters
  Date: June 9, 2022

  Summary:
  As more Russian websites were hacked to show pro-Ukrainian messages, Moscow accused the West of "militarizing" cyberspace and indicated that unspecified military responses could ensue.

----------------------------------------------------------------------------

- If U Cn R This ...
  'Tough to Forge' Digital Driver's Licenses Are - Yep - Easy to Forge
  Researchers found a litany of security flaws that allow simple, quick, and cheap forgeries in Australia.
  https://www.wired.com/story/digital-drivers-license-forgery-identity-theft/
  Publisher: Ars Technica
  Date: May 25, 2022
  By: Dan Goodin

  Summary:
  There were so many security mechanisms built into the Australian digital driver's license system that you'd think it would take a world-class expert to find a flaw, let alone an exploitable flaw. But the anti-forgery mechanism in the app depended on a 4-digit PIN (so convenient!) and nothing else. A little searching on the device (no need to jailbreak!) would cough up the key, and the user could alter any information.

----------------------------------------------------------------------------

- Apple Core Rot
  Researchers discover a new hardware vulnerability in the Apple M1 chip
  https://www.csail.mit.edu/news/researchers-discover-new-hardware-vulnerability-apple-m1-chip
  Publisher: MIT CSAIL
  Date: June 10, 2022
  By: Rachel Gordon

  Summary:
  Wouldn't it be nice if pointer errors, which are the root of so many exploitable software vulnerabilities, were impossible to exploit because the hardware prevented the access via the bad pointer? Of course it would, and the Apple M1 chip tries to do just that. But speculative execution undermines the pointer protection mechanism by allowing an attacker to guess the "pointer authentication code" and use it to bypass the protection. The hardware giveth and the hardware taketh away.

----------------------------------------------------------------------------

- Spy vs. Spy
  Ron Wyden says White House right to raise doubts about possible deal for contractor L3Harris to take over surveillance technology
  Key Democrat warns of major security risk if US firm acquires NSO hacking code
  https://www.theguardian.com/world/2022/jun/16/ron-wyden-democrat-nso-group-technology
  Publisher: The Guardian
  Date: 16 Jun 2022
  By: Stephanie Kirchgaessner

  Summary:
  US defense contractor L3Harris announced plans to acquire controversial surveillance technology by purchasing the Israeli firm NSO.
  Its tools have been used by governments around the world to track the activities of mobile device users through surreptitiously introduced software. Senator Ron Wyden noted the danger of relying on foreign hacking tools, saying "If the US plans on using foreign-made surveillance technology, it might as well bcc the country that produces it on every intercept." L3 and NSO apparently have "issues" yet to be resolved in the negotiations.

----------------------------------------------------------------------------

- US TikTok Users Get the Oracle Treatment
  TikTok moves US users' data to Oracle servers to address security concerns
  https://www.cnn.com/2022/06/17/tech/tiktok-user-data-oracle/index.html
  Publisher: CNN Business
  Date: June 17, 2022
  By: Brian Fung

  Summary:
  The social media video sharing company TikTok has Chinese ties, and that concerns the US Defense Department. Although the Trump administration failed in its efforts to ban the app, last year the Biden administration issued a more general order regulating software produced by "foreign adversaries." To comply, TikTok is moving the data for US users to Oracle servers based in the US, and Oracle will audit the servers to check for anomalous activity.

----------------------------------------------------------------------------

- Italian Spyware Enters the Fray
  Apple and Android phones hacked by Italian spyware, says Google
  Report claims Milan-based RCS Lab developed tools to spy on private messages and contacts of targeted devices
  https://www.theguardian.com/technology/2022/jun/23/apple-and-android-phones-hacked-by-italian-spyware-says-google
  Publisher: The Guardian
  Date: 23 Jun 2022

  Summary:
  The Alphabet company Google has reported on hacking tools that were used to spy on both Apple and Android smartphones in Italy and Kazakhstan. The Italian software firm RCS is at the center of the revelation, and it says that its software (named Hermit) complies with all applicable regulations.
  Google seemed upset that the software could be used on its Android operating system for mobile devices, and it has taken steps to secure the system against Hermit's means of entry.

----------------------------------------------------------------------------

- A Billion Here, A Billion There, Soon the Whole Earth
  Hacker claims to have obtained data on 1 billion Chinese citizens
  Personal information allegedly taken from Shanghai police database would be one of biggest data breaches in history
  https://www.theguardian.com/technology/2022/jul/04/hacker-claims-access-data-billion-chinese-citizens
  Publisher: The Guardian
  Date: July 4, 2022

  Summary:
  An anonymous hacker, "ChinaDan", last week posted an offer to sell more than 23 terabytes (TB) of data for 10 Bitcoin, equivalent to about $200,000. The leak was unverified at the time of the Guardian publication, but other sources have said that the police database was installed without enabling a password for remote access.

----------------------------------------------------------------------------

- Singular, but Not So Super
  Post-Quantum Encryption Contender Taken Out by Single-Core PC in One Hour
  https://arstechnica.com/information-technology/2022/08/sike-once-a-post-quantum-encryption-contender-is-koed-in-nist-smackdown/
  Publisher: Ars Technica
  Date: August 2, 2022

  Summary:
  One of the post-quantum algorithms selected for consideration by the U.S. National Institute of Standards and Technology is the Supersingular Isogeny Key Encapsulation (SIKE) algorithm. Unfortunately, the algorithm turned out to be pre-quantum unsafe. KU Leuven researchers used a single classical computer to break it in only one hour using a previously known attack. How had this escaped notice in prior vetting allegedly done by NSA?
====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/BookReviews.html,
and conference reports are archived at
http://www.ieee-security.org/Cipher/ConfReports.html

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

http://cisr.nps.edu/jobscipher.html

--------------
This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Conference and Workshop Announcements
====================================================================

The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Cipher calendar entries are announced on Twitter; follow ciphernews

Requests for inclusion in the list should be sent per instructions:
http://www.ieee-security.org/Calendar/submitting.html

WPES 2022 21st Workshop on Privacy in the Electronic Society, Held in conjunction with ACM CCS 2022, Los Angeles, CA, USA, November 7, 2022.
https://arc.encs.concordia.ca/wpes22/cfp.html
Submission date: 1 August 2022

SSS 2022 24th International Symposium on Stabilization, Safety, and Security of Distributed Systems, Clermont-Ferrand, France, November 15-17, 2022.
https://sss2022.limos.fr/
Submission dates: 15 April 2022 and 5 August 2022

CNS-CRW 2022 IEEE Conference on Communications and Network Security - Cyber Resilience Workshop, Austin, TX, USA, Hybrid, September 26-28, 2022.
https://cns2022.ieee-cns.org/cyber-resilience-workshop
Submission date: 7 August 2022

CSET 2022 15th Cyber Security Experimentation and Test Workshop, Preceding USENIX Security Symposium 2022, Virtual, August 8, 2022.
https://cset22.isi.edu/

USENIX-Security 2022 31st USENIX Security Symposium, Boston, MA, USA, August 10-12, 2022.
https://www.usenix.org/conference/usenixsecurity22/call-for-papers

SP 2023 44th IEEE Symposium on Security and Privacy, San Francisco, CA, USA, May 22-26, 2023.
https://www.ieee-security.org/TC/SP2023/cfpapers.html
Submission dates: 1 April 2022, 19 August 2022, and 2 December 2022

NordSec 2022 27th Nordic Conference on Secure IT Systems, Reykjavik, Iceland, November 30 - December 2, 2022.
https://nordsec2022.ru.is
Submission date: 22 August 2022

SIGCOMM 2022, Amsterdam, The Netherlands, August 22-26, 2022.
https://conferences.sigcomm.org/sigcomm/2022/

CUING 2022 International Workshop on Criminal Use of Information Hiding, Held in conjunction with the 17th International Conference on Availability, Reliability and Security (ARES 2022), Vienna, Austria, August 23-26, 2022.
https://www.ares-conference.eu/workshops/cuing-2022/

PETS 2023 23rd Privacy Enhancing Technologies Symposium, Lausanne, Switzerland, Hybrid, July 10-14, 2023 (to be confirmed).
https://petsymposium.org/cfp23.php
Submission dates: 31 May 2022, 31 August 2022, 30 November 2022, 28 February 2023

ASIACCS 2023 18th ACM ASIA Conference on Computer and Communications Security, Melbourne, Australia, July 10-14, 2023.
https://asiaccs2023.org/
Submission dates: 1 September 2022 and 15 December 2022

SCN 2022 13th Conference on Security and Cryptography for Networks, Amalfi, Italy, September 12-14, 2022.
https://scn.unisa.it/

SEED 2022 IEEE International Symposium on Secure and Private Execution Environment Design, Virtual, September 26-27, 2022.
https://seed22.engr.uconn.edu

CNS 2022 IEEE Conference on Communications and Network Security, Austin, TX, USA, Hybrid, September 26-28, 2022.
https://cns2022.ieee-cns.org

CNS-CRW 2022 IEEE Conference on Communications and Network Security - Cyber Resilience Workshop, Austin, TX, USA, Hybrid, September 26-28, 2022.
https://cns2022.ieee-cns.org/cyber-resilience-workshop

ISC2 2022 8th IEEE International Smart Cities Conference, Paphos, Cyprus, September 26-29, 2022.
https://attend.ieee.org/isc2-2022/call-for-papers/

USENIX Security 2023 32nd USENIX Security Symposium, Anaheim, CA, USA, August 9-11, 2023.
https://www.usenix.org/conference/usenixsecurity23/call-for-papers
Submission dates: 7 June 2022, 11 October 2022, and 7 February 2023

SecureComm 2022 18th EAI International Conference on Security and Privacy in Communication Networks, Kansas City, USA, October 17-19, 2022.
https://securecomm.eai-conferences.org/2022/

ACM CCS 2022, Los Angeles, U.S.A, November 7-11, 2022.
https://sigsac.org/ccs/CCS2022/call-for-papers.html

WPES 2022 21st Workshop on Privacy in the Electronic Society, Held in conjunction with ACM CCS 2022, Los Angeles, CA, USA, November 7, 2022.
https://arc.encs.concordia.ca/wpes22/cfp.html

ASHES 2022 6th Workshop on Attacks and Solutions in Hardware Security, Held in conjunction with ACM CCS 2022, Los Angeles, CA, USA, November 11, 2022.
http://ashesworkshop.org

SSS 2022 24th International Symposium on Stabilization, Safety, and Security of Distributed Systems, Clermont-Ferrand, France, November 15-17, 2022.
https://sss2022.limos.fr/

ISPEC 2022 International Conference on Information Security Practice and Experience, Taipei, Taiwan, November 23-25, 2022.
https://ispec2022.ndhu.edu.tw/

PETS 2023 23rd Privacy Enhancing Technologies Symposium, Lausanne, Switzerland, Hybrid, July 10-14, 2023 (to be confirmed).
https://petsymposium.org/cfp23.php
Submission dates: 31 May 2022, 31 August 2022, 30 November 2022, 28 February 2023

NordSec 2022 27th Nordic Conference on Secure IT Systems, Reykjavik, Iceland, November 30 - December 2, 2022.
https://nordsec2022.ru.is

Elsevier Computers & Security, Special Issue on Benefits and Outlook of Program Analysis for Systems Security.
https://www.journals.elsevier.com/computers-and-security/forthcoming-special-issues/special-issue-on-benefits-and-outlook-of-program-analysis-for-systems-security?utm_campaign=STMJ_175559_CALLP_HYB&utm_medium=email&utm_acid=30314051&SIS_ID=&dgcid=STMJ_175559_CALLP_HYB&C
Submission date: 1 December 2022

SP 2023 44th IEEE Symposium on Security and Privacy, San Francisco, CA, USA, May 22-26, 2023.
https://www.ieee-security.org/TC/SP2023/cfpapers.html
Submission dates: 1 April 2022, 19 August 2022, and 2 December 2022

ASIACCS 2023 18th ACM ASIA Conference on Computer and Communications Security, Melbourne, Australia, July 10-14, 2023.
https://asiaccs2023.org/
Submission dates: 1 September 2022 and 15 December 2022

USENIX Security 2023 32nd USENIX Security Symposium, Anaheim, CA, USA, August 9-11, 2023.
https://www.usenix.org/conference/usenixsecurity23/call-for-papers
Submission dates: 7 June 2022, 11 October 2022, and 7 February 2023

NDSS 2023 32nd Network and Distributed System Security Symposium, San Diego, California, USA, February 27 - March 3, 2023.
https://www.ndss-symposium.org/ndss2023-call-for-papers/

PETS 2023 23rd Privacy Enhancing Technologies Symposium, Lausanne, Switzerland, Hybrid, July 10-14, 2023 (to be confirmed).
https://petsymposium.org/cfp23.php
Submission dates: 31 May 2022, 31 August 2022, 30 November 2022, 28 February 2023

SP 2023 44th IEEE Symposium on Security and Privacy, San Francisco, CA, USA, May 22-26, 2023.
https://www.ieee-security.org/TC/SP2023/cfpapers.html

ASIACCS 2023 18th ACM ASIA Conference on Computer and Communications Security, Melbourne, Australia, July 10-14, 2023.
https://asiaccs2023.org/

PETS 2023 23rd Privacy Enhancing Technologies Symposium, Lausanne, Switzerland, Hybrid, July 10-14, 2023 (to be confirmed).
https://petsymposium.org/cfp23.php

USENIX Security 2023 32nd USENIX Security Symposium, Anaheim, CA, USA, August 9-11, 2023.
https://www.usenix.org/conference/usenixsecurity23/call-for-papers

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe".

   OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".
   OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL
http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended.

Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy (or other TCs) by completing the on-line form at IEEE at
https://www.computer.org/web/tandc/technical-committees

______________________________________________________________________
TC Conference Publications Online
______________________________________________________________________

The proceedings of previous conferences are available from the Computer Society's Digital Library.

IEEE Security and Privacy Symposium
IEEE Computer Security Foundations
IEEE European Security and Privacy Symposium

From 2012 onward, these are available without charge from the digital library 12 months after the conference.

____________________________________________________________________________
TC Officers
____________________________________________________________________________

Chair:
  Brian Parno
  Associate Professor
  Carnegie Mellon University
  tcchair at ieee-security.org

Security and Privacy Symposium Chair Emeritus:
  Rakesh Bobba
  Associate Professor
  Oregon State University
  https://eecs.oregonstate.edu/people/bobba-rakesh

Vice Chair:
  Gabriela Ciocarlie
  Elpha Secure
  tcchair at ieee-security.org

Treasurer:
  Yong Guan
  Professor
  Department of Electrical and Computer Engineering
  Iowa State University, Ames, IA 50011
  treasurer@ieee-security.org

Newsletter Editor:
  Hilarie Orman
  Purple Streak, Inc.
  500 S. Maple Dr.
  Woodland Hills, UT 84653
  cipher-editor@ieee-security.org

Security and Privacy Symposium, 2023 Chair:
  Daniel Takabi
  Associate Professor
  Georgia State University
  https://cas.gsu.edu/profile/daniel-takabi
  sp23-chair@ieee-security.org

TC Awards Chair:
  Tegan Brennan
  Assistant Professor
  Stevens Institute of Technology
  tbrenna5 at stevens.edu

____________________________________________________________________________
BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year