============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 170
November 20, 2022

Hilarie Orman, Editor
cipher-editor @ ieee-security.org

Sven Dietrich, Assoc. Editor
cipher-assoc-editor @ ieee-security.org

Sven Dietrich, Book Review Editor
cipher-bookrev @ ieee-security.org

Yong Guan, Calendar Editor
cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year

Contents:

* Letter from the Editor
* Commentary and Opinion and News
    o News from the media
      - Stories About Election Software: Deniers Con a DA?
      - Exchange Becomes a Generator
      - Don't Worry, God is My Sysadmin
      - Repurposing Old Satellites for Fun and Broadcast
      - You Can Encrypt, but You Can't Hide: Tearing Off the Cryptocurrency Veil
      - IBM has hundreds of qubits, ho-hum, but Wait Until Next Year
    o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website
* List of Computer Security Academic Positions, by Cynthia Irvine
* Conference and Workshop Announcements
    o Upcoming calls-for-papers and events
* Staying in Touch
    o Information for subscribers and contributors
    o Recent address changes
* Links for the IEEE Computer Society TC on Security and Privacy
    o Becoming a member of the TC
    o TC Officers
    o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

We arrive at the holiday season with hope that all research papers are ready before conference deadlines, all grant proposals are
submitted in time, and everyone can enjoy festivities through the end of the year.

The TCSP's website home page (https://ieee-security.org/) has a new look from a new webmaster, Ivan Liang. He has retained the TCSP "brand" with the Trojan Horse images. These have a long history with TCSP, going back to a photo that Carl Landwehr took at an amusement park about 25 years ago.

Recent news articles indicate that online security has become increasingly complicated, yet we continue moving onward with new applications and new computing paradigms. Cryptocurrencies are an interesting example of the struggle between daring to be new and risking falling to attacks that are old. When the idea of sharing computer information over a communication network first surfaced, no one foresaw that money itself might become a computer science challenge, but here we are.

No cyber hack can stay

Cyber's first coin is Bit,
With chain of blocks well-fit.
The early values tower,
But only so an hour.
Then Bit subsides to junk,
The wallet's value sunk.
So bits must all decay,
No cyber hack can stay.

(with apologies to Robert Frost and the color gold)

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

------------------------------------------------------------------
Russians Target US State Websites

Russian-speaking hackers knock US state government websites offline
https://www.cnn.com/2022/10/05/politics/russian-hackers-state-government-websites/index.html
Publisher: CNN
Date: Wed October 5, 2022
By: Sean Lyngaas

Summary:
In the month preceding the US midterm elections, a few state government websites were temporarily disabled by hacks from a Russian hacktivist group.
Though the attacks did not seem directly related to the elections, they did interfere with access to information intended to help voters. Some states reported that they might have been targets of intended attacks that did not succeed in disabling access.

-------------------------------------------------------------------
Stories About Election Software: Deniers Con a DA?

Part 1: the Arrest

Head of Election Worker Management Company Arrested in Connection with Theft of Personal Data
https://da.lacounty.gov/media/news/head-election-worker-management-company-arrested-connection-theft-personal-data
Publisher: Los Angeles County District Attorney, Media Relations Division
Date: October 4, 2022

Summary:
The LA DA had the founder of a small software company in Michigan arrested. At issue was the software, used by LA County, for keeping track of election poll workers. Under the terms of the contract, the data had to be kept only on servers based in the US. LA County said it was shared with servers in China. The founder of the company was born in China.

------------------------------------------
Part 2: The Story Takes Wing

FBI, CISA Say Malicious Cyber Activity Unlikely to Disrupt Election
https://www.securityweek.com/fbi-cisa-say-malicious-cyber-activity-unlikely-disrupt-election
Publisher: SecurityWeek
Date: October 06, 2022
By: Eduard Kovacs

Summary:
This story reassures voters that although foreign actors were attempting to attack the periphery of election systems, they would not be able to disrupt actual voting or tabulating. The article mentions the arrest of the Michigan man and the suspected ties to China.

------------------------------------------
Part 3: You've Been Played

The strange twists and turns of an alleged election conspiracy
https://www.washingtonpost.com/politics/2022/10/26/strange-twists-turns-an-alleged-election-conspiracy/
Publisher: The Washington Post
Date: October 26, 2022, Updated November 10, 2022
Analysis by: Glenn Kessler

Summary:
The story gets murkier and murkier. The claims about sharing data with the Chinese government originated not from an investigation by LA County but from an organization called "True the Vote" based in Texas. They supplied the information that LA County used to issue an arrest warrant for a Michigan man. But were the claims true, and were they based on legally obtained information? Those questions were raised in federal court in Texas. The WP analyst says, "The outcome of this complex case may not be clear for some time. But it indicates how election deniers have begun to gain a foothold within the legal system to advance their claims."

-------------------------------------------------------------------
Exchange Becomes a Generator

Binance-linked blockchain hit by $570 million crypto hack
https://www.reuters.com/technology/hackers-steal-around-100-million-cryptocurrency-binance-linked-blockchain-2022-10-07/
Publisher: Reuters
Date: October 7, 2022
By: Elizabeth Howcroft

Summary:
As cryptocurrencies seek mainstream usage, the expansion seems to regularly run afoul of computer security issues. In this case, a blockchain meant to serve as a transfer hub between different applications turned into a firehose shooting out 2 million "illicit" coins for a larcenous user. Apparently the user got away with $100M before the activity was detected and stopped. In order to recover most of the coins, the BNB Chain had to ask its "validators" to back up and eliminate most of the coin transactions. The people behind the BNB "ecosystem" said they were implementing more checks to detect and stop the hack.
They also intend to expand their community of 44 validators.

The BNB Chain is said to be "linked to" the cryptocurrency exchange Binance. Binance recently declined to take over the battered and now collapsed rival FTX.

-------------------------------------------------------------------
Don't Worry, God is My Sysadmin

LDS Church discloses March computer breach affecting member data
https://www.heraldextra.com/news/faith/2022/oct/17/lds-church-discloses-march-computer-breach-affecting-member-data/
Publisher: Utah Daily Herald
Date: Oct 17, 2022
By: Genelle Pugmire

Summary:
The LDS church announced that it was working with US federal law enforcement authorities to investigate some kind of breach into its database of church members, employees, contractors, and "friends". Some kind of illicit access may have been gained by hacking an online account. No financial information was leaked by this. The church is asking for information from the public that might help the investigation.

-------------------------------------------------------------------
Repurposing Old Satellites for Fun and Broadcast

An old satellite was hacked to broadcast signals across North America
The demonstration reveals the vulnerability of decommissioned, but not dead, satellites.
https://www.freethink.com/space/decommissioned-satellite-hacking
Publisher: Freethink
Date: April 14, 2022
By: B. David Zarley

Summary:
A couple of years ago the US Air Force decided to see what hackers could do with a satellite that was no longer in use but still had accessible features for broadcast. They gave DEFCON hackers permission to try their skills out with the equipment. Reports this spring show that they were successful and were able to broadcast signals across a wide area of Canada and the northern US. Are these old satellites, which have little or nothing in the way of access control, a point of vulnerability for national security? Or an opportunity for open access broadcast of a new and democratic kind?

Earlier articles about this hack:

Researchers Used a Decommissioned Satellite to Broadcast Hacker TV
What happens when an old satellite is no longer in use but can still broadcast? Hacker shenanigans, that's what.
https://www.wired.com/story/satellite-hacking-anit-f1r-shadytel/

DEFCON hackers compete to hijack a satellite in orbit, Hacking satellites to "secure the final cyberfrontier."
https://www.freethink.com/technology/hacking-satellites

-------------------------------------------------------------------
You Can Encrypt, but You Can't Hide: Tearing Off the Cryptocurrency Veil

The Hunt for the Dark Web's Biggest Kingpin, Part 1: The Shadow
https://www.wired.com/story/alphabay-series-part-1-the-shadow/
The notorious Alpha02 oversaw millions of dollars a day in online narcotic sales. For cybercrime detectives, he was public enemy number one - and a total mystery.
By: Andy Greenberg
Date: Oct 25, 2022
Publisher: Wired

Summary:
Anonymity is a theoretical concept for computer science, but it is also something sought by the humans behind online entities. The science tells us that anonymity for cryptocurrency is based on statistical evidence, but how do you know that your data is below that statistically significant limit? And what about that email message you sent to an online forum 20 years ago? Surely it's long lost, no way it could be connected to you now? And besides, it would take an army of computer science PhDs to unravel those tiny online footprints, wouldn't it?

The real story of how some very persistent FBI agents wore away the anonymity of a skilled, online crime kingpin is fascinating reading. Wired magazine has been publishing it as an online weekly series, and it is captivating reading for real life crime junkies or doctoral researchers in security and privacy.

Andy Greenberg is a senior writer for WIRED, covering security, privacy, and information freedom.
This story is excerpted from Greenberg's forthcoming book Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency, available November 15, 2022, from Doubleday. Courtesy of Penguin Random House

-------------------------------------------------------------------
IBM has hundreds of qubits, ho-hum, but Wait Until Next Year

IBM launches its most powerful quantum computer with 433 qubits
https://www.reuters.com/technology/ibm-launches-its-most-powerful-quantum-computer-with-433-qubits-2022-11-09/
November 9, 2022
Reuters
By Jane Lanhee Lee

Summary:
IBM issued a brief press release noting that it had launched a new quantum computer with 433 qubits. This is 3 times as many qubits as their previous version which debuted last year. There will not be another version of this design as IBM expects that it will have a new, modular design next year, and that will scale to many thousands of qubits.

IBM has announced a plethora of wonderful features for the next generation chip (see https://research.ibm.com/blog/next-wave-quantum-centric-supercomputing ). One of the most interesting is the ability to run classical computing in between quantum operations. Presumably this enables a hybrid computation model that interleaves classical and quantum computing in some way that does not destroy the quantum state.

The future architectures for quantum computing are slowly taking shape, as if through a photon pair, darkly.

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

====================================================================
Listing of academic positions available
by Cynthia Irvine
====================================================================

http://cisr.nps.edu/jobscipher.html

--------------
This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Conference and Workshop Announcements
====================================================================

The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Cipher calendar entries are announced on Twitter; follow ciphernews

Requests for inclusion in the list should be sent per instructions: http://www.ieee-security.org/Calendar/submitting.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Calendar of Security and Privacy Related Events
maintained by Hilarie Orman and Yong Guan

Date (Month/Day/Year), Event, Locations, web page for more info.

IEEE Internet of Things Journal, Special Issue on Smart Blockchain for IoT Trust, Security and Privacy.
https://ieee-iotj.org/wp-content/uploads/2022/05/IEEEIoT-SmartBlockchain-TSP.pdf
Submission date: 15 November 2022

SSS 2022 24th International Symposium on Stabilization, Safety, and Security of Distributed Systems, Clermont-Ferrand, France, November 15-17, 2022,
https://sss2022.limos.fr/

ISPEC 2022 International Conference on Information Security Practice and Experience, Taipei, Taiwan, November 23-25, 2022,
https://ispec2022.ndhu.edu.tw/

USEC 2023 Usable Security and Privacy Symposium, Held in conjunction with NDSS 2023, San Diego, California, USA, February 27 - March 3, 2023,
https://www.usablesecurity.net/USEC/usec23/
Submission date: 18 November 2022

FHE 2023 2nd Annual FHE.org Conference on Fully Homomorphic Encryption, Co-located with Real World Crypto 2023, Tokyo, Japan, March 26, 2023,
https://fhe.org/conferences/conference-2023/home
Submission date: 19 November 2022

FSE 2023 29th Fast Software Encryption, Beijing, China, March 20-24, 2023,
https://fse.iacr.org/2023/
Submission dates: 1 March 2022, 1 June 2022, 1 September 2022, and 23 November 2022

PETS 2023 23rd Privacy Enhancing Technologies Symposium, Lausanne, Switzerland, Hybrid, July 10-14, 2023 (to be confirmed).
https://petsymposium.org/cfp23.php
Submission dates: 31 May 2022, 31 August 2022, 30 November 2022, 28 February, 2023

NordSec 2022 27th Nordic Conference on Secure IT Systems, Reykjavik, Iceland, November 30 - December 2, 2022,
https://nordsec2022.ru.is

APWG eCrime 2022 17th Symposium on Electronic Crime Research, Virtual, November 30 - Dec 2, 2022.
https://apwg.org/event/ecrime2022/

Elsevier Computers & Security, Special Issue on Benefits and Outlook of Program Analysis for Systems Security.
https://www.journals.elsevier.com/computers-and-security/forthcoming-special-issues/special-issue-on-benefits-and-outlook-of-program-analysis-for-systems-security?utm_campaign=STMJ_175559_CALLP_HYB&utm_medium=email&utm_acid=30314051&SIS_ID=&dgcid=STMJ_175559_CALLP_HYB&C
Submission date: 1 December 2022

SP 2023 44th IEEE Symposium on Security and Privacy, San Francisco, CA, USA, May 22-26, 2023,
https://www.ieee-security.org/TC/SP2023/cfpapers.html
Submission dates: 1 April 2022, 19 August 2022, and 2 December 2022

GNNet 2022 1st Graph Neural Networking Workshop, Co-located with ACM CoNEXT 2022, Rome, Italy, December 9, 2022,
https://conext-gnnet2022.hotcrp.com/

ASIACCS 2023 18th ACM ASIA Conference on Computer and Communications Security, Melbourne, Australia, July 10-14, 2023,
https://asiaccs2023.org/
Submission dates: 1 September 2022 and 15 December 2022

ACM Distributed Ledger Technologies: Research and Practice, Special Issue on Recent Advances of Blockchain Evolution: Architecture and Performance.
https://dl.acm.org/journal/dlt/calls-for-papers
Submission date: 15 December 2022

UbiSec 2022 2nd International Conference on Ubiquitous Security, Zhangjiajie, China, December 28-31, 2022,
http://ubisecurity.org/2022/

MetaCom 2023 International Conference on Metaverse Computing, Networking and Applications, Kyoto, Japan, June 26-28, 2023,
http://www.ieee-metacom.org/2023
Submission date: 30 December 2022

VehicleSec 2023 Inaugural Symposium on Vehicle Security and Privacy, Held in conjunction with the Network and Distributed System Security Symposium (NDSS 2023), San Diego, CA, USA, February 27, 2023.
https://www.ndss-symposium.org/ndss2023/cfp-vehiclesec/
Submission date: 3 January 2023

HOST 2023 16th IEEE International Symposium on Hardware Oriented Security and Trust, San Jose, CA, USA, May 1-4, 2023.
http://www.hostsymposium.org
Submission dates: 17 October 2022 and 16 January 2023

IFIP 11.9 DF 2023 19th Annual IFIP WG 11.9 International Conference on Digital Forensics, SRI International, Arlington, Virginia, USA, January 30-31, 2023,
http://www.ifip119.org

CSF 2023 36th IEEE Computer Security Foundations Symposium, Dubrovnik, Croatia, July 10-14, 2023,
https://csf2023.ieee-security.org
Submission dates: 13 May 2022, 30 September 2022, and 3 February 2023

USENIX Security 2023 32nd USENIX Security Symposium, Anaheim, CA, USA, August 9-11, 2023,
https://www.usenix.org/conference/usenixsecurity23/call-for-papers
Submission dates: 7 June 2022, 11 October 2022, and 7 February 2023

SaTML 2023 IEEE Conference on Secure and Trustworthy Machine Learning, Raleigh, North Carolina, USA, February 8-10, 2023,
https://satml.org

NDSS 2023 32nd Network and Distributed System Security Symposium, San Diego, California, USA, February 27 - March 3, 2023,
https://www.ndss-symposium.org/ndss2023-call-for-papers/

VehicleSec 2023 Inaugural Symposium on Vehicle Security and Privacy, Held in conjunction with the Network and Distributed System Security Symposium (NDSS 2023), San Diego, CA, USA, February 27, 2023.
https://www.ndss-symposium.org/ndss2023/cfp-vehiclesec/

USEC 2023 Usable Security and Privacy Symposium, Held in conjunction with NDSS 2023, San Diego, California, USA, February 27 - March 3, 2023,
https://www.usablesecurity.net/USEC/usec23/

PETS 2023 23rd Privacy Enhancing Technologies Symposium, Lausanne, Switzerland, Hybrid, July 10-14, 2023 (to be confirmed).
https://petsymposium.org/cfp23.php
Submission dates: 31 May 2022, 31 August 2022, 30 November 2022, 28 February, 2023

FSE 2023 29th Fast Software Encryption, Beijing, China, March 20-24, 2023,
https://fse.iacr.org/2023/

FHE 2023 2nd Annual FHE.org Conference on Fully Homomorphic Encryption, Co-located with Real World Crypto 2023, Tokyo, Japan, March 26, 2023,
https://fhe.org/conferences/conference-2023/home

CODASPY 2023 ACM Conference on Data and Application Security and Privacy, Charlotte, NC, USA, April 24-26, 2023,
http://www.codaspy.org/2023/

HOST 2023 16th IEEE International Symposium on Hardware Oriented Security and Trust, San Jose, CA, USA, May 1-4, 2023,
http://www.hostsymposium.org

SP 2023 44th IEEE Symposium on Security and Privacy, San Francisco, CA, USA, May 22-26, 2023,
https://www.ieee-security.org/TC/SP2023/cfpapers.html

MetaCom 2023 International Conference on Metaverse Computing, Networking and Applications, Kyoto, Japan, June 26-28, 2023,
http://www.ieee-metacom.org/2023

Euro S&P 2023 8th IEEE European Symposium on Security and Privacy, Delft, Netherlands, July 3-7, 2023,
https://eurosp2023.ieee-security.org/cfp.html

ASIACCS 2023 18th ACM ASIA Conference on Computer and Communications Security, Melbourne, Australia, July 10-14, 2023,
https://asiaccs2023.org/

PETS 2023 23rd Privacy Enhancing Technologies Symposium, Lausanne, Switzerland, Hybrid, July 10-14, 2023 (to be confirmed),
https://petsymposium.org/cfp23.php

CSF 2023 36th IEEE Computer Security Foundations Symposium, Dubrovnik, Croatia, July 10-14, 2023,
https://csf2023.ieee-security.org

USENIX Security 2023 32nd USENIX Security Symposium, Anaheim, CA, USA, August 9-11, 2023.
https://www.usenix.org/conference/usenixsecurity23/call-for-papers

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================
____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe". OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard". OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum.
It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.

____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy (or other TCs) by completing the on-line form at IEEE at https://www.computer.org/web/tandc/technical-committees

______________________________________________________________________
TC Conference Publications Online
______________________________________________________________________

The proceedings of previous conferences are available from the Computer Society's Digital Library.

IEEE Security and Privacy Symposium
IEEE Computer Security Foundations
IEEE European Security and Privacy Symposium

From 2012 onward, these are available without charge from the digital library 12 months after the conference.

____________________________________________________________________________
TC Officers
____________________________________________________________________________

Chair:
Brian Parno
Associate Professor
Carnegie Mellon University
tcchair at ieee-security.org

Security and Privacy Symposium Chair Emeritus:
Rakesh Bobba
Associate Professor
Oregon State University
https://eecs.oregonstate.edu/people/bobba-rakesh

Vice Chair:
Gabriela Ciocarlie
Elpha Secure
tcchair at ieee-security.org

Treasurer:
Yong Guan
Professor
Department of Electrical and Computer Engineering
Iowa State University, Ames, IA 50011
treasurer@ieee-security.org

Newsletter Editor:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

Security and Privacy Symposium, 2023 Chair:
Daniel Takabi
Associate Professor
Georgia State University
https://cas.gsu.edu/profile/daniel-takabi
sp23-chair@ieee-security.org

TC Awards Chair:
Tegan Brennan
Assistant Professor
Stevens Institute of Technology
tbrenna5 at stevens.edu

____________________________________________________________________________

BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year