Electronic CIPHER, Issue 173, June 3, 2023

============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 173, June 3, 2023

Hilarie Orman, Editor: cipher-editor @ ieee-security.org
Sven Dietrich, Assoc. Editor: cipher-assoc-editor @ ieee-security.org
Sven Dietrich, Book Review Editor: cipher-bookrev @ ieee-security.org
Yong Guan, Calendar Editor: cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year

Contents:

 * Letter from the Editor
 * Commentary and Opinion and News
     o News from the Media
         - Canaries Ignored, Solar Winds Blew Through DOJ
         - Some DarkWeb Goes Light
         - SubMicron
         - The USA's Incredibly Hackable Infrastructure
         - AI Swears it is Truthful
     o Book reviews, Conference Reports and Commentary and News items
       from past Cipher issues are available at the Cipher website
 * List of Computer Security Academic Positions, by Cynthia Irvine
 * Conference and Workshop Announcements
 * Staying in Touch
     o Information for subscribers and contributors
     o Recent address changes
 * Links for the IEEE Computer Society TC on Security and Privacy
     o Becoming a member of the TC
     o TC Officers
     o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

The Security and Privacy Symposium was held in San Francisco, CA recently, and I was one of the small group of virtual attendees. In-person attendee numbers were back to pre-COVID levels, which surprised me because I found the virtual experience to be quite pleasant.
At the Technical Committee business meeting there was a lively discussion about how to support in-person attendance while minimizing the registration cost, which is about twenty times higher than 20 years ago when S&P was "Oakland". The conference will be in San Francisco again next year, but further years out are TBD. If you have input or interest on the subject of the location of future S&Ps, there is a discussion list sp-location @ lists.ieee-security.org. For other topics about S&P, contact the steering committee at sp-sc @ ieee-security.org.

As usual, the research papers covered a wide swath of topics from cryptographic attacks to machine learning privacy and onto IoT side channels. We live in an electronic ecosystem in which everything is connected to everything else, just like the ecosystem of living things. When those systems merge, as the AI pundits assure us they will, what will "security" mean?

Along the lines of AI, it seems that being as attack and defense in computer systems is an adversarial game, and being as the "moves" in the game are easily discernible from documents about network protocols and from open source software, I predict that machine learning will turn up the next generation of zero day attacks, as well as some interesting "pre-zero-day" defenses.

   And we shall play a game of chess,
   Opening all ports and waiting for a ping upon the wall.

(a tweaking of a tiny bit of T. S.
Eliot),

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

Canaries Ignored, Solar Winds Blew Through DOJ

The DOJ Detected the SolarWinds Hack 6 Months Earlier Than First Disclosed
In May 2020, the US Department of Justice noticed Russian hackers in its network but did not realize the significance of what it had found for six months.
Date: Apr 28, 2023
Publisher: Wired
URL: https://www.wired.com/story/solarwinds-hack-public-disclosure/
By: Kim Zetter

Summary:
Way back in 2021 the SolarWinds hack generated a lot of news (as mentioned in Cipher and many other places). This was a vulnerability introduced into several commercial software products via a corrupted library file. What was not revealed was that an opportunity to stop it had occurred months earlier when unusual network traffic was found to be emanating from a server using a new version of the Orion software from SolarWinds that was being evaluated by the US Department of Justice. Clearly there had been some exploit, but neither the DOJ nor the software vendor could see how it had come about. The security firm Mandiant was involved in the investigation, and their systems apparently became infected at about that time. Moreover, other companies saw the problems and suspected the Orion software. Still, no one was able to pin it down until December of 2020, whereupon the extent of infiltrations was realized.

Was the malware particularly clever, or did the investigators not get enough resources or cooperation to find it, or was the problem not taken seriously? We expect that the story will be told from several points of view, and some heads may roll.
===================================================================

Some DarkWeb Goes Light

Cops Just Revealed a Record-Breaking Dark Web Dragnet
Operation SpecTor likely drew on leads from multiple dark web market busts, including the secret takedown of Monopoly Market in 2021.
URL: https://www.wired.com/story/operation-spector-dark-web-busts/
Date: May 2, 2023
Publisher: Wired
By: Andy Greenberg

Summary:
Law enforcement has shown a propensity for undermining illicit Internet commerce, even when the bad guys try to hide behind an intricately woven veil of cryptocurrencies. In 2021 a darkweb commerce site, Monopoly Market, went offline without explanation. Today we know that German police had seized the servers and the data. The information gleaned from that exploit built the foundation for a much larger operation, called SpecTor, that was announced by the US Department of Justice head Garland Merrick. Several countries in Europe and South America participated in the operation and arrested a total of 288 people.

Despite this notable coup against it, illegal Internet commerce is not going to fall over dead. "There is a bit of a whack-a-mole problem here," Garland told reporters. "We’re whacking as hard as we can."

===================================================================

SubMicron

China fails Micron's products in security review, bars some purchases
Date: May 21, 2023
Publisher: Reuters
URL: https://www.reuters.com/technology/chinas-regulator-says-finds-serious-security-issues-us-micron-technologys-2023-05-21/

Summary:
Chinese regulators told the American chipmaker Micron that their products have "serious network security risks" that make them unsuitable for infrastructure use. The company would like to fix the problems, but as yet, they don't know what they are. The Chinese announcement might be a political response to the US intention to maintain more economic distance from China.
Micron does not derive much revenue from selling to Chinese infrastructure entities, so the ultimate impact may be small.

===================================================================

The USA's Incredibly Hackable Infrastructure

U.S. warns China could hack infrastructure, including pipelines, rail systems
Date: May 26, 2023
Publisher: Reuters
By: Raphael Satter, Zeba Siddiqui and James Pearson
URL: https://www.reuters.com/world/china/china-rejects-claim-it-is-spying-western-critical-infrastructure-2023-05-25/

Summary:
China may have been scoping out computer and network vulnerabilities in US infrastructure, according to analysts at Microsoft who found the evidence of the probing software.

"The U.S. intelligence community assesses that China almost certainly is capable of launching cyberattacks that could disrupt critical infrastructure services within the United States, including against oil and gas pipelines and rail systems," State Department spokesperson Matthew Miller said in a press briefing.

===================================================================

AI Swears it is Truthful

Lawyer apologizes for fake court citations from ChatGPT
Date: May 27, 2023
Publisher: CNN
By: Ramishah Maruf
URL: https://www.cnn.com/2023/05/27/business/chat-gpt-avianca-mata-lawyers/index.html

Summary:
A New York attorney used ChatGPT as research for a brief in an injury case. The brief cited several legal cases as background, but at least six of them turned out to be AI hallucinations. The lawyer had not used ChatGPT blindly; he asked it if the cases were real. ChatGPT assured him that they were. Unsurprisingly, they were not. The lawyer filed an affidavit stating that he "was unaware of the possibility that its [ChatGPT's] content could be false."

[Editor's remark: this article has little to do with security or privacy at the current time.]
====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

Posted April 2023
University of Iceland
Reykjavik, Iceland
Assistant Professor in Cyber Security
URL: https://euraxess.ec.europa.eu/jobs/97515
Closes May 12, 2023

--------------
http://cisr.nps.edu/jobscipher.html

This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Cipher calendar entries are announced on Twitter; follow ciphernews

Requests for inclusion in the list should be sent per instructions: http://www.ieee-security.org/Calendar/submitting.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

USENIX Security 2024
33rd USENIX Security Symposium, Philadelphia, PA, USA, August 14-16, 2024.
https://www.usenix.org/conference/usenixsecurity24
Submission date: 6 June 2023, 17 October 2023, and 8 February 2024

CNS 2023
11th annual IEEE Conference on Communications and Network Security, Orlando, FL, USA, October 2-5, 2023.
https://cns2023.ieee-cns.org/
Submission date: 12 June 2023

MarCaS 2023
1st IEEE LCN Workshop on Maritime Communication and Security, Held in conjunction with the 48th Annual IEEE Conference on Local Computer Networks (IEEE LCN 2023), Daytona Beach, Florida, USA, October 2-5, 2023.
https://garykessler.net/lcn_marcas/
Submission date: 14 June 2023

ICN 2023
10th ACM Conference on Information Centric Networking, Reykjavik, Iceland, October 8-10, 2023.
https://conferences.sigcomm.org/acm-icn/2023
Submission date: 19 June 2023

SecMT 2023
International Workshop on Security in Mobile Technologies, Held in conjunction with ACNS2023, Kyoto, Japan, June 19-22, 2023.
https://spritz.math.unipd.it/events/2023/ACNS_Workshop/index.html

SecSoft 2023
5th International Workshop on Cyber-Security Threats, Trust and Privacy Management in Software-defined and Virtualized Infrastructures, Co-located with IEEE NetSoft 2023, Madrid, Spain, June 23, 2023.
https://www.secsoft-workshop.org/

MetaCom 2023
International Conference on Metaverse Computing, Networking and Applications, Kyoto, Japan, June 26-28, 2023.
http://www.ieee-metacom.org/2023

NDSS 2024
Network and Distributed System Security Symposium, San Diego, California, USA, February 26 - March 1, 2024.
https://www.ndss-symposium.org/ndss2024/
Submission date: 19 Apr 2023 and 28 June 2023

CSCML 2023
7th International Symposium on Cyber Security Cryptography and Machine Learning, Virtually, Beer-Sheva, Israel, June 29-30, 2023.
https://www.cscml.org/cscml2023

Journal of Systems Architecture, Special Issue on Distributed Learning and Blockchain Enabled Infrastructures for Next Generation of Big Data Driven Cyber-Physical Systems.
https://www.sciencedirect.com/journal/journal-of-systems-architecture/about/call-for-papers#distributed-learning-and-blockchain-enabled-infrastructures-for-next-generation-of-big-data-driven-cyber-physical-systems
Submission date: 30 June 2023

UbiSec 2023
3rd International Conference on Ubiquitous Security, Exeter, UK, November 1-3, 2023.
https://hpcn.exeter.ac.uk/ubisec2023/
Submission date: 1 July 2023

TrustCom 2023
22nd IEEE International Conference on Trust, Security and Privacy in Computing and Communications, Exeter, UK, November 1-3, 2023.
https://hpcn.exeter.ac.uk/trustcom2023/
Submission date: 1 July 2023

Euro S&P 2023
8th IEEE European Symposium on Security and Privacy, Delft, Netherlands, July 3-7, 2023.
https://eurosp2023.ieee-security.org/cfp.html

WTMC 2023
8th International Workshop on Traffic Measurements for Cybersecurity, Co-located with 8th IEEE European Symposium on Security and Privacy (IEEE EuroS&P 2023), Delft, The Netherlands, July 7, 2023.
https://wtmc.info/

DFRWS 2023
23rd Annual Digital Forensics Research Conference, Baltimore, MD, USA, July 9-12, 2023.
https://dfrws.org/conferences/dfrws-usa-2023/

SECRYPT 2023
20th International Conference on Security and Cryptography, Rome, Italy, July 10-12, 2023.
https://secrypt.scitevents.org

ASIACCS 2023
18th ACM ASIA Conference on Computer and Communications Security, Melbourne, Australia, July 10-14, 2023.
https://asiaccs2023.org/

PETS 2023
23rd Privacy Enhancing Technologies Symposium, Lausanne, Switzerland, Hybrid, July 10-15, 2023.
https://petsymposium.org/cfp23.php

CSF 2023
36th IEEE Computer Security Foundations Symposium, Dubrovnik, Croatia, July 10-14, 2023.
https://csf2023.ieee-security.org

DIMVA 2023
20th Conference on Detection of Intrusions and Malware & Vulnerability Assessment, Hamburg, Germany, July 12-14, 2023.
https://dimva2023.de

ICISS 2023
19th International Conference on Information Systems Security, NIT Raipur, India, December 16-20, 2023.
https://iciss.isrdc.in
Submission date: 20 July 2023

SP 2024
45th IEEE Symposium on Security and Privacy, San Francisco, CA, USA, May 20-23, 2024.
https://sp2024.ieee-security.org/cfpapers.html
Submission date: 13 April 2023, 3 August 2023, and 6 December 2023

CSET 2023
16th Cyber Security Experimentation and Test (CSET) Workshop, Hybrid, Marina del Rey, CA, USA, August 7, 2023.
https://cset23.isi.edu/

USENIX Security 2023
32nd USENIX Security Symposium, Anaheim, CA, USA, August 9-11, 2023.
https://www.usenix.org/conference/usenixsecurity23/call-for-papers

NSS 2023
17th International Conference on Network and System Security, Canterbury, UK, August 14-16, 2023.
https://nss2023.cyber.kent.ac.uk/

ASIACCS 2024
19th ACM ASIA Conference on Computer and Communications Security, Singapore, July 1-5, 2024.
https://asiaccs2024.sutd.edu.sg/cfp/
Submission date: 21 August 2023 and 7 December 2023

CUING 2023
7th International Workshop on Criminal Use of Information Hiding, Held in conjunction with the 18th International Conference on Availability, Reliability and Security (ARES 2023), Benevento, Italy, August 29 - September 1, 2023.
https://www.ares-conference.eu/workshops/cuing-2023/

ENS 2023
5th International Workshop on Emerging Network Security, Held in conjunction with the 18th International Conference on Availability, Reliability and Security (ARES 2023), Benevento, Italy, August 29 - September 1, 2023.
https://www.ares-conference.eu/workshops-eu-symposium/ens-2023/

C&ESAR 2023
Cybersecurity of Smart Peripheral Devices (Mobiles / IoT / Edge), Rennes, France, November 21-22, 2023.
https://2023.cesar-conference.org
Submission date: 26 April 2023, 10 May 2023, and 30 August 2023

PETS 2024
24th Privacy Enhancing Technologies Symposium, Bristol, UK and Online, July 15-20, 2024 (to be confirmed).
https://petsymposium.org/cfp24.php
Submission date: 31 May 2023, 31 August 2023, 30 November 2023, and 28 February 2024

ESORICS 2023
28th European Symposium on Research in Computer Security, Hague, Netherlands, September 25-29, 2023.
https://esorics2023.org

CLPSC 2023
3rd Annual Cybersecurity Law and Policy Scholars Conference, Boston, MA, USA, September 29-30, 2023.
https://www.clpsc.org/

ICN 2023
10th ACM Conference on Information Centric Networking, Reykjavik, Iceland, October 8-10, 2023.
https://conferences.sigcomm.org/acm-icn/2023

RAID 2023
26th International Symposium on Research in Attacks, Intrusions and Defenses, Hong Kong, October 16-18, 2023.
https://raid2023.org/call.html

USENIX Security 2024
33rd USENIX Security Symposium, Philadelphia, PA, USA, August 14-16, 2024.
https://www.usenix.org/conference/usenixsecurity24
Submission date: 6 June 2023, 17 October 2023, and 8 February 2024

CNS 2023
11th annual IEEE Conference on Communications and Network Security, Orlando, FL, USA, October 2-5, 2023.
https://cns2023.ieee-cns.org/

MarCaS 2023
1st IEEE LCN Workshop on Maritime Communication and Security, Held in conjunction with the 48th Annual IEEE Conference on Local Computer Networks (IEEE LCN 2023), Daytona Beach, Florida, USA, October 2-5, 2023.
https://garykessler.net/lcn_marcas/

SecDev 2023
IEEE Secure Development Conference, Atlanta, GA, USA, October 18-20, 2023.
https://secdev.ieee.org/2023/home

UbiSec 2023
3rd International Conference on Ubiquitous Security, Exeter, UK, November 1-3, 2023.
https://hpcn.exeter.ac.uk/ubisec2023/

TrustCom 2023
22nd IEEE International Conference on Trust, Security and Privacy in Computing and Communications, Exeter, UK, November 1-3, 2023.
https://hpcn.exeter.ac.uk/trustcom2023/

TPS 2023
IEEE International Conference on Trust, Privacy and Security in Intelligent systems, and Applications, Atlanta, GA, USA, November 1-3, 2023.
http://www.sis.pitt.edu/lersais/conference/tps/2023/calls.html

C&ESAR 2023
Cybersecurity of Smart Peripheral Devices (Mobiles / IoT / Edge), Rennes, France, November 21-22, 2023.
https://2023.cesar-conference.org

CCS 2023
30th ACM Conference on Computer and Communications Security, Copenhagen, Denmark, November 26-30, 2023.
https://www.sigsac.org/ccs/CCS2023/index.html

PETS 2024
24th Privacy Enhancing Technologies Symposium, Bristol, UK and Online, July 15-20, 2024 (to be confirmed).
https://petsymposium.org/cfp24.php
Submission date: 31 May 2023, 31 August 2023, 30 November 2023, and 28 February 2024

SP 2024
45th IEEE Symposium on Security and Privacy, San Francisco, CA, USA, May 20-23, 2024.
https://sp2024.ieee-security.org/cfpapers.html
Submission date: 13 April 2023, 3 August 2023, and 6 December 2023

ASIACCS 2024
19th ACM ASIA Conference on Computer and Communications Security, Singapore, July 1-5, 2024.
https://asiaccs2024.sutd.edu.sg/cfp/
Submission date: 21 August 2023 and 7 December 2023

ACSAC 2023
Annual Computer Security Applications Conference, Austin, Texas, USA, December 4-8, 2023.
https://www.acsac.org/2023/submissions/papers/

ICISS 2023
19th International Conference on Information Systems Security, NIT Raipur, India, December 16-20, 2023.
https://iciss.isrdc.in

USENIX Security 2024
33rd USENIX Security Symposium, Philadelphia, PA, USA, August 14-16, 2024.
https://www.usenix.org/conference/usenixsecurity24
Submission date: 6 June 2023, 17 October 2023, and 8 February 2024

NDSS 2024
Network and Distributed System Security Symposium, San Diego, California, USA, February 26 - March 1, 2024.
https://www.ndss-symposium.org/ndss2024/

PETS 2024
24th Privacy Enhancing Technologies Symposium, Bristol, UK and Online, July 15-20, 2024 (to be confirmed).
https://petsymposium.org/cfp24.php
Submission date: 31 May 2023, 31 August 2023, 30 November 2023, and 28 February 2024

SP 2024
45th IEEE Symposium on Security and Privacy, San Francisco, CA, USA, May 20-23, 2024.
https://sp2024.ieee-security.org/cfpapers.html

ASIACCS 2024
19th ACM ASIA Conference on Computer and Communications Security, Singapore, July 1-5, 2024.
https://asiaccs2024.sutd.edu.sg/cfp/

PETS 2024
24th Privacy Enhancing Technologies Symposium, Bristol, UK and Online, July 15-20, 2024 (to be confirmed).
https://petsymposium.org/cfp24.php

USENIX Security 2024
33rd USENIX Security Symposium, Philadelphia, PA, USA, August 14-16, 2024.
https://www.usenix.org/conference/usenixsecurity24

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe".
   OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".
   OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy (or other TCs) by completing the on-line form at IEEE at https://www.computer.org/web/tandc/technical-committees

______________________________________________________________________
TC Conference Publications Online
______________________________________________________________________

The proceedings of previous conferences are available from the Computer Society's Digital Library.

   IEEE Security and Privacy Symposium
   IEEE Computer Security Foundations
   IEEE European Security and Privacy Symposium

From 2012 onward, these are available without charge from the digital library 12 months after the conference.

____________________________________________________________________________
TC Officers
____________________________________________________________________________

Chair:
Brian Parno
Associate Professor
Carnegie Mellon University
tcchair at ieee-security.org

Security and Privacy Symposium Chair Emeritus:
Rakesh Bobba
Associate Professor
Oregon State University
https://eecs.oregonstate.edu/people/bobba-rakesh

Vice Chair:
Gabriela Ciocarlie
Elpha Secure
tcchair at ieee-security.org

Treasurer:
Yong Guan
Professor
Department of Electrical and Computer Engineering
Iowa State University, Ames, IA 50011
treasurer@ieee-security.org

Newsletter Editor:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

Security and Privacy Symposium, 2023 Chair:
Daniel Takabi
Associate Professor
Georgia State University
https://cas.gsu.edu/profile/daniel-takabi
sp23-chair@ieee-security.org

TC Awards Chair:
Tegan Brennan
Assistant Professor
Stevens Institute of Technology
tbrenna5 at stevens.edu

____________________________________________________________________________

BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year