============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 176                                  December 5, 2023

Hilarie Orman, Editor                    Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org        cipher-assoc-editor @ ieee-security.org

Sven Dietrich, Book Review Editor        Yong Guan, Calendar Editor
cipher-bookrev @ ieee-security.org       cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year

Contents:

* Letter from the Editor
* Commentary and Opinion and News
  o News Items
    - One Call Is All It Takes
    - Your Cousins' Cousins, Revealed
    - Too Many Rules, Not Enough Experts?
    - Even Chinese Banks Get Hacked
    - Industrial Control Devices, Politics, and War
    - Cybersecurity, a Work in Progress at UK Nuclear Site
  o Book reviews, Conference Reports and Commentary and News items from
    past Cipher issues are available at the Cipher website
* List of Computer Security Academic Positions, by Cynthia Irvine
* Conference and Workshop Announcements
  o Upcoming calls-for-papers and events
* Staying in Touch
  o Information for subscribers and contributors
  o Recent address changes
* Links for the IEEE Computer Society TC on Security and Privacy
  o Becoming a member of the TC
  o TC Officers
  o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

Normally the sixth issue of Cipher in a given year is issued in
November, but sometimes we let Thanksgiving intrude on the schedule,
resulting in Cipher in December.
Next May the S&P Symposium and Workshops will be in San Francisco, but
not at the same hotel as in recent years. Instead, the event will be at
the Hilton in the Union Square area, which has a multitude of
restaurants and shopping. The last of the three deadlines for
submitting papers is December 6, so you may be reading this after the
deadline. In any case, try to attend the 45th instantiation of the
event, May 20-22, 2024.

Two news articles in this issue seemed to resonate on the theme of
graph connections. In one case, hackers use LinkedIn to identify
employees of MGM Resorts in order to initiate a ransomware attack. In
another, hackers used the relationships presented in Ancestry's DNA
matches to traverse the interrelated family trees of a large percentage
of the site's users. We should heed the warning "Connections Graphs
Considered Harmful" and treat such collations as regulated information
with strong security guards and auditing.

Another area that needs regulation is that of devices that come with a
well-known default password. Currently, the onus is on the end user to
secure the device, but when the security of water infrastructure is at
stake, extra measures are paramount.

---

Holiday Merriment

On the first day of Hackmas
My computer gave to me,
Some malware in an email tree.
...
Twelve hammers rowhammering,
Eleven pipes ssh-ing,
Ten logs overflowing,
Nine LANs a-leaking,
Eight modprobes maligning,
Seven scans attacking,
Six greps in rootkits,
Five SQL injections,
Four calling errors,
Three phantom hosts,
Two Bitcoin miners,
And some malware in an email tree.
Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html

One Call Is All It Takes

Hackers claim it only took a 10-minute phone call to shut down MGM Resorts
The ALPHV ransomware reportedly used social engineering tactics to hack
the international hotel chain.
https://www.engadget.com/hackers-claim-it-only-took-a-10-minute-phone-call-to-shutdown-mgm-resorts-143147493.html
Publisher: Engadget
Date: Sep 13, 2023
By: Katie Malone

Summary: MGM Resorts suffered significant losses from a cyber attack.
The ransomware group ALPHV, reputedly skilled in social engineering
attacks, says that they used LinkedIn to identify employees and
leveraged that into a phone call that resulted in access to the
systems. Although the resorts themselves remained open, their
reservation systems and gaming machines were affected.

See also:
Casino giant MGM expects $100 million hit from hack that led to data breach
https://www.reuters.com/business/mgm-expects-cybersecurity-issue-negatively-impact-third-quarter-earnings-2023-10-05/
Publisher: Reuters
Date: October 5, 2023
By: Zeba Siddiqui

-------------------------------------------------------------------------------

Your Cousins' Cousins, Revealed

23andMe hackers accessed ancestry information from thousands of
customers and their DNA relatives
Hackers got into 0.1 percent of its customers' accounts, then exploited
the DNA Relatives feature to access more data.
https://www.engadget.com/23andme-hackers-accessed-ancestry-information-from-thousands-of-customers-and-their-dna-relatives-205758731.html
Publisher: Engadget
Date: Sep 13, 2023
By: Cheyenne MacDonald

also:
https://www.nytimes.com/2023/12/04/us/23andme-hack-data.html
Data Breach at 23andMe Affects 6.9 Million Profiles, Company Says
Hackers were able to obtain access because some customers reused old
passwords, the genetic testing company said.
Publisher: New York Times
Date: Dec. 4, 2023
By: Rebecca Carballo

Summary: Hackers were able to leverage hacked 23andMe accounts with DNA
results into an exploit that revealed the relationships among as many
as 30% of the users. Because each DNA analysis is linked to thousands
of relations, only 14K initial hacked accounts were needed to span 5.5
million accounts. This exponential feature of relationships is a vivid
reminder of how networks, be they social or genetic or organizational,
can be thoroughly navigated by having only a very few entry points.
The article does not claim that any personal information other than
genetic matches was revealed, but the relationships, even if identified
only by user names, potentially could be amplified into privacy
compromises of some magnitude.

-------------------------------------------------------------------------------

Too Many Rules, Not Enough Experts?

https://www.aol.com/siemens-ericsson-warn-eu-cybersecurity-190427756.html
Siemens, Ericsson warn EU cybersecurity rules may disrupt supply chains
Publisher: Reuters
Date: November 6, 2023
By: Foo Yun Chee

Summary: Proposed EU rules for "smart devices" and Internet connected
devices put more responsibilities on manufacturers to ensure that their
products are secure and remain so. Manufacturers would be required to
"assess the cybersecurity risks of their products and take measures to
fix problems for a period of five years or through the expected
lifetime of the products."
Manufacturers would prefer to address vulnerabilities as they are
found, rather than conduct assessments. They argue that there are not
enough experts to do the work, and if the rules go into effect, it will
cause large delays in bringing products to market.

-------------------------------------------------------------------------------

Even Chinese Banks Get Hacked

https://www.cnbc.com/2023/11/10/icbc-the-worlds-biggest-bank-hit-by-ransomware-cyberattack.html
China's ICBC, the world's biggest bank, hit by cyberattack that
reportedly disrupted Treasury markets
Publisher: CNBC
Date: November 10, 2023
By: Arjun Kharpal

Summary: The Industrial and Commercial Bank of China has a financial
services division that clears transactions with foreign banks,
including US Treasury trades. Those trades were disrupted by a day or
two when ICBC was hit by a ransomware attack. The software for the
attack is rumored to be LockBit 3.0, a robust piece of malware. No
group claimed responsibility for launching the attack. ICBC said that
it took steps to isolate and restore the compromised systems. The
computer systems of US divisions of ICBC were not affected.

See also:
Ransomware attack on ICBC disrupts trades in US Treasury market
https://www.ft.com/content/8dd2446b-c8da-4854-9edc-bf841069ccb8

-------------------------------------------------------------------------------

Industrial Control Devices, Politics, and War

https://thehill.com/homenews/ap/ap-u-s-news/ap-breaches-by-iran-affiliated-hackers-spanned-multiple-u-s-states-federal-agencies-say/
Breaches by Iran-affiliated hackers spanned multiple U.S. states,
federal agencies say
Publisher: The Hill, via AP
Date: 12/02/23
By: Frank Bajak and Marc Levy, Associated Press

Summary: Several US companies involved with water control systems were
attacked by hackers linked to Iran recently. The companies that use a
programmable logic controller made in Israel were the targets.
US Federal agencies issued an advisory about the device and warned
about the all too common practice of leaving the default password in
place. At least one US water treatment plant disabled its computer
control systems while responding to the intrusion, but it is not known
if the intruders did any damage other than leaving a "calling card".
Nonetheless, the vulnerability caused great concern among the
Congressmen representing the state (Pennsylvania). There are reputedly
200 of the Israeli devices in the US and 1700 world-wide.

-------------------------------------------------------------------------------

Cybersecurity, a Work in Progress at UK Nuclear Site

https://www.theguardian.com/business/2023/dec/04/sellafield-nuclear-site-hacked-groups-russia-china
Sellafield nuclear site hacked by groups linked to Russia and China
Malware may still be present and potential effects have been covered
up by staff, investigation reveals
Publisher: The Guardian
Date: 4 Dec 2023
By: Anna Isaac and Alex Lawson

Summary: A nuclear waste processing plant in the UK has been dealing
with intrusions into its document systems for quite a long time.
Although there are no reports of attacks against its control systems,
there is concern that sensitive information about disaster planning
and response may have been revealed to foreign powers. The site
spokespeople emphasize that cybersecurity improvements are ongoing, but
there is a possible criminal investigation being conducted about the
inadequate protection of the computer systems. But, information leaks
are hardly the worst problems facing the site.
https://www.theguardian.com/business/2023/dec/05/sellafield-nuclear-site-leak-could-pose-risk-to-public
Revealed: Sellafield nuclear site has leak that could pose risk to public
Safety concerns at Europe's most hazardous plant have caused diplomatic
tensions with US, Norway and Ireland
Publisher: The Guardian
Date: 5 Dec 2023
By: Anna Isaac and Alex Lawson

Summary: The Sellafield site is the largest nuclear waste storage and
treatment plant in Europe. It has more radioactive material than
Chernobyl. The Guardian article reveals that the silo holding a great
deal of waste is leaking and will continue to leak for the next 25
years. Moreover, a basin holding nuclear sludge has cracks in its
concrete and asphalt covering.

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Requests for inclusion in the list should be sent per instructions:
http://www.ieee-security.org/Calendar/submitting.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

IEEE Communications Magazine - Cybersecurity (In Incubation), IEEE
Communications Magazine is starting a new Cybersecurity Series.
https://www.comsoc.org/publications/magazines/ieee-communications-magazine/cfp/cybersecurity-incubation
Submission date: Anytime during the year

SP 2024 45th IEEE Symposium on Security and Privacy, May 20-23, 2024,
San Francisco, CA, USA
https://sp2024.ieee-security.org/cfpapers.html
Submission date: 13 April 2023, 3 August 2023, and 6 December 2023

ASIACCS 2024 19th ACM ASIA Conference on Computer and Communications
Security, Singapore, July 1-5, 2024
https://asiaccs2024.sutd.edu.sg/cfp/
Submission date: 21 August 2023 and 7 December 2023

ACSAC 2023 Annual Computer Security Applications Conference, Austin,
Texas, USA, December 4-8, 2023
https://www.acsac.org/2023/submissions/papers/

FPS 2023 16th Foundations & Practice of Security Symposium, Bordeaux,
France, December 11-13, 2023
https://www.fps-2023.com/

VehicleSec 2024 2nd ISOC Symposium on Vehicle Security and Privacy,
Co-located with NDSS 2024, San Diego, CA, USA, February 26, 2024
https://www.ndss-symposium.org/ndss2024/submissions/cfp-vehiclesec/
Submission date: 15 December 2023

ICISS 2023 19th International Conference on Information Systems
Security, NIT Raipur, India, December 16-20, 2023
https://iciss.isrdc.in

IEEE Blockchain 2023 IEEE International Conference on Blockchain, Ocean
Flower Island, Hainan, China, December 17-21, 2023
https://ieee-cybermatics.org/2023/blockchain/

CODASPY 2024 14th ACM Conference on Data and Application Security and
Privacy, Porto, Portugal, June 19-21, 2024
http://www.codaspy.org/2024/
Submission date: 18 December 2023

eDemocracy and Open Government (JeDEM), Special Issue on Digital
Sovereignty - Interdisciplinary insights into digital technology and
infrastructure, information privacy and digital security.
https://www.jedem.org/index.php/jedem/announcement/view/61
Submission date: 31 December 2023

IFIP 11.9 DF 2023 20th Annual IFIP WG 11.9 International Conference on
Digital Forensics, New Delhi, India, January 4-5, 2024
http://www.ifip119.org

SPW 2024 29th International Workshop on Security Protocols, Brno,
Czechia, April 10-12, 2024
https://www.cl.cam.ac.uk/events/spw/2024/
Submission date: 8 January 2024

DFRWS 2024 24th Annual Digital Forensic Research Conference, Baton
Rouge, LA, USA, July 9-12, 2024
https://dfrws.org/conferences/dfrws-usa-2024/
Submission date: 20 January 2024

EURASIP Journal on Information Security, Special Issue on Trends in
Digital Identity: Security, Privacy, and Trust.
https://www.springeropen.com/collections/tdispt
Submission date: 31 January 2024

CSF 2024 37th IEEE Computer Security Foundations Symposium, Enschede,
Netherlands, July 8-12, 2024
https://csf2024.ieee-security.org
Submission date: 15 May 2023, 30 September 2023 and 3 February 2024

USENIX Security 2024 33rd USENIX Security Symposium, Philadelphia, PA,
USA, August 14-16, 2024
https://www.usenix.org/conference/usenixsecurity24
Submission date: 6 June 2023, 17 October 2023, and 8 February 2024

ACM Transactions on Embedded Computing Systems, Special Issue on Open
Hardware for Embedded System Security and Cryptography.
https://dl.acm.org/pb-assets/static_journal_pages/tecs/pdf/ACM-TECS-SI_OHW-CFP.pdf
Submission date: 15 February 2024

VehicleSec 2024 2nd ISOC Symposium on Vehicle Security and Privacy,
Co-located with NDSS 2024, San Diego, CA, USA, February 26, 2024
https://www.ndss-symposium.org/ndss2024/submissions/cfp-vehiclesec/

NDSS 2024 Network and Distributed System Security Symposium, San Diego,
California, USA, February 26 - March 1, 2024
https://www.ndss-symposium.org/ndss2024/

FC 2024 28th International Conference on Financial Cryptography and
Data Security, Willemstad, Curacao, March 4-8, 2024
https://fc24.ifca.ai/cfp.html

FHE 2024 3rd Annual FHE.org Conference on Fully Homomorphic Encryption,
Held in conjunction with the Real World Crypto 2024, Toronto, Canada,
March 24, 2024
https://asiaccs2024.sutd.edu.sg/cfp/

SPW 2024 29th International Workshop on Security Protocols, Brno,
Czechia, April 10-12, 2024
https://www.cl.cam.ac.uk/events/spw/2024/

PETS 2024 24th Privacy Enhancing Technologies Symposium, Bristol, UK
and Online, July 15-20, 2024
https://petsymposium.org/cfp24.php
Submission dates: 31 May 2023, 31 August 2023, 30 November 2023, and
28 February 2024

SP 2024 45th IEEE Symposium on Security and Privacy, San Francisco, CA,
USA, May 20-23, 2024
https://sp2024.ieee-security.org/cfpapers.html

CODASPY 2024 14th ACM Conference on Data and Application Security and
Privacy, Porto, Portugal, June 19-21, 2024
http://www.codaspy.org/2024/

ASIACCS 2024 19th ACM ASIA Conference on Computer and Communications
Security, Singapore, July 1-5, 2024
https://asiaccs2024.sutd.edu.sg/cfp/

CSF 2024 37th IEEE Computer Security Foundations Symposium, Enschede,
Netherlands, July 8-12, 2024
https://csf2024.ieee-security.org

DFRWS 2024 24th Annual Digital Forensic Research Conference, Baton
Rouge, LA, USA, July 9-12, 2024
https://dfrws.org/conferences/dfrws-usa-2024/

PETS 2024 24th Privacy Enhancing Technologies Symposium, Bristol, UK
and Online, July 15-20, 2024
https://petsymposium.org/cfp24.php

USENIX Security 2024 33rd USENIX Security Symposium, Philadelphia, PA,
USA, August 14-16, 2024
https://www.usenix.org/conference/usenixsecurity24

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/BookReviews.html, and conference
reports are archived at
http://www.ieee-security.org/Cipher/ConfReports.html

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

http://cisr.nps.edu/jobscipher.html

--------------
This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like
to have it included on this page, send the following information:
Institution, City, State, Position title, date position announcement
closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to
   cipher-admin@ieee-security.org (which is NOT automated) with
   subject line "subscribe".
   OR send a note to cipher-request@mailman.xmission.com with the
   subject line "subscribe" (this IS automated - thereafter you can
   manage your subscription options, including unsubscribing,
   yourself)

2.
   To receive a short e-mail note announcing when a new issue of CIPHER
   is available for Web browsing send e-mail to
   cipher-admin@ieee-security.org (which is NOT automated) with
   subject line "subscribe postcard".
   OR send a note to cipher-postcard-request@mailman.xmission.com with
   the subject line "subscribe" (this IS automated - thereafter you can
   manage your subscription options, including unsubscribing,
   yourself)

To remove yourself from the subscription list, send e-mail to
cipher-admin@ieee-security.org with subject line "unsubscribe" or
"unsubscribe postcard" or, if you have subscribed directly to the
xmission.com mailing list, use your password (sent monthly) to
unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that
way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a
NEWSletter, not a bulletin board or forum. It has a fixed set of
departments, defined by the Table of Contents. Please indicate in the
subject line for which department your contribution is intended.
Calendar and Calls-for-Papers entries should be sent to
cipher-cfp @ ieee-security.org and they will be automatically included
in both departments. To facilitate the semi-automated handling, please
send either a text version of the CFP or a URL from which a text
version can be easily obtained. For Calendar entries, please include a
URL and/or e-mail address for the point-of-contact. For Calls for
Papers, please submit a one paragraph summary. See this and past issues
for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
All reuses of Cipher material should respect stated copyright notices,
and should cite the sources explicitly; as a courtesy, publications
using Cipher material should obtain permission from the contributors.

____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security
and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy (or other TCs) by
completing the on-line form at IEEE at
https://www.computer.org/web/tandc/technical-committees

______________________________________________________________________
TC Conference Publications Online
______________________________________________________________________

The proceedings of previous conferences are available from the
Computer Society's Digital Library.

  IEEE Security and Privacy Symposium
  IEEE Computer Security Foundations
  IEEE European Security and Privacy Symposium

From 2012 onward, these are available without charge from the digital
library 12 months after the conference.
____________________________________________________________________________
TC Officers
____________________________________________________________________________

Chair:
Gabriela Ciocarlie
Associate Professor
University of Texas at San Antonio
tcchair at ieee-security.org

Security and Privacy Symposium Chair Emeritus:
Daniel Takabi
Associate Professor
Georgia State University
https://cas.gsu.edu/profile/daniel-takabi

Vice Chair:
Thorsten Holz
Faculty Member
CISPA Helmholtz Center for Information Security
tcchair at ieee-security.org

Treasurer:
Yong Guan
Professor
Department of Electrical and Computer Engineering
Iowa State University, Ames, IA 50011
treasurer@ieee-security.org

Newsletter Editor:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

Security and Privacy Symposium, 2024 Chair:
Trent Jaeger
Associate Professor
Pennsylvania State University
https://www.cse.psu.edu/~trj1/
sp24-chair@ieee-security.org

TC Awards Chair:
Tegan Brennan
Assistant Professor
Stevens Institute of Technology
tbrenna5 at stevens.edu

____________________________________________________________________________

BACK ISSUES:

Cipher is archived at: http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year