============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 177                                    January 22, 2024

Hilarie Orman, Editor                     Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org         cipher-assoc-editor @ ieee-security.org

Sven Dietrich                             Yong Guan
Book Review Editor                        Calendar Editor
cipher-bookrev @ ieee-security.org        cipher-cfp @ ieee-security.org
============================================================================
The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year

Contents:

* Letter from the Editor
* Commentary and Opinion and News
  o News
    - Blood Orange? Citrix Bleeds
    - Terrapins All the Way Down
    - Museums' Digital Collections Closed by Hackers
    - Cherchez La AirDrop Header
    - SEC Yes-No-Yes ETF Approval
    - Russians Eavesdrop on Microsoft Execs
  Book reviews, Conference Reports and Commentary and News items from past
  Cipher issues are available at the Cipher website
* Conference and Workshop Announcements
  o Upcoming calls-for-papers and events
* List of Computer Security Academic Positions, by Cynthia Irvine
* Staying in Touch
  o Information for subscribers and contributors
  o Recent address changes
* Links for the IEEE Computer Society TC on Security and Privacy
  o Becoming a member of the TC
  o TC Officers
  o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

When I read the news media these days, I sense a lack of urgency about computer security.
There's less panic about foreign powers exerting social media control over children, strangely few articles about ransomware (is it losing its glamour?), and even cryptocurrencies, despite being embraced by the SEC, are much less interesting than ... Generative AI! Will ChatGPT be our new IT department? Will it do the necessary configuration to keep our data safe? Or will it contribute all our information to the greater good of training data for better AI? Ever bigger, ever better? How will an AI-based guardian distinguish protection from attack?

Fortunately, we have a large research community to turn to, for pro and con, as the juggernaut moves on. There are thousands of papers in the conferences each year, and we urge you to participate, to learn and to inform. The TCSP sponsors several of these conferences and their associated workshops. The "season" begins in April with "Secure and Trustworthy Machine Learning" and continues with two events in May (Hardware Oriented Security and Trust; Security and Privacy), two events in July (Computer Security Foundations; European Security and Privacy), and winds up with Secure Development in October. There are, of course, a horde of other conferences throughout the year. Become part of the community, help to define the technology for a secure computer future.

A Song for the New Year

    Should olden DDoS be forgot
    And never spray again?
    Should auld rowhammer be forgot
    Like blue-boxed POTS phone lines?

    For hacks of yore, with bits,
    For hacks of yore,
    We'll tak our blockchains to the cloud
    Bitcoin to be mined.

    And surely ye'll get a checkpoint saved,
    And surely I'll save mine
    And we'll tak a backup to the cloud,
    Restore from auld lang syne.
With apologies to the entire history of Scottish literature,

      Hilarie Orman
      cipher-editor @ ieee-security.org

====================================================================
News Briefs
====================================================================
News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html

-------------------------------------------------------------------------
- Blood Orange? Citrix Bleeds

Xfinity hack affects nearly 36 million customers
Publisher: MoneyWatch
Date: December 19, 2023
By: Megan Cerullo

Summary:
Personal data of nearly all Xfinity customers was "probably" accessed by hackers in October using a vulnerability in Citrix cloud software. Citrix notified Xfinity and other companies about the vulnerability on October 10. It released a patch at that time, but other guidance was announced on October 23. Between October 16 and 19, Xfinity determined that its own customer data had been accessed by unauthorized parties. Xfinity disclosed this situation in a regulatory filing with the SEC.

Citrix said that when it issued a notice about the vulnerability on October 10, it was unaware that any exploits had occurred. However, by October 23 it was aware of "targeted attacks" that were enabled by the vulnerability. Mandiant issued guidance about remediation for the affected products (NetScaler ADC and Gateway appliances), and Citrix gave the information to its customers.

---------------------------------------------------------------------------
- Terrapins All the Way Down

SSH protects the world's most sensitive networks. It just got a lot weaker.
Novel Terrapin attack uses prefix truncation to downgrade the security of SSH channels.
https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/
Publisher: Ars Technica
Date: 12/19/2023
By: Dan Goodin

Summary:
The SSH protocol for secure access to remote computers has been used since 1996, and it has been the subject of extensive security analysis. Thus, it was a surprise when it was recently found to have a flaw. The hack, named "Terrapin", utilizes an active man-in-the-middle attack against particular ciphers and/or cipher modes. These are supported by over 75% of Internet servers, and one or more are preferred access modes on over half of the servers. The "ChaCha20-Poly1305" cipher or "CBC with Encrypt-then-MAC" mode for SSH have the vulnerability. If an attacker can block several messages at the beginning of the protocol, when it is setting up a secure end-to-end connection, then the integrity of the exchange can be undermined. The attacker can inject packets that will be accepted by the server as having come from the client. The result is an SSH session that the attacker controls.

The researchers who discovered the vulnerability have recommended a complete redesign of SSH. The protocol suffers from having had too many new ciphers and modes added to it over time, and some of those additions are inconsistent with the assumptions used in 2016 to prove the protocol's security.

---------------------------------------------------------------------------
- Museums' Digital Collections Closed by Hackers

Museum World Hit by Cyberattack on Widely Used Software
Hackers targeted software that many museums use to show their collections online and to manage sensitive information.
https://www.nytimes.com/2024/01/03/arts/design/museum-cyberattack.html
Publisher: New York Times
Date: Jan.
3, 2024
By: Zachary Small

Summary:
Modern-day museums offer views of their collections through online photographs and videos, and management of those digital artifacts is done through software systems tailored to the way museums operate. The company Gallery Systems is such a provider to the likes of the Boston Museum of Fine Arts, the Rubin Museum of Art in New York, and the Frances Lehman Loeb Art Center at Vassar College. When Gallery Systems was hit by a ransomware attack on December 28, they took immediate steps to isolate their affected systems. As a result, the museums' digital collections were unavailable, and in some cases their administrative data, like lists of donors, were similarly offline. Those museums that took care to keep such data on local systems did not suffer disruption to their administrative functions.

Curators noted that information is the major part of the value of their collections, and they would be much harmed if the information behind the objects was lost. The status of recovery efforts by Gallery Systems was not readily available at the time of this writing.

In a similar story, the British Library is "crawling back online" after a cyberattack in October on its website. See
https://www.nytimes.com/2024/01/15/arts/british-library-cyberattack.html

---------------------------------------------------------------------------
- Cherchez La AirDrop Header

China says experts "cracked" Apple AirDrop encryption to prevent "transmission of inappropriate information"
https://www.cbsnews.com/news/china-apple-airdrop-encryption-cracked-to-block-inappropriate-information/
Publisher: CBS News
Date: January 10, 2024

Summary:
Beijing Wangshen Dongjian Justice Appraisal Institute in China's capital announced that they could compromise the user privacy of Apple's cellphone protocol for peer-to-peer communication. The announcement implied that the information had been used by police to identify several people suspected of sharing "inappropriate information".
The suspects are assumed to be participants in the 2022 anti-government protests in Hong Kong. However, no one familiar with AirDrop security should be surprised. The weaknesses in the protocol are well-known.

---------------------------------------
AirDrop crack: Apple was made aware of the vulnerability in 2019
https://9to5mac.com/2024/01/10/airdrop-crack/
Publisher: 9to5Mac.com
Date: Jan 10 2024
By: Ben Lovejoy

Summary:
China monitors iPhone AirDrop usage in Hong Kong, not just during protests. Anti-government people share organizational and other information using the peer-to-peer protocol. Apple's intention was to keep everything except the iPhone "name" (which is user settable) protected from view, but the user name and email address of both the sender and receiver are inadequately obscured. The hash values of the fields are accessible, and there is no cryptographic protection. This means that brute force attacks can easily reveal the information for the phone number, and the email address will also be revealed if it is either short (less than 14 characters randomly chosen) or available in any kind of public database. Apple has known about the problem since at least 2019, but industry experts surmise that changes to the protocol were ruled out because they could not achieve backwards compatibility.

---------------------------------------
AIRDROP LEAKAGE
Apple's AirDrop leaks users' PII, and there's not much they can do about it
Apple has known of the flaw since 2019 but has yet to acknowledge or fix it.
https://arstechnica.com/gadgets/2021/04/apples-airdrop-leaks-users-pii-and-theres-not-much-they-can-do-about-it/
Publisher: Ars Technica
Date: 4/24/2021
By: Dan Goodin

Summary:
This article, from 2021, explains more detail about the AirDrop protocol and its "handshake" in which "the devices exchange the full SHA-256 hashes of the owners' phone numbers and email addresses".
Researchers who found the problem distributed an open source solution called "PrivateDrop" on GitHub, but Apple did not have any comment on the matter.

---------------------------------------------------------------------------
- SEC Yes-No-Yes ETF Approval

SEC has not approved bitcoin ETFs, says social media account compromised
https://www.ksl.com/article/50839821
Publisher: Reuters
Date: Jan. 10, 2024

Summary:
On January 9, the X social media account for the US Securities and Exchange Commission announced the widely anticipated approval of "spot bitcoin exchange traded product (ETP) shares" (aka ETFs), but the Commission immediately retracted the statement, blaming a compromise of its X account for misinformation. However, the next day, the Commission actually did issue the approval.

On January 12, the SEC issued a statement (via https://www.sec.gov/news/statement/gensler-x-account) noting the "unauthorized party" access to its X account, noting that it "takes its cybersecurity obligations seriously" but giving no information other than their preliminary assessment that their internal infrastructure was not compromised. Their statement did not seem to rule out the possibility of an insider ("authorized user") leaking the information ahead of time. Until the SEC releases a complete analysis of the incident, mysteries remain.

---------------------------------------------------------------------------
- Russians Eavesdrop on Microsoft Execs

Microsoft says state-sponsored Russian hacking group accessed email accounts of senior leaders
https://www.cnn.com/2024/01/19/tech/microsoft-russian-hacking-executives/index.html
Publisher: CNN
Date: January 19, 2024
By: Catherine Thorbecke

Summary:
As long ago as last November, a nation-state entity surreptitiously accessed "a very small percentage of Microsoft corporate email accounts," the company announced in a blog post.
Moreover, some of the accounts belong to members of its senior leadership team and employees in its cybersecurity and legal departments. That attacking entity was "Midnight Blizzard", a Russian state-sponsored group aka "Nobelium." And what was the group seeking from Microsoft's senior leadership? None other than information about Midnight Blizzard itself.

And how did they gain access to that small percentage of accounts? Apparently by trying a bank of commonly used passwords. Did Microsoft fail to notice the password guessing activity? Why didn't their own security team detect the guessable passwords as part of normal security checkups? What about two-factor authentication? Etc., etc. In all likelihood, these barndoors are in the process of being closed.

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/BookReviews.html,
and conference reports are archived at
http://www.ieee-security.org/Cipher/ConfReports.html

====================================================================
Conference and Workshop Announcements
====================================================================

The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Requests for inclusion in the list should be sent per instructions:
http://www.ieee-security.org/Calendar/submitting.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

IEEE Communications Magazine - Cybersecurity (In Incubation),
  IEEE Communications Magazine is starting a new Cybersecurity Series.
  https://www.comsoc.org/publications/magazines/ieee-communications-magazine/cfp/cybersecurity-incubation
  Submission date: Anytime during the year

SafeThings 2024
  8th IEEE/ACM Workshop on the Internet of Safe Things,
  Held in conjunction with IEEE SP 2024 Conference,
  San Francisco, California, USA, May 23, 2024.
  https://safe-things-2024.github.io
  Submission date: 22 January 2024

EURASIP Journal on Information Security,
  Special Issue on Trends in Digital Identity: Security, Privacy, and Trust.
  https://www.springeropen.com/collections/tdispt
  Submission date: 31 January 2024

ICICS 2024
  26th International Conference on Information and Communications Security,
  Mytilene, Greece, August 26-28, 2024.
  http://icics2024.aegean.gr/submissions/
  Submission dates: 2 February 2024 and 19 April 2024

CSF 2024
  37th IEEE Computer Security Foundations Symposium,
  Enschede, Netherlands, July 8-12, 2024.
  https://csf2024.ieee-security.org
  Submission date: 3 February 2024

DFRWS 2024
  24th Annual Digital Forensic Research Conference,
  Baton Rouge, LA, USA, July 9-12, 2024.
  https://dfrws.org/conferences/dfrws-usa-2024/
  Submission date: 5 February 2024

SAGAI 2024
  Workshop on Security Architectures for GenAI Systems,
  Held in conjunction with IEEE SP 2024 Conference,
  San Francisco, California, USA, May 23, 2024.
  https://sites.google.com/view/sagai2024/home
  Submission date: 5 February 2024

USENIX Security 2024
  33rd USENIX Security Symposium,
  Philadelphia, PA, USA, August 14-16, 2024.
  https://www.usenix.org/conference/usenixsecurity24
  Submission date: 8 February 2024

SOUPS 2024
  20th Symposium on Usable Privacy and Security,
  Philadelphia, PA, USA, August 11-13, 2024.
  https://www.usenix.org/conference/soups2024
  Submission date: 8 February 2024

ACM Transactions on Embedded Computing Systems,
  Special Issue on Open Hardware for Embedded System Security and Cryptography.
  https://dl.acm.org/pb-assets/static_journal_pages/tecs/pdf/ACM-TECS-SI_OHW-CFP.pdf
  Submission date: 15 February 2024

VehicleSec 2024
  2nd ISOC Symposium on Vehicle Security and Privacy,
  Co-located with NDSS 2024, San Diego, CA, USA, February 26, 2024.
  https://www.ndss-symposium.org/ndss2024/submissions/cfp-vehiclesec/

NDSS 2024
  Network and Distributed System Security Symposium,
  San Diego, California, USA, February 26 - March 1, 2024.
  https://www.ndss-symposium.org/ndss2024/

PETS 2024
  24th Privacy Enhancing Technologies Symposium,
  Bristol, UK and Online, July 15-20, 2024.
  https://petsymposium.org/cfp24.php
  Submission date: 29 February 2024

FC 2024
  28th International Conference on Financial Cryptography and Data Security,
  Willemstad, Curacao, March 4-8, 2024.
  https://fc24.ifca.ai/cfp.html

FHE 2024
  3rd Annual FHE.org Conference on Fully Homomorphic Encryption,
  Held in conjunction with the Real World Crypto 2024,
  Toronto, Canada, March 24, 2024.
  https://asiaccs2024.sutd.edu.sg/cfp/

SPW 2024
  29th International Workshop on Security Protocols,
  Brno, Czechia, April 10-12, 2024.
  https://www.cl.cam.ac.uk/events/spw/2024/

ICICS 2024
  26th International Conference on Information and Communications Security,
  Mytilene, Greece, August 26-28, 2024.
  http://icics2024.aegean.gr/submissions/
  Submission dates: 2 February 2024 and 19 April 2024

ESORICS 2024
  9th European Symposium on Research in Computer Security,
  Bydgoszcz, Poland, September 16-20, 2024.
  https://esorics2024.org
  Submission date: 2 February 2024 and 19 April 2024

SCN 2024
  14th International Conference on Security and Cryptography for Networks,
  Amalfi, Italy, September 11-13, 2024.
  https://scn.unisa.it/scn24/index.php/call-for-papers/
  Submission date: 24 April 2024

SP 2024
  45th IEEE Symposium on Security and Privacy,
  San Francisco, CA, USA, May 20-23, 2024.
  https://sp2024.ieee-security.org/cfpapers.html

SafeThings 2024
  8th IEEE/ACM Workshop on the Internet of Safe Things,
  Held in conjunction with IEEE SP 2024 Conference,
  San Francisco, California, USA, May 23, 2024.
  https://safe-things-2024.github.io

SAGAI 2024
  Workshop on Security Architectures for GenAI Systems,
  Held in conjunction with IEEE SP 2024 Conference,
  San Francisco, California, USA, May 23, 2024.
  https://sites.google.com/view/sagai2024/home

CODASPY 2024
  14th ACM Conference on Data and Application Security and Privacy,
  Porto, Portugal, June 19-21, 2024.
  http://www.codaspy.org/2024/

ASIACCS 2024
  19th ACM ASIA Conference on Computer and Communications Security,
  Singapore, July 1-5, 2024.
  https://asiaccs2024.sutd.edu.sg/cfp/

CSF 2024
  37th IEEE Computer Security Foundations Symposium,
  Enschede, Netherlands, July 8-12, 2024.
  https://csf2024.ieee-security.org

DFRWS 2024
  24th Annual Digital Forensic Research Conference,
  Baton Rouge, LA, USA, July 9-12, 2024.
  https://dfrws.org/conferences/dfrws-usa-2024/

PETS 2024
  24th Privacy Enhancing Technologies Symposium,
  Bristol, UK and Online, July 15-20, 2024.
  https://petsymposium.org/cfp24.php

SOUPS 2024
  20th Symposium on Usable Privacy and Security,
  Philadelphia, PA, USA, August 11-13, 2024.
  https://www.usenix.org/conference/soups2024

USENIX Security 2024
  33rd USENIX Security Symposium,
  Philadelphia, PA, USA, August 14-16, 2024.
  https://www.usenix.org/conference/usenixsecurity24

ICICS 2024
  26th International Conference on Information and Communications Security,
  Mytilene, Greece, August 26-28, 2024.
  http://icics2024.aegean.gr/submissions/

SCN 2024
  14th International Conference on Security and Cryptography for Networks,
  Amalfi, Italy, September 11-13, 2024.
  https://scn.unisa.it/scn24/index.php/call-for-papers/

ESORICS 2024
  9th European Symposium on Research in Computer Security,
  Bydgoszcz, Poland, September 16-20, 2024.
  https://esorics2024.org

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

http://cisr.nps.edu/jobscipher.html

--------------
This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe".

   OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".
   OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL
http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended.

Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy (or other TCs) by completing the on-line form at IEEE at
https://www.computer.org/web/tandc/technical-committees

______________________________________________________________________
TC Conference Publications Online
______________________________________________________________________

The proceedings of previous conferences are available from the Computer Society's Digital Library.

  IEEE Security and Privacy Symposium
  IEEE Computer Security Foundations
  IEEE European Security and Privacy Symposium

From 2012 onward, these are available without charge from the digital library 12 months after the conference.

____________________________________________________________________________
TC Officers
____________________________________________________________________________

Chair:
  Gabriela Ciocarlie
  Associate Professor
  University of Texas at San Antonio
  tcchair at ieee-security.org

Security and Privacy Symposium Chair Emeritus:
  Daniel Takabi
  Associate Professor
  Georgia State University
  https://cas.gsu.edu/profile/daniel-takabi

Vice Chair:
  Thorsten Holz
  Faculty Member
  CISPA Helmholtz Center for Information Security
  tcchair at ieee-security.org

Treasurer:
  Yong Guan
  Professor
  Department of Electrical and Computer Engineering
  Iowa State University, Ames, IA 50011
  treasurer@ieee-security.org

Newsletter Editor:
  Hilarie Orman
  Purple Streak, Inc.
  500 S. Maple Dr.
  Woodland Hills, UT 84653
  cipher-editor@ieee-security.org

Security and Privacy Symposium, 2024 Chair:
  Trent Jaeger
  Associate Professor
  Pennsylvania State University
  https://www.cse.psu.edu/~trj1/
  sp24-chair@ieee-security.org

TC Awards Chair:
  Tegan Brennan
  Assistant Professor
  Stevens Institute of Technology
  tbrenna5 at stevens.edu

____________________________________________________________________________
BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year