============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 178                                        March 18, 2024

Hilarie Orman, Editor                     Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org         cipher-assoc-editor @ ieee-security.org

Sven Dietrich                             Yong Guan
Book Review Editor                        Calendar Editor
cipher-bookrev @ ieee-security.org        cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year

Contents:

* Letter from the Editor
* Commentary and Opinion and News
  o Sven Dietrich's review of Locksport: A Hacker's Guide to Lockpicking,
    Impressioning, and Safe Cracking by Jos Weyers, Matt Burrough,
    Walter Belgers, BandEAtoZ, and Nigel K. Tolley
  o News from the Media
    - FBI Reaches Deep to Remove Malware from Critical Infrastructure
    - Chinese Sponsored Hacking, the Genie Unleashed
    - Spyware Need Not Apply
    - Finger a Health System Hacker and Win Money
    - Home Routers Cleaned by FBI
    - LockBit Badly Mauled
    - Slow Restoration of Health Insurance System
    - Microsoft Struggles to Remove Intruders
    - It's a Bird, It's a Crane, It's a Giant Vulnerability
  o Book reviews, Conference Reports and Commentary and News items from
    past Cipher issues are available at the Cipher website
* List of Computer Security Academic Positions, by Cynthia Irvine
* Conference and Workshop Announcements
* Staying in Touch
  o Information for subscribers and contributors
  o Recent address changes
* Links for the IEEE Computer Society TC on Security and Privacy
  o Becoming a member of the TC
  o TC Officers
  o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

This time of year is the balance point between summer and winter, which means that we are approaching flagship conference season. The venerable Security and Privacy Symposium will be held in San Francisco, CA, May 20-23; the excellent European Security and Privacy Conference is in Vienna, Austria, July 8-12. Time to make travel plans!

The news recently has been full of information about hacking emanating from China. It is interesting, even fascinating, to think that the home router sitting in the corner gathering dust could be part of a massive international espionage and sabotage scheme. The Internet has brought forth the age of interconnection, where distance and unfamiliarity are not barriers to intrigue. Some of us grew up in what now seems a primitive age in which landlines and film cameras were the height of technology. Now, we wonder if that amazing bird feeder webcam is controlling cargo unloading in Baltimore.
Sven Dietrich has reviewed a recent book about a topic from days of yore: hacking locks. It's like cryptography, but physically tangible.

This month's parody poesy is taken from literature unknown to me until just now, when I looked up the source of one of my favorite quotes:

    FBI's sharp questions must I shun;
    Must separate my router from the fun -
    A tangled Internet we weave,
    When first we practise to deceive!

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________

Book Review By Sven Dietrich
3/17/24
March 18, 2024

Locksport: A Hacker's Guide to Lockpicking, Impressioning, and Safe Cracking
by Jos Weyers, Matt Burrough, Walter Belgers, BandEAtoZ, and Nigel K. Tolley
No Starch Press 2024.
ISBN-13: 978-1-7185-0224-6 (print), ISBN-13: 978-1-7185-0225-3 (ebook)
____________________________________________________________________

And now for something completely different, to use that Monty Python phrase. When we think of secure systems, we often also consider the physical security of the premises. In the cryptography context, we consider (cryptographic) keys as well, even though they are shaped in bits, not in physical objects. In this book review we will talk about lockpicking, as in the actual locks protecting doors and objects with the keys to match them, not merely the conceptual ones we discuss in cryptography or systems security, and cracking real-world safes that (supposedly) keep our valuables safe and secure. There are obvious parallels between these worlds.
Just thinking about this topic brings me back close to 25 years ago, to the summer of 2001 at Hackers At Large (HAL): a warm summer breeze at the University of Twente (UoT) in Enschede, in the eastern part of the Netherlands, a soft blanket on the UoT meadow where HAL took place, and a bunch of padlocks and lockpicks available for trying out at the Lockpicking Tent, or whatever it may have been called then. Deep concentration on the matter, a simple padlock, some tools, a good tutor, and after a while the lock opened: voila! Convinced that I would like it, I purchased that first set, which was (and still is) fun to experiment with. Locks are for honest people, as they always say.

Jos Weyers, Matt Burrough, Walter Belgers, BandEAtoZ, and Nigel K. Tolley (yes, there is a hacker handle in that author list somewhere) have written a book with close to 400 pages that dissects the subject of lockpicking (how to open locks without a key), impressioning (how to create a key when you have lost the one meant for the lock you have), and safe cracking (umm, yeah, opening that safe). And the book was written with competitions in mind for all of these, hence the term sport in Locksport.

This approximately 400-page-long book is divided into five parts (I-V) and overall 17 chapters, with an additional introduction, two appendices, and an index. The five aforementioned parts cover The Basics (Part I), Pin Tumbler Lockpicking (Part II), Impressioning (Part III), Safe-Lock Manipulation (Part IV), and Lever Lockpicking (Part V). The book is competently illustrated with color photos, historical sketches, and other explanatory diagrams.

The introduction sets up the book for the reader: it is a book about lockpicking and safe cracking, but it is geared to those interested in the sport of lockpicking and safe cracking, in other words manipulating those devices to make them open up.
The first part on "The Basics" covers what the locksport competitions are all about, plus all the locks to consider. The reader is given an overview of the types of locks out there, how to disassemble them, understand them, and how to practice with them in preparation for a competition. A brief overview of the legality of lockpicking, or mere possession of lockpicks, is provided for some countries. The illustrations let the reader understand what the inner workings of a lock can look like.

The second part on "Pin Tumbler Lockpicking" focuses on one type of lock, the pin tumbler lock, one of the most common and cheapest locks needed for preparation for a competition, according to the authors. The reader learns about basic setups of the pins and tumbler, and also about advanced mechanisms for increasing the security of the locks, such as trap pins (they permanently disable a lock when lockpickers fall into the "trap" of picking that pin), or deceptive security pins (that make the lockpicker falsely believe that they have found the proper setting of the pins). Nicely illustrated with photos of locks, showing the tumbler and pins, plus the associated keys (either inserted or not), this part is great for those wanting to understand the basics of pin tumbler lockpicking and those who want to take the next step at understanding advanced, supposedly pick-safe, pin tumbler locks. Many tools for lockpicking are shown and discussed, from tension tools, simple picks, up to the allrounder rake, and even pick guns. One fine example from popular culture, not referenced in the book, would be the scene in "The Lives of Others" where the East German Stasi enters the dissident's home with a pick gun with the intent to install bugging devices. There is a list of competitions for pin tumbler lockpicking, for those interested in pursuing this beyond reading the book.
The third part focuses on "Impressioning," a skill that was once used by locksmiths more frequently, namely for creating a key from the impressions a lock leaves on a blank key. This means you would be creating a key for a lock that you don't have a key for. This part shows the reader where to find the hits for the cuts to make on the blank key, and then it is time to start filing away! The locksport competition has revived the interest in this area in recent years.

Manipulating a safe is something we often hear about from spy movies or television crime series. This part on "Safe-Lock Manipulation" delves deep into the art of getting clues about the lock settings of a safe, again for the purpose of a competition, the locksport competitions, that is. Listening devices, understanding the safe wheels, establishing safe-lock graphs, and the various grades (length of resistance to safe-cracking) are part of this process. Here we see much discussion of what you would find in the cryptography field, namely what it would take to brute-force (i.e. trying all combinations) the lock and what more common efforts would look like (not needing to try all combinations). Of course we find a reference to Matt Blaze's 2004 paper on "Safecracking for the Computer Scientist" (https://www.mattblaze.org/papers/safelocks.pdf).

In the last part on "Lever Lockpicking," we go back to earlier lock designs in human history, ones without pins but rather with "levers," metal panels that interact with a shaped key. This type of lock would be more common to find in Europe or India, for example, and perhaps often be associated with old-world (did someone say Switzerland?) safe deposit box keys. Again, detailed illustrations of these locks, with their parts explained, and step-by-step instructions for lockpicking, help with the understanding of the inner workings and for participating in lever-based locksport competitions.
The book wraps up with describing other types of locksport competitions, including those found at conferences such as DefCon, ShmooCon, or even BSides, and where to actually find equipment, whether picks, training locks, or more sophisticated picking equipment or materials. There is a brief listing of complementary and seminal books and resources, for those wanting to go back to more basic lockpicking outside of the competitive sport.

The authors, well versed and immersed in the field, did a fine job of drawing the reader into this fascinating world of lockpicking, especially by bringing the engaging competition aspect into it. I hope you will enjoy reading (absorbing?) this book as much as I did. My copy has already found its permanent space on my bookshelf. My picks are within reach at all times. And thanks for the latest sets I got last week, you know who you are!

-------------------------------------------------------
Sven Dietrich reviews technology and security books for IEEE Cipher. He welcomes your thoughts at spock at ieee dot org

====================================================================
News Briefs
====================================================================

- FBI Reaches Deep to Remove Malware from Critical Infrastructure

Exclusive: US disabled Chinese hacking network targeting critical infrastructure
https://www.reuters.com/world/us/us-disabled-chinese-hacking-network-targeting-critical-infrastructure-sources-2024-01-29/
Publisher: Reuters
Date: February 1, 2024
By: Christopher Bing and Karen Freifeld

and

What is Volt Typhoon, the alleged China-backed hacking group?
https://www.reuters.com/technology/what-is-volt-typhoon-alleged-china-backed-hacking-group-2023-05-25
Publisher: Reuters
By: Raphael Satter and James Pearson
Date: January 30, 2024

Summary: The US Justice Department and FBI carried out an operation to reprogram devices that were running hacked software from the Chinese group Volt Typhoon.
The software had been detected several months prior, and its exact purpose was not known, but it seemed to have an affinity for critical infrastructure sites, such as ISPs. Fearing that it might establish a botnet to create command and control capability that could disable critical services in a time of conflict, US law enforcement identified and deleted the malicious software from affected sites.

-----------------------------

- Chinese hackers spent up to 5 years in US networks: Cyber officials
Chinese hackers aimed to "launch destructive cyber-attacks," officials said.
https://abcnews.go.com/Politics/chinese-hackers-spent-5-years-us-networks-cyber/story?id=107059211
Publisher: ABC News
By: Luke Barr
Date: February 8, 2024

Summary: The Volt Typhoon software, which may have formed a large botnet residing in sites that are part of US and European critical infrastructure, was disabled recently, as noted above, but it had probably been growing, undetected, for several years. CISA Director Jen Easterly and FBI Director Christopher Wray testified to Congress about the intrusion and said that "Chinese hackers could disrupt Americans' way of life."

-------------------------------

TESTIMONY OF Jen Easterly, Director, Cybersecurity and Infrastructure Security Agency, U.S. Department of Homeland Security
BEFORE Select Committee on Strategic Competition Between the United States and the Chinese Communist Party
ON The CCP Cyber Threat to the American Homeland and National Security
Date: January 31, 2024
Publisher: United States House of Representatives
https://selectcommitteeontheccp.house.gov/sites/evo-subsites/selectcommitteeontheccp.house.gov/files/evo-media-document/cisa-easterly-testimony-house-ccp-cyber-threats-to-us-written-testimony_0.pdf

-------------------------------

- Chinese Sponsored Hacking, the Genie Unleashed

As China Expands Its Hacking Operations, a Vulnerability Emerges
New revelations underscore the degree to which China has ignored, or evaded, U.S. efforts to curb its extensive computer infiltration efforts.
https://www.nytimes.com/2024/02/22/us/politics/china-hacking-files-risk.html
Publisher: New York Times
Date: Feb. 22, 2024
By: Julian E. Barnes and David E. Sanger

Summary: Chinese hacking is a sophisticated business with a wide reach in the US and many other places. Volt Typhoon is one of many services contracted by the Chinese government. FBI Director Christopher Wray is quoted as saying: "In fact, if you took every single one of the F.B.I.'s cyberagents and intelligence analysts and focused them exclusively on the China threat, China's hackers would still outnumber F.B.I. cyberpersonnel by at least 50 to one." This has happened despite a decade of effort by the US to derail the activity. One result has been the diversification of the hacker companies as they find the Chinese government to be an unreliable source of income. Seeking new revenue sources, they turn to cybercrime, creating an expanding sphere of disruption.

-----------------------------------------------------------------------------

- Spyware Need Not Apply

U.S. rolls out visa restriction policy on people who misuse spyware to target journalists, activists
https://www.pbs.org/newshour/politics/u-s-rolls-out-visa-restriction-policy-on-people-who-misuse-spyware-to-target-journalists-activists
Date: 5 Feb 2024
Publisher: PBS
By: Aamer Madhani, Associated Press, Frank Bajak, Associated Press

Summary: People who are known to have been involved with commercial spyware for "misuse" may be subject to visa restrictions under a new US policy. The new policy is meant to crack down on spyware, such as Pegasus and Predator, that has been used to "target" journalists, activists, etc. The misuse involves monitoring the activities and communications of individuals for the purpose of thwarting or harming them. The announcement did not identify any specific people who might have their visas "restricted."

-------------------------------

- U.S. bans maker of spyware that targeted a senator's phone
The Treasury Department banned the company, Intellexa, from doing business in the United States.
https://www.nbcnews.com/tech/security/us-bans-maker-spyware-targeted-senators-phone-rcna141855
Publisher: NBC News
Date: March 5, 2024
By: Kevin Collier

Summary: In a first for the US Treasury Department, it issued a ban against a spyware manufacturer, Intellexa. Anyone, in the US or outside, who transacts with Intellexa, its founder, or its 4 subsidiaries is prohibited from doing business with the US. A similar spyware company, the NSO Group, had previously been subjected to additional regulations, but not sanctioned. Intellexa makes Predator, a piece of spyware that turns a victim's phone into a surveillance device reporting to an operator. It has been used against two active members of the US Congress.

-----------------------------------------------------------------------------

- Finger a Health System Hacker and Win Money

US State Department offers $10 million for information on ransomware gang that has attacked US hospitals
https://www.cnn.com/2024/02/08/politics/state-department-reward-ransomware-gang-hospitals/index.html
Publisher: CNN
Date: February 8, 2024
By: Sean Lyngaas

Summary: There are rewards available for information about the leaders of a ransomware group that has targeted hospitals and related services. A cybercriminal group known as "Hive" has used ransomware to extort over one billion dollars from service providers in the healthcare industry. The FBI said that it had gained access to the group's computer systems for several months, and during that time it "managed to prevent $130 million in ransom payments from victims." That was not enough to shut down the group, and the US State Department will pay $10M USD for information about their leaders and $5M USD for information that leads to arrests or convictions.
There are bounties available for information about other cybercriminals as part of this program.

--------------------------------------------------------------------------------

- Home Routers Cleaned by FBI

US disrupts Russian hacking campaign that infiltrated home, small business routers: DOJ
The FBI coordinated with other foreign partners to disrupt the GRU-led campaign.
https://abcnews.go.com/Politics/us-disrupts-russian-hacking-campaign-infiltrated-home-small/story?id=107258976
Publisher: ABC News
Date: February 15, 2024
By: Alexander Mallin, Luke Barr, and Pierre Thomas

Summary: Anyone's router might have been cleansed of Russian malware in an operation conducted by the FBI. The specific software, identified as "Moobot," was used by the GRU (the foreign military intelligence agency of the General Staff of the Armed Forces of the Russian Federation). It is said to be involved in global espionage, particularly spearphishing directed at US officials. After obtaining a court order, the FBI removed the software from routers located in many homes and small businesses. This story might be easily confused with the reports of eliminating Chinese software from critical infrastructure components (as reported above), but it seems to be an entirely separate operation.

-------------------------------------------------------------------------------

- LockBit Badly Mauled

Authorities disrupt operations of notorious LockBit ransomware gang
US and UK authorities announce arrests and sanctions following the takedown
https://techcrunch.com/2024/02/20/us-uk-authorities-claim-seizure-of-lockbit-ransomware-gangs-dark-web-leak-site/
Publisher: TechCrunch
Date: February 20, 2024
By: Carly Page

Summary: Authorities in the US and Europe coordinated their efforts to effectively end the command and control servers for the notorious LockBit ransomware operation. This resulted in the seizure of ransomware assets and indictments against several individuals.
The LockBit server(s) now display a takedown announcement and links to helpful information for avoiding victimization. The TechCrunch article quotes Allan Liska, a ransomware expert and threat intelligence analyst at Recorded Future, as saying that this action "is absolutely the end of the LockBit operation in its current form."

-------------------------------------------------------------------------------

- Research: A New Kind of Attack Against DNS

The KeyTrap Denial-of-Service Algorithmic Complexity Attacks on DNS
https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf
Publisher: ATHENE & Goethe-Universitat Frankfurt & TU Darmstadt & Fraunhofer SIT
Date: January 2024
By: Elias Heftrig and Haya Schulmann and Niklas Vogel and Michael Waidner

Summary: This is a research paper about an interesting flaw in the secure version of the Domain Name System (DNSSEC). DNSSEC publishes public keys (DNSKEY records) and signatures (RRSIG records) throughout the DNS hierarchy so that resolvers can verify the data returned by lookups. The public key operations are time-consuming, but resolvers are capable of handling the normal load, which is distributed through the hierarchy. The problem is that in the usual implementations the validation for a lookup is done in one thread, and that thread can be tied up for a very long time by a lookup for a domain that has a malicious construction. Thus a server can be overwhelmed by a small number of lookups that require a huge amount of computation. The computation is so great because the specification requires a validator to try every key whose key tag matches a signature, and every signature covering the record set, before returning a failure; key tags are only 16-bit checksums, so a malicious domain can publish many keys that share one tag, together with improperly signed data. The researchers found that such a lookup can cost on the order of n^2 signature validations, where n is the number of keys and signatures. They call this an "algorithmic complexity attack" that results in resource exhaustion.
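The validation loop described above, as an added example that is not code from the newsletter or from the KeyTrap authors. It models the RFC 4035 section 5.3.1 rule that a resolver tries every DNSKEY with a matching algorithm and key tag for every RRSIG before declaring data bogus, computes key tags with the real RFC 4034 Appendix B checksum, and shows how an attacker can force any tag by choosing the last two bytes of key material. The signature scheme is a labelled stand-in (an HMAC keyed with the "public key" bytes, so the file runs offline with only the standard library); the RRset bytes, the colliding tag 0xBEEF, the zone contents and the validation budget of 16 are all constructed for the example.

```python
"""Model of the KeyTrap blow-up in a DNSSEC validator (constructed example).

Candidate-key selection and the try-every-key, try-every-signature loop follow
RFC 4035 section 5.3.1; key tags follow RFC 4034 Appendix B. The signature
scheme is NOT DNSSEC's: it is an HMAC keyed with the "public key" bytes, a
stand-in that keeps the example offline and in the standard library.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALG = 13                 # algorithm number carried in DNSKEY/RRSIG; only a label here
COLLIDING_TAG = 0xBEEF   # arbitrary tag the attacker forces onto every key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (flags|proto|alg|key)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class DNSKEY:
    rdata: bytes

    @property
    def algorithm(self) -> int:
        return self.rdata[3]

    @property
    def tag(self) -> int:
        return key_tag(self.rdata)

    @property
    def public_key(self) -> bytes:
        return self.rdata[4:]


@dataclass(frozen=True)
class RRSIG:
    algorithm: int
    key_tag: int
    signature: bytes


def toy_sign(key: DNSKEY, rrset: bytes) -> RRSIG:
    """Stand-in signer: HMAC over the RRset with the key bytes (not real DNSSEC)."""
    mac = hmac.new(key.public_key, rrset, hashlib.sha256).digest()
    return RRSIG(key.algorithm, key.tag, mac)


def toy_verify(key: DNSKEY, rrset: bytes, sig: RRSIG) -> bool:
    mac = hmac.new(key.public_key, rrset, hashlib.sha256).digest()
    return hmac.compare_digest(mac, sig.signature)


def make_dnskey_with_tag(target: int, seed: bytes) -> DNSKEY:
    """Craft a DNSKEY whose key tag is `target` by picking its last 16-bit word.

    The key tag is a 16-bit checksum, not a hash, so the last word of the key
    material can be chosen to land on (almost) any tag the attacker wants.
    """
    prefix = b"\x01\x01\x03" + bytes([ALG]) + seed   # flags=257, proto=3, alg, key...
    if len(prefix) % 2:
        prefix += b"\x00"                             # keep the last word on an even offset
    base = 0
    for i, b in enumerate(prefix):
        base += b if i & 1 else b << 8
    for w in range(0x10000):
        ac = base + w
        ac += (ac >> 16) & 0xFFFF
        if ac & 0xFFFF == target:
            return DNSKEY(prefix + w.to_bytes(2, "big"))
    raise ValueError("no 16-bit word reaches the target tag for this prefix")


def validate(rrset: bytes, rrsigs: List[RRSIG], dnskeys: List[DNSKEY],
             max_attempts: Optional[int] = None) -> Tuple[str, int]:
    """RFC 4035 5.3.1-style validation; returns (status, signature checks done).

    With max_attempts=None this is the pre-KeyTrap behaviour: every RRSIG is
    tried against every DNSKEY whose algorithm and key tag match before the
    data is declared bogus. A bounded validator gives up with SERVFAIL once
    the budget is spent, which is the shape of the fix resolvers shipped.
    """
    attempts = 0
    for sig in rrsigs:
        candidates = [k for k in dnskeys
                      if k.algorithm == sig.algorithm and k.tag == sig.key_tag]
        for key in candidates:
            if max_attempts is not None and attempts >= max_attempts:
                return "servfail", attempts
            attempts += 1
            if toy_verify(key, rrset, sig):
                return "secure", attempts
    return "bogus", attempts


def keytrap_zone(n: int):
    """Attacker zone: n DNSKEYs sharing one tag, n RRSIGs that verify under none."""
    rrset = b"www.example. 300 IN A 192.0.2.1"      # constructed RRset bytes
    keys = [make_dnskey_with_tag(COLLIDING_TAG, b"evil-%02d" % i) for i in range(n)]
    sigs = [RRSIG(ALG, COLLIDING_TAG, hashlib.sha256(b"garbage-%02d" % i).digest())
            for i in range(n)]
    return rrset, sigs, keys


def honest_zone():
    """One key, one valid signature: the validator stops after a single check."""
    rrset = b"www.example. 300 IN A 192.0.2.1"
    key = make_dnskey_with_tag(0x1234, b"honest")
    return rrset, [toy_sign(key, rrset)], [key]


if __name__ == "__main__":
    for n in (1, 4, 8, 16):
        status, work = validate(*keytrap_zone(n))
        print(f"n={n:2d} colliding keys/sigs -> {status}, {work} signature checks")
    print("bounded:", validate(*keytrap_zone(16), max_attempts=16))
    print("honest: ", validate(*honest_zone()))
```

Running it shows the honest zone costing one check and the attacker zone costing n*n checks that all end in "bogus"; the bounded validator stops at its budget. In a real resolver each check is a public-key signature verification rather than an HMAC, which is why a zone of a few hundred colliding keys and signatures is enough to stall a validating thread.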
-------------------------------------------------------------------------------

- Slow Restoration of Health Insurance System

Patients struggle to get lifesaving medication after cyberattack on a major health care company
The attack on Change Healthcare has upended the lives and work of patients, doctors and pharmacists due to outages in systems used for medical billing and insurance claims.
https://www.nbcnews.com/health/health-care/cyberattack-change-healthcare-patients-struggle-get-medication-rcna141841
Publisher: NBC News
Date: March 6, 2024
By: Daniella Silva and Aria Bendix

Summary: Change Healthcare, a unit of UnitedHealth Group, provides technology for handling insurance claims and payments across the US health care system, and its systems were severely compromised by a likely ransomware attack on February 21. That has led to frantic attempts to get necessary medication, to clarify insurance status, and to get payments to health care providers. The company said that it could not bring all systems back online until it could be sure that it had eliminated the malware. In the meantime, everyone dependent on its claims and payment systems scrambled to find ways to get prescription drugs and payment in a chaotic void. According to NBC News, experts at the cybersecurity companies Recorded Future and Tenable identified a bitcoin wallet that received a payment of more than $22 million the previous Friday. The wallet belonged to the hacker group AlphV. Wired magazine reported on the incident and the argument between AlphV and a hacker group that claimed they were owed money for helping to carry out the attack.
Wired: https://www.wired.com/story/alphv-change-healthcare-ransomware-payment/

-------------------------------------------------------------------------------

- Microsoft Struggles to Remove Intruders

Russian hackers breached key Microsoft systems
https://www.cnn.com/2024/03/08/tech/microsoft-russia-hack/index.html
Publisher: CNN
Date: March 8, 2024
By: Sean Lyngaas

Summary: Microsoft corporate email systems were infiltrated in January; the problem was detected, but apparently the lurkers were not fully repelled. In a recent SEC filing the company said that some of its software source code was probably accessed using credentials revealed in company email. The attackers are the Russian state group, tracked by Microsoft as Midnight Blizzard, that was behind the 2020 SolarWinds compromise; this time the initial access came not through SolarWinds but through a password-spray attack on a legacy, non-production test account in Microsoft's own environment.

-------------------------------------------------------------------------------

- It's a Bird, It's a Crane, It's a Giant Vulnerability

Pentagon Sees Giant Cargo Cranes as Possible Chinese Spying Tools
Equipment at U.S. ports could pose risk of surveillance or sabotage, officials say; China says concerns are 'paranoia-driven'
https://www.wsj.com/articles/pentagon-sees-giant-cargo-cranes-as-possible-chinese-spying-tools-887c4ade
Publisher: The Wall Street Journal
Date: March 5, 2023
By: Aruna Viswanatha, Gordon Lubold and Kate O'Keeffe

Summary: China makes a lot of the equipment for unloading ships at ports around the world; the ZPMC-made giant cranes for lifting containers are ubiquitous. As more and more automation goes into heavy equipment, the number of electronic components increases. However, when someone pointed out that these particular cranes came with cellular modems, questions ensued. Why does a cargo crane need world-wide communication capabilities? Perhaps because the Chinese government wants to base a secret communication network at ports around the world and then use it to impede port operations during times of tension.
The US government believes that it is important to eliminate Chinese cranes at US ports, and several initiatives are planned to make that possible.

-------------------------------

Biden Admin To Spend Billions Rooting Out Chinese Tech Risks At US Ports
https://dailycaller.com/2024/02/21/biden-admin-20-billion-chinese-tech-us-ports/
Publisher: Daily Caller
Date: February 21, 2024
By: Jake Smith

Summary: Instead of buying cargo cranes from China, the US plans to have them built domestically by the U.S. subsidiary of the Japanese company Mitsui. The administration will invest more than $20 billion in port infrastructure over the next five years, including this domestic crane production, according to the WSJ (see https://www.wsj.com/politics/national-security/u-s-to-invest-billions-to-replace-china-made-cranes-at-nations-ports-d451ef8f?mod=hp_lead_pos1). The $1 trillion bipartisan infrastructure bill passed by Congress in 2021 will be tapped for this investment.

-------------------------------

House Homeland, China Select Committee Republicans Demand Answers from CCP-Backed Company Operating at U.S. Ports Amid Shocking Joint Investigation Findings
https://homeland.house.gov/2024/03/07/house-homeland-china-select-committee-republicans-demand-answers-from-ccp-backed-company-operating-at-u-s-ports-amid-shocking-joint-investigation-findings/
Publisher: Homeland Security, US Congress
Date: March 7, 2024

Summary: Congress has sent a letter to the Chinese company ZPMC asking why cellular modems were installed on cranes in US ports. There was no contractual agreement about this equipment, which appears to allow remote monitoring and control.
-------------------------------

Chairmen Green, Gallagher, Gimenez, Pfluger Issue Statement on Biden Administration's EO to Combat China's Maritime Port Crane Dominance, Security Threats: "The Right Move by the Administration"
https://homeland.house.gov/2024/02/22/chairmen-green-gallagher-gimenez-pfluger-issue-statement-on-biden-administrations-eo-to-combat-chinas-maritime-port-crane-dominance-security-threats-the-right-move-by-t/
Publisher: Homeland Security, US Congress
Date: February 22, 2024

Summary: Congressional leaders expressed approval of the administration's plans to invest in domestic production of cargo handling cranes.

----------------------------------------------------------------------

News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

====================================================================
====================================================================

Listing of academic positions available by Cynthia Irvine
http://cisr.nps.edu/jobscipher.html
--------------

This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like to have in it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil ==================================================================== Conference and Workshop Announcements ==================================================================== ==================================================================== Upcoming Calls-For-Papers and Events ==================================================================== The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html Requests for inclusion in the list should sent per instructions: http://www.ieee-security.org/Calendar/submitting.html ____________________________________________________________________ Cipher Event Calendar ____________________________________________________________________ IEEE Communications Magazine - Cybersecurity (In Incubation), IEEE Communications Magazine is starting a new Cybersecurity Series. https://www.comsoc.org/publications/magazines/ieee-communications-magazine/cfp/cybersecurity-incubation Submission date: Anytime during the year FHE 2024 3rd Annual FHE.org Conference on Fully Homomorphic Encryption, Held in conjunction with the Real World Crypto 2024, Toronto, Canada, March 24, 2024. https://asiaccs2024.sutd.edu.sg/cfp/ SciSec 2024 6th International Conference on Science of Cyber Security, Copenhagen, Denmark, August 14-16, 2024. https://scisec.org/index.html Submission date: 7 April 2024 RAID 2024 27th International Symposium on Research in Attacks, Intrusions and Defenses, Padua, Italy, September 30 - October 2, 2024. 
https://raid2024.github.io/ Submission date: 9 April 2024 SPW 2024 29th International Workshop on Security Protocols, Brno, Czechia, April 10-12, 2024. https://www.cl.cam.ac.uk/events/spw/2024/ CANS 2024 International Conference on Cryptology and Network Security, Cambridge, UK, September 24-27, 2024. https://2024.cansconference.org/ Submission date: 14 April 2024 ICICS 2024 26th International Conference on Information and Communications Security, Mytilene, Greece, August 26-28, 2024. http://icics2024.aegean.gr/submissions/ Submission date: 2 February 2024 and 19 April 2024 ESORICS 2024 9th European Symposium on Research in Computer Security, Bydgoszcz, Poland, September 16-20, 2024. https://esorics2024.org Submission date: 2 February 2024 and 19 April 2024 MarCaS 2024 2nd IEEE LCN Special Track on Maritime Communication and Security, Held in conjunction with the 49th Annual IEEE Conference on Local Computer Networks (IEEE LCN 2024), Caen, Normandy, France, October 8-10, 2024. https://garykessler.net/lcn_marcas/ Submission date: 19 April 2024 SCN 2024 14th International Conference on Security and Cryptography for Networks, Amalfi, Italy September 11-13, 2024. https://scn.unisa.it/scn24/index.php/call-for-papers/ Submission date: 24 April 2024 ACM CCS 2024 31th ACM Conference on Computer and Communications Security, Salt Lake City, Utah, USA, October 14-18, 2024. https://www.sigsac.org/ccs/CCS2024/call-for/call-for-papers.html Submission date: 28 January 2024 and 29 April 2024 BASS 2024 4th International Workshop on Behavioral Authentication for System Security, Held in conjunction with the 19th International Conference on Availability, Reliability and Security (ARES 2024), Vienna, Austria, July 30 - August 2, 2024. https://www.ares-conference.eu/workshops/bass/ Submission date: 30 April 2024 CSR 2024 IEEE International Conference on Cyber Security and Resilience, London, UK, Hybrid Conference, September 2-4, 2024. 
https://www.ieee-csr.org/
Submission date: 3 May 2024

EDid 2024 1st International Workshop on Emerging Digital Identities,
Held in conjunction with the 19th International Conference on Availability, Reliability and Security (ARES 2024),
Vienna, Austria, July 30 - August 2, 2024.
https://www.ares-conference.eu/edid
Submission date: 3 May 2024

CSET 2024 17th Cyber Security Experimentation and Test Workshop,
Philadelphia, PA, USA, August 13, 2024.
https://cset24.isi.edu/index.html
Submission date: 17 May 2024

SP 2024 45th IEEE Symposium on Security and Privacy,
San Francisco, CA, USA, May 20-23, 2024.
https://sp2024.ieee-security.org/cfpapers.html

SafeThings 2024 8th IEEE/ACM Workshop on the Internet of Safe Things,
Held in conjunction with IEEE SP 2024 Conference,
San Francisco, California, USA, May 23, 2024.
https://safe-things-2024.github.io

SAGAI 2024 Workshop on Security Architectures for GenAI Systems,
Held in conjunction with IEEE SP 2024 Conference,
San Francisco, California, USA, May 23, 2024.
https://sites.google.com/view/sagai2024/home

Human-centric Computing and Information Sciences (HCIS) Journal,
Special Issues on Human-centric Security and Privacy Protection for Smart City,
http://hcisj.com/issues/issue_view.php?wr_id=24&type=1
Submission date: 30 May 2024

CNS 2024 12th IEEE Conference on Communications and Network Security,
Taipei, Taiwan, September 30 - October 3, 2024.
https://cns2024.ieee-cns.org/
Submission date: 10 June 2024

SYSTOR 2024 17th ACM International System and Storage Conference,
Tel Aviv-Yaffo, Israel, September 23-25, 2024.
https://www.systor.org/2024/
Submission date: 19 June 2024

CODASPY 2024 14th ACM Conference on Data and Application Security and Privacy,
Porto, Portugal, June 19-21, 2024.
http://www.codaspy.org/2024/

ASIACCS 2024 19th ACM ASIA Conference on Computer and Communications Security,
Singapore, July 1-5, 2024.
https://asiaccs2024.sutd.edu.sg/cfp/

CSF 2024 37th IEEE Computer Security Foundations Symposium,
Enschede, Netherlands, July 8-12, 2024.
https://csf2024.ieee-security.org

DFRWS 2024 24th Annual Digital Forensic Research Conference,
Baton Rouge, LA, USA, July 9-12, 2024.
https://dfrws.org/conferences/dfrws-usa-2024/

PETS 2024 24th Privacy Enhancing Technologies Symposium,
Bristol, UK and Online, July 15-20, 2024.
https://petsymposium.org/cfp24.php

BASS 2024 4th International Workshop on Behavioral Authentication for System Security,
Held in conjunction with the 19th International Conference on Availability, Reliability and Security (ARES 2024),
Vienna, Austria, July 30 - August 2, 2024.
https://www.ares-conference.eu/workshops/bass/

EDid 2024 1st International Workshop on Emerging Digital Identities,
Held in conjunction with the 19th International Conference on Availability, Reliability and Security (ARES 2024),
Vienna, Austria, July 30 - August 2, 2024.
https://www.ares-conference.eu/edid

SOUPS 2024 20th Symposium on Usable Privacy and Security,
Philadelphia, PA, USA, August 11-13, 2024.
https://www.usenix.org/conference/soups2024

CSET 2024 17th Cyber Security Experimentation and Test Workshop,
Philadelphia, PA, USA, August 13, 2024.
https://cset24.isi.edu/index.html

USENIX Security 2024 33rd USENIX Security Symposium,
Philadelphia, PA, USA, August 14-16, 2024.
https://www.usenix.org/conference/usenixsecurity24

SciSec 2024 6th International Conference on Science of Cyber Security,
Copenhagen, Denmark, August 14-16, 2024.
https://scisec.org/index.html

ICICS 2024 26th International Conference on Information and Communications Security,
Mytilene, Greece, August 26-28, 2024.
http://icics2024.aegean.gr/submissions/

CSR 2024 IEEE International Conference on Cyber Security and Resilience,
London, UK, Hybrid Conference, September 2-4, 2024.
https://www.ieee-csr.org/

SCN 2024 14th International Conference on Security and Cryptography for Networks,
Amalfi, Italy, September 11-13, 2024.
https://scn.unisa.it/scn24/index.php/call-for-papers/

ESORICS 2024 9th European Symposium on Research in Computer Security,
Bydgoszcz, Poland, September 16-20, 2024.
https://esorics2024.org

SYSTOR 2024 17th ACM International System and Storage Conference,
Tel Aviv-Yaffo, Israel, September 23-25, 2024.
https://www.systor.org/2024/

CANS 2024 International Conference on Cryptology and Network Security,
Cambridge, UK, September 24-27, 2024.
https://2024.cansconference.org/

RAID 2024 27th International Symposium on Research in Attacks, Intrusions and Defenses,
Padua, Italy, September 30 - October 2, 2024.
https://raid2024.github.io/

CNS 2024 12th IEEE Conference on Communications and Network Security,
Taipei, Taiwan, September 30 - October 3, 2024.
https://cns2024.ieee-cns.org/

MarCaS 2024 2nd IEEE LCN Special Track on Maritime Communication and Security,
Held in conjunction with the 49th Annual IEEE Conference on Local Computer Networks (IEEE LCN 2024),
Caen, Normandy, France, October 8-10, 2024.
https://garykessler.net/lcn_marcas/

ACM CCS 2024 31st ACM Conference on Computer and Communications Security,
Salt Lake City, Utah, USA, October 14-18, 2024.
https://www.sigsac.org/ccs/CCS2024/call-for/call-for-papers.html

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe".
   OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".

   OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL
http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended.

Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.

____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy (or other TCs) by completing the on-line form at IEEE at
https://www.computer.org/web/tandc/technical-committees

______________________________________________________________________
TC Conference Publications Online
______________________________________________________________________

The proceedings of previous conferences are available from the Computer Society's Digital Library.

IEEE Security and Privacy Symposium
IEEE Computer Security Foundations
IEEE European Security and Privacy Symposium

From 2012 onward, these are available without charge from the digital library 12 months after the conference.
____________________________________________________________________________
TC Officers
____________________________________________________________________________

Chair:
Gabriela Ciocarlie
Associate Professor
University of Texas at San Antonio
tcchair at ieee-security.org

Security and Privacy Symposium Chair Emeritus:
Daniel Takabi
Associate Professor
Georgia State University
https://cas.gsu.edu/profile/daniel-takabi

Vice Chair:
Thorsten Holz
Faculty Member
CISPA Helmholtz Center for Information Security
tcchair at ieee-security.org

Treasurer:
Yong Guan
Professor
Department of Electrical and Computer Engineering
Iowa State University, Ames, IA 50011
treasurer@ieee-security.org

Newsletter Editor:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

Security and Privacy Symposium, 2024 Chair:
Trent Jaeger
Associate Professor
Pennsylvania State University
https://www.cse.psu.edu/~trj1/
sp24-chair@ieee-security.org

TC Awards Chair:
Tegan Brennan
Assistant Professor
Stevens Institute of Technology
tbrenna5 at stevens.edu

____________________________________________________________________________

BACK ISSUES: Cipher is archived at:
http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year