Electronic CIPHER, Issue 179, June 3, 2024

============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 179, June 3, 2024

Hilarie Orman, Editor: cipher-editor @ ieee-security.org
Sven Dietrich, Assoc. Editor: cipher-assoc-editor @ ieee-security.org
Sven Dietrich, Book Review Editor: cipher-bookrev @ ieee-security.org
Yong Guan, Calendar Editor: cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year

Contents:

 * Letter from the Editor
 * Commentary and Opinion and News
    o Sven Dietrich's review of "Fair Exchange: Theory and Practice of Digital Belongings" by Carlos Molina-Jimenez, Dann Toliver, Hazem Danny Nakib, and Jon Crowcroft
    o News items
       - Healthcare Payment Malady Affects Millions
       - Controlling Water
       - This Never Happened with a Blackboard: Flipper Zero Cancels Class
       - Too Open Source
       - Waiting For the Collapse
       - The Power of Youth
       - Crypto Coins, Washed and Starched
       - Surveilled at Sea
       - Big Bad Botnet
       - When Is a Router Not a Router? When it is a Brick
       - Data Snows From the Cloud
    o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website
 * List of Computer Security Academic Positions, by Cynthia Irvine
 * Conference and Workshop Announcements
    o Upcoming calls-for-papers and events
 * Staying in Touch
    o Information for subscribers and contributors
    o Recent address changes
 * Links for the IEEE Computer Society TC on Security and Privacy
    o Becoming a member of the TC
    o TC Officers
    o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

We note the sudden passing of famed security researcher Ross Anderson. He was a large presence in the security community in many capacities, and I encourage you to read this memorial by Wendy Grossman:
https://netwars.pelicancrossing.net/2024/03/31/rip-ross-j-anderson/

Much of the security news these days is about organizations that did not follow the security engineering principles that Ross Anderson taught, and suffered massive consequences. This has caused me to reflect on how we keep moving into new technologies and both acquiring more risk and perhaps the illusion of constant security. In many ways our daily lives are the same as they were many decades ago, despite the fact that foreign agents might know all our personal data and be monitoring our whereabouts. At the current time, our individual personal security seems reasonably good. Nonetheless, our government warns us that enemy nations might turn off our water and shut down commerce and shipping on a whim. An IT worker who is careless with a password can cause a billion dollars in losses overnight. In what sense is this security? The complexity of the problem seems on a par with global warming. Economics, individual decisions, misaligned corporate and government objectives, ... quo vadis?
My hope is for an AI system that can read our research papers from the past 60 years and find the narrow path for putting together the dependable and secure systems that we need.

Sven Dietrich has contributed a review of a book about fair exchange protocols for digital "belongings", an interesting topic on many levels.

Instead of parody, this issue's amusement is suggestions for collective nouns for the jargon of our field, in the style of "a conspiracy of ravens" and other avian groups.

   An intuberation of root kits
   An encipherment of ransomware
   An impersonation of phishings
   An embezzlement of bitcoins
   A factorization of authenticators
   A blaze of firewalls
   An astonishment of zero days
   An equinement of Trojans
   ... (add your own collectives!)

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Sven Dietrich
06/04/2024
____________________________________________________________________

Fair Exchange: Theory and Practice of Digital Belongings
by Carlos Molina-Jimenez, Dann Toliver, Hazem Danny Nakib, and Jon Crowcroft

World Scientific Publishing 2024.
ISBN: 978-1-80061-516-8 (hardcover), ISBN: 978-1-80061-518-2 (ebook)
292 pages + xxiii
____________________________________________________________________

We are talking about fair exchange protocols here. The world of exchanging information or digital goods in a fair way in our digital economy can get tricky and test the trust relationships of the concerned parties.
It can sometimes even go as far as two parties mutually, or in turns, writing or adding one letter of a contract at a time. The author team at the University of Cambridge, Carlos Molina-Jimenez, Dann Toliver, Hazem Danny Nakib, and Jon Crowcroft, have set out to create a book that introduces the reader to the world of fair exchange, from theory to practice. And they succeeded in this task.

This almost 300-page book is divided into three parts and twenty chapters. Throughout the book, you will find both black-and-white as well as color illustrations and figures, all of which are listed in a List of Figures and List of Tables. A roadmap at the beginning of the book helps the reader understand the flow of the book. A set of references, a glossary, and an index round off the book.

Part 1 discusses "A Framework for Fair Exchange" and contains 7 chapters. This is a thorough introduction to the field of fair exchange. The first chapter "Fair Exchange Protocols" goes into the basics, such as definitions, the history, trust assumptions, and other properties one may encounter in this context. The second chapter "Categories of Items" describes the items in the context of fair exchange, such as copyable items, unique items, and digitally inaccessible items, and sets the stage further for grasping this world. The third chapter "Operations of Fair Exchange" shows what the basic operations are, from the initial handshake to the deposit, verify, and synchronize, up to the final release or restore stages. Next, the fourth chapter "Environments for Operation," as well as the fifth chapter "A Diagram Language for Fair Exchange" set up the reader for describing the fair exchange protocols better. As a logical next chapter, "The Fundamental Limits of Fair Exchange" shows how the pieces are put together in understanding the various stages shown in Chapter 3 more thoroughly. The last chapter on "Attestables" describes an interface for independent computation.
Part 2, in turn, is on "Protocols Old and New," and also comprises 7 chapters. Armed with the building blocks from Part 1, the reader can now analyze existing protocols, and even create new ones, partially helped by the "attestable" concept introduced in chapter 7. The categorization of protocols divides the space for a better understanding of fair exchange protocols, and goes on to further critique protocols, from escrow-based to optimistic ones, from gradual-release to attestable fair exchange protocols. This leads to a wrap-up of Part 2, Fair Exchange Without Disputes and a family of such protocols.

Part 3 "Real World Fair Exchange" has a focus on the real world, keeping in line with the title "theory and practice." Over 6 chapters, the authors connect the topic of fair exchange to real-world scenarios. In "Risk Analysis," the authors discuss topics such as false positives, risk quantification, as well as the impact of faulty environments. In "Legal Considerations," the reader will find topics such as records and evidence, the types of disputes that may (or not) be eliminated by certain fair exchange protocols, and a sample set of protocol phases. "Operational Concerns" and "Commercial Analysis and Use Cases" delve deeper into making it work, such as exchanges of signatures and legal contracts, as well as completing missing information from such a fair exchange protocol. Last but not least, the connection is made to timely topics along the exchange of digital goods, such as smart contracts, secure multiparty computation, and zero-knowledge information exchange.

Overall the book is aimed at researchers, industry practitioners in technology, e-commerce, and online marketplaces, and postgraduate students that seek in-depth information about fair exchange protocols, from the tried and true to the latest and greatest ideas. The authors did a fine job at assembling relevant topics of this important aspect of our online presence.
I met one of the authors at a conference where smart contracts and blockchain topics were being presented: it is an excellent connection for this book, as mentioned in Part 3.

I very much enjoyed reading this book, and the book will find its place on my bookshelf for any needed reference on this fascinating topic.

------------------------------------
Sven Dietrich reviews technology and security books for IEEE Cipher. He welcomes your thoughts at spock at ieee dot org

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

Payment Malady Affects Millions

A devastating ransomware attack affected medical insurance payments and patient medical records earlier this year. The attack was against United Healthcare, a large company providing services that link insurers and providers. In 2022 they acquired Change Healthcare, which is particularly involved in processing claims from hospitals. As United Healthcare worked to incorporate the new company into their IT infrastructure, they may have overlooked one vulnerable server. Hackers captured access credentials and installed ransomware, and havoc ensued, affecting individuals, health clinics, and hospitals, and causing a huge loss for United Healthcare. The full story has yet to be told, but the following articles give some insight into the debacle.

-------------------------------
https://www.reuters.com/business/healthcare-pharmaceuticals/unitedhealth-hack-takes-toll-healthcare-providers-nations-poor-2024-03-20/
UnitedHealth hack takes toll on healthcare providers to the nation's poor
Publisher: Reuters
Date: March 20, 2024
By: Julie Steenhuysen
Summary: United Healthcare provides the financial conduits that connect healthcare providers and healthcare insurance companies.
Last February, the company was hard hit by ransomware, and despite reportedly paying a large sum to the perpetrators, a month later many small providers were unable to use the payment network. Providers with large IT installations were able to install new software that United Healthcare switched to, but smaller operations could not. Rural areas were especially hard hit. The expedient was to allow payment deferment, but the interrupted cash flow was hard to bear.

According to Cyberscoop (https://www.pktech.net/2024/05/united-healthcare-pays-ransom-and-still-has-problems/), Change Healthcare processes 15 billion transactions per year, and the hack has cost United Health Group nearly a billion dollars so far.

-------------------------------
Data stolen in Change Healthcare attack likely included U.S. service members, executive says
UnitedHealth Group CEO Andrew Witty tells Senate committee that Change Healthcare didn't have MFA enabled on the server that was attacked in February, resulting in a $22 million ransom payment.
https://cyberscoop.com/change-healthcare-attack-stolen-data-ransom-andrew-witty-unitedhealth/
Publisher: Cyberscoop
Date: May 1, 2024
By: Matt Bracken
Summary: The CEO of United Healthcare, Andrew Witty, testified to the Senate Finance Committee about the compromise of one of the company's servers and the resulting exposure of patient data to the hackers, reputed to be part of ALPHV or BlackCat. The absence of multifactor authentication on the server was the focus of some intense questioning.

-------------------------------
Extortion group threatens to sell Change Healthcare data
The data reportedly includes personal information and health details for customers of a variety of companies linked to the payment processor.
https://cyberscoop.com/extortion-group-threatens-to-sell-change-healthcare-data/
Publisher: Cyberscoop
By: AJ Vicens
Date: April 9, 2024
Summary: The twisted tale of United Healthcare's server compromise includes some serious accusations of lack of honor among thieves and confusion about just how much data was stolen. Was it 4 terabytes, 6 terabytes, or something much less? And who got the extortion money?

-------------------------------
Change Healthcare Cybersecurity Incident Frequently Asked Questions
https://www.hhs.gov/hipaa/for-professionals/special-topics/change-healthcare-cybersecurity-incident-frequently-asked-questions/index
Publisher: U.S. Department of Health and Human Services
Date: May 31, 2024

-------------------------------------------------------------------------------
Controlling Water

US warns hackers are carrying out attacks on water systems
https://www.epa.gov/system/files/documents/2024-03/epa-apnsa-letter-to-governors_03182024.pdf
Publisher: The White House
Date: March 18, 2024
Summary: The White House notified state governors about concerns that Iranian and Chinese threat actors are actively trying to compromise the nation's water systems. There is concern that the Chinese government may acquire enough of a foothold to disable substantial parts of the water systems in time of "geopolitical tensions and/or military conflict". CISA offers resources for securing the IT infrastructure, particularly legacy PLCs (Programmable Logic Controllers), that control water system devices.

-------------------------------
Who's Tapping Your Tap?
https://www.cbsnews.com/news/cyberattacks-on-water-systems-epa-utilities-take-action/
Cyberattacks on water systems are increasing, EPA warns, urging utilities to take immediate action
Publisher: CBS News, from AP
Date: May 20, 2024
Summary: Although the US sees the importance of protecting all parts of the nation's drinking water supply, the EPA is finding resistance to mandates to improve cybersecurity in local systems. It seems impossible to enforce any kind of mandate because there is no explicit Federal authority of that sort.

-------------------------------------------------------------------------------
This Never Happened with a Blackboard: Flipper Zero Cancels Class

Investigation into electronic device at Utah high school raises larger concerns for police
https://www.ksl.com/article/50965764/investigation-into-electronic-device-at-utah-high-school-raises-larger-concerns-for-police-
Publisher: KSL.com
Date: March 31, 2024
By: Pat Reavy
Summary: Instruction at a Utah school was disrupted for a week by a handheld commercial device known as a "Flipper Zero". It seems to be an infrared and Bluetooth signal interceptor and transmitter, capable of creating mischief if not actual theft and criminal disruption. The company touts it as a kind of Swiss Army knife for geeks. Although it cannot decode encrypted traffic, it seems capable of disabling audio visual machines and other common electronic devices that use simple command and control sequences over wireless communication.
--------------------------------------
Restricting Flipper is a Zero Accountability Approach to Security: Canadian Government Response
https://www.eff.org/deeplinks/2024/03/restricting-flipper-zero-accountability-approach-security-canadian-government
Publisher: Electronic Frontier Foundation
Date: March 28, 2024
By: Bill Budington and Alexis Hancock
Summary: Canada has struggled with regulating the Flipper Zero devices, and this article discusses the hype surrounding the idea that it could be used for car theft.

-------------------------------------------------------------------------------
Too Open Source

Nightmare Supply Chain Attack Scenario
What we know about the xz Utils backdoor that almost infected the world
Malicious updates made to a ubiquitous tool were a few weeks away from going mainstream.
https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/
Publisher: Ars Technica
Date: 4/1/2024
By: Dan Goodin
Summary: Everyone uses SSH for secure point-to-point communication between computers. It's the workhorse of secure remote access, specified, verified, and crypto configurable. It's also open source, a fact that is reassuring to most, but distasteful to others. Having many eyes on the source should lead to greater security, one supposes. That was borne out recently when a software engineer discovered that the binary form of the program harbored a secret backdoor access method that was hidden in a supporting library. The compromised version of ssh was not released, but it was a close call and a wake-up call to the open source community. The unidentified party behind the hidden method spent some 2+ years establishing a trusted identity on GitHub. Somehow, his malevolent changes to a compression library were accepted. No one noticed that the changes installed a backdoor capability into the ssh daemon.
The only reason it was discovered was that it caused the daemon to execute more instructions than before the library was modified.

-------------------------------------------------------------------------------
Waiting For the Collapse

FBI chief says Chinese hackers have infiltrated critical US infrastructure
Volt Typhoon hacking campaign is waiting 'for just the right moment to deal a devastating blow', says Christopher Wray
https://www.theguardian.com/world/2024/apr/19/fbi-china-hack-infrastructure
Publisher: Reuters
Date: 19 Apr 2024
Summary: The head of the FBI has told the country that China is poised to create panic in the US by disrupting its critical infrastructure at a "time of its choosing." The implication of his remarks is that a great deal of important control software in the US is known to be vulnerable to attacks from China, either because it has been modified remotely or because authentication credentials have been stolen. Presumably water systems are part of the problem, as noted above.

-------------------------------------------------------------------------------
The Power of Youth

Potent youth cybercrime ring made up of 1,000 people, FBI official says
The group known as Scattered Spider is one of the most impactful cybercrime groups working today and has proven elusive to law enforcement so far.
https://cyberscoop.com/potent-youth-cybercrime-ring-made-up-of-1000-people-fbi-official-says/
Publisher: Cyberscoop
Date: May 24, 2024
By: AJ Vicens
Summary: Although foreign governments have developed impressive cyberattack capabilities, law enforcement is taking note of a large group of young people in the US and the UK whose expertise in social engineering has led to large-scale, successful attacks on businesses. Working both cooperatively and competitively with each other, Scattered Spider members pose a growing threat, including some cases of hired violence.
-------------------------------------------------------------------------------
Crypto Coins, Washed and Starched

Exclusive: North Korea laundered $147.5 mln in stolen crypto in March, say UN experts
https://www.reuters.com/technology/cybersecurity/north-korea-laundered-1475-mln-stolen-crypto-march-say-un-experts-2024-05-14/
Publisher: Reuters
By: Michelle Nichols
Date: May 14, 2024
Summary: North Korea is suspected of having stolen $3.6 billion from cryptocurrency exchanges over a period of seven years, and they are beginning to extract value from those heists. UN monitors say that $1.47 million was laundered through Tornado Cash in March of this year.

-------------------------------------------------------------------------------
Surveilled at Sea

China-linked group uses malware to try to spy on commercial shipping, new report says
"We haven't seen this in the past," said Robert Lipovsky, principal threat intelligence researcher at ESET.
https://www.nbcnews.com/news/world/china-linked-group-malware-spy-commercial-shipping-cargo-report-eset-rcna152129
Publisher: NBC News
Date: May 14, 2024
By: Dan De Luce and Jean-Nicholas Fievet
Summary: Remote access Trojan software has been detected over the last several months in a new sector: commercial shipping companies. Mustang Panda is the name of the hacker organization believed to be behind the installation of lurking software in commercial shipping companies and even onboard ships.
-------------------------------------------------------------------------------
Big Bad Botnet

Europol and US seize website domains, luxury goods in $6bn cybercrime bust
'World's largest botnet' – spread through infected emails – taken down through coordinated police action among several countries
Botnet Infected Over 19M IP Addresses to Enable Billions of Dollars in Pandemic and Unemployment Fraud, and Access to Child Exploitation Materials
https://www.theguardian.com/technology/article/2024/may/30/botnet-arrests-covid-insurance-fraud
Publisher: The Guardian
Date: 30 May 2024
By: Blake Montgomery and agencies
Summary: Using email as the infection delivery mechanism, a group of fraudsters created the largest botnet ever, and officials in several EU countries and the US and UK cooperated to bring it to a grinding halt. The creators of the botnet leased it out to cybercriminals. The operation is said to have operated from 2014 to 2022.

-------------------------------
https://www.justice.gov/opa/pr/911-s5-botnet-dismantled-and-its-administrator-arrested-coordinated-international-operation
911 S5 Botnet Dismantled and Its Administrator Arrested in Coordinated International Operation
Publisher: Office of Public Affairs, US Justice Department
Date: May 29, 2024
Summary: This has an overview of the botnet and its takedown. It includes the additional detail that the botnet used VPNs to mask its traffic, which is probably why it was able to flourish for so long.

-------------------------------------------------------------------------------
When Is a Router Not a Router? When it is a Brick

Pumpkin Eclipse
Mystery malware destroys 600,000 routers from a single ISP during 72-hour span
An unknown threat actor with equally unknown motives forces ISP to replace the routers.
https://arstechnica.com/security/2024/05/mystery-malware-destroys-600000-routers-from-a-single-isp-during-72-hour-span/
Publisher: Ars Technica
Date: 5/30/2024
By: Dan Goodin
Summary: About 600K routers used by customers of the ISP Windstream were rendered inoperable in a 3 day period last October. Though this was initially thought to be a result of a faulty firmware upgrade, it was actually more serious. The firmware had been overwritten by an unknown party, and the result was that the router no longer performed its function, and the correct firmware could not be restored. Many Windstream customers had no other ISP to turn to and had to wait for new routers. The event was named "Pumpkin Eclipse" by the ISP. Although investigators were able to find out how the software was installed on the routers, they were not able to find the initial vulnerability that led to the mass bricking.

-------------------------------------------------------------------------------
User Data Snows From the Cloud

The Ticketmaster Data Breach May Be Just the Beginning
Data breaches at Ticketmaster and financial services company Santander have been linked to attacks against cloud provider Snowflake. Researchers fear more breaches will soon be uncovered.
https://www.wired.com/story/snowflake-breach-ticketmaster-santander-ticketek-hacked/
Publisher: Wired
Date: Jun 1, 2024
By: Matt Burgess
Summary: Although details are unclear at the time of this writing, the company Live Nation may have suffered a massive breach of customer data. "On May 27, a newly registered account on cybercrime forum Exploit posted an advertisement where they claimed to be selling 1.3 TB of Ticketmaster data, including more than 560 million people’s information." Live Nation owns Ticketmaster, and their data is on servers run by Snowflake, a US-based cloud service provider.
====================================================================
Listing of academic positions available
by Cynthia Irvine
====================================================================

http://cisr.nps.edu/jobscipher.html
--------------
This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Conference and Workshop Announcements
====================================================================

The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Requests for inclusion in the list should be sent per instructions:
http://www.ieee-security.org/Calendar/submitting.html

SP 2025 46th IEEE Symposium on Security and Privacy, San Francisco, CA, USA, May 12-15, 2025.
https://www.sp2025.ieee-security.org/cfpapers.html
Submission date: 6 June 2024 and 14 November 2024

DPM 2024 18th International Workshop on Data Privacy Management, Co-located with ESORICS 2024, Bydgoszcz, Poland September 19, 2024.
https://deic.uab.cat/dpm/dpm2024/
Submission date: 6 June 2024

CNS 2024 12th IEEE Conference on Communications and Network Security, Taipei, Taiwan September 30 - October 3, 2024.
https://cns2024.ieee-cns.org/
Submission date: 10 June 2024

NSS-SocialSec 2024 Joint 18th International Conference on Network and System Security and 10th International Symposium on Security and Privacy in Social Networks and Big Data, Abu Dhabi, UAE November 20-22, 2024.
http://nsclab.org/nss-socialsec2024/index.html
Submission date: 10 June 2024

DASC 2024 22nd IEEE International Conference on Dependable, Autonomic and Secure Computing, Boracay Island, Malay, Philippines November 5-8, 2024.
http://cyber-science.org/2024/dasc/
Submission date: 15 June 2024

CRiSIS 2024 19th International Conference on Risks and Security of Internet and Systems, Aix-en-Provence, France November 26-28, 2024.
https://crisis2024.univ-gustave-eiffel.fr
Submission date: 15 June 2024

SYSTOR 2024 17th ACM International System and Storage Conference, Tel Aviv-Yaffo, Israel September 23-25, 2024.
https://www.systor.org/2024/
Submission date: 19 June 2024

CODASPY 2024 14th ACM Conference on Data and Application Security and Privacy, Porto, Portugal June 19-21, 2024.
http://www.codaspy.org/2024/

SaT-CPS 2024 ACM Workshop on Secure and Trustworthy Cyber-Physical Systems, Held in conjunction with the 14th ACM Conference on Data and Application Security and Privacy (CODASPY 2024), Porto, Portugal June 21, 2024.
https://sites.google.com/view/sat-cps-2024/

HealthSec 2024 Workshop on Cybersecurity in Healthcare, Held in conjunction with the 31st ACM Conference on Computer and Communications Security (CCS 2024), Salt Lake City, Utah USA October 14, 2024.
https://publish.illinois.edu/healthsec/
Submission date: 23 June 2024

eCrime 2024 19th annual APWG eCrime symposium, Boston, Massachusetts, USA September 24-26, 2024.
https://ecrime2024.hotcrp.com
Submission date: 23 June 2024

ICTAI 2024 36th IEEE International Conference on Tools with Artificial Intelligence, Herndon, VA, USA October 30 - November 1, 2024.
https://ictai.computer.org/2024/
Submission date: 1 July 2024

ASIACCS 2024 19th ACM ASIA Conference on Computer and Communications Security, Singapore, July 1-5, 2024.
https://asiaccs2024.sutd.edu.sg/cfp/

WTMC 2024 9th International Workshop on Traffic Measurements for Cybersecurity, Co-located with the 9th IEEE European Symposium on Security and Privacy (IEEE EuroS&P 2024), Vienna, Austria, July 8, 2024.
https://wtmc.info/

FCS 2024 Workshop on Foundations of Computer Security, Co-located with CSF 2024, Enschede, Netherlands July 8, 2024
https://fcs-workshop.github.io/fcs2024/

NDSS 2025 Network and Distributed System Security Symposium and Workshops, San Diego, CA, USA February 23-28, 2025.
https://www.ndss-symposium.org/ndss2025/submisions/call-for-papers/
Submission date: 17 April 2024 and 10 July 2024

CSF 2024 37th IEEE Computer Security Foundations Symposium, Enschede, Netherlands July 8-12, 2024.
https://csf2024.ieee-security.org

DFRWS 2024 24th Annual Digital Forensic Research Conference, Baton Rouge, LA, USA, July 9-12, 2024.
https://dfrws.org/conferences/dfrws-usa-2024/

UIC 2024 21th IEEE International Conference on Ubiquitous Intelligence and Computing, Denarau Island, Fiji, December 2-7, 2024.
https://www.ieee-smart-world.org/2024/uic/
Submission date: 15 July 2024

UbiSec 2024 4th International Conference on Ubiquitous Security, Changsha, China, December 29-31, 2024.
http://ubisecurity.org/2024/
Submission date: 15 July 2024

PETS 2024 24th Privacy Enhancing Technologies Symposium, Bristol, UK and Online, July 15-20, 2024.
https://petsymposium.org/cfp24.php

ARES 2024 19th International Conference on Availability, Reliability and Security, Vienna, Austria, July 30 - August 2, 2024.
http://www.ares-conference.eu/

CUING 2024 8th International Workshop on Cyber Use of Information Hiding, Held in conjunction with the 19th International Conference on Availability, Reliability and Security (ARES 2024), Vienna, Austria, July 30 - August 2, 2024.
https://www.ares-conference.eu/cuing

ENS 2024 7th International Workshop on Emerging Network Security, Held in conjunction with the 19th International Conference on Availability, Reliability and Security (ARES 2024), Vienna, Austria, July 30 - August 2, 2024.
https://www.ares-conference.eu/ens/

BASS 2024 4th International Workshop on Behavioral Authentication for System Security, Held in conjunction with the 19th International Conference on Availability, Reliability and Security (ARES 2024), Vienna, Austria, July 30 - August 2, 2024.
https://www.ares-conference.eu/workshops/bass/

EDid 2024 1st International Workshop on Emerging Digital Identities, Held in conjunction with the 19th International Conference on Availability, Reliability and Security (ARES 2024), Vienna, Austria, July 30 - August 2, 2024.
https://www.ares-conference.eu/edid

SOUPS 2024 20th Symposium on Usable Privacy and Security, Philadelphia, PA, USA, August 11-13, 2024.
https://www.usenix.org/conference/soups2024

CSET 2024 17th Cyber Security Experimentation and Test Workshop, Philadelphia, PA, USA, August 13, 2024.
https://cset24.isi.edu/index.html

USENIX Security 2024 33rd USENIX Security Symposium, Philadelphia, PA, USA, August 14-16, 2024.
https://www.usenix.org/conference/usenixsecurity24

SciSec 2024 6th International Conference on Science of Cyber Security, Copenhagen, Denmark, August 14-16, 2024.
https://scisec.org/index.html

ICICS 2024 26th International Conference on Information and Communications Security, Mytilene, Greece, August 26-28, 2024.
http://icics2024.aegean.gr/submissions/

ACM Distributed Ledger Technologies: Research and Practice, Special Issue on Blockchain for 6G Trust, Security, and Privacy.
https://dl.acm.org/pb-assets/static_journal_pages/dlt/pdf/ACM_DLT_SI_Blockchain_6G_Trust_Security_Privacy-1709931907953.pdf
Submission date: 1 September 2024

CSR 2024 IEEE International Conference on Cyber Security and Resilience, London, UK, Hybrid Conference, September 2-4, 2024.
https://www.ieee-csr.org/

USENIX Security 2025 34th USENIX Security Symposium, Seattle, WA, USA, August 13-15, 2025.
https://www.usenix.org/conference/usenixsecurity25
Submission date: 4 September 2024 and 22 January 2025

FPS 2024 17th International Symposium on Foundations & Practice of Security, Montreal, Canada, December 9-11, 2024.
https://fps-2024.hec.ca/
Submission date: 6 September 2024

SCN 2024 14th International Conference on Security and Cryptography for Networks, Amalfi, Italy, September 11-13, 2024.
https://scn.unisa.it/scn24/index.php/call-for-papers/

ESORICS 2024 9th European Symposium on Research in Computer Security, Bydgoszcz, Poland, September 16-20, 2024.
https://esorics2024.org

DPM 2024 18th International Workshop on Data Privacy Management, Co-located with ESORICS 2024, Bydgoszcz, Poland, September 19, 2024.
https://deic.uab.cat/dpm/dpm2024/

SYSTOR 2024 17th ACM International System and Storage Conference, Tel Aviv-Yaffo, Israel, September 23-25, 2024.
https://www.systor.org/2024/

eCrime 2024 19th annual APWG eCrime symposium, Boston, Massachusetts, USA, September 24-26, 2024.
https://ecrime2024.hotcrp.com

CANS 2024 International Conference on Cryptology and Network Security, Cambridge, UK, September 24-27, 2024.
https://2024.cansconference.org/

EuroUSEC 2024 European Symposium on Usable Security conference, Karlstad, Sweden, September 30 - October 1, 2024.
https://eurousec24.kau.se

RAID 2024 27th International Symposium on Research in Attacks, Intrusions and Defenses, Padua, Italy, September 30 - October 2, 2024.
https://raid2024.github.io/

CNS 2024 12th IEEE Conference on Communications and Network Security, Taipei, Taiwan, September 30 - October 3, 2024.
https://cns2024.ieee-cns.org/

6GQ 2024 Workshop on Postquantum Cryptography and Quantum Communication for 6G Networks, Held in conjunction with the 49th Annual IEEE Conference on Local Computer Networks (IEEE LCN 2024), Caen, Normandy, France, October 8-10, 2024.
https://sites.google.com/view/6gq2024/home

MarCaS 2024 2nd IEEE LCN Special Track on Maritime Communication and Security, Held in conjunction with the 49th Annual IEEE Conference on Local Computer Networks (IEEE LCN 2024), Caen, Normandy, France, October 8-10, 2024.
https://garykessler.net/lcn_marcas/

HealthSec 2024 Workshop on Cybersecurity in Healthcare, Held in conjunction with the 31st ACM Conference on Computer and Communications Security (CCS 2024), Salt Lake City, Utah, USA, October 14, 2024.
https://publish.illinois.edu/healthsec/

ACM CCS 2024 31st ACM Conference on Computer and Communications Security, Salt Lake City, Utah, USA, October 14-18, 2024.
https://www.sigsac.org/ccs/CCS2024/call-for/call-for-papers.html

ICTAI 2024 36th IEEE International Conference on Tools with Artificial Intelligence, Herndon, VA, USA, October 30 - November 1, 2024.
https://ictai.computer.org/2024/

DASC 2024 22nd IEEE International Conference on Dependable, Autonomic and Secure Computing, Boracay Island, Malay, Philippines, November 5-8, 2024.
http://cyber-science.org/2024/dasc/

SP 2025 46th IEEE Symposium on Security and Privacy, San Francisco, CA, USA, May 12-15, 2025.
https://www.sp2025.ieee-security.org/cfpapers.html
Submission date: 6 June 2024 and 14 November 2024

NSS-SocialSec 2024 Joint 18th International Conference on Network and System Security and 10th International Symposium on Security and Privacy in Social Networks and Big Data, Abu Dhabi, UAE, November 20-22, 2024.
http://nsclab.org/nss-socialsec2024/index.html

CRiSIS 2024 19th International Conference on Risks and Security of Internet and Systems, Aix-en-Provence, France, November 26-28, 2024.
https://crisis2024.univ-gustave-eiffel.fr

UIC 2024 21st IEEE International Conference on Ubiquitous Intelligence and Computing, Denarau Island, Fiji, December 2-7, 2024.
https://www.ieee-smart-world.org/2024/uic/

FPS 2024 17th International Symposium on Foundations & Practice of Security, Montreal, Canada, December 9-11, 2024.
https://fps-2024.hec.ca/

UbiSec 2024 4th International Conference on Ubiquitous Security, Changsha, China, December 29-31, 2024.
http://ubisecurity.org/2024/

USENIX Security 2025 34th USENIX Security Symposium, Seattle, WA, USA, August 13-15, 2025.
https://www.usenix.org/conference/usenixsecurity25
Submission date: 4 September 2024 and 22 January 2025

NDSS 2025 Network and Distributed System Security Symposium and Workshops, San Diego, CA, USA, February 23-28, 2025.
https://www.ndss-symposium.org/ndss2025/submisions/call-for-papers/

SP 2025 46th IEEE Symposium on Security and Privacy, San Francisco, CA, USA, May 12-15, 2025.
https://www.sp2025.ieee-security.org/cfpapers.html

USENIX Security 2025 34th USENIX Security Symposium, Seattle, WA, USA, August 13-15, 2025.
https://www.usenix.org/conference/usenixsecurity25

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================
____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe".
   OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".
   OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy (or other TCs) by completing the on-line form at IEEE at
https://www.computer.org/web/tandc/technical-committees

______________________________________________________________________
TC Conference Publications Online
______________________________________________________________________

The proceedings of previous conferences are available from the Computer Society's Digital Library.

IEEE Security and Privacy Symposium
IEEE Computer Security Foundations
IEEE European Security and Privacy Symposium

From 2012 onward, these are available without charge from the digital library 12 months after the conference.

____________________________________________________________________________
TC Officers
____________________________________________________________________________

Chair:
Gabriela Ciocarlie
Associate Professor
University of Texas at San Antonio
tcchair at ieee-security.org

Security and Privacy Symposium Chair Emeritus:
Daniel Takabi
Associate Professor
Georgia State University
https://cas.gsu.edu/profile/daniel-takabi

Vice Chair:
Thorsten Holz
Faculty Member
CISPA Helmholtz Center for Information Security
tcchair at ieee-security.org

Treasurer:
Yong Guan
Professor
Department of Electrical and Computer Engineering
Iowa State University, Ames, IA 50011
treasurer@ieee-security.org

Newsletter Editor:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

Security and Privacy Symposium, 2024 Chair:
Trent Jaeger
Associate Professor
Pennsylvania State University
https://www.cse.psu.edu/~trj1/
sp24-chair@ieee-security.org

TC Awards Chair:
Tegan Brennan
Assistant Professor
Stevens Institute of Technology
tbrenna5 at stevens.edu

____________________________________________________________________________

BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year