============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 183                                       January 28, 2025

Hilarie Orman, Editor                      Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org          cipher-assoc-editor @ ieee-security.org

Sven Dietrich                              Yong Guan
Book Review Editor                         Calendar Editor
cipher-bookrev @ ieee-security.org         cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year

Contents:

 * Letter from the Editor
 * Commentary and Opinion and News
   o News Items from the Media
     - China Knows Who You Call
     - If You Must Secure the Donut, Don't Forget the Hole
     - How Ewe Can Read BadRAM
     - No State Too Small for Ransomware
     - Which Evil: Regulation or Endless Cyberattacks?
     - The Unceasing Scope of Subaru Surveillance
   o Book reviews, Conference Reports and Commentary and News items
     from past Cipher issues are available at the Cipher website
 * Conference and Workshop Announcements
   o Upcoming calls-for-papers and events
 * List of Computer Security Academic Positions, by Cynthia Irvine
 * Staying in Touch
   o Information for subscribers and contributors
   o Recent address changes
 * Links for the IEEE Computer Society TC on Security and Privacy
   o Becoming a member of the TC
   o TC Officers
   o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

Is it possible to secure the software and computers that control our
modern infrastructure? What level of security is "good enough"?
One of the last policy directives by the Biden administration was to
mandate that software supplied to the Federal government must have
ironclad security. This is a matter of national security. Can regulation
force solutions to problems that seem intractable? How much added
security can be bought for each dollar spent over and above current
"standards" for security? Can we afford secure computer systems? These
questions are likely to be argued in the coming months. My forecast is
that it will be full of sound and fury.

The devastating fires in Los Angeles show how calculated risk can result
in massive losses. Nature is not cooperative with statistical means, no
more so than hackers are with zero-day discoveries. The result is that
protective measures can cost far more than what is being protected. If
we are entering an era of deregulation and unlimited expansion, we
should expect larger disasters, both from nature and from computers.

On those happy notes, the fruits of research investments will be on
display at the many academic security workshops and conferences that are
available throughout the year. Each published paper brings us one step
closer to true security? How long is that road?

The gravity of the situation has crushed levity. There is no appropriate
parody, humorous or otherwise, for this time,

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html

-----------------------------------------------------------------------------

China Knows Who You Call

US telecoms have shown lax attentiveness to cybersecurity, and that has
allowed a Chinese hacking group to access an unknown amount of call
metadata and unencrypted text messages.
Arguments about the responsibility for fixing it are evident in recent
US policy announcements.

Many Americans' cellphone data being hacked by China, official says
Cyber-espionage group 'Salt Typhoon' targeting 'at least' eight US
telecoms and telecom infrastructure firms
https://www.theguardian.com/technology/2024/dec/04/chinese-hackers-american-cell-phones
Publisher: Reuters via The Guardian
Date: 4 Dec 2024

Summary:
Several US telecoms were infiltrated by the Chinese hacking group known
as "Salt Typhoon". The full extent of the damage is not known, but call
metadata was targeted.

----------------------------------------------

FCC Adopts Cybersecurity Rules in Wake of Salt Typhoon
The incoming chair dissented from the order.
https://broadbandbreakfast.com/fcc-adopts-cybersecurity-rules-in-wake-of-salt-typhoon/
Publisher: Broadband Breakfast
Date: Jan 16, 2025
By: Jake Neenan

Summary:
The FCC, under the Biden administration, ordered telecoms to harden
their infrastructure against cyberattacks. It remains to be seen whether
the new administration will stand behind those rules.

----------------------------------------------

US sanctions Chinese firm behind sweeping Salt Typhoon telecom hacks
The Treasury Department also sanctioned an individual involved in recent
Chinese hacks into its own systems.
https://www.nextgov.com/cybersecurity/2025/01/us-sanctions-chinese-firm-behind-sweeping-salt-typhoon-telecom-hacks/402304/
Publisher: NextGov/FCW
Date: January 17, 2025
By: David DiMolfetta

Summary:
The US Department of the Treasury issued sanctions against an individual
and a networking company associated with the infiltration of several US
telecoms. The announcement (Treasury Sanctions Company Associated with
Salt Typhoon and Hacker Associated with Treasury Compromise,
https://home.treasury.gov/news/press-releases/jy2792) also describes
rewards of up to $10M USD for information about the individuals behind
malicious cyber activity.
-----------------------------------------------------------------------------

If You Must Secure the Donut, Don't Forget the Hole

Hackers find hole in Krispy Kreme Doughnuts' cyber-security
https://www.bbc.com/news/articles/c4gl9np1g2go
Publisher: BBC
Date: Dec 11, 2024
By: Tom Gerken

Summary:
Online orders of Krispy Kreme donuts were shut down in December because
of a cyberattack, according to a filing the company made with the SEC.
Desperate customers could still get the treats from brick-and-mortar
stores.

-----------------------------------------------------------------------------

How Ewe Can Read BadRAM

Flaw in computer memory leads to global security fixes
Cyber security experts studying memory modules in computers have
uncovered a key weakness that has led to worldwide security fixes in AMD
computer processors.
https://www.birmingham.ac.uk/news/2024/flaw-in-computer-memory-leads-to-global-security-fixes
Publisher: University of Birmingham
Date: December 10, 2024
Press Release

Summary:
An AMD processor feature that provides a high level of security through
encrypted memory was found susceptible to a relatively easy hands-on
attack. The attack starts by changing the information a memory module
reports about its own size, so that the module appears larger than it
really is. The phantom addresses in the extra range alias onto real
ones: when the processor accesses a phantom address, it reaches the data
stored at the corresponding real address, so a single memory location
becomes reachable through two different addresses. That defeats any
protection which assumes each physical address names exactly one
location. Although the attack requires physical access and does not
immediately imperil cloud-computing systems, AMD has issued fixes to
nullify it.

-----------------------------------------------------------------------------

No State Too Small for Ransomware

Personal Data of Rhode Island Residents Breached in Large Cyberattack
An "international cybercriminal group" harvested the personal data of
potentially hundreds of thousands of people from the state's social
services and health insurance systems, officials said.
https://www.nytimes.com/2024/12/14/us/cyberattack-rhode-island-ribridges-snap-medicaid.html
Publisher: New York Times
Date: Dec. 14, 2024
By: Aimee Ortiz

Summary:
The personal information of applicants for social services in Rhode
Island was "most likely" captured by hackers in a ransomware attack
against the state's benefits systems. The state detected the attack
before the ransom demand and began mitigating the damage, but the
attackers subsequently showed that they had obtained a great deal of
information. There was no report of immediate harm to benefit seekers.

-----------------------------------------------------------------------------

Which Evil: Regulation or Endless Cyberattacks?

Biden Tightens Cybersecurity Rules, Forcing Trump to Make a Choice
The president's latest executive order accelerates the move to mandatory
compliance by software providers. It may run afoul of the Trump mandate
to deregulate.
https://www.nytimes.com/2025/01/16/us/politics/biden-trump-cybersecurity.html
Publisher: The New York Times
Date: Jan 16, 2025
By: David E. Sanger

Summary:
Despite an ever-increasing focus on cybersecurity by software companies,
the US continues to suffer data breaches and system impairments. To
better protect US agencies and infrastructure from this harm, the Biden
administration issued an executive order placing responsibility on the
software providers themselves. The EO requires that software provided to
the US government be free of flaws that would let hackers gain entry.
Because the EO both increases regulation and seeks to deter Chinese
hacking, it presents opposing goals for the new administration.

-----------------------------------------------------------------------------

The Unceasing Scope of Subaru Surveillance

Subaru Security Flaws Exposed Its System for Tracking Millions of Cars
Now-fixed web bugs allowed hackers to remotely unlock and start any of
millions of Subarus.
More disturbingly, they could also access at least a year of cars'
location histories - and Subaru employees still can.
https://www.wired.com/story/subaru-location-tracking-vulnerabilities/
Publisher: Wired
Date: Jan 23, 2025
By: Andy Greenberg

Summary:
A security researcher found that a Subaru his mother owned had a security
flaw that allowed easy remote access to the car's data and controls. The
mechanism was part of the vehicle's Starlink system. Moreover, the
Starlink website had feeble security controls, allowing any Subaru
employee to read all the data from any car. That seemed like a security
and privacy nightmare, but it got worse: the cars kept a year's worth of
detailed location information, and that too was available to the Subaru
organization at large. Subaru said that permission for the data access
was granted by the owner at the time of purchase, and that it was used
only by dealership employees for special purposes, such as assisting law
enforcement.

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/BookReviews.html, and conference
reports are archived at
http://www.ieee-security.org/Cipher/ConfReports.html

====================================================================
Conference and Workshop Announcements
====================================================================

The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Requests for inclusion in the list should be sent per instructions:
http://www.ieee-security.org/Calendar/submitting.html

Date (Month/Day/Year), Event, Locations, web page for more info.
DFRWS-USA 2025
25th Annual Digital Forensics Research Conference, Chicago, Illinois,
USA, July 22-25, 2025.
https://dfrws.org/conferences/dfrws-usa-2025/
Submission date: 31 January 2025

WEIS 2025
24th Annual Workshop on the Economics of Information Security, Tokyo,
Japan, Jun 23-25, 2025.
http://kmlabcw.iis.u-tokyo.ac.jp/weis/2025/index.html
Submission date: 31 January 2025

WNDSS 2025
International Workshop on Network and Distributed Systems Security,
Co-located with the 40th International Information Security and Privacy
Conference (IFIP SEC 2025), Maribor, Slovenia, May 23, 2025.
https://ifiptc11.org/wg114-events/wg114-workshop/
Submission date: 31 January 2025

CSF 2025
38th IEEE Computer Security Foundations Symposium, Santa Cruz, CA, USA,
June 16-20, 2025.
https://csf2025.ieee-security.org/
Submission date: 4 February 2025

IWSPA 2025
11th ACM International Workshop on Security and Privacy Analytics,
Co-located with ACM CODASPY 2025, Pittsburgh, Pennsylvania, June 6, 2025.
https://sites.google.com/view/iwspa-2025
Submission date: 7 February 2025

WTMC 2025
10th International Workshop on Traffic Measurements for Cybersecurity,
Co-located with the 10th IEEE European Symposium on Security and Privacy
(IEEE EuroS&P 2025), Venice, Italy, June 30, 2025.
https://wtmc.info/index.html
Submission date: 10 February 2025

NDSS 2025
Network and Distributed System Security Symposium and Workshops,
San Diego, CA, USA, February 23-28, 2025.
https://www.ndss-symposium.org/ndss2025/submissions/call-for-papers/

USEC 2025
Symposium on Usable Security and Privacy, Co-located with NDSS Symposium
2025, San Diego, California, USA, February 24, 2025.
https://www.ndss-symposium.org/ndss2025/submissions/cfp-usec/

SDIoTSec 2025
Workshop on Security and Privacy in Standardized IoT, Co-located with
NDSS Symposium 2025, San Diego, California, USA, February 24, 2025.
https://www.ndss-symposium.org/ndss2025/submissions/cfp-sdiotsec/

SpaceSec 2025
Workshop on the Security of Space and Satellite Systems, Co-located with
NDSS Symposium 2025, San Diego, California, USA, February 24, 2025.
https://www.ndss-symposium.org/ndss2025/submissions/cfp-spacesec/

WOSOC 2025
Workshop on SOC Operations and Construction, Co-located with NDSS
Symposium 2025, San Diego, California, USA, February 24, 2025.
https://www.ndss-symposium.org/ndss2025/submissions/cfp-wosoc/

FutureG 2025
Workshop on Security and Privacy of Next-Generation Networks, Co-located
with NDSS Symposium 2025, San Diego, California, USA, February 24, 2025.
https://www.ndss-symposium.org/ndss2025/submissions/cfp-madweb/

MADWeb 2025
Workshop on Measurements, Attacks, and Defenses for the Web, Co-located
with NDSS Symposium 2025, San Diego, California, USA, February 28, 2025.
https://www.ndss-symposium.org/ndss2025/submissions/cfp-madweb/

IMPACT 2025
Workshop on Innovation in Metadata Privacy-Analysis and Construction
Techniques, Co-located with NDSS Symposium 2025, San Diego, California,
USA, February 28, 2025.
https://www.ndss-symposium.org/ndss2025/submissions/cfp-impact/

BAR 2025
Binary Analysis Research Workshop, Co-located with NDSS Symposium 2025,
San Diego, California, USA, February 28, 2025.
https://www.ndss-symposium.org/ndss2025/submissions/cfp-bar/

SELLMOD 2025
Workshop on the Safety and Explainability of Large Models Optimization
and Deployment, Co-located with NDSS Symposium 2025, San Diego,
California, USA, February 28, 2025.
https://www.ndss-symposium.org/ndss2025/submissions/cfp-sellmod/

PETS 2025
25th Privacy Enhancing Technologies Symposium, Washington, DC and Online,
July 14-19, 2025.
https://petsymposium.org/cfp25.php
Submission date: 28 February 2025

ARES 2025
20th International Conference on Availability, Reliability and Security,
Ghent, Belgium, August 10-13, 2025.
https://2025.ares-conference.eu/
Submission date: 28 February 2025

ACM WiSec 2025
18th ACM Conference on Security and Privacy in Wireless and Mobile
Networks, Arlington, Virginia, USA, June 30 - July 3, 2025.
https://wisec2025.gmu.edu
Submission date: 12 March 2025

Elsevier Online Social Networks and Media Journal (OSNEM)
Special issue on Disinformation, toxicity, harms in Online Social
Networks and Media.
https://www.sciencedirect.com/journal/online-social-networks-and-media
Submission date: 31 March 2025

DFDS 2025
1st Digital Forensics Doctoral Symposium, Held in conjunction with
Digital Forensics Research Conference Europe (DFRWS EU 2025), Brno,
Czech Republic, April 1, 2025.
https://www.dfrws.org/conferences/dfds2025/

DFRWS EU 2025
Digital Forensics Research Conference Europe, Hybrid, Brno, Czech
Republic, April 1-4, 2025.
https://dfrws.org/conferences/dfrws-eu-2025/

SaTML 2025
3rd IEEE Conference on Secure and Trustworthy Machine Learning,
Copenhagen, Denmark, April 9-11, 2025.
https://satml.org/participate-cfp/

ACM CCS 2025
32nd ACM Conference on Computer and Communications Security, Taipei,
Taiwan, October 13-17, 2025.
https://www.sigsac.org/ccs/CCS2025/call-for-papers/
Submission date: 14 April 2025

ESORICS 2025
30th European Symposium on Research in Computer Security, Toulouse,
France, September 22-26, 2025.
https://www.esorics2025.org/
Submission date: 22 April 2025

HOST 2025
18th IEEE International Symposium on Hardware Oriented Security and
Trust, San Jose, CA, USA, May 5-8, 2025.
http://www.hostsymposium.org/call-for-paper.php

SP 2025
46th IEEE Symposium on Security and Privacy, San Francisco, CA, USA,
May 12-15, 2025.
https://www.sp2025.ieee-security.org/cfpapers.html

IFIP TC-11 SEC 2025
40th IFIP TC-11 International Information Security and Privacy
Conference, Maribor, Slovenia, May 21-23, 2025.
https://www.ndss-symposium.org/ndss2025/submissions/cfp-wosoc/

WNDSS 2025
International Workshop on Network and Distributed Systems Security,
Co-located with the 40th International Information Security and Privacy
Conference (IFIP SEC 2025), Maribor, Slovenia, May 23, 2025.
https://ifiptc11.org/wg114-events/wg114-workshop/

IWSPA 2025
11th ACM International Workshop on Security and Privacy Analytics,
Co-located with ACM CODASPY 2025, Pittsburgh, Pennsylvania, June 6, 2025.
https://sites.google.com/view/iwspa-2025

CSF 2025
38th IEEE Computer Security Foundations Symposium, Santa Cruz, CA, USA,
June 16-20, 2025.
https://csf2025.ieee-security.org/

WEIS 2025
24th Annual Workshop on the Economics of Information Security, Tokyo,
Japan, Jun 23-25, 2025.
http://kmlabcw.iis.u-tokyo.ac.jp/weis/2025/index.html

WTMC 2025
10th International Workshop on Traffic Measurements for Cybersecurity,
Co-located with the 10th IEEE European Symposium on Security and Privacy
(IEEE EuroS&P 2025), Venice, Italy, June 30, 2025.
https://wtmc.info/index.html

ACM WiSec 2025
18th ACM Conference on Security and Privacy in Wireless and Mobile
Networks, Arlington, Virginia, USA, June 30 - July 3, 2025.
https://wisec2025.gmu.edu

IEEE EuroS&P 2025
10th IEEE European Symposium on Security and Privacy, Venice, Italy,
June 30 - July 4, 2025.
https://eurosp2025.ieee-security.org/

PETS 2025
25th Privacy Enhancing Technologies Symposium, Washington, DC and Online,
July 14-19, 2025.
https://petsymposium.org/cfp25.php

DFRWS-USA 2025
25th Annual Digital Forensics Research Conference, Chicago, Illinois,
USA, July 22-25, 2025.
https://dfrws.org/conferences/dfrws-usa-2025/

ARES 2025
20th International Conference on Availability, Reliability and Security,
Ghent, Belgium, August 10-13, 2025.
https://2025.ares-conference.eu/

USENIX Security 2025
34th USENIX Security Symposium, Seattle, WA, USA, August 13-15, 2025.
https://www.usenix.org/conference/usenixsecurity25

ESORICS 2025
30th European Symposium on Research in Computer Security, Toulouse,
France, September 22-26, 2025.
https://www.esorics2025.org/

ACM CCS 2025
32nd ACM Conference on Computer and Communications Security, Taipei,
Taiwan, October 13-17, 2025.
https://www.sigsac.org/ccs/CCS2025/call-for-papers/

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

http://cisr.nps.edu/jobscipher.html

--------------
This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like to
have it included on this page, send the following information:
Institution, City, State, Position title, date position announcement
closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to
   cipher-admin@ieee-security.org (which is NOT automated) with subject
   line "subscribe".

   OR send a note to cipher-request@mailman.xmission.com with the
   subject line "subscribe" (this IS automated - thereafter you can
   manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER
   is available for Web browsing, send e-mail to
   cipher-admin@ieee-security.org (which is NOT automated) with subject
   line "subscribe postcard".

   OR send a note to cipher-postcard-request@mailman.xmission.com with
   the subject line "subscribe" (this IS automated - thereafter you can
   manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to
cipher-admin@ieee-security.org with subject line "unsubscribe" or
"unsubscribe postcard" or, if you have subscribed directly to the
xmission.com mailing list, use your password (sent monthly) to
unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that
way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a
NEWSletter, not a bulletin board or forum. It has a fixed set of
departments, defined by the Table of Contents. Please indicate in the
subject line for which department your contribution is intended.
Calendar and Calls-for-Papers entries should be sent to
cipher-cfp @ ieee-security.org and they will be automatically included
in both departments. To facilitate the semi-automated handling, please
send either a text version of the CFP or a URL from which a text version
can be easily obtained. For Calendar entries, please include a URL
and/or e-mail address for the point-of-contact. For Calls for Papers,
please submit a one paragraph summary. See this and past issues for
examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS
APPLY. All reuses of Cipher material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy,
publications using Cipher material should obtain permission from the
contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security
and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy (or other TCs) by
completing the on-line form at IEEE at
https://www.computer.org/web/tandc/technical-committees

______________________________________________________________________
TC Conference Publications Online
______________________________________________________________________

The proceedings of previous conferences are available from the Computer
Society's Digital Library.

    IEEE Security and Privacy Symposium
    IEEE Computer Security Foundations
    IEEE European Security and Privacy Symposium

From 2012 onward, these are available without charge from the digital
library 12 months after the conference.

____________________________________________________________________________
TC Officers
____________________________________________________________________________

Chair:
    Gabriela Ciocarlie
    Associate Professor
    University of Texas at San Antonio
    tcchair at ieee-security.org

Security and Privacy Symposium Chair Emeritus:
    Daniel Takabi
    Associate Professor
    Georgia State University
    https://cas.gsu.edu/profile/daniel-takabi

Vice Chair:
    Thorsten Holz
    Faculty Member
    CISPA Helmholtz Center for Information Security
    tcchair at ieee-security.org

Treasurer:
    Yong Guan
    Professor
    Department of Electrical and Computer Engineering
    Iowa State University, Ames, IA 50011
    treasurer@ieee-security.org

Newsletter Editor:
    Hilarie Orman
    Purple Streak, Inc.
    500 S. Maple Dr.
    Woodland Hills, UT 84653
    cipher-editor@ieee-security.org

Security and Privacy Symposium, 2024 Chair:
    Trent Jaeger
    Associate Professor
    Pennsylvania State University
    https://www.cse.psu.edu/~trj1/
    sp24-chair@ieee-security.org

TC Awards Chair:
    Tegan Brennan
    Assistant Professor
    Stevens Institute of Technology
    tbrenna5 at stevens.edu

____________________________________________________________________________

BACK ISSUES:

Cipher is archived at: http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year