Presents the front cover for this issue of the publication.

Presents information on CS society elections.

Presents the table of contents for this issue of the publication.

Presents a listing of the editorial board, board of governors, current staff, committee members, and/or society editors for this issue of the publication.

Presents the introductory editorial for this issue of the publication.

Advertisement.

Presents a status report from the editor-in-chief for this issue of the publication.

Presents an interview conducted with Susan Landau on the topic of public health, trust, and privacy.

Prospective authors are requested to submit new, unpublished manuscripts for inclusion in the upcoming event described in this call for papers.

Android recently introduced the scoped storage defense to better protect application use of shared external storage. This article examines the evolution of Android external storage defenses leading to scoped storage and assesses the impact of the scoped storage defense for limiting opportunities for exploitation.

Prospective authors are requested to submit new, unpublished manuscripts for inclusion in the upcoming event described in this call for papers.

We introduce a study examining people?s privacy concerns during COVID-19 and reflect on people's willingness to share their personal data in the interest of controlling the spread of the virus and saving lives.

The MITRE ATT&CK framework counts 530 ways to exploit enterprise systems-and every month new techniques are added. Cybersecurity vendors continuously offer new detective solutions, but purchasing, deploying, and maintaining a specific product is expensive. It's time to reflect on the underlying principles of effective anomaly-based intrusion detection.

Prospective authors are requested to submit new, unpublished manuscripts for inclusion in the upcoming event described in this call for papers.

Container-orchestration software such as Kubernetes make it easy to deploy and manage modern cloud applications based on microservices. Yet, its network abstractions pave the way for "unexpected attacks" if we approach cloud network security with the same mental model of traditional network security.

Components of modern critical infrastructures (CIs), like water treatment and smart grids, are potential targets for attackers. We present the state of cryptographic techniques with timeliness and availability being the key focus to suit the unique needs of CI systems.

How might we use computer-supported collective action to hold data aggregators accountable to the individuals whose data they collect and monetize? In this article, we outline a vision for computer-supported collective action in the context of end-user privacy.

Advertisement.

The Cybersecurity Labs and Resource Knowledge-base cybersecurity curriculum resource library is a large-scale design science research project developed to address critical demands in teaching cybersecurity and help faculty prepare cybersecurity graduates for the workforce.

Prospective authors are requested to submit new, unpublished manuscripts for inclusion in the upcoming event described in this call for papers.

Delivering new features connected to the Internet while enforcing security in vehicles has pushed the automotive industry into turmoil. The automotive industry will inevitably face seven pain points while adapting their threat analysis and risk assessment practices.

Reviews efforts to capture the body of knowledge in cybersecurity or computer and Internet security (CIS) more specifically and discuss related curricular frameworks. The aim is to increase awareness of resources to guide topic selection of CIS courses for educational and training programs.

Prospective authors are requested to submit new, unpublished manuscripts for inclusion in the upcoming event described in this call for papers.

In times of crisis, data sharing is high on policy makers? agendas. The European Union (EU) recently released a proposal for a data governance act (DGA) "to foster the availability of data for use by increasing trust in data intermediaries and by strengthening data-sharing mechanisms across the EU." Additionally, the United Kingdom (UK) Data Standards Authority recommended the use of new open standards

Discusses the concept of zero trust architecture (ZTA). ZTA has been introduced as a fine-grained defense approach paradigm that shifts defenses from static, network-based perimeters to users, assets, and resources.1 It assumes that no entities outside and inside the protected system can be trusted and therefore requires articulated and high-coverage deployment of security controls, such as authentication

Prospective authors are requested to submit new, unpublished manuscripts for inclusion in the upcoming event described in this call for papers.

Presents a listing of the editorial board, board of governors, current staff, committee members, and/or society editors for this issue of the publication.

Advertisement.

Personal information (PI) is valuable to web-based service providers, but its mishandling can be costly due to emerging laws. This article identifies nine legal requirements for privacy compliance in five stages of PI handling and discusses potential technical solutions.

In 2020, Inyo County, California partnered with nonprofit VotingWorks to pilot the use of the Verifiable Audits Using Limited Transparency technique (called VAULT) to conduct an efficient, privacy-preserving, publicly verifiable risk-limiting audit of seven contests in the November general election. We describe VAULT, the pilot, and the software implementation that made this pilot possible.

This article reviews privacy challenges in machine learning and provides a critical overview of the relevant research literature. The possible adversarial models are discussed, a wide range of attacks related to sensitive information leakage is covered, and several open problems are highlighted.

Deploying cybersecurity technologies in large enterprises is a challenging task. This article highlights our lessons learned from developing a proposed security architecture for U.S. federal departments and agencies to help security researchers and practitioners better understand the nuances involved.

The Common Vulnerability Scoring System score is the de facto standard to assess risk of software vulnerabilities, with three temporal components: exploitability, remediation level, and report confidence. We discuss how the latter may be inferred from the first two, pointing practical and conceptual issues in the usage of temporal risk scores.

Cybersecurity advocates motivate individuals and organizations to adopt positive security behaviors. Based on our research, we describe qualities of successful advocates. Our findings have practical implications for expanding the cybersecurity workforce by recruiting and developing professionals who can be effective in advocate or other people-oriented security roles.

Isn't it true that all encryption schemes provide end-to-end security? This is not always the case; end-to-end security can sometimes be difficult to achieve in practice.

Around the world, different jurisdictions, workplaces, and schools have taken wildly different approaches to contact tracing in response to COVID-19, striking varying balances between public health and safety and privacy and civil liberties. This article discusses contact-tracing technologies, with a particular focus on the privacy aspects of contact tracing and exposure-notification apps. It describes

Security certification is supposed to help us build better products, but it can be our enemy if we implement it as box ticking. Eric Vetillard discusses how to avoid such an unhappy ending.

In response to COVID-19, Korea has implemented digital contact tracing and patient route disclosure schemes. While the former has been embraced more willingly, the latter has been shunned due to privacy concerns, demonstrating that privacy is highly dynamic and is of contextual value.

Cybersecurity needs radical rethinking to change its current landscape. This article charts a vision for a cybersecurity moonshot based on radical but feasible technologies that can prevent the largest classes of vulnerabilities in modern systems.

Ransomware attacks on energy systems are on the rise. We consider ransomware attacks within an IT system's operational technology side, reference some known ransomware incidents, consider attack vectors, and comment on the work still to be done.

In this article, we summarize our recent research findings related to infrastructure as code (IaC) scripts, where we have identified 67,801 occurrences of security smells that include 9,175 hard-coded passwords. We hope our work will facilitate awareness among practitioners who use IaC.

One year ago, Mack and Schroer captured in this column1 the current crisis faced by software security quality control:

Can we prevent the abuses of anonymous communication networks without affecting their ability to enhance privacy and evade censorship? We evaluate approaches for balancing the need for anonymity with the desire to mitigate anonymous abuses.

Designing custom secure function evaluation compilers has been an active research area. However, intelligent adaptation of the integrated circuit synthesis tools outperforms these compilers. It is time for the custom compilers to embrace this trend.

Cyberattacks have become more common, sophisticated, and harmful, while, at the same time, there is a critical shortage of cybersecurity professionals. For example, from October 2019 to September 2020, there were more than 40,000 unfilled positions for information security analysts.2 While educational organizations have responded to this burgeoning demand, cybersecurity education and training institutions

Anonymity networks, also referred to as anonymous networks or darknets are an example of privacy-enhancing technology, the historical goal of which is to avoid censorship, preserve user privacy, and promote freedom of speech. The Tor network, undoubtedly the most popular anonymization technology at the time of this writing, according to its website, has several categories of users: individuals who

Most apps and merchants do not want to deal with financial fraud, but, if they accept payments, they will eventually have to. Our position is that credit card fraud prevention is a technical problem that needs technical solutions.

Cryptography as a field of study is exciting because it brings together beautiful mathematics and many cutting-edge areas of computer science and engineering to find solutions that touch all aspects of life in a digital era. In a single day at a cryptography conference, one can hear talks on election security and legislation on regulating encryption, new mathematical constructions that might yield

According to its creators, the Common Vulnerability Scoring System (CVSS) "provides a way to capture the principal characteristics of a vulnerability ... reflecting its severity ... to help organizations properly assess and prioritize their vulnerability management processes."1 However, the CVSS scoring algorithm is not justified, either formally or empirically. According to the specification, using

This article reviews several exploits of input-handling vulnerabilities and categorizes these vulnerabilities based on their root causes. We describe the language-theoretic security paradigm and discuss how it can be used to tackle these categories of vulnerabilities.

This article discusses a recently developed test suite for checking timingbased vulnerabilities in processor caches, which has revealed the insecurity of today's processor caches. The susceptibility of caches to these vulnerabilities calls for more research on secure processor caches.

Presents the front cover for this issue of the publication.

Advertisement.

Presents the table of contents for this issue of the publication.

Presents a listing of the editorial board, board of governors, current staff, committee members, and/or society editors for this issue of the publication.

Presents the introductory editorial for this issue of the publication.

Advertisement.

The articles in this special section focus on system requirements for security, privacy, and trust for the Internet of Things (IoT). IoT has huge potential to push monitoring, computing, and communication deeply into the home, the workplace, medicine, manufacturing, and critical infrastructure. This increased capability offers the hope that urban settings can be transformed in various ways through

Presents a message from the outgoing Editor in Chief.

Prospective authors are requested to submit new, unpublished manuscripts for inclusion in the upcoming event described in this call for papers.