====================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 52 January 20, 2003
Jim Davis, Editor Hilarie Orman, Assoc. Editor
Bob Bruen, Book Review Editor Anish Mathuria, Reader's Guide
====================================================================
http://www.ieee-security.org/cipher.html
Contents:
* Letter from the Editor
* Conference and Workshop Announcements
o Information on the IEEE Symposium on Security and Privacy
(Oakland, CA, USA, May 11-14, 2003) can be found at
www.ieee-security.org/TC/SP-Index.html
o Information on the 16th IEEE Computer Security Foundations
Workshop (Pacific Grove, CA, USA, June 30-July 2, 2003) can
be found at www.csl.sri.com/csfw/csfw16
o Upcoming calls-for-papers and events
15 new calls added since Cipher E51:
- Workshop on Principles of Dependable Systems (submissions due
January 27, 2003) http://lpdwww.epfl.ch/fgaertner/podsy2003/
- Fourth Annual IEEE Information Assurance Workshop (submissions
due February 12, 2003) www.itoc.usma.edu/workshop/2003/
- Special session on Web Services Security, First International
Conference on Web Services (submissions due February 17, 2003)
http://tab.computer.org/tfec/icws03
- 7th Colloquium for Information Systems Security Education
(submissions due March 1, 2003) www.ncisse.org
- The Seventh IFIP Communications and Multimedia Security Conference
(submissions due March 3, 2003) http://security.polito.it/cms2003/
- Trust and Privacy in Digital Business (submissions due March 14, 2003)
www.uni-regensburg.de/Fakultaeten/WiWi/pernul/dexa03ws/
- Workshop on Cryptographic Hardware and Embedded Systems (submissions
due March 14, 2003) www.chesworkshop.org
- European Conference on Information Warfare and Security (abstracts
due April 1, 2003) www.mcil.co.uk/2m-eciw2003-home.htm
- 8th European Symposium on Research in Computer Security
(submissions due April 11, 2003) www.hig.no/esorics2003/
- 1st International Workshop on Security Issues in Coordination Models,
Languages and Systems (submissions due April 27, 2003)
cs.unibo.it/secco03
- 6th Information Security Conference (submissions due May 1, 2003)
www.hpl.hp.com/conferences/isc03
- First MiAn International Conference on Applied Cryptography and
Network Security (submissions due May 1, 2003)
www.onets.com.cn/dhe.htm
- Sixth IFIP TC-11 WG 11.5 Working Conference on Integrity and
Internal Control in Information Systems (submissions due May 2, 2003)
http://lbd.epfl.ch/e/conferences/IICIS03/index.html
- 5th International Conference on Information and Communications Security
(submissions due May 15, 2003) www.cstnet.net.cn/icics2003/
- 2004 International Workshop on Practice and Theory in Public Key
Cryptography (submissions due September 20, 2003)
www.i2r.a-star.edu.sg/pkc2004/
* Commentary and Opinion
o Robert Bruen's review of "Securing the Network from Malicious Code"
by Douglas Schweitzer
o Robert Bruen's review of "Security in Computing, 3rd ed"
by Charles Pfleeger and Shari Pfleeger
o Robert Bruen's review of "Computer Security Art and Science"
by Matt Bishop
o Book reviews from past Cipher issues
o Conference Reports and Commentary from past Cipher issues
o News items from past Cipher issues
* Reader's guide to recent security and privacy literature,
by Anish Mathuria (new entries March 15, 2002)
* List of Computer Security Academic Positions, by Cynthia Irvine
* Staying in Touch
o Information for subscribers and contributors
o Recent address changes
* Interesting Links and New reports available via FTP and WWW
* Links for the IEEE Computer Society TC on Security and Privacy
o Becoming a member of the TC
o TC Officers
o TC publications for sale
====================================================================
Letter from the Editor
====================================================================
Dear Readers:
Please accept my apologies for the lateness of this mailing. We posted
issue E52 on the web January 20, but a hectic travel schedule led to a
considerable delay in creating the text version.
We have a thin issue of Cipher for you this month, but then, it will
be easier to find Robert Bruen's three great book reviews, plus the
links to new calls for papers.
As always, thanks to our colleagues who contribute to Cipher!
Best regards,
Jim Davis
davis@iastate.edu
====================================================================
Conference and Workshop Announcements
====================================================================
====================================================================
Upcoming Calls-For-Papers and Events
====================================================================
The complete Cipher Calls-for-Papers is located at
www.ieee-security.org/cfp.html. The Cipher event Calendar is at
www.cs.utah.edu/flux/cipher/cipher-hypercalendar.html
____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________
Calendar of Security and Privacy Related Events
maintained by Hilarie Orman
Date (Month/Day/Year), Event, Locations, web page for more info.
* 1/31/03: PKI '03, Gaithersburg, MD.
http://middleware.internet2.edu/pki03/
* 1/31/03: SIGCOMM 2003, Karlsruhe, Germany
http://www.acm.org/sigcomm/sigcomm2003
--------------
* 2/06/03- 2/07/03: NDSS'03, San Diego, CA
http://www.isoc.org/isoc/conferences/ndss/03/index.shtml
* 2/10/03: CRYPTO '03, Santa Barbara, CA.
http://www.iacr.org/conferences/crypto2003/cfp.html
* 2/15/03: IEEE-NetMag, Submissions for Middleware issue are due,
http://www.cs.utah.edu/flux/cipher/cfps/cfp-IEEE-NetMag.html
--------------
* 3/3/03: CMS 2003, Turin, Italy; Submissions are due,
http://security.polito.it/cms2003/
* 3/7/03: TRUSTBUS '03, Prague, Czech Republic; submissions are due
http://www.uni-regensburg.de/Fakultaeten/WiWi/pernul/dexa03ws/
* 3/12/03- 3/14/03: SPC-2003, Boppard, Germany; www.dfki.de
* 3/21/03: ICON 2003, Sydney, Australia. www.ee.unsw.edu.au/~icon/
* 3/26/03- 3/28/03: WPET 2003, Dresden, Germany; www.petworkshop.org
--------------
* 4/5/03- 4/6/03: WITS '03, Warsaw, Poland;
http://www.dsi.unive.it/IFIPWG1_7/index.html
* 4/13/03- 4/17/03: CT-RSA 2003, San Francisco, CA.
http://reg2.lke.com/rs3/rsa2003/crypto.html
* 4/16/03- 4/18/03: NetCompApp '03, Cambridge, MA.
www.cs.utk.edu/~mbeck/NCA03/NCA03-cfp.pdf
* 4/22/03: BITE 2003, Angers, France; www.iceis.org/
* 4/28/03- 4/29/03: PKI '03, Gaithersburg, MD.
http://middleware.internet2.edu/pki03/
* 4/28/03- 4/30/03: ITCC, Las Vegas, Nevada
www.cs.clemson.edu/~srimani/itcc2003/cfp.html
--------------
* 5/1/03: ACNS '03, Kunming, China; submissions are due
http://www.onets.com.cn/dhe.htm
* 5/1/03: ISC '03, Bristol, UK; Submissions are due
http://www.hpl.hp.com/conferences/isc03
* 5/11/03: SNPA 2003 www.icc2003.com/workshop1.html
* 5/11/03- 5/14/03: IEEE S & P, Oakland, California.
www.ieee-security.org/TC/SP-Index.html
* 5/15/03: ICICS '03, Mongolia, China; submissions are due;
http://www.cstnet.net.cn/icics2003/
* 5/18/03- 5/21/03: IRMA 2003, Hershey, PA, USA
www.irma-international.org/
* 5/20/03- 5/24/03: WWW-SEC-2003, Budapest, Hungary; www.www2003.org
--------------
* 6/2/03- 6/3/03: SACMAT '03, Como, Italy. www.acm.org/sigsac/sacmat/
* 6/4/03- 6/6/03: POLICY 2003, Lake Como, Italy.
www.labs.agilent.com/policy2003/
* 6/5/03- 6/6/03: EIT 2003, Indianapolis, IN.
www.cis-ieee.org/eit2003
* 6/26/03- 6/28/03: WISE 3, Monterey, CA, USA cisr.nps.navy.mil/wise3/
--------------
* 7/2/03: CSFW 16, Pacific Grove, CA.
www.csl.sri.com/csfw/index.html
--------------
* 8/17/03- 8/21/03: CRYPTO '03, Santa Barbara, CA.
www.iacr.org/conferences/crypto2003/cfp.html
* 8/25/03- 8/29/03: SIGCOMM 2003, Karlsruhe, Germany
http://www.acm.org/sigcomm/sigcomm2003
--------------
* 9/1/03- 9/5/03: TRUSTBUS '03, Prague, Czech Republic
http://www.uni-regensburg.de/Fakultaeten/WiWi/pernul/dexa03ws/
* 9/20/03: PKC '04, Singapore; submissions are due;
http://www.i2r.a-star.edu.sg/pkc2004/
* 9/28/03-10/1/03: ICON 2003, Sydney, Australia.
www.ee.unsw.edu.au/~icon/
--------------
* 10/1/03-10/3/03: ISC '03, Bristol, UK;
http://www.hpl.hp.com/conferences/isc03/call_for_papers.htm
* 10/2/03-10/3/03: CMS 2003, Turin, Italy;
http://security.polito.it/cms2003/
* 10/10/03-10/13/03: ICICS '03, Mongolia, China;
http://www.cstnet.net.cn/icics2003/
* 10/16/03-10/19/03: ACNS '03, Kunming, China,
http://www.onets.com.cn/dhe.htm
____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers
____________________________________________________________________
Second Annual PKI Research Workshop, NIST, Gaithersburg MD, USA,
April 28-29, 2003. (submissions due January 31, 2003)
This workshop among leading security researchers will explore the issues
relevant to this area of security management, and will seek to foster a
long-term research agenda for authentication and authorization in populations
large and small via public key cryptography. We solicit papers, panel
proposals, and participation. The goals of this workshop are to
cross-pollinate existing research efforts, to identify the key remaining
challenges in deploying public key authentication and authorization, and
to develop a research agenda addressing those outstanding issues.
- What are the key areas in current PKI approaches that need
further work?
- For each area, what approaches appear most promising?
- How do the approaches in one area affect the methodologies in
other areas?
A complete list of topics of interest and the full call for papers can
be found at the workshop web site at http://middleware.internet2.edu/pki03/
Security in Distributed Computing (special track of the 22nd Annual
ACM SIGACT-SIGOPS Symposium on Principles of Distributed Systems),
Boston, Massachusetts, USA, July 13-16, 2003. (submissions due January 31, 2003)
We are soliciting research contributions on the design, specification,
implementation, application and theory of secure distributed computing.
We welcome submissions on any topic in the intersection of security
and distributed computing, including but not limited to:
- Secure multiparty and two-party computations
- Secret sharing and verifiable secret sharing
- Resiliency to corruptions: distributed, forward and proactive security
- Security, privacy and anonymity in the Internet and in mobile
communication systems
- Secure/security protocols and distributed algorithms
- Secure multicast and broadcast
- Denial of service (clogging) and its prevention
- Non-repudiation, certification and time stamping protocols
- Distribution of intellectual property and its (copyright) protection
- Secure distributed marketplaces, auctions, and gambling
- Cryptographic protocols, including: authentication, key management, etc.
- Secure electronic commerce, banking and payment protocols
- Security for Peer to Peer computing
- Secure bandwidth reservation and QOS
- Distributed access control and trust management
- Secure mobile agents and mobile code
- Security for Storage Area Networks
The special track is an integral part of PODC; see www.podc.org/podc2003/
for additional information.
Workshop on Data Mining for Counter Terrorism and Security, (held in
conjunction with the Third SIAM International Conference on Data Mining),
San Francisco, CA, USA, May 3, 2003. (submissions due February 1, 2003)
The purpose of this workshop is to discuss ways in which data mining and
machine learning can be used to analyze data from numerous sources of
high-complexity for the purpose of preventing future terrorist activity.
This is inherently a multidisciplinary activity, drawing from areas such
as intelligence, international relations, and security methodology. From
the data mining and machine-learning world this activity draws on text
mining, data fusion, data visualization, and data warehousing; high
scalability is necessary for a successful endeavor. Papers in these areas
with clear application to the issues of counter terrorism are particularly
solicited. Topics of interest include:
- Methods to integrate heterogeneous data sources, such as text,
internet, video, audio, biometrics, and speech
- Scalable methods to warehouse disparate data sources
- Identifying trends in singular or group activities
- Pattern recognition for scene and person identification
- Data mining in the field of aviation security, port security,
bio-security
- Data mining on the web for terrorist trend detection.
More information can be found on the workshop web page at
http://ic.arc.nasa.gov/~ashok.
7th International Conference on Knowledge-Based Intelligent Information &
Engineering Systems (special session on Artificial Intelligence Applications
to Information Security), St Anne's College, University of Oxford, U.K.,
September 3-5, 2003. (submissions due February 1, 2003)
In spite of the efforts from Information Security researchers, there are
still a considerable number of unsolved problems that may benefit from the
application of Artificial Intelligence techniques. The increasing awareness
in solving such problems has resulted in a concerted effort of Artificial
Intelligence and Information Security researchers. Therefore, AI techniques
like agents, evolutionary computation, neural networks, cellular automata,
classic and fuzzy logic and machine learning may play an important role in
specific problems concerning Information Security. We particularly encourage
the discussion of the following topics:
- Semantic analysis of cryptologic protocols,
- Security of mobile agents,
- Security through agents,
- Representation and use of trust induced by PKIs,
- Optimisation heuristics in cryptanalysis
- Machine Learning techniques in cryptanalysis - AI techniques in
cryptology
- Any other work addressing information security problems by means
of AI techniques
This session aims at bringing together members from the two research
communities, information security and artificial intelligence. Consequently,
discussion papers, conceptual papers, theoretical papers and application
papers will be welcomed. Please visit the conference web site at
scalab.uc3m.es/~docweb/AIIS_KES03.html for more detail on the topics of
interest as well as general conference information.
4th Annual IEEE Information Assurance Workshop, United States Military
Academy, West Point, New York, June 18-20, 2003. (submissions due
February 12, 2003)
The workshop is designed to provide a forum for Information
Assurance researchers and practitioners to share their research
and experiences. Attendees hail from industry, government, and
academia. The focus of this workshop is on innovative, new technologies
designed to address important Information Assurance issues. Papers will
be divided into two broad categories. Approximately 2/3 of the papers will
focus on innovative new research in Information Assurance. The remaining
1/3 of the papers will be recent experience and lessons learned from
Information Assurance practitioners. Areas of particular interest at
this workshop include, but are not limited to:
- Innovative intrusion detection and response methodologies
- Information warfare
- Information Assurance education and professional development
- Secure software technologies
- Computer forensics
More details can be found at: www.itoc.usma.edu/workshop/2003/
Communications Security Symposium (part of the IEEE GLOBECOM 2003 workshop),
San Francisco, CA, USA, December 1-5, 2003. (submissions due
February 15, 2003) The inaugural symposium on Communications Security
solicits submissions of new results in all security topics for wireless,
mobile, ad hoc, peer-to-peer, or landline communication networks. Please
see the complete call posted at www.globecom2003.com/CFP1.html
(under GLOBECOM 2003 Symposia Titles).
Special session on Web Services Security, First International Conference
on Web Services (ICWS'03), Las Vegas, Nevada, USA, June 23-26, 2003.
(submissions due February 17, 2003)
As is the case in many other applications, the information processed in
Web services might be commercially sensitive and it is similarly important
to protect this information against security threats such as disclosure
to unauthorized parties. This technical session mainly focuses on
different theoretical and technical approaches to handle the security
issues in Web services. More information can be found on the conference
web page at http://tab.computer.org/tfec/icws03
7th Colloquium for Information Systems Security Education, Washington DC,
June 1-5, 2003. (submissions due March 1, 2003) This colloquium, the
seventh in an ongoing annual series, will bring together leading figures
from academia, government, and industry to address the national need for
security and assurance of our information and communications infrastructure.
The colloquium solicits papers from practitioners, students, educators,
and researchers. The papers should discuss course or lab development,
INFOSEC curricula, standards, best practices, existing or emerging
programs, trends, and future vision, as well as related issues. We are
especially interested in novel approaches to teaching information security
as well as what should be taught. This includes the following general
topics:
- Assessment of need (e.g. how many information security workers/
researchers/ faculty are needed?)
- Integrating information assurance topics in existing graduate or
undergraduate curricula
- Experiences with course or laboratory development
- Alignment of curriculum with existing information assurance
education standards
- Emerging programs or centers in information assurance
- Late breaking topics
- Best practices
- Vision for the future
We particularly encourage papers that discuss tools, demonstrations, case
studies, course modules, shareware, and worked examples that participants
(and others) can use to help educate people in computer security. Papers
reporting work in progress are also welcomed, especially if enough
information to evaluate the work will be available at the time of the
colloquium. The complete call for papers can be found at
http://cisse.info/call_for_papers.htm and the conference web site is at
http://www.ncisse.org.
The Seventh IFIP Communications and Multimedia Security Conference
(joint working conference IFIP TC6 and TC11), Turin, Italy, October 2-3, 2003.
(submissions due March 3, 2003) CMS 2003 is the seventh working
conference on Communications and Multimedia Security since 1995.
State-of-the-art issues as well as practical experiences and new trends
in these areas are the topics of interest of the conference:
- applied cryptography
- biometry
- multimedia security
- digital signature and digital watermarking
- infrastructure protection
- network and communication security
- security policies
- security of e-commerce
This year the organizers especially encourage submissions on advanced
topics such as security of wireless networks, survivability of critical
communication infrastructures, and protection of electronic documents.
Visit the web site for further information, or download the PDF call for
papers at http://security.polito.it/cms2003/cfp.pdf.
Trust and Privacy in Digital Business (in conjunction with DEXA 2003),
Prague, Czech Republic, September 1-5, 2003. (submissions due March 14, 2003)
The purpose of this workshop is twofold: First, all issues of digital business,
focusing on trust and privacy problems will be discussed. In particular, we
are interested in papers that deal with trust and privacy, confidence and
security, reliability and consistency, fairness and legality, and other
issues critical for the success of future digital business. Second, the
workshop should be a forum for the exchange of results and ongoing work
performed in R&D projects, either on a national or international level.
We invite papers, work-in-progress reports, industrial experiences describing
advances in all areas of digital business applications, including, but not
limited to:
- Privacy & confidentiality management
- Trust architectures and underlying infrastructures
- Electronic cash, wallets and pay-per-view systems
- Businesses models with security requirements
- Enterprise management and consumer protection
- Trust and privacy issues in mobile environments
- Global security architectures and infrastructures
- Protocols and transactional models
- Trustful management and negotiation
- Public administration, governmental services
- Anonymous or pseudonymous access to Web services
- Reliability and security of content and data
- Intellectual property rights, watermarking and fingerprinting
- Common practice, legal and regulatory issues
- Trust issues in E-Services, E-Voting and E-Polling
- PKI, biometrics, smart cards
- Intrusion detection and information filtering
More information can be found on the conference web page at
http://www.uni-regensburg.de/Fakultaeten/WiWi/pernul/dexa03ws/
Workshop on Cryptographic Hardware and Embedded Systems, Cologne, Germany,
September 8-10, 2003. (submissions due March 14, 2003) The focus of
this workshop is on all aspects of cryptographic hardware and security
in embedded systems. The workshop will be a forum of new results from the
research community as well as from the industry. Of special interest are
contributions that describe new methods for efficient hardware implementations
and high-speed software for embedded systems, e.g., smart cards,
microprocessors, DSPs, etc. We hope that the workshop will help to fill
the gap between the cryptography research community and the application
areas of cryptography. Consequently, we encourage submissions from academia,
industry, and other organizations. All submitted papers will be reviewed. The
topics of CHES 2002 include but are not limited to:
- Computer architectures for public-key and secret-key cryptosystems
- Efficient algorithms for embedded processors
- Reconfigurable computing in cryptography
- Cryptographic processors and co-processors
- Cryptography in wireless applications (mobile phone, LANs, etc.)
- Security in pay-TV systems
- Smart card attacks and architectures
- Tamper resistance on the chip and board level
- True and pseudo random number generators
- Special-purpose hardware for cryptanalysis
- Embedded security
- Device identification
Additional information can be found on the conference web page at
http://www.chesworkshop.org
The second European Conference on Information Warfare and Security (ECIW),
University of Reading, United Kingdom, June 30-July 1, 2003. (abstracts
due April 1, 2003) The second European Conference on Information Warfare
and Security is an opportunity for academics, practitioners and consultants
from Europe and elsewhere who are involved in the study, management,
development and implementation of systems and concepts to combat information
warfare or to improve information systems security to come together and
exchange ideas. The conference in July 2003 is seeking qualitative,
experience-based and quantitative papers as well as case studies and
reports of work in progress from academics, information systems practitioners,
consultants and government departments. The full call-for-papers and
registration details can be found at http://www.mcil.co.uk/conf-management.htm.
8th European Symposium on Research in Computer Security, Gjovik, Norway,
October 13-15, 2003 (submissions due April 11, 2003)
Papers offering novel research contributions in any aspect of computer
security are solicited for submission to the Eighth European Symposium
on Research in Computer Security (ESORICS 2003). Papers presenting theory,
techniques, applications, or practical experience are all welcome.
A complete list of topics can be found on the conference web
page at http://www.hig.no/esorics2003/
1st International Workshop on Security Issues in Coordination Models,
Languages and Systems (affiliated with ICALP 2003), Eindhoven, the
Netherlands, June 28-29, 2003. (submissions due April 27, 2003)
Coordination models and languages, which advocate a distinct separation
between the internal behaviour of the entities and their interaction,
represent a promising approach. However, due
to the openness of these systems, new critical aspects come into
play, such as the need to deal with malicious components or with
a hostile environment. Current research on network security
issues (e.g. secrecy, authentication, etc.) usually focuses on
opening cryptographic tunnels between fully trusted entities. For
this to work the structure of the system must be known beforehand.
Therefore, the proposed solutions in this area are not always
exploitable in this new scenario. The aim of the workshop is to cover
the gap between the security and the coordination communities. More
precisely, we intend to promote the exchange of ideas, focus on common
interests, gain in understanding/deepening of central research questions,
etc. More information can be found at http://cs.unibo.it/secco03.
6th Information Security Conference, Bristol, United Kingdom, October 1-3, 2003.
(submissions due May 1, 2003)
ISC aims to bring together individuals involved in multiple disciplines of
information security to foster exchange of ideas. Topics of interest
include, but are not limited to: Access Control, Applied Cryptography,
Cryptographic Protocols, Digital Rights Management, E-Commerce Protocols,
Formal Aspects of Security, Information Hiding, Intrusion Detection,
Key Management, Legal and Regulatory Issues, Mobile Code & Agent Security,
Network & Wireless Security, Software Security, Security Analysis Methodologies,
and Trust Management. More information can be found on the conference web
page at http://www.hpl.hp.com/conferences/isc03
First MiAn International Conference on Applied Cryptography and Network
Security, Kunming, China, October 16-19, 2003. (submissions due May 1, 2003)
Original papers on all aspects of applied cryptography and network security
are solicited for submission to the conference. Areas of interest include
but are not restricted to: Biometric Security Applications, Cryptographic and
Anti-cryptographic Analysis, Cryptographic Applications, Data Recovery and
Coding, Differential Power Attacks, Efficient Implementation, Firewall and
Intrusion Detection, GPRS and CDMA Security, Identification and Entity
Authentication, Key Management Techniques, Network Protocol and Analysis,
PKI/PMI and Bridge CA, Secure e-commerce and e-government, Security Management
and Strategy, Smart Card Security, Verification and Testing of Secure Systems,
Virus and Worms, VPN and SVN, WLAN and Bluetooth Security. More information
can be found at the conference web page at http://www.onets.com.cn/dhe.htm
Sixth IFIP TC-11 WG 11.5 Working Conference on Integrity and Internal Control
in Information Systems, Lausanne, Switzerland, November 13-14, 2003.
(submissions due May 2, 2003)
Confidentiality, integrity and availability are high-level objectives of IT
security. The IFIP TC-11 Working Group 11.5 has been charged with exploring
the area of the integrity objective within IT security and the relationship
between integrity in information systems and the overall internal control
systems that are established in organizations to support corporate governance
codes. The goals for this conference are to find an answer to the following
questions: what is the status quo of research and development in the area of
integrity and internal control; where are the gaps between business needs on
the one hand and research and development on the other and what needs to be
done to bridge these gaps; and what precisely do business managers need to
have confidence in the integrity of their information systems and their data.
More information and the full call-for-papers can be found on the conference
web site at http://lbd.epfl.ch/e/conferences/IICIS03/index.html.
5th International Conference on Information and Communications Security,
Huhehaote City, Inner-Mongolia, China, October 10-13, 2003. (submissions
due May 15, 2003)
Information and communication security is a challenging topic at the best
of times. This conference series brings together researchers and scholars
to examine important issues in this area. Original papers on all aspects
of information and communications security are solicited for submission to
ICICS2003. Areas of interest include but are not limited
to: Access control, Anonymity, Authentication and Authorization, Biometric
Security, Data and System Integrity, Database Security, Distributed Systems
Security, Electronic Commerce Security, Fraud Control, Information Hiding and
Watermarking, Intellectual Property Protection, Intrusion detection, Key
Management and Key Recovery, Language-based Security, Operating System
Security, Network Security, Risk Evaluation and Security Certification,
Security for Mobile Computing, Security Models, Security Protocols, Virus
and Worms. More information can be found on the conference web page at
http://www.cstnet.net.cn/icics2003/
2004 International Workshop on Practice and Theory in Public Key Cryptography,
Singapore, March 1-4, 2004. (submissions due September 20, 2003)
For the last few years the International Workshop on Practice and Theory
in Public Key Cryptography (PKC) has been the main annual workshop focusing on
research on all aspects of public key cryptography. The first workshop was
organized in 1998 in Japan. Other PKCs have taken place in Australia, France,
Japan, South Korea and USA. PKC has attracted papers from famous international
authors in the area. Submissions in all areas related to applications and
theory in public key cryptography are welcome, including but not limited
to the following areas: Theory of public key cryptography; Design of new
public key cryptosystems; Analysis of public key cryptosystems; Efficient
implementation of public key cryptographic algorithms; Applications of
public key cryptography and PKI. More information can be found on the
conference web page at
http://www.i2r.a-star.edu.sg/pkc2004/
====================================================================
Conferences and Workshops
(the call for papers deadline has passed)
====================================================================
NDSS'03 www.isoc.org/isoc/conferences/ndss/03/index.shtml
The 10th Annual Network and Distributed System Security Symposium, San Diego
CA, USA, February 5-7, 2002.
SPC-2003 www.dfki.de/SPC2003.
First International Conference on Security in Pervasive Computing, Boppard,
Germany, March 12-14, 2003.
www.ieee-tfia.org/iwia2003/
The First International Workshop on Information Assurance, Darmstadt,
Germany, March 24, 2003.
Workshop on Privacy Enhancing Technologies 2003, Dresden, Germany,
March 26-28, 2003. www.petworkshop.org/.
IPCCC'2003 www.ipccc.org.
The International Performance, Computing, and Communications Conference,
Phoenix, Arizona, USA, April 9-11, 2003
CT-RSA 2003 reg2.lke.com/rs3/rsa2003/crypto.html.
Cryptographers' Track RSA Conference 2003, San Francisco, CA, USA,
April 13-17, 2003.
ICEIS'2003 www.iceis.org.
5th International Conference on Enterprise Information Systems, Angers,
France, April 23-26, 2003.
ITCC 2003 www.cs.clemson.edu/~srimani/itcc2003/cfp.html
International Conference on Information Technology: Coding
and Computing, Las Vegas, Nevada, April 28-30, 2003.
S&P2003 www.research.att.com/~smb/oakland03-cfp.html
The 2003 IEEE Symposium on Security and Privacy, Oakland, California,
USA, May 11-14, 2003.
IRMA 2003 www.irma-international.org.
Information Resources Management Association International Conference,
Philadelphia, Pennsylvania, USA, May 18-21, 2003
WWW2003 www.www2003.org/.
The Twelfth International World Wide Web Conference,
Security & Privacy Track, Budapest, Hungary, May 20-24, 2003
18th ACM Symposium on Access Control Models and Technologies, Como,
Italy, June 2-3, 2003. www.acm.org/sigsac/sacmat/
WISE 3 / WECS 5 Third World Conference on Information Security Education
and Workshop on Education in Computer Security, Naval Postgraduate School,
Monterey, California, USA, June 26-28, 2003. http://cisr.nps.navy.mil/wise3/.
USENIX Security 2003 12th USENIX Security Symposium Washington, DC,
USA August 4-8, 2003. http://www.usenix.org
16th IEEE Computer Security Foundations Workshop, Asilomar, Pacific
Grove, CA, USA, June 30-July 2, 2003. www.csl.sri.com/csfw/csfw16.
====================================================================
News Briefs
====================================================================
News briefs from past issues of Cipher are archived at
www.ieee-security.org/Cipher/NewsBriefs.html
====================================================================
Commentary and Opinion
====================================================================
Book reviews from past issues of Cipher are archived at
www.ieee-security.org/Cipher/BookReviews.html, and conference reports
are archived at www.ieee-security.org/Cipher/ConfReports.html.
____________________________________________________________________
Book Review By Robert Bruen
January 13, 2002
____________________________________________________________________
Schweitzer, Douglas. Securing the Network from Malicious Code. Wiley
2002. ISBN 0-7645-4958-8. 338 pages. $40.00. Index, Glossary, 6 Appendices.
Schweitzer has given us a pretty good introductory book on malicious code,
viruses, worms and trojans, with a good breadth of topics, which range
from the infamous worms to server-side exploits. The book does not
provide depth in what the code looks like or how one goes about writing
such code. The approach is to explain the idea, then suggest some ways
to protect against the attack. If you are not very familiar with malicious
code, you will get a good overview of what it's all about.
The author spends more time with Microsoft issues, such as the registry
and email, but does mention Linux and the Ramen worm. He also covers
PDAs, web sites and wireless issues. The book is good for quick reference
on all of these issues, with some pointers to more detailed information.
It is a quick read for anyone with some knowledge of security.
The history of viruses is good in terms of what is described. Fred Cohen's
work going back to 1983 is even present, although I remember him being
called a loon by several people back then, but that is not mentioned.
Recent viruses are also described, along with the arrests of some of the
folks involved in their release into the wild.
Adding to the technical issues, the author delves into social issues,
such as crime, hacktivism, forensics, and warfare. Apparently malicious
code is not just for fun anymore. The disruptive nature has been harnessed
by the organized people with agendas allowing for targeting specific
entities. It is not enough to simply let loose an email worm. Now
political and criminal players have added malicious code to their
arsenal of weapons.
As far as the book goes, it is good. It is recommended for those who are
just getting into the business of security. If you need depth for any of
the concepts, you will need to go elsewhere. It is helpful that there are
good books at all levels.
____________________________________________________________________
Book Review By Robert Bruen
January 13, 2002
____________________________________________________________________
Pfleeger, Charles and Shari Pfleeger. Security in Computing, 3rd ed.
Prentice Hall 2003. ISBN 0-13-035548-8 LoC QA76.9.A25 P45 2003.
746 pages. $79.00. Index, bibliography.
There are very few security books that qualify as a real textbook. Most
security books seem to be written by authors who have a specific agenda,
such as how to defend against hackers, or PKI, or crypto. They are generally
practical in nature, not to say this is bad, but security has moved past the
headlines into the everyday world, which includes coursework in colleges
and universities. Textbooks differ in that they try to cover enough of the
discipline with enough depth, plus have exercises and problems. It is
harder to write a good textbook than an ordinary book. There needs to be
a particular style of organization and supplemental material, like a good
bibliography - something that is hard to find. The bibliography reflects
the amount of research effort.
The Pfleegers' third edition meets all the standards for a really good
textbook for security. Moreover, the textbook characteristics do not take
away from the value of the book as a general book on security. As we all
know, sometimes textbooks are a little dry or too pedantic, but not so with
this book. This is an enjoyable time in the world of security books, as we
see the quality on the rise. Several books have become cornerstones of the
discipline of security, such as Schneier's Applied Cryptography and Bishop's
new Computer Security. This book fits into this category because of the
unique qualities that will allow it to be of value longer than the books
which look like headlines in the news media.
Security has moved past just looking at the technical aspects to the
management of the security operation. The chapter on administering security
is one that is often ignored. The chapter sections cover planning, risk
analysis, policies and physical security. The following chapter is titled
"Legal, Privacy, and Ethical Issues in Computer Security." I would change
that to "Ethical, Legal, and Social Issues in Computer Security" because
privacy is not the only social issue. Besides, the acronym ELSI can be used
as it is in the Human Genome Project. Both areas are having and will continue
to have a tremendous impact on society. In any case, the chapter covers
copyrights, patents and trade secrets, crime and privacy, with several
ethical case studies. It is about time that a serious look at ethics in
computer security appeared. This section would provide a perfect starting
point.
The remainder of the book has good chapters covering database security,
writing secure code, operating system security and cryptography. The
balance in coverage is excellent and the addition of database security
is welcome. The preparation and knowledge of the authors are abundantly
clear. This is a highly recommended book, one I will use the next time I
teach a security course.
____________________________________________________________________
Book Review By Robert Bruen
January 8, 2002
____________________________________________________________________
Bishop, Matt. Computer Security: Art and Science. Addison-Wesley 2003.
ISBN 0-201-44099-7. LoC QA76.9.A25 B56 2002. 1084 pages. $74.99. Bibliography.
Index.
Professor Bishop has raised the level of the field of digital security
with this book. Although there are many good security books available,
none has pulled together the theoretical side like this one. No
discipline is really a discipline unless it has a fundamental, theoretical
reference available. This is a signal that the field
has reached a level of maturity beyond worrying about juvenile attacks
like Denial of Service and Web Page Defacement. Some of the other good
security books have offered theoretical approaches, but Bishop has
provided the most comprehensive of all.
No one who practices computer security should ignore this book, in spite
of its billing as a theoretical work. Theoretical means there are math and
models at the deeper levels, not all of which a practitioner requires
to secure a system. However, the deeper levels of understanding provide
abstract methods of dealing with novel problems, a step beyond knowing
that a particular operating system version needs a specific patch to be
protected against a single attack. More emphasis will be placed on proper
design of systems to meet security requirements, and without a strong
theoretical basis to work from, it just will not happen.
Mathematics gives us a couple of things. On the one hand there are proofs,
theorems and formulas, which seem to be the playground of the
professionals, and on the other hand, we have a way of thinking about
ideas. Bishop has produced a wonderful example of both. The chapters
are well organized, with definitions that are clearly drawn out into
the more complex ideas in a style which is quite readable. The teaching
approach is evident throughout the book.
It is a long book, over 1000 pages, with little white space and lots of
figures. It is organized into nine parts consisting of thirty-five chapters.
The first two parts are the requisite introduction and the all-important
foundations. The third part is a wonderful coverage of policy, which
contains practical matter, but we find the use of
specialized language and several models present which do not appear
in other policy texts for computer security. Parts four and five are
dedicated to implementation, first cryptography, then systems. Obviously,
since cryptography is covered in many other places, just enough of the
basics are here. Assurance, the topic of part six, was contributed by
Elisabeth Sullivan. These four chapters follow the pattern of the rest
of the book without a bump. The Common Criteria is discussed, along
with systems evaluation and formal methods for assurance. Parts seven
and eight are more practical in nature, covering malicious code, auditing,
and security for programs, web servers and users. The last part is a
collection of interesting areas, among them lattices, the Euclidean
Algorithm, and entropy.
The book is intended as a textbook. Every chapter has sections on
research issues, further reading and exercises. There is an extensive
bibliography and many examples. Computer security is a game of
knowledge and expertise. The underpinnings of the game are here for the
taking. A must for anyone in the field, even if you are not in school
as a student or a teacher. Bishop's Computer Security will have the same
kind of impact on computer security that Bruce Schneier's Applied
Cryptography has on cryptography. One of the best security books written.
====================================================================
Reader's Guide to Current Technical Literature in Security and Privacy,
by Anish Mathuria
====================================================================
The Reader's Guide from Past issues of Cipher is archived at
www.ieee-security.org/Cipher/ReadersGuide.html
====================================================================
Listing of academic positions available
by Cynthia Irvine
====================================================================
http://cisr.nps.navy.mil/pages/employment/cipher_employ.htm
Florida International University, Miami, Florida
Assistant/Associate Professor of Computer Science
Evaluation begins January 9, 2003 and continues until the positions are
filled. www.cs.fiu.edu/cgi-bin/portal/index.pl?iid=9668&isa=Bulletin&op=show
The George Washington University
Computer Science Dept.
Washington DC 20052
202 994-4955
fax 202 994-4875
Two full-time security assistant professor faculty positions
Fall 2003 - Open until filled
Contact Prof. Lance J. Hoffman
lhoffma1@gwu.edu
http://www.cs.gwu.edu/prospective/faculty2/
GWU is recognized by the National Security Agency as a Center of Academic
Excellence in Information Assurance Education
Foundations of Programming Languages Research Group
School of Computer Science, Telecommunications and Information Systems
DePaul University
Chicago, IL, USA
Postdoctoral Research Associate on NSF-funded Trusted Computing project
Cryptyc: Cryptographic Protocol Type Checker
Position to start on 1 January 2003
Details at http://cryptyc.cs.depaul.edu/hiring.html
Information Security Group,
Laboratories for Information Technology
Singapore
Postdoc/Associate Research Staff
Cryptography and Information Security
Contact email: baofeng@lit.org.sg
CASE Center
Syracuse University, Syracuse, NY 13244-4100, USA
Visiting SUPRIA position
http://www.ecs.syr.edu/dept/eecs/positions/supria.html
Max-Planck Institute for Computer Science
Saarbruecken, Germany
Postdoc / Research associate position
Areas of particular interest: static program analysis, verification,
security, cryptographic protocols, and critical software.
Applications begin immediately.
http://www.mpi-sb.mpg.de/units/nwg1/offers/positions.html
James Madison University, Harrisonburg, VA
Department of Computer Science
Tenure-Faculty position
The James Madison University Department of Computer Science is
seeking applications from faculty who specialize in INFOSEC or closely related
areas. http://www.cs.jmu.edu/faculty_openings.htm
Vrije Universiteit, Amsterdam, The Netherlands
Postdoc / Assistant Professor
Internet security. Position is available immediately.
http://www.cs.vu.nl/%7East/jobs
Department of Information and Software Engineering
George Mason University, Fairfax, VA
1 Tenure-track, 1 visiting position
Positions are in security. Areas of particular interest: Computer
security, networking, data mining, and software engineering.
Search will continue until positions are filled.
http://ise.gmu.edu/hire/
Purdue University, West Lafayette, IN
Department of Computer Science
Emphasis on Assistant Professor Positions, but more senior
applicants will be considered. Areas of particular interest:
Computer security and INFOSEC. Positions beginning August 2000.
http://www.cs.purdue.edu/announce/faculty2001.html
Rensselaer Polytechnic Institute, Troy, NY
Department of Computer Science
Tenure Track, Teaching, and Visiting Positions
Areas of particular interest: Computer security, networking,
parallel and distributed computing, and theory. Positions
beginning Fall 2000.
http://www.cs.rpi.edu/faculty-opening.html
Swiss Federal Institute of Technology
Lausanne (EPFL), Switzerland/Eurecom/Telecom Paris
General Director
Areas of particular interest: Education and research in
telecommunications. Applications begin immediately.
http://admwww.epfl.ch/pres/dir_eurecom.html
Florida State University, Tallahassee, FL
Department of Computer Science
Tenure-track positions at all ranks, several positions available.
Available (1/00). Areas of particular interest: Trusted Systems,
security, cryptography, software engineering, provability and
verification, real-time and safety-critical systems, system
software, databases, fault tolerance, and computational/simulation-based
design. http://www.cs.fsu.edu/positions
--------------
This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like
to have it included on this page, send the following information:
Institution,
City, State,
Position title,
date position announcement closes, and
URL of position description
to: irvine@cs.nps.navy.mil
====================================================================
Interesting Links and Reports Available via FTP and WWW
====================================================================
"Reports Available" links from previous issues of
Cipher are archived at www.ieee-security.org/Cipher/NewReports.html
and www.ieee-security.org/Cipher/InterestingLinks.html
====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================
____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________
SUBSCRIPTIONS:
Two options:
1. To receive the full ascii CIPHER issues as e-mail, send e-mail to
cipher@issl.iastate.edu (which is NOT automated) with subject line
"subscribe".
2. To receive a short e-mail note announcing when a new issue of
CIPHER is available for Web browsing send e-mail to
cipher@issl.iastate.edu (which is NOT automated) with subject line
"subscribe postcard".
To remove yourself from the subscription list, send e-mail to
cipher@issl.iastate.edu with subject line "unsubscribe". Those with
access to hypertext browsers may prefer to read Cipher that way. It
can be found at URL www.ieee-security.org/cipher.html
CONTRIBUTIONS:
to cipher@issl.iastate.edu are invited. Cipher is a NEWSletter, not a
bulletin board or forum. It has a fixed set of departments, defined
by the Table of Contents. Please indicate in the subject line for
which department your contribution is intended. For Calendar entries,
please include a URL and/or e-mail address for the point-of-contact.
For Calls for Papers, please submit a one paragraph summary. See this
and past issues for examples. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL
COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material
should respect stated copyright notices, and should cite the sources
explicitly; as a courtesy, publications using Cipher material should
obtain permission from the contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________
Address changes from past issues of Cipher are archived at
www.ieee-security.org/Cipher/AddressChanges.html
______________________________________________________________________
How to become a member of the
IEEE Computer Society's TC on Security and Privacy
________________________________________________________________________
You may easily join the TC on Security & Privacy by completing the on-line
form at IEEE at http://www.computer.org/TCsignup/index.htm.
_____________________________________________________________
TC Publications for Sale
_____________________________________________________________
Proceedings of the IEEE CS Symposium on Security and Privacy
The Technical Committee on Security and Privacy has copies of its
publications available for sale directly to you. You may pay for
Proceedings by credit card or check.
Proceedings of the IEEE Symposium on Security and Privacy
Year(s)     Format     Price
2001        Hardcopy   $25.00*
2000        Hardcopy   $15.00*
1999        Hardcopy   SOLD OUT
1998        Hardcopy   $10.00*
2000-2001   CD-ROM     $25.00*
* Plus shipping charges
Payment by Check:
Please specify the items and quantities that you wish to receive,
your shipping address, and the method of shipping (for overseas orders)
Mail your order request and a check, payable to the 2002 IEEE Symposium
on Security and Privacy to:
Terry L. Hall
Treasurer, IEEE Security and Privacy
14522 Gravelle Lane
Florissant, Mo 63034
U S A
Please include the appropriate amount to cover shipping charges as
noted in the table below.
Domestic shipping: $4.00 per order for 3 volumes or fewer
Overseas surface mail: $6.00 per order for 3 volumes or fewer
Overseas air mail: $12 per volume
Credit Card Orders:
For a limited time, the TC on Security and Privacy can charge orders
to your credit card. Send your order by mail to the address above or
send email to terry.l.hall2@boeing.com specifying the items and quantities
that you wish to receive, your shipping address, method of shipping
(surface or air for overseas orders) along with
* the name of the cardholder,
* credit card number, and
* the expiration date.
Exact shipping charges will be charged to your credit card and included
in your receipt. Shipping charges may be approximated from the table above.
IEEE CS Press
You may also order some back issues from IEEE CS Press at
www.computer.org/cspress/catalog/proc9.htm.
Proceedings of the IEEE CS Computer Security Foundations Workshop
The most recent Computer Security Foundations Workshop (CSFW15) took place
June 2002. Topics included formal specification of security protocols,
protocol engineering, distributed systems, information flow, and security policies.
Copies of the proceedings are available from the publications chair for
$25 each. Copies of earlier proceedings starting with year 3 (1990) are
available at $10. Photocopy versions of year 1 are also $10.
Checks payable to Joshua Guttman for CSFW may be sent to:
Joshua Guttman, MS S119
The MITRE Corporation
202 Burlington Rd.
Bedford, MA 01730-1420 USA
guttman@mitre.org
________________________________________________________________________
TC Officer Roster
________________________________________________________________________
Chair:
Mike Reiter
Carnegie Mellon University
ECE Department
Hamerschlag Hall, Room D208
Pittsburgh, PA 15213 USA
(412) 268-1318 (voice)
reiter@cmu.edu

Past Chair:
Thomas A. Berson
Anagram Laboratories
P.O. Box 791
Palo Alto, CA 94301
(650) 324-0100 (voice)
berson@anagram.com

Vice Chair:
Heather Hinton
IBM Software Group - Tivoli
11400 Burnett Road
Austin, TX 78758
(512) 436-1538 (voice)
hhinton@us.ibm.com

Chair, Subcommittee on Academic Affairs:
Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department
Code CS/IC
Monterey CA 93943-5118
(408) 656-2461 (voice)
irvine@cs.nps.navy.mil

Chair, Subcommittee on Standards:
David Aucsmith
Intel Corporation
JF2-74
2111 N.E. 25th Ave
Hillsboro OR 97124
(503) 264-5562 (voice)
(503) 264-6225 (fax)
awk@ibeam.intel.com

Chair, Subcommittee on Security Conferences:
Jonathan Millen
SRI International EL233
Computer Science Laboratory
333 Ravenswood Ave.
Menlo Park, CA 94025
(650) 859-2358 (voice)
(650) 859-2844 (fax)
millen@csl.sri.com
Newsletter Editor:
Jim Davis
Department of Electrical and Computer Engineering
2413 Coover Hall
Iowa State University
Ames, Iowa 50011
(515) 294-0659 (voice)
davis@iastate.edu
BACK ISSUES:
Cipher is archived at: www.ieee-security.org/cipher.html
========end of Electronic Cipher Issue #52, January 20, 2003===========