==========================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 61                                      July 17, 2004

Hilarie Orman, Editor                      Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org    cipher-assoc-editor @ ieee-security.org

Bob Bruen, Book Review Editor, cipher-bookrev @ ieee-security.org
==========================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Contents:

* Letter from the Editor
* Commentary and Opinion
  o Article about the IETF's recent work on network security protocols, IPsec and IKE
  o Bob Bruen's review of WI-FOO. The Secrets of Wireless Hacking
    by Andrew Vladimirov, Konstantin Gavrilenko, Andrei Mikhailovsky
  o Bob Bruen's review of HARDENING Windows Systems by Roberta Bragg
  o Bob Bruen's review of Know Your Enemy. 2nd ed. Learning About Security Threats
    by The Honeynet Project
  o Review of the 17th IEEE Computer Security Foundations Workshop
    (Asilomar, CA, June 28, 2004) by Jon Millen
  o Excerpted security relevant news items from other publications
  o Book reviews, Conference Reports and Commentary and News items from past
    Cipher issues are available at the Cipher website
* News Briefs
  o Akamai Outage Raises DNS Questions
  o "Simple passwords no longer suffice"
  o Executives complain about software vulnerability
* Conference and Workshop Announcements
  o New calls-for-papers
  o Calendar of upcoming events
  o New Journal, JOPT, Journal of Privacy Technology
  o Upcoming conferences (submission deadline for papers has passed)
* List of Computer Security Academic Positions, by Cynthia Irvine
* Staying in Touch
  o Information for subscribers and contributors
  o Recent address changes
* Links for the IEEE Computer Society TC on Security and Privacy
  o Becoming a member of the TC
  o TC Officers
  o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

This issue of Cipher features a timely article about the IETF's revisions of the IPsec protocol. Originally proposed more than 10 years ago, this protocol has seen increasing use, and the recent revisions reflect that experience. Bob Bruen has contributed his usual interesting book reviews, delving into the new literature on hacking and hardening.

In looking over the recent news article about increasingly sophisticated Internet-based attacks and thinking about the thousands of papers written every year about security-related research, I have begun wondering about how to measure the effectivity of research. Can we shorten the path between research projects and common use, and can we determine if the most important research topics are being covered? Have we ignored the results of past research?
Should we revive older work in modern settings? Can industry, academia, and government jointly develop a plan for securing our computer systems and networks within, say, 6 years? If not, are we condemned to a dismal future of increasing dependence on systems that have decreasing resistance to increasingly sophisticated hackers?

I invite contributions to Cipher that explore these questions. In addition to our valued regular contributors, new volunteer reporters are always welcome. A conference write-up noting promising new ideas that will help solve current problems would be one way to help us all develop a perspective on long term security planning.

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
Commentary and Opinion
====================================================================

____________________________________________________________________
IETF Updates IP Security Protocol (IPsec)
July 18, 2004
by Russ Housley, Vigil Security, LLC and Karen Seo, BBN Technologies
____________________________________________________________________

The IP Security Protocol (IPsec) provides cryptographically-based security for IPv4 and IPv6. The set of security services offered includes access control, connectionless integrity, data origin authentication, detection and rejection of replays (a form of partial sequence integrity), confidentiality (via encryption), and limited traffic flow confidentiality. These services are provided at the IP layer, offering protection for all protocols that may be carried over IP in a standard fashion (including IP itself). The protection offered by IPsec is achieved by using one or both of the data protection protocols (AH and ESP). Data protection requirements are defined in the Security Policy Database (SPD).
IPsec assumes use of version 2 of the Internet Key Exchange protocol, IKEv2, but a key and security association (SA) management system with comparable features can be used instead.

The principal current IPsec RFCs (RFC 2401 (IPsec Architecture), RFC 2402 (AH), RFC 2406 (ESP), and RFC 2409 (IKE)) were completed in November 1998. During the following 3 years, the community gained implementation and operational experience. In 2001, this real world experience, increased network speeds, and technology advances such as multicast, motivated the IPsec Working Group to begin updating the IPsec specifications. Numerous issues that required resolution were debated, including the best ways to provide support for multicast in AH and ESP, counter mode, NAT, and firewall traversal.

The revised specifications include:

The IPsec Architecture specification - The revised version, commonly called "2401bis", is an Internet Draft. A small number of issues are still being debated, but the IPsec working group has reached consensus on most items. The revised specification should reach the final stages of IETF approvals this summer. The processing model has been changed to include a separation between forwarding (routing) and SPD selection, and the addition of an outbound SPD cache and an inbound SPD cache for bypassed or discarded traffic. SPD entries were redefined to provide more flexibility and to more closely align with the policies that can be negotiated by IKEv2. Handling of ICMP messages, fragments, and multicast traffic was updated. The IPv6 mobility header has been added as a possible Next Layer Protocol and the IPv6 mobility header message type has been added as a selector. Support for AH in both IPv4 and IPv6 and for nested SAs and "SA bundles" is no longer required. The revised specification is expected to address new IPsec scenarios, provide improved performance and be simpler to implement.
http://www.ietf.org/internet-drafts/draft-ietf-ipsec-rfc2401bis-02.txt

The IP Encapsulating Security Payload (ESP) specification - The revised version is an Internet Draft that is currently in the last stages of the IETF approval process. While the updated ESP specification is further in the review and approval process than 2401bis, due to dependencies between the two documents, both documents will become RFCs at the same time. Support for cryptographic modes that provide both confidentiality and integrity has been added. There is a new option for a 64-bit sequence number for very high-speed communications. Multicast support has been updated. Dummy packets and a new padding option have been added for improved traffic flow confidentiality. References to mandatory algorithms have been moved to a separate document.
http://www.ietf.org/internet-drafts/draft-ietf-ipsec-esp-v3-08.txt

The IP Authentication Header (AH) specification - The revised version is an Internet Draft that is currently in the last stages of the IETF approval process. While the updated AH specification is further in the review and approval process than 2401bis, due to dependencies between the two documents, both documents will become RFCs at the same time. There is a new option for a 64-bit sequence number for very high-speed communications. Multicast support has been updated. References to mandatory algorithms have been moved to a separate document.
http://www.ietf.org/internet-drafts/draft-ietf-ipsec-rfc2402bis-07.txt

The Internet Key Exchange (IKEv2) Protocol specification - The revised version is an Internet Draft that is currently in the last stages of the IETF approval process. The entire IKE protocol will be in a single document, replacing RFCs 2407, 2408, and 2409. IKEv2 is much simpler than IKEv1, yet IKEv2 improves security and includes support for NAT Traversal, Extended Authentication, and Remote Address acquisition.
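The 64-bit sequence number option described above for ESP and AH changes the receiver's replay check, because only the low 32 bits of the number are carried in the packet and the receiver must infer the high 32 bits before it can tell a late packet from a replay. The following is an added example, not code from the article or from the IETF drafts, of that receiver-side reconstruction and anti-replay window; the window size, the names and the packet trace are this example's own assumptions.

```c
/* Added example, not code from the article or the IETF drafts: an ESP anti-replay
 * window for the 64-bit extended sequence number (ESN) option.  Only the low 32 bits
 * travel in the ESP header, so the receiver reconstructs the high 32 bits before the
 * replay check.  Window size, names and the packet trace are this example's own. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define ESN_WINDOW 64u /* W: replay window in packets; must fit the 64-bit bitmap */
typedef struct {
    uint64_t top;    /* highest sequence number whose integrity check passed */
    uint64_t bitmap; /* bit i set => sequence number (top - i) already received */
} esn_window_t;

typedef enum {
    ESN_ACCEPT_NEW,       /* above the window top: accept and advance the window */
    ESN_ACCEPT_IN_WINDOW, /* inside the window and not yet seen: accept */
    ESN_REJECT_REPLAY,    /* inside the window but already seen */
    ESN_REJECT_TOO_OLD    /* cannot be a live packet: drop */
} esn_verdict_t;

/* Sequence numbers start at 1, so marking 0 as seen rejects a zero on the wire. */
void esn_init(esn_window_t *w) { w->top = 0; w->bitmap = 1; }

/* Reconstruct the 64-bit sequence number from the 32 bits on the wire.  The guess
 * is the value nearest the window; a packet really older than the window is read
 * as a future one and fails the ICV check, which covers the high 32 bits.
 * Returns false only when the guess would lie before sequence number 0. */
bool esn_reconstruct(const esn_window_t *w, uint32_t seql, uint64_t *seq)
{
    uint32_t tl = (uint32_t)w->top;         /* low half of the window top */
    uint32_t th = (uint32_t)(w->top >> 32); /* high half of the window top */
    uint32_t bl = tl - (ESN_WINDOW - 1);    /* low half of the window bottom, mod 2^32 */
    uint32_t seqh;

    if (tl >= ESN_WINDOW - 1) {
        /* Case A: window within one 2^32 span; below the bottom means wrapped ahead */
        seqh = (seql >= bl) ? th : th + 1;
    } else if (seql >= bl) {
        /* Case B: window straddles a boundary and seql is in the previous span */
        if (th == 0)
            return false;
        seqh = th - 1;
    } else {
        seqh = th;
    }
    *seq = ((uint64_t)seqh << 32) | seql;
    return true;
}

/* Classify a packet without touching the window; *seq feeds the ICV check. */
esn_verdict_t esn_check(const esn_window_t *w, uint32_t seql, uint64_t *seq)
{
    if (!esn_reconstruct(w, seql, seq))
        return ESN_REJECT_TOO_OLD;
    if (*seq > w->top)
        return ESN_ACCEPT_NEW;
    uint64_t diff = w->top - *seq;
    if (diff >= ESN_WINDOW) /* unreachable with the rule above; guards the shift */
        return ESN_REJECT_TOO_OLD;
    return (w->bitmap & ((uint64_t)1 << diff)) ? ESN_REJECT_REPLAY : ESN_ACCEPT_IN_WINDOW;
}

/* Record a packet.  Call only after its ICV verified with the reconstructed number;
 * updating on unverified packets would let anyone slide the window forward. */
void esn_update(esn_window_t *w, uint64_t seq)
{
    if (seq > w->top) {
        uint64_t shift = seq - w->top;
        w->bitmap = (shift >= 64) ? 0 : (w->bitmap << shift);
        w->bitmap |= 1;
        w->top = seq;
    } else {
        w->bitmap |= (uint64_t)1 << (w->top - seq);
    }
}

/* Demo wrapper: check, then update on acceptance (a real receiver verifies the ICV
 * between the two calls). */
esn_verdict_t esn_check_and_update(esn_window_t *w, uint32_t seql)
{
    uint64_t seq;
    esn_verdict_t v = esn_check(w, seql, &seq);
    if (v == ESN_ACCEPT_NEW || v == ESN_ACCEPT_IN_WINDOW)
        esn_update(w, seq);
    return v;
}

int main(void)
{
    /* Constructed trace: the counter nears the 32-bit boundary, crosses it, then a
     * late packet and a replay from before the boundary arrive. */
    uint32_t trace[] = {1, 0x7FFFFFFF, 0xFFFFFFF0, 5, 0xFFFFFFF8, 0xFFFFFFF0, 5};
    esn_window_t w; esn_init(&w);
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++)
        printf("seql=0x%08x verdict=%d top=0x%llx\n", (unsigned)trace[i],
               (int)esn_check_and_update(&w, trace[i]), (unsigned long long)w.top);
    return 0;
}
```

The trace shows why the window alone is not the whole check: a value more than W behind the top is always read as a packet ahead of the window, so it is the integrity check over the reconstructed 64-bit number that rejects it.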
A small number of issues are still being debated, but the IPsec working group has reached consensus on most items. Despite the protocol name, much of IKE is devoted to non-cryptographic aspects of security association management. IKE provides peer entity authentication. It performs an ephemeral Diffie-Hellman key exchange, and then derives keys from the resulting shared secret that are used to protect subsequent IKE traffic as well as user traffic between a pair of IPsec peers. It negotiates parameters that define each security association between these peers, including the type of traffic to be carried and the SA lifetime. IKEv2 maintains the IKEv1 syntax and magic numbers to the extent possible, allowing IKEv1 implementations to be enhanced to support IKEv2 with minimum effort. References to mandatory algorithms have been moved to a separate document, and human readable labels have been assigned to frequently used suites of cryptographic algorithms to reduce the configuration burden on administrators.
http://www.ietf.org/internet-drafts/draft-ietf-ipsec-ikev2-13.txt

For more information, contact Karen Seo (kseo@bbn.com) or Russ Housley (housley@vigilsec.com).

____________________________________________________________________
Book Reviews
____________________________________________________________________

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Bob Bruen
July 18, 2004
____________________________________________________________________

WI-FOO. The Secrets of Wireless Hacking
by Andrew Vladimirov, Konstantin Gavrilenko, Andrei Mikhailovsky
Addison-Wesley 2004.
ISBN 0-321-20217-1. Eight appendices, glossary, index.
555 pages, $34.99

Now that the real books about wireless security have started to appear, it is time for a real hacker's book for wireless. WI-FOO is a comprehensive work with an attitude that pokes fun at "1337 h4x0rs" (roughly translated, naive hackers). In my opinion real security requires real expertise. It is not enough to announce the discovery of yet another buffer overflow somewhere. What is required is a thorough knowledge of principles, protocols, architecture and implementation. The authors appear to meet my requirements. The existing security books, some of which are excellent, do not cover the hands-on environment, a necessary step if penetration testing is your objective. Such testing could be desired for a number of reasons, such as testing your own wireless environment or someone else's network. A good book will have a variety of approaches. For example, it might include the step-by-step recipes for a particular procedure and good explanations of why each step is necessary. Books like this demand an investment of time and energy to follow and understand, no matter how well written they are.

Planning an attack or test on a network has been a cornerstone of the process, unless you just want to release something to the Internet without consideration for what happens. The more you know, the better off you will be. War-driving/walking are only part of the process, and they have some subtle complications of their own. For example, when you return to a target rich environment, how do you single out a particular network that you found previously? (GPS is a good start). The detailed planning process in WI-FOO is nicely done. The steps are there, the tools are there and what to do with what you get is there as well. Lots of extra resource pointers are given, but you get enough in the book to carry out a plan.

When starting to gather up the equipment for your penetration test, you will need to select some hardware. Clearly, you will need a laptop, unless you have built in a machine/power in your vehicle's trunk (yes, people do this) and some sort of wireless card, but which card? WI-FOO covers several common cards, with schematics of one Prism device, to help you decide on what you want. RF and antenna basics are presented, without the Pringles can. One of the nice features of this book is the broad coverage of operating systems, Linux, BSD, Windows, etc. The reader is walked through setting up a card on Linux from kernel compiling through drivers, configurations and usage.

While I tout the value of understanding the underlying principles, I also value the tools which are available. The tools covered in WI-FOO range over encryption cracking, discovery, sniffing and attacking. Where to get them, both free and commercial, what they do and how you can use them are detailed in a very accessible manner.

WI-FOO is a book that you want to own if you care at all about wireless operations, security or penetration testing. It is the one book you should have for wireless.

____________________________________________________________________
Book Review By Bob Bruen
July 18, 2004
____________________________________________________________________

HARDENING Windows Systems
by Roberta Bragg
McGraw-Hill Osborne 2004.
ISBN 0-07-225354-1
Appendix, index, $39.99

Microsoft Windows administrators and users can use all the help they can get, especially for security. It seems to me that you can break down MS security into two parts: one is the day-to-day issues around security breaches, attacks, and patching, and the other is hardening systems. If you have neither under control there is little you can do to make your life bearable. If your systems are hardened properly, then there will be fewer fires to put out so that you can concentrate on finding a replacement for Internet Explorer. A network of hardened Windows PCs and servers can reduce the level of attacks from the outside, possibly even from the inside. It also stands to reason that this environment would benefit from a better managed network because of what must be done to harden all of it.

What is hardening? Naturally, there is more than one definition, but in general, one tightens control using policies which affect authorization, authentication and permissions. Nothing happens by default. You only give out permission after thinking about it, something like "deny all" to everyone, then "allow" with justification. Shut off everything, then only turn on that which must be turned on. It is not unlike locking every single door, window and access point in your house, then unlocking only those that need to be. It is quite common for users to take all the defaults when their new system gets turned on, making for instant vulnerability.
A major problem is trying to figure out where all those details are that need to be turned off, without making the system unusable. This is where "Hardening Windows" comes in. Bragg starts out with the requisite password policy problem. Since Windows still owns the desktop, it is more likely that Windows users will need more reminding about this problem, which is exacerbated by the earlier Windows versions that permitted blank passwords and the ability to click cancel. More interesting is the explanation of how policies work for users, groups, domains, etc. Having watched knowledgeable Windows admins suffer trying to make policies work properly for long periods of time, I can appreciate the help. She has posted warnings in appropriate places where a click causes unintended behavior. It is also helpful to see what Microsoft actually meant when you see one of their policies' settings. The book is full of little tips, like "do not show the last user name in the login box." The book also has detailed registry settings for application access control. This range of detail is a sign of the thoroughness of the book. I liked the list of services that are candidates for disabling, even though it was six pages in length.

Securing Windows seems to be a better way to learn about Windows than those many other books of screen shots. Hardening Windows is a must for anyone administering a Windows environment. It is well written, helpful and priced right.

____________________________________________________________________
Book Review By Bob Bruen
July 18, 2004
____________________________________________________________________

Know Your Enemy. 2nd ed. Learning About Security Threats
by The Honeynet Project
Addison-Wesley 2004
ISBN 0-321-16646-9
6 appendices, Resources and References, Index, CD-ROM. 768 pages, $49.99

The Honeynet Project has come a long way in the two years since the first edition of "Know Your Enemy".
The table of contents is still divided into three parts (The Honeynet, The Analysis and The Enemy), but the content shows great progress. The underlying idea of the honeynet is to have a place that crackers could break into while being observed. The idea is simple, but the architecture of the system has evolved into a sophisticated one. Moreover, the observation methodology has evolved significantly. Not only are the tools better, but so are the applications of the tools.

This edition has expanded and improved sections on forensics, which seems rather an obvious outgrowth of the research. As with the rest of Honeynet tools, forensics is carried out with open source tools. In this case it is Sleuth Kit, Autopsy, netcat and built-in unix commands like dd. They also list a number of other useful tools, such as CDs that can boot a system for analysis or acquisition.

The new material on reverse engineering is a welcome addition. It has always been my opinion that analysis such as this is not complete without reverse engineering binary code or data files. Since blackhats generally do not leave source around, figuring out what they did can only be accomplished by reverse engineering. This section includes material on making reverse engineering more difficult, along with descriptions of code that will do this. It looks like one of those constantly escalating battles. An excellent tutorial on The Honeynet Reverse Challenge from the binary through disassembly to source code provides a practical demonstration on how reverse engineering works.

Since the first edition, Honeynets have gone into generations, GenI and GenII. Each is explained thoroughly, as are Sebek and other additional approaches such as virtual honeynets, User Mode Linux and VMWare. There seems to be no limit to what can be done to learn about what happens to our systems.
There is also no reason why the same tools and techniques can not be used to analyze normal systems that have not been compromised, but only failed or exhibited unexpected behavior. The end goal of this work is to learn and understand the behavior of the blackhat. My sense is that the blackhat of today is somewhat different from the blackhat of several years ago, even though the basic techniques have evolved rather than made revolutionary advances. There seems to be more criminal intent now and this is reflected in how the Honeynet Project describes the events. The section on The Enemy has been expanded to include profiling. The psychological analysis has given way to the sociological analysis, that is to say the view has moved from the individual to the group. The Enemy section has a wonderful analysis of the life cycle of an exploit that alone is worth the price of the book. I highly recommend this edition of "Know Your Enemy" for all the lessons provided. This is a great project that deserves the attention of all security people. The future looks better because of them. 
====================================================================
Conference Reports
====================================================================

____________________________________________________________________
Review of 17th IEEE Computer Security Foundations Workshop
Asilomar, CA, June 28, 2004
by Jon Millen
____________________________________________________________________

Technical Program

MONDAY June 28, 2004

8:45 - 9:00 WELCOME
George Dinolt (Naval Postgraduate School), General Chair
Riccardo Focardi (University of Venice), Program Chair

9:00 - 10:30 Protocols I
Session Chair: Jon Millen

A Theory of Dictionary Attacks and its Complexity
Stephanie Delaune, Florent Jacquemard (Laboratoire Specification et Verification)

In a dictionary attack, the attacker wants to confirm that his guess of a user's password is correct, by computing some term in two ways and comparing the results. This can be formalized by adding some inference rules to the attacker's capability. The approach is not new, but this paper proves for the first time that security in this model is NP-complete.

Generic Insecurity of Cliques-Type Authenticated Group Key Agreement Protocols
Olivier Pereira, Jean-Jacques Quisquater (UCL Crypto Group)

Cliques-type protocols create and distribute a common key among a group of arbitrary size. They exchange Diffie-Hellman exponentiated terms to a common base, authenticated between parties by including a pairwise shared key in the exponent. This paper shows the remarkable result that any protocol constructed this way can be attacked if the group has four or more parties.

Abstraction and Refinement in Protocol Derivation
Anupam Datta, Ante Derek, John Mitchell (Stanford University), Dusko Pavlovic (Kestrel Institute)

This latest paper in a series extends the protocol refinement process by allowing protocol "templates" with function variables.
This approach does not affect proof difficulty, but it facilitates comparison between related protocols like some different proposed versions of JFK (a proposed standard key exchange protocol).

11:00 - 12:00 Access Control
Session Chair: Andre Scedrov

A Distributed Calculus for Role-Based Access Control
Chiara Braghin (Universita' Ca' Foscari di Venezia), Daniele Gorla (Universita' di Firenze), Vladimiro Sassone (University of Sussex)

This is an application of pi-calculus to RBAC. An RBAC schema assigns possible roles to users and permitted access modes of roles to objects. A type system is set up whereby a successful type check implies that the schema is satisfiable by some nontrivial system in which each process is associated with a user and a role.

From Stack Inspection to Access Control: A Security Analysis for Libraries
Frederic Besson (Microsoft Research), Tomasz Blanc (INRIA), Cedric Fournet, Andrew Gordon (Microsoft Research)

They have a tool to analyze code that must be trusted and is written in a subset of IL, the intermediate language for CLR (Common Language Runtime), the .NET analogue of bytecode on JVM. The tool generates a call graph and looks for various known problems. Thus, this method goes beyond stack inspection.

2:00 - 3:00 Intrusion Detection
Session Chair: Catherine Meadows

Selecting Appropriate Counter-Measures in an Intrusion Detection Framework
Frederic Cuppens, Thierry Sans, Sylvain Gombault (ENST Bretagne)

They formally define "anti-correlation" for this purpose and have implemented it in a system called DIAMS.

Using Active Learning in Intrusion Detection
Magnus Almgren, Erland Jonsson (Chalmers University)

Active learning, in which an expert labels those training examples that are likely to improve the performance of the intrusion classifier, is shown to outperform the traditional self-learning substantially, both in accuracy and in the ability to train with less data.
3:30 - 4:30 Information Flow
Session Chair: Andrew Myers

Secure Information Flow by Self-Composition
Gilles Barthe (INRIA Sophia-Antipolis), Pedro R. D'Argenio (Universite de Provence), Tamara Rezk (INRIA Sophia-Antipolis)

Information flow is analyzed using an extension of Hoare logic called separation logic, used to reason about shared mutable data structures. This approach is more accurate than information flow based on type systems, can sometimes be sound and complete, and is amenable to mechanization.

Lenient Array Operations for Practical Secure Information Flow
Zhenyue Deng, Geoffrey Smith (Florida International University)

New simple and permissive typing rules are proposed for array operations, to enforce noninterference. (Information flow involving array indices can be subtle.)

4:30 - 5:30 Business meeting

The next CSFW will be held in Aix-en-Provence, France, near Marseilles. The program chair is Joshua Guttman, and the general chair is Roberto Amadio. There was considerable discussion about how to create a conference (rather than a workshop) for theoretical computer security. Oakland and ESORICS were deemed unsatisfactory, in their current mode. Growing CSFW had mixed reactions. A small, informal meeting has benefits, but greater access for students and researchers in related fields was considered important. Removing the "invitational" restriction is probably not harmful.

------------------------------------------------------------------------
TUESDAY June 29, 2004

9:00 - 10:30 Security Policies
Session Chair: Andy Gordon

Owned Policies for Information Security
Hubie Chen, Stephen Chong (Cornell University)

The Myers-Liskov decentralized label model, in which each label is a set of (owner, reader-set) permission pairs, is extended so that a reader-set is replaced by a lattice of policy labels (like the combined mandatory sensitivity-integrity lattice proposed by Biba) and the owners are roles in an "acts-for" hierarchy.
It is assumed that permissions of a role are included in higher roles.

Cassandra: Flexible Trust Management, Applied to Electronic Health Records
Moritz Y. Becker, Peter Sewell (Computer Laboratory, University of Cambridge)

Cassandra expresses policies in an extension of Datalog with constraints. It uses a top-down evaluation algorithm that is sound, complete, terminating, and efficient enough to deal with the 310-rule health application. It handles RBAC, trust negotiation, and remote entities.

The Consistency of Task-Based Authorization Constraints in Workflow Systems
Kaijun Tan (University of Pennsylvania), Jason Crampton (Royal Holloway, University of London), Carl Gunter (University of Pennsylvania)

In a workflow schema with RBAC authorizations, role permissions are qualified by where they are in the task flow graph. Authorization constraints (such as separation of duty) can conflict with task role requirements. An algorithm is given for checking consistency.

11:00 - 12:00 Declassification & Information Flow
Session Chair: Heiko Mantel

Enforcing Robust Declassification
Andrew Myers (Cornell University), Andrei Sabelfeld (Chalmers University of Technology), Steve Zdancewic (University of Pennsylvania)

A security-type-checking approach on programs is used to allow "robust declassification," in which high-integrity code is allowed to explicitly declassify or downgrade expressions. (Integrity is part of the security level.) Robustness means that low-integrity code may not cause downgrading by, for example, affecting a branch.

Modelling Downgrading in Information Flow Security
Annalisa Bossi, Carla Piazza, Sabina Rossi (Universita' Ca' Foscari di Venezia, Italy)

This is a process algebra (SPA) approach for expressing forms of noninterference that allow downgrading. They mention a 1992 Rushby report and other intransitive noninterference notions for deterministic systems.
Their extension is expressive enough to handle various nondeterministic possibilistic formulations. They support unwinding, compositionality, and refinement under given conditions.

2:00 - 3:00 Formal Methods & Cryptography
Session Chair: John Mitchell

Symmetric Encryption in a Simulatable Dolev-Yao Style Cryptographic Library
Michael Backes, Birgit Pfitzmann (IBM Zurich Research Laboratory)

It is shown how to add symmetric encryption to the ideal cryptographic library proposed earlier by this group. The library allows cryptographically sound security proofs with a symbolic Dolev-Yao approach. Symmetric encryption was difficult for their simulatability approach because secret keys can be sent as data.

On Universally Composable Notions of Security for Signature, Certification and Authentication
Ran Canetti (IBM Research)

The basic security properties of a signature scheme are captured as a stand-alone module, in contrast with the common library approach of, e.g., the IBM Zurich work. This formulation is chosen-message-attack- (CMA-) secure. The paper in the proceedings has an appendix reviewing the universally-composable (UC) security framework.

3:30 - 5:00 Panel: Formal Methods & Cryptography
Panel Chair: Cathy Meadows (Naval Research Laboratory)
Panelists: Ran Canetti, Michael Backes, and Andre Scedrov

The discussion included a reminder from Scedrov not to forget Shannon's basic information flow approach, as in the proof of one-time-pad security, in the context of computational models. Mitchell (in a question) challenged Canetti's use of interactive Turing machines as a model, suggesting that other models are more standard and better suited to model concurrent systems. Restrained, learned fireworks ensued.
------------------------------------------------------------------------
WEDNESDAY June 30, 2004

9:00 - 10:00 Authorization
Session Chair: Geoff Smith

By Reason and Authority: A System for Authorization of Proof-Carrying Code
Nathan Whitehead, Martin Abadi (University of California, Santa Cruz), George Necula (University of California, Berkeley)

This approach presupposes that Java or typed assembly language is downloaded along with a proof that it satisfies a security property. It is shown here how to verify authorization properties with a type check. Properties are expressed in BLF, a combination of Binder and LF, a modal logic based on Datalog with "says" and "believe" operators.

A Formal Foundation for XrML Licenses
Joseph Halpern, Vicky Weissman (Cornell University)

XrML, used for writing license policies, does not have a formal semantics, and there are startling problems in the way groups are handled. A semantics for a fragment of XrML is provided, along with a decision procedure for inferring access permission from licenses.

10:30 - 11:30 Protocols II
Session Chair: Michael Backes

Formal analysis of multi-party contract signing
Rohit Chadha (University of Sussex), Steve Kremer (Universite Libre de Bruxelles), Andre Scedrov (University of Pennsylvania)

Mocha was used to analyze two published protocols. In the Garay-Mackenzie protocol there is a fairness problem that shows up only with four or more signers. (This is the second example of a multi-party protocol problem that requires four participants; the other was for Cliques protocols.)

Symbolic Model Checking the Knowledge of the Dining Cryptographers
Kaile Su (Zhongshan University, China), Ron van der Meyden (University of New South Wales, Sydney)

Chaum's Dining Cryptographers problem is a multiparty anonymity protocol (involving coin flips but no cryptography). Surprisingly, there is no general proof; this paper is about model checking knowledge formulas using BDDs, and gets up to around 1000 diners.
(Croquet winner: Millen; 2nd was Mantel)

Summary by Jon Millen. (Corrections, additions welcomed)

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

___________________________________________________________________
June 16, 2004
Akamai Outage Raises DNS Questions
By Sean Michael Kerner
In http://www.internetnews.com/security/article.php/3369371

As distributed platform host provider Akamai scrambled to manage the fallout from a brief outage that hit some Web hosting customers Tuesday, a DNS expert (Paul Vixie) argued that global domain name servers are not at risk. Akamai called the distributed denial of service attack that hit its network Tuesday "sophisticated" and large-scale, but said it was limited to 4 percent of its customer base.

Hilarie Orman comments: this outage has raised many questions about how the infrastructure of service providers has become entwined with the reliability and survivability of the Internet.

___________________________________________________________________
June 1, 2004, Associated Press
http://www.msnbc.msn.com/id/5112838/
"Simple passwords no longer suffice"
"In perilous online world, complex passwords needed"

This AP article describes a Swedish bank's use of one-time passwords, a la Phil Karn's S/KEY software of many years ago. Several experts weigh in on this weighty subject, noting that it is difficult to remember passwords.
___________________________________________________________________

Executives complain about software vulnerability
CNN (AP), May 19, 2004

The Business Roundtable, an organization of executives from 150 of
America's largest companies, has begun a lobbying campaign criticizing
the technology industry for creating vulnerable, expensive, and
difficult to use software, making it a challenge to protect networks
for consumers.
http://www.cnn.com/2004/TECH/biztech/05/19/computer.security.ap/index.html

====================================================================
Conference and Workshop Announcements
====================================================================

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at
http://home.adelphi.edu/~spock/cipher/cfp.html

The Cipher event Calendar is at
http://www.cs.utah.edu/flux/cipher/cipher-hypercalendar.html

Contribute CFP's by sending them to cipher-cfp @ ieee-security.org
______________________________________________________________________

DRM2004 ACM Workshop on Digital Rights Management, Wyndham City Hotel,
Washington, DC, October 25, 2004. (submissions due 1 July 2004)

This workshop seeks submissions from academia and industry presenting
novel research on all aspects of security for ad hoc and sensor
networks, as well as experimental studies of fielded systems.
Submission of papers based on work-in-progress is encouraged.
Topics of interest include, but are not limited to, the following as
they relate to wireless networks, mobile ad hoc networks, or sensor
networks:
- Security under resource constraints, e.g., energy, bandwidth, memory,
  and computation constraints
- Performance and security tradeoffs
- Secure roaming across administrative domains
- Key management
- Cryptographic protocols
- Authentication and access control
- Trust establishment, negotiation, and management
- Intrusion detection and tolerance
- Secure location services
- Privacy and anonymity
- Secure routing
- Secure MAC protocols
- Denial of service
- Prevention of traffic analysis

For more info, see http://mollie.engr.uconn.edu/DRM2004/
_____________________________________________________________________

ACM MOBIWAC ACM International Workshop on Mobility Management and
Wireless Access (with Mobicom 2004), Philadelphia, PA, USA,
October 25, 2004. (Extended: submissions due 4 July 2004)

This workshop solicits papers, both from researchers and practitioners,
dealing with mobile computing and wireless access technologies, with an
emphasis on mobility and location management, ubiquitous and ad hoc
access, awareness, mobile computational ambient agents, natural
interaction and seamless access. The workshop will include contributed
technical papers, invited papers, panel discussions and tools
demonstrations. Authors are encouraged to submit both theoretical and
practical results of significance on all aspects of wireless and mobile
access technologies with an emphasis on mobility management and
wireless access.

The scope of this workshop includes, but is not limited to:
- Wireless/Mobile Access Protocols
- Wireless Web Access
- Fault Tolerance in Wireless Access Networks
- Application development for embedded electronics and mobile devices
  (with J2ME Wireless Devices, etc.)
- Wireless Multimedia Protocols
- Design and architecture of wireless communication and mobile computing
- Mobile service and QoS management
- Localization and tracking of mobile users
- Modeling of wireless devices and networks
- Large scale simulation
- Channel Allocation
- Analysis of correctness and efficiency of protocols
- Pervasive Computing
- Ubiquitous and mobile access
- Security and privacy issues
- Awareness-dependent wireless applications
- Interactive applications
- Context-awareness
- Wireless, ad hoc and sensor access devices
- Wireless internet access technologies
- Mobile commerce technologies

For more info, see http://ru1.cti.gr/mobiwac04/
______________________________________________________________________

ISWC2004 3rd Workshop on Trust, Security, and Reputation on the
Semantic Web, Hiroshima, Japan, November 7, 2004.
(submissions due 16 July 2004)

This workshop will bring together researchers from different
communities to examine cutting-edge approaches towards the
establishment of these security, trust, and reputation
infrastructures. The emphasis will be to advance and integrate security
and trust related research from the semantic web, logical reasoning,
grid, agent, peer-to-peer, and web services. The workshop will include
both presentations of research papers and demonstrations of implemented
systems. We envisage a wide variety of contributions both from the area
of traditional security and access control research as well as from the
area of reputation propagation and social network theory.
Workshop topics include, but are not limited to, the following:
- rule-based policies, contracts and business rules
- natural-language and visual interfaces for policy languages
- rules and ontologies for security, trust and privacy
- digitally signed RDF
- security requirements engineering
- trust establishment and automated trust negotiation
- decentralized trust infrastructures for semantic web and grid
  environments
- trust metrics and models
- trust and provenance
- trust and reputation management and propagation
- friends of a friend networks / FOAF
- distributed computation of trust
- security and trust for agents, peer-to-peer, grid and web services
- case studies on security and trust applications

For more info, see http://trust.mindswap.org/trustWorkshop/
_______________________________________________________________________

SPC2005 2nd International Conference on Security in Pervasive
Computing, Boppard, Germany, April 6-8, 2005.
(submissions due 15 October 2004)

The ongoing shrinking of computing facilities to small and mobile
devices like handhelds, portables or even wearable computers will
enhance ubiquitous information processing. The basic paradigm of such
pervasive computing is the combination of strongly decentralized and
distributed computing with the help of diversified devices allowing for
spontaneous connectivity. Computers will become invisible to the users'
awareness, and exchange of information between devices will effectively
defy users' control. The objective of this conference is to develop new
security concepts for complex application scenarios based on systems
like handhelds, phones, smartcards, RF-chips and smart labels, hand in
hand with the emerging technology of ubiquitous and pervasive computing.
Particular topics include but are not limited to methods and
technologies concerning:
- the identification of risks,
- the definition of security policies, and
- the development of security and privacy measures
especially cryptographic protocols related to the specific aspects of
ubiquitous and pervasive computing like mobility, location based
services, ad-hoc networking, resource allocation/restriction,
invisibility and secure hardware/software platforms.

For more info, please see: http://www.spc-conf.org
______________________________________________________________________
Cipher Event Calendar
______________________________________________________________________

Calendar of Security and Privacy Related Events
maintained by Hilarie Orman

Date (Month/Day/Year), Event, Locations, web page for more info.

 * 7/16/04: TSRSW, Trust, Security, and Reputation on the Semantic Web,
   Hiroshima, Japan; submissions are due;
   http://trust.mindswap.org/trustWorkshop
 * 7/30/04- 7/31/04: CEAS, Conference on Email and Anti-spam,
   Mountain View, CA; http://www.ceas.cc
--------
 * 8/ 2/04: Nordsec, Espoo, Finland; http://www.tml.hut.fi/Nordsec2004/;
   Submissions are due; information nordsec2004@tml.hut.fi
 * 8/ 9/04- 8/13/04: USENIX Security, San Diego, California;
   http://www.usenix.org/events/sec04/
 * 8/15/04- 8/19/04: CRYPTO, Santa Barbara, CA; http://www.iacr.org
 * 8/23/04- 8/25/04: WISA, Workshop on Information Security
   Applications, Jeju Island, Korea; http://dasan.sejong.ac.kr/~wisa04
 * 8/23/04: NDSS, Network and Distributed System Security Symposium,
   San Diego, California; http://crypto.stanford.edu/ndss05/;
   submissions are due; information kseo@bbn.com
 * 8/26/04- 8/27/04: FAST, Workshop on Formal Aspects in Security and
   Trust, Toulouse, France; http://www.iit.cnr.it/FAST2004
 * 8/30/04- 9/ 3/04: SIGCOMM, Portland, Oregon;
   http://www.acm.org/sigcomm/sigcomm2004
 * 8/30/04- 9/ 3/04: TRUSTBUS, Trust and Privacy in Digital Business,
   Zaragoza, Spain;
   http://www-ifs.uni-regensburg.de/trustbus04/
 * 8/30/04: SecCo, Security Issues in Coordination Models, Languages
   and Systems, London, UK; http://cs.unibo.it/secco04
--------
 * 9/ 3/04: SAC-TRUSTCOLLAB, ACM SAC, Track on Trust, Recommendations,
   Evidence and other Collaboration Know-how, Santa Fe, NM;
   http://www.trustcomp.org/treck/; Submissions are due;
   information sac.treck.info@trustcomp.org
 * 9/ 6/04- 9/11/04: FOSAD, School on Foundations of Security Analysis
   and Design, Bertinoro, Italy; http://www.sti.uniurb.it/events/fosad
 * 9/10/04: FC, Financial Cryptography, Roseau, The Commonwealth Of
   Dominica; http://www.ifca.ai/fc05/; Submissions are due;
   information stuart@eecs.harvard.edu
 * 9/13/04- 9/15/04: ESORICS, European Symposium on Research in
   Computer Security, French Riviera, France; http://esorics04.eurecom.fr
 * 9/15/04- 9/17/04: RAID, Recent Advances in Intrusion Detection,
   French Riviera, France; http://raid04.eurecom.fr
 * 9/15/04- 9/17/04: PDSC, International Workshop on Security in
   Parallel and Distributed Systems, San Francisco, CA;
   http://securityworkshop.ece.iastate.edu
 * 9/20/04- 9/23/04: NSPW, New Security Paradigms Workshop, Nova Scotia,
   Canada; http://www.nspw.org
 * 9/20/04- 9/22/04: ECC, Elliptic Curve Cryptography;
   http://www.cacr.math.uwaterloo.ca/conferences/2004/ecc2004/announcement.html
 * 9/20/04- 9/25/04: SAPS, Specification and Automated Processing of
   Security Requirements, Linz, Austria; http://www.lcc.uma.es/SAPS04
 * 9/20/04: WSRS, Workshop on Safety, Reliability, and Security of
   Industrial Computer Systems, University of Ulm, Germany;
   http://www.cs.utah.edu/flux/cipher/cfps/cfp-WSRS04.html
 * 9/23/04- 9/24/04: SKM, Workshop on Secure Knowledge Management;
   http://www.cse.buffalo.edu/caeiae/skm2004.html;
   information shambhu@acsu.buffalo.edu
 * 9/27/04- 9/29/04: ISC, Information Security Conference, Palo Alto,
   CA; http://isc04.uncc.edu
--------
 * 10/ 1/04: WiSe, Workshop on Wireless Security, Philadelphia, PA;
   http://www.ece.cmu.edu/~adrian/wise2004
 * 10/25/04-10/29/04: CCS-11, ACM Conference On Computer And
   Communications Security, Washington DC;
   http://www.acm.org/sigsac/ccs/CCS2004
 * 10/25/04: SASN, Security of Ad Hoc and Sensor Networks, Washington,
   DC; http://www.cs.gmu.edu/sasn
 * 10/27/04-10/29/04: ICICS, International Conference on Information
   and Communications Security, Malaga, Spain; http://icics04.lcc.uma.es
 * 10/28/04: WPES, Workshop on Privacy in the Electronic Society,
   Washington, DC; http://seclab.dti.unimi.it/wpes200
 * 11/ 4/04-11/ 5/04: Nordsec, Nordic Workshop on Secure IT Systems,
   Espoo, Finland; http://www.tml.hut.fi/Nordsec2004/
____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers
____________________________________________________________________

Journal of Privacy Technology (JOPT), Editor-in-Chief: Michael Shamos.
This online-only Journal, started in 2004 and operated by Carnegie
Mellon University, is a forum for the publication of original current
research in privacy technology. It encourages the submission of any
material dealing primarily with the technological aspects of privacy or
with the privacy aspects of technology, which may include analysis of
the interaction between policy and technology or the technological
implications of legal decisions. More information can be found at
http://www.jopt.org/

====================================================================
Conferences and Workshops (the call for papers deadline has passed)
====================================================================

IFIP WG 11.3 18th Annual IFIP WG 11.3 Working Conference on Data and
Application Security, Sitges, Spain, July 25-28, 2004.

The conference provides a forum for presenting original unpublished
research results, practical experiences, and innovative ideas in data
and applications security. Papers and panel proposals are solicited.
The conference is limited to about forty participants so that ample
time for discussion and interaction may occur. Papers may present
theory, technique, applications, or practical experience on topics of
interest of IFIP WG11.3. More information can be found at
http://seclab.dti.unimi.it/~ifip113/2004/

CEAS The First Conference on Email and Anti-Spam, Mountain View, CA,
USA, July 30-31, August 1, 2004.

The Conference on Email and Anti-Spam invites the submission of papers
for its first meeting, held in cooperation with AAAI (the American
Association for Artificial Intelligence). Papers are invited on all
aspects of email and spam, including research papers (Computer science
oriented academic-style research), industry reports (Descriptions of
important or innovative products), and law and policy papers. A full
list of topics can be found on the conference web site at
http://www.ceas.cc

CHES 2004 Cryptographic Hardware and Embedded Systems, Cambridge
(Boston), USA, August 11-13, 2004.

The focus of this workshop is on all aspects of cryptographic hardware
and security in embedded systems. Of special interest are contributions
that describe new methods for efficient hardware implementations and
high-speed software for embedded systems, e.g., smart cards,
microprocessors, DSPs, etc. We hope that the workshop will help to fill
the gap between the cryptography research community and the application
areas of cryptography. More information can be found at
http://www.chesworkshop.org.

WISA 2004 The 5th International Workshop on Information Security
Applications, Ramada Plaza, Jeju Island, Korea, August 23-25, 2003.

The 5th International Workshop on Information Security Applications
(WISA 2004) will be held in Jeju Island, Korea on August 23-25, 2004.
It is sponsored by the Korea Institute of Information and Cryptology
(KIISC), Electronics & Telecommunications Research Institute (ETRI),
and Ministry of Information and Communication (MIC).
The focus of this workshop is on all technical and practical aspects of
cryptographic and non-cryptographic security applications. The workshop
will serve as a forum for new results from the academic research
community as well as from the industry. More information can be found
at http://dasan.sejong.ac.kr/~wisa04

I-NetSec04 Third Working Conference on Privacy and Anonymity Issues in
Networked and Distributed Systems (special track at the 19th IFIP
International Information Security Conference), Toulouse, France,
August 23-26, 2004.

Privacy and anonymity are increasingly important aspects in electronic
services. The workshop will focus on these aspects in advanced
distributed applications, such as m-commerce, agent-based systems, P2P,
etc. More information can be found at http://www.sec2004.org.

IFIP/Sec 2004 The 19th IFIP International Information Security
Conference (IFIP/Sec 2004), Centre de Congres Pierre Baudis, Toulouse,
France, (as part of the 18th IFIP World Computer Congress),
August 23-26, 2004.

Papers offering novel research contributions in any aspect of computer
security are solicited for submission to the 19th IFIP International
Information Security Conference. More information can be found at
http://www.sec2004.org.

CARDIS 2004 The 6th Smart Card Research and Advanced Application IFIP
Conference, Toulouse, France, (as part of the 18th IFIP World Computer
Congress), August 23-26, 2004.

The program committee seeks papers describing the design, development,
application, and validation of smart card technologies. Submissions
across a broad range of smart card development phases are encouraged,
from exploratory research and proof-of-concept studies to practical
application and deployment of smart card technology. More information
can be found at http://www.sec2004.org.

CSES 2004 2nd International Workshop on Certification and Security in
Inter-Organizational E-Services, Toulouse, August 26-27, 2004.
The workshop is within IFIP-WCC 2004, the 18th World Computer Congress
of the IFIP. This is a uniquely rich event featuring a variety of
initiatives on key issues in Information Technology. For more
information on it see http://www.wcc2004.org/.

VLDB2004 Workshop "Secure Data Management in a Connected World", Royal
York Hotel, Toronto, Canada, August 30, 2004.

The aim of the workshop is to bring together people from the security
research community and data management research community in order to
exchange ideas on the secure management of data in the context of
emerging networked services and applications. The workshop will provide
a forum for discussing practical experiences and theoretical research
efforts that can help in solving these critical problems in secure data
management. Authors from both academia and industry are invited to
submit papers presenting novel research on the topics of interest. For
further info, please see
http://www.extra.research.philips.com/sdm-workshop/

SecCo2004 2nd International Workshop on Security Issues in Coordination
Models, Languages and Systems, London, United Kingdom, August 30, 2004.

Coordination models, languages and middlewares, which advocate a
distinct separation between the internal behaviour of the entities and
their interaction, represent a promising approach. However, due to the
openness of these systems, new critical aspects come into play, such as
the need to deal with malicious components or with a hostile
environment. Current research on network security issues (e.g. secrecy,
authentication, etc.) usually focuses on opening cryptographic
point-to-point tunnels. Therefore, the proposed solutions in this area
are not always exploitable to support the end-to-end secure interaction
between entities whose availability or location is not known
beforehand. For more information, please see: http://cs.unibo.it/secco04

Trustbus'04 Trust and Privacy in Digital Business, Zaragoza, Spain,
August 30 - September 3, 2004.
The First International Conference on Trust and Privacy in Digital
Business (TrustBus '04) will be held in conjunction with the 15th
International Conference on Database and Expert Systems Applications
(DEXA'04), (http://dexa.org/dexa2004/). TrustBus '04 shall bring
together researchers from different disciplines, developers, and users
all interested in the critical success factors of digital business
systems. We invite papers, work-in-progress reports, industrial
experiences describing advances in all areas of digital business
applications. A complete list of topics of interest and instructions
for submitting a paper can be found on the conference web site at
http://www-ifs.uni-regensburg.de/trustbus04/

SCN'04 Fourth Conference on Security in Communication Networks, Amalfi,
Italy, September 8-10, 2004.

The Fourth Conference on Security in Communication Networks (SCN '04)
will be held in Amalfi (Italy) on September 8-10 2004. SCN '04 aims at
bringing together researchers in the field of security in communication
networks to foster cooperation and exchange of ideas. Original papers
on all technical aspects of cryptology and network security are
solicited for submission to SCN04. For more information, please see
http://www.dia.unisa.it/conferences/SCN04/

ESORICS 2004 9th European Symposium on Research in Computer Security,
Institut Eurecom, Sophia-Antipolis, French Riviera, France,
September 13-15, 2004.

Papers offering novel research contributions in any aspect of computer
security are solicited for submission to ESORICS 2004. Organized in a
series of European countries, ESORICS is confirmed as the European
research event in computer security. The primary focus is on
high-quality original unpublished research, case studies and
implementation experiences. We encourage submissions of papers
discussing industrial research and development. Information on topics
of interest, and instructions for submitting a paper can be found at
http://esorics04.eurecom.fr.
RAID'2004 Seventh International Symposium on Recent Advances in
Intrusion Detection, Institut Eurecom, Sophia-Antipolis, French
Riviera, France, September 15-17, 2004.

For RAID 2004 there is a special theme: the interdependence between
intrusion detection and society. Thus, we will also welcome papers that
address issues that arise when studying intrusion detection, including
information gathering and monitoring, as a part of a larger, not
necessarily purely technical, perspective. The RAID 2004 program
committee invites three types of submissions: full papers presenting
mature research results; practical experience reports describing a
valuable experience or a case study; and panel proposals for presenting
and discussing hot topics in intrusion detection systems. The RAID 2004
web site elaborates on these themes and also provides a full list of
topics of interest (http://raid04.eurecom.fr)

PDCS 2004 International Workshop on Security in Parallel and
Distributed Systems (in conjunction with the 17th International
Conference on Parallel and Distributed Computing Systems), San
Francisco, CA, USA, September 15-17, 2004.

In recent years, interest has increased in the field of security of
parallel and distributed systems, which include the control mechanisms,
mobile code security, denial-of-service attacks, trust management,
modeling of information flow and its application to confidentiality
policies, system composition, and covert channel analysis. We will
focus our program on issues related to important properties of system
security, such as measurability, sustainability, affordability, and
usability in parallel and distributed systems. More information can be
found at the conference web site at
http://securityworkshop.ece.iastate.edu

NSPW2004 New Security Paradigms Workshop 2004, White Point Beach Resort,
Nova Scotia, Canada, September 20-23, 2004.
For twelve years the New Security Paradigms Workshop (NSPW) has
provided a stimulating and highly interactive forum for innovative
approaches to computer security. The workshop offers a constructive
environment for experienced researchers and practitioners as well as
newer participants in the field. The result is a unique opportunity to
exchange ideas. NSPW 2004 will take place September 20 - 23 at the
White Point Beach Resort, located on the southern shore of beautiful
Nova Scotia. The resort can be reached by air via Halifax or by ferry
from Portland, Maine. More information can be found at
http://www.nspw.org/

====================================================================
Reader's Guide to Current Technical Literature in Security and Privacy
====================================================================

The Reader's Guide from Past issues of Cipher is archived at
http://www.ieee-security.org/Cipher/ReadersGuide.html

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

Listed at http://cisr.nps.navy.mil/jobscipher.html
--------------
National ICT Australia, Formal Methods Program
Researcher/Senior Researcher
Formal Methods for Computer Security
http://nicta.com.au

National ICT Australia
Program Leader
Security and Trust Management Program
http://nicta.com.au
--------------
This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like
to have it included on this page, send the following information:
Institution, City, State, Position title, date position announcement
closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Interesting Links and Reports Available via FTP and WWW
====================================================================

"Reports Available" links from previous issues of Cipher are archived
at http://www.ieee-security.org/Cipher/NewReports.html and
http://www.ieee-security.org/Cipher/InterestingLinks.html

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================
____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to
   cipher-admin@ieee-security.org (which is NOT automated) with subject
   line "subscribe".

   OR send a note to cipher-request@mailman.xmission.com with the
   subject line "subscribe" (this IS automated - thereafter you can
   manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER
   is available for Web browsing send e-mail to
   cipher-admin@ieee-security.org (which is NOT automated) with subject
   line "subscribe postcard".
   OR send a note to cipher-postcard-request@mailman.xmission.com with
   the subject line "subscribe" (this IS automated - thereafter you can
   manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to
cipher-admin@ieee-security.org with subject line "unsubscribe" or, if
you have subscribed directly to the xmission.com mailing list, use your
password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that
way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a
NEWSletter, not a bulletin board or forum. It has a fixed set of
departments, defined by the Table of Contents. Please indicate in the
subject line for which department your contribution is intended.
Calendar and Calls-for-Papers entries should be sent to
cipher-cfp @ ieee-security.org and they will be automatically included
in both departments. To facilitate the semi-automated handling, please
send either a text version of the CFP or a URL from which a text
version can be easily obtained. For Calendar entries, please include a
URL and/or e-mail address for the point-of-contact. For Calls for
Papers, please submit a one paragraph summary. See this and past issues
for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS
APPLY. All reuses of Cipher material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy,
publications using Cipher material should obtain permission from the
contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html

Bill Bartgis
SPAWAR Systems Center Charleston
Code 723BB - Bldg. 3113
POB 190022
North Charleston, South Carolina 29419-9022
843-218-4173
bill.bartgis @ navy.mil
_____________

Mr. Lee Imrey, CPP CISA CISSP
isc2 @ imrey.com
Telephone: +1-312-467-6282
P.O. Box 10309
Chicago, IL 60610 USA
_________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security
and Privacy
________________________________________________________________________

You may easily join the TC on Security & Privacy by completing the
on-line form at IEEE at http://www.computer.org/TCsignup/index.htm
_____________________________________________________________
TC Publications for Sale
_____________________________________________________________

IEEE Security and Privacy Symposium

The 2004 Symposium proceedings are available for $25 plus shipping and
handling. The 2003 proceedings are $20 plus shipping and handling; the
2000 proceedings are $15 plus shipping and handling. The 1998
proceedings are $15 plus shipping and handling. A CD of the 2000-2001
proceedings is $15 plus shipping and handling.

Shipping is $4.00/volume within the US, overseas surface mail is
$7/volume, and overseas airmail is $11/volume, based on an order of 3
volumes or less. The shipping charge for a CD is $1 per CD (no charge
if included with a hard copy order).

Send a check made out to the IEEE Symposium on Security and Privacy to
the TC treasurer (see officers, below) with the order description,
including shipping method, and send email to Hilarie Orman (see below)
with the shipping address, please.
IEEE CS Press

Back issues of TC publications may be available; contact Jonathan
Millen for information about the Computer Security Foundations
Workshop.
________________________________________________________________________
TC Officer Roster
________________________________________________________________________

Chair:
Heather Hinton
IBM Software Group - Tivoli
11400 Burnett Road
Austin, TX 78758
+1 512 838 0455 (voice)
hhinton@us.ibm.com

Past Chair:
Mike Reiter
Carnegie Mellon University
ECE Department
Hamerschlag Hall, Room D208
Pittsburgh, PA 15213 USA
(412) 268-1318 (voice)
reiter@cmu.edu

Vice Chair:
Jonathan Millen
SRI International EL233
Computer Science Laboratory
333 Ravenswood Ave.
Menlo Park, CA 94025
512-838-0455 (voice)
millen@csl.sri.com

Chair, Subcommittee on Academic Affairs:
Prof. Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department
Code CS/IC
Monterey CA 93943-5118
(408) 656-2461 (voice)
irvine@cs.nps.navy.mil

Chair, Subcommittee on Standards:
David Aucsmith
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
425-706-9225 (voice)
425-936-7329 (fax)
awk@microsoft.com

Chair, Subcomm. on Security Conferences:
Jonathan Millen
SRI International EL233
Computer Science Laboratory
333 Ravenswood Ave.
Menlo Park, CA 94025
512-838-0455 (voice)
millen@csl.sri.com

Treasurer:
Tom Chen
Department of Computer Science and Engineering
School of Engineering
Southern Methodist University
P.O. Box 750122
Dallas, TX 75275-0122
(214) 768-8541 (voice)
http://www.engr.smu.edu/~tchen

Newsletter Editor:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Salem, UT 84653
(801) 423-1052 (voice)
cipher-editor@ieee-security.org
________________________________________________________________________

BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html