==========================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 71
March 15, 2006

Hilarie Orman, Editor, cipher-editor @ ieee-security.org
Sven Dietrich, Assoc. Editor, cipher-assoc-editor @ ieee-security.org
Bob Bruen, Book Review Editor, cipher-bookrev @ ieee-security.org
Yong Guan, Calendar Editor, cipher-cfp @ ieee-security.org
==========================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year

This issue is in two parts, this is part 1

Contents:

 * Letter from the Editor
 * News
    o IEEE Computer Society Symposium on Security and Privacy, program
    o NIST issues 2 drafts on cryptographic methods, requests comments
      and issues on final FIPS on key establishment
    o Email signature verification bug in GNU Privacy Guard
    o US Navy lab wins network-centric warfare award
    o Cryptologia announces undergraduate paper competition
    o US Air Force lab seeks information assurance leader
 * Commentary and Opinion
    o Robert Bruen's review of Hands-On Ethical Hacking and Network
      Defense by Simpson, Michael
    o Robert Bruen's review of Penetration Tester's Open Source Toolkit
      by Long, Johnny et al.
    o Book reviews, Conference Reports and Commentary and News items
      from past Cipher issues are available at the Cipher website
 * Conference and Workshop Announcements
    o Calendar of events
    o Upcoming calls-for-papers
 * List of Computer Security Academic Positions, by Cynthia Irvine
 * Staying in Touch
    o Information for subscribers and contributors
    o Recent address changes
 * Links for the IEEE Computer Society TC on Security and Privacy
    o Becoming a member of the TC
    o TC Officers
    o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

This issue of Cipher has the list of papers accepted for the venerable IEEE Computer Society Symposium on Security and Privacy, often known as "Oakland". This year's program features several short papers and a full program of regular length papers. Attendees will receive a CD with several years of past proceedings and the usual ambiance of the Claremont Resort. I am seeking a volunteer reporter to become famous by writing a Cipher article about the Symposium --- arms will be twisted.

Bob Bruen has contributed two book reviews, Yong Guan has continued his great work in keeping the Calls-for-Papers pages up-to-date, and there are several news articles.

I found myself completely bemused by the End User License Agreement for a well-known software product that protects communication using cryptography. It has an audit clause requiring the user to open up his computers to on-site inspection twice a year. Yes, your communication may be safe from the eyes of governments, but the vendor gets free access to your home. This is a definition of privacy with which I am not familiar.

Still searching for security and privacy,

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
News Briefs
====================================================================

-------------------------------------------------------------------
Symposium on Security and Privacy Program
-------------------------------------------------------------------

The Symposium will be held May 21-24 at the Claremont Resort in Berkeley, California. See http://www.ieee-security.org/TC/SP2006/oakland06.html

Session: Signature Generation (Christopher Kruegel)

  Towards Automatic Generation of Vulnerability-Based Signatures
    David Brumley, James Newsome, Dawn Song, Hao Wang, and Somesh Jha
    Carnegie Mellon University, USA, and University of Wisconsin, USA

  Misleading Worm Signature Generators Using Deliberate Noise Injection
    Roberto Perdisci, David Dagon, Wenke Lee, Prahlad Fogla, and Monirul Sharif
    University of Cagliari, Italy, and Georgia Institute of Technology, USA

  Hamsa: Fast Signature Generation for Zero-day Polymorphic Worms with Provable Attack Resilience
    Zhichun Li, Manan Sanghi, Yan Chen, Ming-Yang Kao and Brian Chavez
    Northwestern University, USA

Session: Detection (Robert Cunningham)

  Dataflow Anomaly Detection
    Sandeep Bhatkar, Abhishek Chaturvedi and R. Sekar
    Stony Brook University, USA

  Towards a Framework for the Evaluation of Intrusion Detection Systems
    Alvaro A. Cardenas, Karl Seamon and John S. Baras
    University of Maryland, USA

  Siren: Detecting Evasive Malware (Short Paper)
    Kevin Borders, Xin Zhao and Atul Prakash
    University of Michigan, USA

Session: Privacy (Carl Landwehr)

  Fundamental Limits on the Anonymity Provided by the MIX Technique
    Dakshi Agrawal, Dogan Kesdogan, Vinh Pham, Dieter Rautenbach
    IBM T J Watson Research Center, USA, RWTH Aachen, Germany, and University of Bonn, Germany

  Locating Hidden Servers
    Lasse Øverlier and Paul Syverson
    Norwegian Defence Research Establishment, Norway, Gjøvik University College, Norway, and Naval Research Laboratory, USA

  Practical Inference Control for Data Cubes (Extended Abstract)
    Yingjiu Li, Haibing Lu and Robert H. Deng
    Singapore Management University, Singapore

  Deterring Voluntary Trace Disclosure in Re-encryption Mix Networks
    Philippe Golle, Xiaofeng Wang, Markus Jakobsson and Alex Tsow
    Palo Alto Research Center, USA, and Indiana University, Bloomington, USA

  New Constructions and Practical Applications for Private Stream Searching (Extended Abstract)
    John Bethencourt, Dawn Song and Brent Waters
    Carnegie Mellon University, USA, and SRI International, USA

5-minute Work-in-Progress Talks

Session: Formal Methods (Susan Landau)

  A Computationally Sound Mechanized Prover for Security Protocols
    Bruno Blanchet
    CNRS, École Normale Supérieure, Paris, France

  A Logic for Constraint-based Security Protocol Analysis
    Ricardo Corin, Ari Saptawijaya and Sandro Etalle
    University of Twente, The Netherlands, and University of Indonesia, Indonesia

  Simulatable Security and Concurrent Composition
    Dennis Hofheinz and Dominique Unruh
    CWI, The Netherlands, and University of Karlsruhe, Germany

Session: Analyzing and Enforcing Policy (Tuomas Aura)

  Privacy and Contextual Integrity: Framework and Applications
    Adam Barth, Anupam Datta, John C. Mitchell and Helen Nissenbaum
    Stanford University, USA, and New York University, USA

  FIREMAN: A Toolkit for FIREwall Modeling and ANalysis
    Lihua Yuan, Jianning Mai, Zhendong Su, Hao Chen, Chen-Nee Chuah and Prasant Mohapatra
    University of California, Davis, USA

  Retrofitting Legacy Code for Authorization Policy Enforcement
    Vinod Ganapathy, Trent Jaeger and Somesh Jha
    University of Wisconsin-Madison, USA, and Pennsylvania State University, USA

Session: Analyzing Code (Doug Tygar)

  Deriving an Information Flow Checker and Certifying Compiler for Java
    Gilles Barthe, David A. Naumann and Tamara Rezk
    INRIA Sophia-Antipolis, France, and Stevens Institute of Technology, USA

  Discovering Malicious Disks with Symbolic Execution
    Paul Twohey, Junfeng Yang, Can Sar, Cristian Cadar, and Dawson Engler
    Stanford University, USA

  Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities
    Nenad Jovanovic, Christopher Kruegel and Engin Kirda
    Vienna University of Technology, Austria

  Cobra: Fine-grained Malware Analysis using Stealth Localized-Executions
    Amit Vasudevan and Ramesh Yerraballi
    University of Texas Arlington, USA

Session: Authentication (Paul Van Oorschot)

  Integrity (I) codes: Message Integrity Protection and Authentication Over Insecure Channels
    Mario Cagalj, Srdjan Capkun, Ramkumar Rengaswamy, Ilias Tsigkogiannis, Mani Srivastava and Jean-Pierre Hubaux
    École Polytechnique Fédérale de Lausanne (EPFL), Switzerland, Technical University of Denmark, Denmark, and University of California, Los Angeles, USA

  Cognitive Authentication Schemes Safe Against Spyware
    Daphna Weinshall
    Hebrew University of Jerusalem, Israel

  Cache Cookies for Browser Authentication (Extended Abstract)
    Ari Juels, Markus Jakobsson and Tom N. Jagatic
    RSA Laboratories, USA, RavenWhite Inc., USA, and Indiana University, USA

  Secure Device Pairing based on a Visual Channel
    Nitesh Saxena, Jan-Erik Ekberg, Kari Kostiainen and N. Asokan
    University of California, Irvine, USA, and Nokia Research Center, Finland

Session: Attacks (Kevin Fu)

  SubVirt: Implementing malware with virtual machines
    Samuel T. King, Peter M. Chen, Yi-Min Wang, Chad Verbowski, Helen J. Wang, Jacob R. Lorch
    University of Michigan, USA, and Microsoft Research, USA

  Practical Attacks on Proximity Identification Systems (Short Paper)
    Gerhard P. Hancke
    University of Cambridge, UK

  On the Secrecy of Timing-Based Active Watermarking Trace-Back Techniques
    Pai Peng, Peng Ning and Douglas S. Reeves
    North Carolina State University, USA

Session: Systems (Helen Wang)

  A Safety-Oriented Platform for Web Applications
    Richard S. Cox, Jacob Gorm Hansen, Steven D. Gribble, and Henry M. Levy
    University of Washington, USA, and University of Copenhagen, Denmark

  Tamper-Evident, History-Independent, Subliminal-Free Data Structures on PROM Storage -or- How to Store Ballots on a Voting Machine (Extended Abstract)
    David Molnar, Tadayoshi Kohno, Naveen Sastry and David Wagner
    University of California, Berkeley, USA, and University of California, San Diego, USA

  Analysis of the Linux Random Number Generator
    Zvi Gutterman, Benny Pinkas and Tzachy Reinman
    Hebrew University, Israel, Haifa University, Israel, and Safend, Israel

  The Final Nail in WEP's Coffin
    Andrea Bittau, Mark Handley and Joshua Lackey
    University College London, UK, and Microsoft, USA

-------------------------------------------------------------------
NIST Issues 2 Drafts and One Final FIPS on Cryptographic Standards
http://csrc.nist.gov/publications/drafts.html
March 13, 2006
-------------------------------------------------------------------

Elaine Barker wrote:

A draft of Federal Information Processing Standard (FIPS) 186-3, Digital Signature Standard (DSS), is available for public comment as announced in the Federal Register. The draft is available at http://csrc.nist.gov/publications/drafts.html.
Please submit comments to ebarker@nist.gov with "Comments on Draft 186-3" in the subject line. The comment period closes on June 12, 2006.

A draft of an accompanying document to the proposed FIPS 186-3, NIST Special Publication (SP) 800-89, Recommendation for Obtaining Assurances for Digital Signature Applications, is also available for public comment at http://csrc.nist.gov/publications/drafts.html. Please submit comments to ebarker@nist.gov with "Comments on SP 800-89" in the subject line. The comment period closes on April 28, 2006.

NIST Special Publication (SP) 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography, has been posted as a final document at http://csrc.nist.gov/publications/nistpubs/index.html

Elaine Barker
National Institute of Standards and Technology
100 Bureau Drive, Stop 8930
Gaithersburg, MD 20899-8930
301-975-2911

-------------------------------------------------------------------
GNU Privacy Guard Signature Bug
March 9, 2006
forwarded by Rich Schroeppel
-------------------------------------------------------------------

The GNU Privacy Guard is an implementation of the OpenPGP standard for secure email. Recently it was noticed that given a signed email you can change the message to prepend and append arbitrary data to the message without disturbing the signature verification report to the user. It appears this bug has existed for years without anybody finding it. The bug arises from the complexity of parsing the message formats while preserving backward compatibility with older implementations.
http://lists.gnupg.org/pipermail/gnupg-announce/2006q1/000216.html

-------------------------------------------------------------------
Cryptologia Offers Undergraduate Paper Competition
Press Release
February 16, 2006
-------------------------------------------------------------------

Undergraduate Paper Competitions: Cash Prizes and Publication

Cryptologia is the only scholarly journal dealing with the history and technology of communications intelligence with specific attention to the mathematics of cryptology. The journal sponsors two undergraduate paper competitions in cryptology, each with a $300 cash prize and publication of the winning article.

The journal's articles have broken many new paths in technical and mathematical cryptology as well as areas such as intelligence history by fostering the study of all aspects of cryptology -- technical as well as historical and cultural. Editor-in-Chief Brian Winkel, Dept of MathSci, United States Military Academy at West Point, and a renowned international editorial board of the world's foremost scholars in cryptology plan to disseminate papers of lasting appeal to mathematicians, security specialists, computer scientists, historians, political scientists, and teachers.

For more information, please visit the journal's website at http://tandf.co.uk/journal/titles/01611194.asp. Starting in 2006, Cryptologia will be published by Taylor & Francis.

-------------------------------------------------------------------
Navy Lab Wins Network-Centric Warfare Award
Press Release
February 6, 2006
-------------------------------------------------------------------

Charleston, SC, (February 6, 2006) - The Test and Validation Lab of the Net Centric Programs Office at SPAWAR Systems Center Charleston was honored recently by the Institute for Defense and Government Advancement (IDGA) with a 2006 Net Centric Warfare Award for outstanding contributions to the development of network centric warfare theory.

According to IDGA Executive Director Megan Knapp, IDGA's Network Centric Warfare (NCW) Awards were established to "honor, recognize and promote initiatives in the US Department of Defense, Coalition Governments, and Defense Industry that exemplify the principles of networkcentric warfare and support information age transformation." A panel of respected defense sector leaders evaluated the nominees and determined the winners.

Randall Shirley, Director of the Net Centric Programs Office, said, "As this award signifies, the Test and Validation Lab exemplifies the best in current initiatives and sets new standards of excellence for incorporating an innovative concept into future work for the Department of Defense."

The innovative methods developed by the Test and Validation Lab have supported development of network-centric warfare theory by enabling developers to integrate computer network defensive principles to create robust and secure Service Oriented Architecture (SOA) functionality in a minimal amount of time. As an SOA Center of Excellence for Engineering Services, the Test and Validation Lab will use its experience to help other developers of network centric warfare release their tested, certified, and accredited applications rapidly into the battlefield.

For more information on IDGA and the annual NCW Awards and Conference, visit www.idga.org or www.ncwawards.com.

-------------------------------------------------------------------
Air Force Lab Seeks Information Assurance Leader
February 24, 2006
Contributed by Gene Spafford
-------------------------------------------------------------------

The position is for a new senior-level position in Information Assurance (IA) at the Air Force Research Laboratory, Information Directorate (AFRL/IF).
The search is not yet officially open, but informal inquiries can be directed to the chief scientist of the lab at this location, John Bay, john.bay@rl.af.mil

-------------------------------------------------------------------

News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Robert Bruen
March 14, 2006
____________________________________________________________________

Hands-On Ethical Hacking and Network Defense
by Simpson, Michael
Thomson Course Technology 2006.
ISBN: 0-619-21709-1
Index, glossary, 3 appendices, Bootable CDRom

Textbooks get reviewed primarily by trade publications, but every now and then I choose to review an exceptional textbook. Some security professionals teach in an academic environment and it has been difficult to find good textbooks for their security courses. The run-of-the-mill textbooks contain the usual content, often presented somewhat better than the trade equivalent because of the pedagogical slant. Sadly, a number of them have been dumbed down to meet the needs of the current crop of college students.

When done well, textbooks are gems because the standard fare for them includes lots of extras that just do not appear in trade books. The teacher looking to reduce the burden of preparation is happy because presentation slides are included, along with review questions, projects for students, detailed chapter summaries and lots of definitions.
Nothing is taken for granted; even in the middle of a chapter you find activities that can run for 10 minutes to 30 minutes to make sure that you understand the related concept.

This particular book extensively uses the work of several organizations, including the Institute for Security and Open Methodologies (ISECOM) and the Independent Computer Consultants Associations (ICCA). With many of the community colleges looking more like a certification organization, these organizations are important. As the field of hacking becomes mainstream, customers want to be assured that the professional being hired will not end up in prison for unethical behavior. Trust is important, as is the use of standards with meaning. Simpson and ISECOM adhere to the Open Source Security Testing Methodology Manual.

The security students in college today were born about the same time as the Morris worm and were in grammar school when Netscape changed the World Wide Web forever. They are coming of age at a time when law enforcement is struggling to keep up with a cyber crimes environment that is out of control. They need to have good technical resources, ethical standards and a sense of grounding in a virtual world. This textbook aims at the advanced student who has, perhaps, a couple of public keys with certificates, a good understanding of networks and the elements of computer security. If you need a hacking textbook, this is it.

____________________________________________________________________
Book Review By Robert Bruen
March 14, 2006
____________________________________________________________________

Penetration Tester's Open Source Toolkit
by Long, Johnny et al.
Syngress 2006.
ISBN 1-59749-021-0
$59.95 ($35.97 at www.syngress.com), bootable CDRom (with many tools), index, 704 pages.

Books with useful penetration testing information are still few and far between. Although there are several good ones available, some are four years old now.
I am always happy to see good books come out in areas which need more. This book is an all-inclusive tutorial for almost everything you need to know about "pen testing." The chapters really show you step-by-step instructions for making things work. If you are new to pen testing, then this is a valuable resource. If you are experienced you should still find some new tidbits.

The chapters break down into several groups. The first few explain what the business is all about and what you do, starting with the basics: reconnaissance, enumeration and scanning. The standard Unix commands are demonstrated, such as "whois", "host" and "dig", as well as standard tools like "NMap" and "Sam Spade." In addition, the free BiLE (Bi-Directional Link Extractor) Software Suite from Sense Post is given a lot of attention. It is a set of Perl scripts that can be used to gain information from web sites. Unfortunately, at the time of this writing, Sense Post no longer provides the suite. On the other hand, http://www-remote-exploit.org still does offer the Auditor CD iso image.

Auditor is the collection of open source tools that forms the basis of the book. The latest collection is large, close to 200 titles, none of which is the BiLE suite. The value of a collection comes in saving you the time and effort of collecting them all yourself. Sometimes even good tools are not well known so you miss them in your search. The other value is a book with good instructions for using the tools.

The next chapter group is about the specific targets, databases, web servers and wireless. The wireless set has really grown from the early days of the Netstumbler tool to software which will grab latitude and longitude of a wireless signal which can then be fed into a digital map with an overlay of the signal range.

The last part is the group of chapters that cover tools in depth. There is also a chapter on writing code for your own tools.
I thank the authors for including a chapter to encourage people to write code and I was happy to see the Java IDE Eclipse highlighted. Eclipse is a big piece of software with its own book, but the brief introduction here is helpful.

Nessus and Metasploit get the most coverage for individual tools. The Nessus version in the book is an older version, but for the beginner it is still worthwhile and it can be run from the CD. The explanation and instructions are good enough to get it installed and working. Metasploit deserves whatever publicity it can get, so my apologies to HDM [Ed. try Google]. The last two chapters are a good introduction to Metasploit, although not to the latest version.

This book generally does a very good job of detailing the usage of the tools, especially if you are just starting out or need to expand your knowledge. In spite of a few problems, I recommend purchasing the book for the broad coverage, free tools and detailed instructions.

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Calendar of Security and Privacy Related Events
maintained by Hilarie Orman

Date (Month/Day/Year), Event, Locations, web page for more info.

 3/15/06: Machine Learning for Computer Security, Journal Special Issue, http://www.cs.fit.edu/~pkc/mlsec/ submissions are due
 3/15/06- 3/17/06: Fast Software Encryption (FSE), Graz, Austria http://fse2006.iaik.tugraz.at/
 3/20/06: Workshop on the Economics of Information Security (WEIS), University of Cambridge, England; Submissions are due; http://www.cl.cam.ac.uk/~twm29/WEIS06/
 3/21/06- 3/23/06: ACM Symposium on Information, Computer and Communications Security (AsiaCCS), Taipei, Taiwan; http://www.iis.sinica.edu.tw/asiaccs06/
 3/23/06: Conference on Email and Anti-Spam (CEAS), Mountain View, California; http://www.ceas.cc, Submissions are due; info: information@ceas.cc
 3/26/06: New Security Paradigms Workshop (NSPW), Schloss Dagstuhl, Germany; http://www.nspw.org, submissions are due
 3/30/06: Embedded Networked Sensor Systems (SenSys), Boulder, Colorado; http://www.isi.edu/sensys2006/, submissions are due
 3/30/06: Workshop on Web Services Security (WSSS), Berkeley, CA; (no proceedings); Submissions are due; info: singhal@nist.gov
 3/31/06: Recent Advances in Intrusion Detection (RAID), Hamburg, Germany; http://www.raid06.tu-harburg.de/, Submissions are due; info: diego@tu-harburg.de
 3/31/06: European Symposium On Research In Computer Security (ESORICS), Hamburg, Germany; http://www.esorics06.tu-harburg.de/, submissions are due
------
 4/ 1/06: Journal of Computer Security (JCS), Special Issue on Security of Ad Hoc and Sensor Networks (JCS-SI-AdHoc-Sensor-Nets), submissions are due; http://discovery.csc.ncsu.edu/JCS-SASN06/
 4/ 1/06: Security and Privacy for Emerging Areas in Communication Networks (SecureComm), Baltimore/Washington, USA; http://www.securecomm.org Submissions are due; info: baras@isr.umd.edu
 4/ 2/06: Security Issues in Adaptive Distributed Systems (SIADS), Orlando, Florida; peer review, printed proceedings; submissions are due
 4/ 4/06- 4/6/04: NIST PKI, Gaithersburg, MD, USA http://middleware.internet2.edu/pki06/
 4/ 5/06: International Journal of Information and Computer Security, Special Issue on Security and Privacy Aspects of Data Mining, Journal special issue, submissions are due http://www.site.uottawa.ca/~zhizhan/psdmspecialissue2006/index.htm
 4/ 5/06: Internet Surveillance and Protection (ICISP); Cote d'Azur, France; http://www.iaria.org/conferences/ICNS06.html, Submissions are due; info: petre@iaria.org
 4/10/06- 4/12/06: Workshop on Information Assurance (WIA), Phoenix, AZ http://www.sis.pitt.edu/~lersais/WIA2006
 4/13/06- 4/14/06: Information Assurance Workshop (IWIA), Royal Holloway, UK; http://iwia.org/2006/
 4/15/06: Workshop on the Value of Security through Collaboration (SECOVAL), Baltimore, MD; http://www.securecomm.org, Submissions are due; info: secoval@trustcomp.or
 4/16/06: Workshop on Formal and Computational Cryptography (WFCC), Venice, Italy; http://www.lsv.ens-cachan.fr/FCC2006/, Submissions are due; info: fcc2006@lsv.ens-cachan.fr
 4/18/06: Workshop on Secure Software Engineering Education and Training (WSSEET), Turtle Bay, Oahu, HI; http://www.jmu.edu/iiia/wsseet/
 4/20/06- 4/22/06: Availability, Reliability and Security (ARES), Vienna, Austria; http://www.ares-conf.org
 4/20/06: USENIX Workshop on Steps to Reducing Unwanted Traffic on the Internet (SRUTI); San Jose, CA; http://www.usenix.org/events/sruti06/, submissions are due
 4/20/06- 4/22/06: Dependability Aspects on Data WArehousing and Mining Applications (DAWAM), Vienna, Austria; http://www.ares-conf.org/?q=dawam
 4/23/06- 4/27/06: ACM Symposium on Applied Computing, Track: Trust, Recommendations, Evidence and other Collaboration Know-how (SAC-TRECK), Dijon, France; http://www.acm.org/conferences/sac/sac2006/
 4/23/06: Privacy and HCI: Methodologies for Studying Privacy Issues (P&HCI), Montreal, Canada; http://www.privacymethodologies.tk
------
 5/ 1/06: Advances in Computer Security and Forensics (ACSF), Liverpool, UK; http://www.cms.livjm.ac.uk/acsf1/, Submissions are due; info: Haggerty@ljmu.ac.uk
 5/ 1/06: Thread Verification (TV), Seattle, Washington; http://www.cs.utah.edu/tv06, submissions are due
 5/12/06: NIST Cryptographic Hash Workshop (NIST-CHW2), Santa Barbara, CA; http://www.nist.gov/hash-function, submissions are due
 5/16/06- 5/19/06: Conference on Trust Management (iTrust), Pisa, Tuscany, Italy; http://www.iit.cnr.it/iTrust2006
 5/16/06- 5/19/06: Workshop on Cluster Security (ClusterSec), Singapore; http://www.ncassr.org/projects/cluster-sec/ccgrid06/
 5/21/06: Workshop on Web Services Security (WSSS), Berkeley, CA; info: singhal@nist.gov
 5/21/06: Workshop on Web Services Security (WSSS), Berkeley, CA
 5/21/06- 5/24/06: Symposium on Security and Privacy (S&P), Berkeley/Oakland, California; http://www.ieee-security.org/TC/SP2006/oakland06.html
 5/22/06- 5/24/06: IFIP TC-11 International Information Security Conference (SEC), Karlstad University, Sweden; http://www.sec2006.org
 5/28/06- 6/01/06: IACR Eurocrypt, St. Petersburg, Russia http://www.iacr.org/conferences/eurocrypt2006/
 5/29/06: Workshop on Security and Privacy in Ad hoc and Sensor Networks (ESAS), Hamburg, Germany; http://www.crysys.hu/ESAS2006, submissions are due
 5/31/06: School on Foundations of Security Analysis and Design (FOSAD), Bertinoro, Italy; http://www.sti.uniurb.it/events/fosad06, applications are due
------
 6/ 3/06: USENIX Annual Technical Conference, Boston, Massachusetts; http://www.usenix.org/events/usenix06/cfp/papers.html
 6/ 4/06: Annual Computer Security Applications Conference (ACSAC), Miami Beach, Florida; http://www.acsac.org/2006/cfp_2006.pdf, submissions are due
 6/ 5/06- 6/ 7/06: Conference on Sensor Networks, Ubiquitous, and Trustworthy Computing (SUTC), Taichung, Taiwan; http://SUTC2006.asia.edu.tw/
 6/ 5/06- 6/ 7/06: Workshop on Policies for Distributed Systems and Networks (PDSN); London, Ontario, Canada; http://www.csd.uwo.ca/Policy2006
 6/ 6/06- 6/ 9/06: Applied Cryptography and Network Security (ACNS), Singapore; http://acns2006.i2r.a-star.edu.sg/
 6/10/06: Programming Languages and Analysis for Security (PLAS), Ottawa, Canada; http://www.cis.upenn.edu/~stevez/plas06.html
 6/19/06- 6/20/06: European PKI workshop: theory and practice (EuroPKI), Torino, Italy; http://security.polito.it/europki2006
 6/26/06- 6/28/06: Workshop on the Economics of Information Security (WEIS), Cambridge, England; http://www.cl.cam.ac.uk/~twm29/WEIS06/
 6/26/06: Workshop on Trust, Security and Privacy for Ubiquitous Computing (TSPUC), Niagara Falls, NY http://www.ieee-security.org/Calendar/cfps/cfp-TSPUC2006.html
 6/28/06- 6/30/06: Privacy Enhancing Technologies (PET), Robinson College, Cambridge, UK; http://petworkshop.org/2006/
------
 7/ 3/06- 7/ 5/06: Australasian Conference on Information Security and Privacy (ACISP), Melbourne, Australia; http://acisp2006.it.deakin.edu.au/
 7/ 6/06- 7/ 7/06: USENIX Workshop on Steps to Reducing Unwanted Traffic on the Internet (SRUTI), San Jose, CA; http://www.usenix.org/events/sruti06/
 7/ 9/06: Workshop on Formal and Computational Cryptography (WFCC), Venice, Italy; http://www.lsv.ens-cachan.fr/FCC2006/
 7/10/06- 7/12/06: Information Hiding (IH), Old Town Alexandria, Virginia, info: ih2006@jjtc.com
 7/13/06- 7/14/06: Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA), Berlin, Germany; http://www.dimva.org/dimva2006
 7/13/06- 7/14/06: Advances in Computer Security and Forensics (ACSF), Liverpool, UK; http://www.cms.livjm.ac.uk/acsf1/
 7/20/06- 7/23/06: Security Issues in Adaptive Distributed Systems (SIADS), a session at CITSA, Orlando, Florida; peer review, printed proceedings
 7/27/06- 7/28/06: Conference on Email and Anti-Spam (CEAS), Mountain View, CA; http://www.ceas.cc
 7/31/06- 8/ 4/06: USENIX Security Symposium (USENIX-Security), Vancouver, BC, Canada; http://www.usenix.org/sec06/cfpc/, info: sec06chair@usenix.org
------
 8/ 1/06- 8/ 4/06: Workshop on Security in Ubiquitous Computing Systems (SecUbiq), Seoul, Korea; http://www.sitacs.uow.au/secubiq06/
 8/ 6/06: The Workshop on the Economics of Securing the Information Infrastructure (WESII), Arlington, VA; http://wesii.econinfosec.org/, submissions are due
 8/ 7/06- 8/10/06: Conference on Security and Cryptography (SECRYPT), Setubal, Portugal http://www.secrypt.org/
 8/21/06- 8/27/06: Symposium on formal methods (FM), Ontario, Canada; http://fm06.mcmaster.ca/
 8/21/06- 8/22/06: Thread Verification (TV), Seattle, Washington; http://www.cs.utah.edu/tv06
 8/20/06- 8/23/06: IACR CRYPTO, Santa Barbara, CA http://www.iacr.org/conferences/crypto2006/
 8/24/06- 8/25/06: NIST Cryptographic Hash Workshop (NIST-CHW2), Santa Barbara, CA; http://www.nist.gov/hash-function
 8/27/06- 8/29/06: Internet Surveillance and Protection (ICISP); Cote d'Azur, France; http://www.iaria.org/conferences/ICNS06.html
 8/28/06- 9/ 1/06: Workshop on the Value of Security through Collaboration (SECOVAL); Baltimore, MD; http://www.securecomm.org
 8/30/06- 9/ 2/06: Information Security Conference (ISC), Pythagoras, Greece; http://www.aegean.gr/ISC06
------
 9/10/06- 9/16/06: School on Foundations of Security Analysis and Design (FOSAD); Bertinoro, Italy; http://www.sti.uniurb.it/events/fosad06
 9/11/06- 9/15/06: Security and Privacy for Emerging Areas in Communication Networks (SecureComm), Baltimore/Washington, USA; http://www.securecomm.org
 9/18/06- 9/21/06: New Security Paradigms Workshop (NSPW), Schloss Dagstuhl, Germany; http://www.nspw.org
 9/18/06- 9/20/06: Workshop on Elliptic Curve Cryptography (ECC), Toronto, Canada http://www.ieee-security.org/Calendar/cfps/cfp-ECC2006.html
 9/18/06- 9/20/06: European Symposium On Research In Computer Security (ESORICS), Hamburg, Germany; http://www.esorics06.tu-harburg.de/
 9/20/06- 9/22/06: Recent Advances in Intrusion Detection (RAID), Hamburg, Germany; http://www.raid06.tu-harburg.de/
 9/20/06- 9/21/06: Workshop on Security and Privacy in Ad hoc and Sensor Networks (ESAS), Hamburg, Germany; http://www.crysys.hu/ESAS2006
------
10/23/06-10/24/06: The Workshop on the Economics of Securing the Information Infrastructure (WESII), Arlington, VA; http://wesii.econinfosec.org/
------
11/ 1/06-11/ 3/06: Embedded Networked Sensor Systems (SenSys), Boulder, Colorado; http://www.isi.edu/sensys2006/
------
12/11/06-12/15/06: Annual Computer Security Applications Conference (ACSAC), Miami Beach, Florida; http://www.acsac.org/2006/cfp_2006.pdf

[end of part 1]