To: cipher@mailman.xmission.com
Subject: IEEE CIPHER, Issue 77, March 19, 2007

-----------------------------------------------------------------------
Subject: Electronic CIPHER, Issue 77, March 19, 2007

============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 77                                        March 19, 2007

Hilarie Orman, Editor                  Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org      cipher-assoc-editor @ ieee-security.org

Yong Guan, Book Review Editor          Calendar Editor
cipher-bookrev @ ieee-security.org     cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year

Contents:

* Letter from the Editor
* Commentary and Opinion
  o IEEE Security and Privacy Symposium, preliminary program
  o IETF Domain Keys Identified Mail (DKIM) standardization status
  o Richard Austin's review of The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities by Mark Dowd, John McDonald and Justin Schuh
  o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website
* Conference and Workshop Announcements
  o Calendar entries
  o Upcoming calls-for-papers and events
* List of Computer Security Academic Positions, by Cynthia Irvine
* Staying in Touch
  o Information for subscribers and contributors
  o Recent address changes, Jeff Demello
* Interesting Links and New reports available via FTP and WWW
* Links for the IEEE Computer Society TC on Security and Privacy
  o Becoming a member of the TC
  o TC Officers
  o TC publications for sale
====================================================================
Letter from the Editor
====================================================================

Dear Readers:

It is March, the month in which Cipher always extols the virtues of the IEEE Symposium on Security and Privacy. We have the program with the 29 accepted papers, a mixture of short and long expositions, and it represents the great research that we expect from the event. The quality comes from the hard work and dedication of the volunteers who serve the community each year, and they deserve our thanks.

We also have a book review from Richard Austin, who is becoming a Cipher regular with his readings in security literature. Jim Fenton brings us news from the IETF, where a new tool in the fight for secure email is emerging in the form of DomainKeys Identified Mail.

This year's Security and Privacy Symposium caused several of us to carefully consider the policy concerning papers submitted to more than one conference review committee. Generally, committees require exclusive review rights to the papers during their deliberations. Several complaints about authors who violate this restriction by submitting their paper to several committees simultaneously have surfaced during the last few years, and various proposals for policing submissions have been put forward. Authors want to have their papers published, and reviewers don't want to waste their time on the same papers over and over. There is, as yet, no consensus on what to do, and the Cipher website will soon carry an editorial on the subject from someone who has served on several recent committees. Watch for it. This may also be a topic for discussion during the Security and Privacy Symposium.

For the time being, keep your firewall dry and don't fire until you see their buffers overflow.
Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
Conference and Workshop Announcements
====================================================================

Preliminary Program of the 2007 IEEE Symposium on Security and Privacy
May 20-23, 2007
The Claremont Resort
Berkeley/Oakland, California, USA
http://www.ieee-security.org/TC/SP2007/oakland07.html

Sponsored by the IEEE Computer Society Technical Committee on Security and
Privacy in co-operation with The International Association for Cryptologic
Research (IACR)

Sunday, May 20, 2007
16:00-19:00 Registration and Reception

Monday, May 21, 2007
8:00-9:00   Continental breakfast
9:00-9:15   Opening Remarks (Deborah Shands, Birgit Pfitzmann)
9:15-10:15  Keynote Talk, "Reflections on the Future of Security and Privacy"
            Peter G. Neumann
10:45-12:15 Session: Network Security
  "Accurate Real-time Identification of IP Prefix Hijacking"
    Xin Hu and Z. Morley Mao
  "DSSS-Based Flow Marking Technique for Invisible Traceback"
    Wei Yu, Xinwen Fu, Steve Graham, Dong Xuan and Wei Zhao
  "On the Safety and Efficiency of Firewall Policy Deployment"
    Charles Z. Zhang, Marianne Winslett and Carl A. Gunter
12:15-13:45 Lunch
13:45-15:30 Session: Authentication
  "The Emperor's New Security Indicators: An evaluation of website authentication and the effect of role playing on usability studies"
    Stuart Schechter, Rachna Dhamija, Andy Ozment and Ian Fischer
  "Cryptanalysis of a Cognitive Authentication Scheme"
    Philippe Golle and David Wagner
  "A Systematic Approach to Uncover Security Flaws in GUI Logic"
    Shuo Chen, José Meseguer, Ralf Sasse, Helen J. Wang and Yi-Min Wang
  "Forward-Secure Sequential Aggregate Authentication"
    Di Ma and Gene Tsudik
  "Extended abstract: Provable-Security Analysis of Authenticated Encryption in Kerberos"
    Alexandra Boldyreva and Virendra Kumar
16:00-17:30 Session: 5-minute Work-in-Progress Talks
18:00-20:00 Reception

Tuesday, May 22, 2007
8:00-9:00   Continental breakfast
9:00-10:30  Session: Privacy
  "Endorsed E-Cash"
    Jan Camenisch, Anna Lysyanskaya and Mira Meyerovich
  "Network Flow Watermarking Attack on Low-Latency Anonymous Communication Systems"
    Xinyuan Wang, Shiping Chen and Sushil Jajodia
  "Improving the Robustness of Private Information Retrieval"
    Ian Goldberg
11:00-12:15 Session: Access Control and Audit
  "Beyond Stack Inspection: A Unified Access-Control and Information-Flow Security Model"
    Marco Pistoia, Anindya Banerjee and David A. Naumann
  "Usable Mandatory Integrity Protection for Operating Systems"
    Ninghui Li, Ziqing Mao and Hong Chen
  "Enforcing Semantic Integrity on Untrusted Clients in Networked Virtual Environments (Extended abstract)"
    Somesh Jha, Stefan Katzenbeisser, Christian Schallhart, Helmut Veith and Stephen Chenney
12:15-13:45 Lunch
13:45-15:15 Session: Information Flow
  "Information Flow in the Peer-Reviewing Process (Extended Abstract)"
    Michael Backes, Markus Duermuth and Dominique Unruh (15 minutes)
  "A Cryptographic Decentralized Label Model"
    Jeffrey A. Vaughan and Steve Zdancewic
  "Gradual Release: Unifying Declassification, Encryption and Key Release Policies"
    Aslan Askarov and Andrei Sabelfeld
  "Fuzzy Multi-Level Security: An Experiment on Quantified Risk-Adaptive Access Control"
    Pau-Chen Cheng, Pankaj Rohatgi, Claudia Keser, Paul A. Karger, Grant M. Wagner and Angela Schuett Reninger
15:45-17:30 Session: Host Security
  "Exploring Multiple Execution Paths for Malware Analysis"
    Andreas Moser, Christopher Kruegel and Engin Kirda
  "Lurking in the Shadows: Identifying Systemic Threats to Kernel Data"
    Arati Baliga, Pandurang Kamat and Liviu Iftode
  "ShieldGen: Automatic Data Patch Generation for Unknown Vulnerabilities with Informed Probing"
    Weidong Cui, Marcus Peinado, Helen J. Wang and Michael Locasto
  "Minimal TCB Code Execution"
    Jonathan M. McCune, Bryan Parno, Adrian Perrig, Michael K. Reiter and Arvind Seshadri
  "Using Rescue Points to Navigate Software Recovery (Short Paper)"
    Stelios Sidiroglou, Oren Laadan, Angelos Keromytis and Jason Nieh
17:45-18:30 Business Meeting

Wednesday, May 23, 2007
8:00-9:00   Continental breakfast
9:00-10:30  Session: Hardware and Replication
  "Moats and Drawbridges: An Isolation Primitive for Reconfigurable Hardware Based Systems"
    Ted Huffmire, Brett Brotherton, Gang Wang, Tim Sherwood, Ryan Kastner, Timothy Levin, Thuy Nguyen and Cynthia Irvine
  "Trojan Detection using IC Fingerprinting"
    Dakshi Agrawal, Selcuk Baktir, Deniz Karakoyunlu, Pankaj Rohatgi and Berk Sunar
  "On the Optimal Communication Complexity of Multiphase Protocols for Perfect Communication"
    Kannan Srinathan, N. R. Prasad and C. Pandu Rangan
11:00-12:30 Session: Encryption
  "Ciphertext-Policy Attribute-Based Encryption"
    John Bethencourt, Amit Sahai and Brent Waters
  "Attacking the IPsec Standards in Encryption-only Configurations"
    Jean Paul Degabriele and Kenneth Graham Paterson
  "Multi-Dimensional Range Query over Encrypted Data"
    Elaine Shi, John Bethencourt, T.-H. Hubert Chan, Dawn Song and Adrian Perrig
12:30-14:00 Boxed lunch

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

____________________________________________________________________
IETF Domain Keys Identified Mail Status
Special to Cipher by Jim Fenton (Cisco Systems, Inc.)
Mar. 15, 2007
____________________________________________________________________

DomainKeys Identified Mail (DKIM) is a specification for cryptographically signing email messages, permitting a signing domain to claim responsibility for a message in the mail stream. Message recipients (or agents acting on their behalf) can verify the signature by querying the signer's domain directly to retrieve the appropriate public key, and thereby confirm that the message was attested to by a party in possession of the private key for the signing domain.

An explicit goal of DKIM is to be minimally disruptive to existing email users. Unexpected changes to message appearance or functionality would likely result in confusion among less-sophisticated users and reluctance to deploy on the part of signing domains. As a result, the signature itself is a field in the message header, where it is not normally visible in most mail user agents (MUAs) unless requested. Under most circumstances, DKIM signatures are applied and verified at the domain level, so that individual users do not need to implement DKIM other than possibly to act on the results of message authentication performed by their domains. DKIM is intended to be complementary to (and can be used with) existing message security technologies such as PGP [RFC2440] and S/MIME [RFC3851].

DKIM makes very carefully considered compromises between robustness and the brittleness of cryptographic signatures in environments, such as email, where the material being signed is subject to possible modification en route. Common, innocuous modifications such as changing the end-of-line wrapping can be accommodated through the use of a canonicalization algorithm that removes such spacing features from the input to the signature calculation. DKIM also allows the signer to specify particular message header fields as part of the signature, bypassing others that may be modified in transit. These robustness features are available for use at the option of the signer, which can nevertheless choose not to permit such modifications as appropriate for the application.

Another approach to robustness in DKIM is for the modifier of a message to re-sign the message following the modification. This would typically be the case for mailing lists and commercial services that add advertising, mailing list instructions, or other material to messages. These "third-party" signatures take advantage of trust that certain known third parties will sign only messages that have been legitimately introduced into the mail system.

While provisions have been made for a number of key management systems, the initial key management that has been defined for DKIM is through the use of TXT records stored in the signer's Domain Name System (DNS) hierarchy. The location of a key record is specified by a "selector", an arbitrary name for the key and associated information. For example, if example.com uses the selector named "march2007", the public key would be obtained by retrieving the TXT record from march2007._domainkey.example.com. In addition to the public key itself, the key record contains information such as the algorithms that are used to calculate the signature. This is intended to guard against downgrade attacks, should any of the algorithms currently in use be insufficiently secure at some point in the future.

It is recognized that DNS is not currently a secure key distribution mechanism. While in the longer term DNSSEC [RFC4033] holds the promise of improving that situation, possible DNS attacks such as cache poisoning and name chaining [RFC3833] currently limit the security that is available through DKIM. However, the choice of DNS greatly enhances deployability by not introducing a new public-key infrastructure.

Many email applications depend on the ability of a sending domain to authorize external parties to send email on their behalf. This is frequently done by enterprises that outsource some of their services, such as technical support, benefits, and company newsletters. DKIM provides several different ways of delegating signing authority to such parties. One approach is for the external party to provide a public key that the domain registers by creating a selector for it. If desired, the validity of the key can be restricted to particular addresses within the domain through the use of a tag in the key record. Signing authority for a given domain can also be granted by using NS records to delegate the entire _domainkey subdomain. This might be done to permit keys to be managed directly by an external entity, such as an email service provider, or an internal one, like a separate IT messaging organization.

Within the IETF, the DKIM base protocol specification [DKIM-BASE] was approved by the IESG as a standards-track RFC in February 2007, and publication is expected in the very near future. An analysis of threats relating to DKIM [RFC4686] has also been published. The IETF DKIM Working Group is continuing to develop guidance on deployment and usage of DKIM. A related protocol, Sender Signing Policy (SSP), is under discussion that would allow a sending domain to publish information about its usage of DKIM. SSP will allow domains to publish assertions such as "we sign all messages leaving our domain", which may be useful information to verifiers receiving a message from that domain that lacks a valid DKIM signature.

DKIM is a valuable tool in the fight against malicious email. While not a complete solution to spam and phishing, the existence of a verified indication of the source of email messages is an important tool enabling reputation, accreditation, and whitelist systems to aid in more accurate message evaluation. A number of commercial and open-source products have already implemented DKIM, greatly facilitating its deployment. Several large domains are already using DKIM, and DKIM signatures are appearing in email messages in ever-greater numbers.

For more information on DKIM, please consult the DKIM website at http://dkim.org or contact Jim Fenton (fenton@cisco.com).

References

[RFC2440] Callas, J., Donnerhacke, L., Finney, H., and R. Thayer, "OpenPGP Message Format," RFC 2440, November 1998.
[RFC3833] Atkins, D. and R. Austein, "Threat Analysis of the Domain Name System (DNS)," RFC 3833, August 2004.
[RFC3851] Ramsdell, B., "S/MIME Version 3 Message Specification," RFC 3851, June 1999.
[RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "DNS Security Introduction and Requirements," RFC 4033, March 2005.
[RFC4686] Fenton, J., "Analysis of Threats Motivating DomainKeys Identified Mail (DKIM)," RFC 4686, September 2006.
[DKIM-BASE] Allman, E., Callas, J., Delany, M., Libbey, M., Fenton, J., and M. Thomas, "DomainKeys Identified Mail (DKIM) Signatures," Internet-Draft draft-ietf-dkim-base-10 (work in progress), February 2007.
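As an added example (not part of Jim Fenton's article, the DKIM working group's output, or any mail product), the following Python sketches the verifier-side steps the article describes: building the selector lookup name, reading the tag=value key record and signature header, canonicalizing a header field so that re-wrapping in transit does not break the signature, and rejecting a signature whose hash algorithm or signing address the key record does not permit. Tag names follow draft-ietf-dkim-base-10 (published as RFC 4871); the key record, signature and addresses are constructed sample data, and the p=, bh= and b= values are placeholders rather than real key material.

```python
"""Verifier-side DKIM checks: selector lookup, tag lists, canonicalization.

Added example; not code from the DKIM working group or any mail product.
Tag names follow draft-ietf-dkim-base-10 (RFC 4871). All data below is
constructed: the p=, bh= and b= values are placeholders, not real material.
"""
import re

# Constructed key record as it would appear in the TXT record at
# march2007._domainkey.example.com. The h= tag here lists the hash
# algorithms this key may be used with (not the signed-header list that
# h= means inside a signature); g= restricts the permitted signing addresses.
SAMPLE_KEY_RECORD = (
    "v=DKIM1; k=rsa; h=sha256; g=support*; p=PLACEHOLDER_BASE64_PUBLIC_KEY"
)

# Constructed DKIM-Signature header field value, folded across three lines.
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=march2007;\r\n"
    "\ti=support-bot@example.com; h=from:to:subject:date;\r\n"
    "\tbh=PLACEHOLDER_BODY_HASH; b=PLACEHOLDER_SIGNATURE"
)


def selector_record_name(selector, domain):
    """DNS name whose TXT record holds the public key for selector/domain."""
    return f"{selector}._domainkey.{domain}"


def parse_tag_list(text):
    """Parse a DKIM tag=value list into a dict.

    Whitespace inside values is removed; the specification requires that
    for the base64 tags (b=, bh=, p=) and it is harmless for the rest.
    """
    tags = {}
    for item in text.split(";"):
        if not item.strip():
            continue
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {item.strip()!r}")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def canonicalize_header(name, value, algorithm):
    """Return one header field in the form that enters the signature hash.

    "simple" passes the field through unchanged. "relaxed" unfolds
    continuation lines, collapses whitespace runs to one space, strips
    surrounding whitespace and lowercases the name, so that re-wrapping by
    an intermediate MTA does not invalidate the signature.
    """
    if algorithm == "simple":
        return f"{name}:{value}\r\n"
    if algorithm == "relaxed":
        unfolded = re.sub(r"\r?\n", "", value)
        collapsed = re.sub(r"[ \t]+", " ", unfolded).strip()
        return f"{name.lower()}:{collapsed}\r\n"
    raise ValueError(f"unknown canonicalization: {algorithm}")


def granularity_matches(pattern, local_part):
    """Match the key record's g= pattern against the local-part of i=.

    A single '*' matches any run of characters; the default '*' matches
    every address in the signing domain.
    """
    if "*" not in pattern:
        return pattern == local_part
    prefix, _, suffix = pattern.partition("*")
    return (len(local_part) >= len(prefix) + len(suffix)
            and local_part.startswith(prefix)
            and local_part.endswith(suffix))


def check_signature_against_key(sig, key):
    """Policy checks a verifier applies before any signature arithmetic.

    Returns a list of problems; an empty list means the key record permits
    this signature's algorithm and signing address.
    """
    problems = []
    if key.get("v", "DKIM1") != "DKIM1":
        problems.append("unknown key record version")
    if not key.get("p"):
        problems.append("key has been revoked (empty p=)")
    key_type, _, hash_alg = sig.get("a", "").partition("-")
    if key.get("k", "rsa") != key_type:
        problems.append(f"key type {key.get('k', 'rsa')} does not match a={sig.get('a')}")
    allowed = key.get("h")  # downgrade guard: hashes this key may be used with
    if allowed and hash_alg not in allowed.split(":"):
        problems.append(f"hash {hash_alg} not permitted by key record h={allowed}")
    local_part = sig.get("i", "").partition("@")[0]
    if not granularity_matches(key.get("g", "*"), local_part):
        problems.append(f"signing address {sig.get('i', '')!r} outside key granularity g={key.get('g')}")
    return problems


if __name__ == "__main__":
    sig, key = parse_tag_list(SAMPLE_SIGNATURE), parse_tag_list(SAMPLE_KEY_RECORD)
    print("lookup:", selector_record_name(sig["s"], sig["d"]))
    print("problems:", check_signature_against_key(sig, key))
    print("downgrade:", check_signature_against_key(dict(sig, a="rsa-sha1"), key))
```

The DNS query and the RSA verification itself are left out; in a real verifier the lookup name goes to a resolver and the p= value feeds the signature check, which is where the DNS-trust caveat the article raises applies.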
====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Richard Austin
Mar. 11, 2007
____________________________________________________________________

The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities
by Mark Dowd, John McDonald and Justin Schuh
Pearson Education 2007.
ISBN 0-321-44442-6
Amazon.com $54.99. Bookpool.com $43.50.

One might think that after excellent books such as "Writing Secure Code" by Howard and LeBlanc (reviewed by Fred Cohen in Issue 55) and "19 Deadly Sins of Software Security" by Howard, LeBlanc and Viega, the waters of software security books were in danger of becoming overfished, but this book adds to the conversation on software security by looking at how real software audits are conducted to identify defects.

At over 1,100 pages this work offers broad coverage and opens in Part I with a comprehensive introduction to the review process itself. This introduction is welcome because too many of us, when faced with the necessity of performing a software audit, tend to jump directly into the technical process of reviewing the code without a clear plan of how we're going to conduct the assessment. Chapters that review design and operational aspects are followed by a presentation of the overall application review process to establish a firm foundation that helps to assure the ensuing examination will result in good coverage of both how the software is structured and how it is used in practice. This section concludes with a case study based on the popular SSH protocol that ties the preceding chapters together in the context of a real assessment.

Part II delves into the particular classes of vulnerabilities with examples drawn from real-world code (a noticeable benefit of the Open Source movement). The chapter on memory corruption pays particular attention to buffer overflows and opens with a piece of sage advice that "all memory corruption vulnerabilities should be regarded as exploitable until proved otherwise" (p. 167), which is an excellent counter to the oft-heard lament that developers would gladly fix the issue if the auditor will just provide them with an example of how it could be exploited. This is followed by a good introduction to stack layouts, procedure calling conventions and the actual process an attacker uses to exploit memory corruption vulnerabilities. Protective measures such as stack "cookies" (or "canaries") and DNX (Do Not Execute) are reviewed and their limitations assessed to point out that there is no such thing as a "silver bullet" for these types of problems.

The authors then delve into the details of some issues with C that have mystified your humble correspondent on more than one occasion despite 3 decades of software experience. Representation issues that can give rise to boundary value problems are followed by a clear explanation of the bewildering rules governing type conversions. Issues such as the myriad ways that pesky sign bits can cause trouble when converting between signed and unsigned types are clearly demonstrated.

Succeeding chapters cover how programs are assembled from building blocks and the ways assembly can go wrong, including unexpected control flows and the perennial problem of side effects. The many potential issues with strings and metacharacters are covered in the contexts of format strings, shell metacharacters and SQL queries. The subtleties in attempting to filter or escape metacharacters are effectively demonstrated.

Succeeding chapters cover UNIX files and processes with a clear description of the UNIX privilege model, file security and interprocess communication, with clear demonstrations culled from actual vulnerabilities to illustrate what types of things the code auditor should be watching out for. Windows is not neglected, and the menagerie of Windows objects, permissions, security descriptors and interprocess communication are toured, again with demonstrations and sage advice on auditing COM and DCOM interfaces. Part II concludes with another personal favorite: synchronization and state. Race conditions and starvation are ably described and followed by a review of the common synchronization techniques from both UNIX and Windows.

Part III is entitled "Software Vulnerabilities In Practice" and surveys the landscape of technologies that make up the modern application infrastructure. Network protocols are briefly reviewed, followed by a good discussion of firewall technologies and how they can be bypassed or subverted. The main application protocols such as HTTP, ASN, and DNS are reviewed with attention paid to the ways an attacker can leverage the protocol to their advantage. A chapter on web technologies gives a sound introduction to the way web applications work, ranging from simple static web content to the bewildering ways dynamic content is generated and presented. Vulnerability classes such as SQL injection, cross-site scripting, etc. are reviewed from the auditor's point of view with, again, good advice on what to watch for during testing and code review. The book concludes with a whirlwind tour of web technologies such as SOAP and AJAX, the venerable CGI interface, Perl, Java and ASP. Coverage is briefer here than in earlier chapters, likely because of the complexity of the technologies (and the desire to keep the book under 5,000 pages).

Summarizing a book this large and with such a wide-ranging subject is difficult, but I think it makes a valuable contribution to the subject of software security by providing clear guidance and advice on the oft-neglected subject of how one conducts a software audit. With it, an auditor has some hope of getting both good coverage and meaningful recommendations that might improve the security of the software.

If auditing software for security vulnerabilities is of interest, either because you perform it or consume its results, this book is a valuable addition to your bookshelf. Developers might also find it of interest to better understand the viewpoint and processes of those "audit people" that descend on one's premises, usually in the late stages of the project and seemingly with the agenda of wreaking maximum havoc on the schedule and release train. The technical details will mystify many managers that might attempt to read it. However, I think that time spent perusing Part I (Introduction to Software Security Assessment) will pay dividends in helping them to both understand the assessment process and better appreciate the motives and processes of the assessment team.

###

Richard Austin is a resident curmudgeon at a Fortune 100 company who continues to wage a battle with a tottering tower of new security tomes. Periodically he takes a break from the fray and shares his opinion of the latest book to migrate from the tower to the shelf.
He can be reached at rda7838@kennesaw.edu

====================================================================
Conference and Workshop Announcements
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Calendar of Security and Privacy Related Events
maintained by Hilarie Orman

Date (Month/Day/Year), Event, Locations, web page for more info.

3/19/07- 3/21/07: IFIP-CIP, 1st Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection, Hanover, NH, USA; http://www.cis.utulsa.edu/ifip1110/Conferences/WG11-10CallForPapers.asp
3/20/07: IWSSE, 1st IEEE International Workshop on Security in Software Engineering, Held in conjunction with the 31st Annual International Computer Software and Applications Conference (COMPSAC 2007), Beijing, China; http://conferences.computer.org/compsac/2007/workshops/IWSSE.html; Submissions are due
3/20/07: IAS, 3rd International Symposium on Information Assurance and Security, Manchester, United Kingdom; http://www.ias07.org/; Submissions are due
3/20/07- 3/22/07: ASIACCS, ACM Symposium on InformAtion, Computer and Communications Security, Singapore; http://asiaccs07.i2r.a-star.edu.sg/
3/23/07: WRAITS, Workshop on Recent Advances on Intrusion-Tolerant Systems, Held in conjunction with the European Conference on Computer Systems (EuroSys 2007), Lisbon, Portugal; http://wraits07.di.fc.ul.pt/
3/23/07: W2SP, Workshop on Web 2.0 Security and Privacy, Held in conjunction with the IEEE Symposium on Security and Privacy, Oakland, California, USA; http://www.ieee-security.org/TC/SP2007/oakland07.html; Submissions are due
3/26/07: SECRYPT, International Conference on Security and Cryptography, Barcelona, Spain; http://www.secrypt.org; Submissions are due
3/29/07: SecPerU, 3rd International Workshop on Security, Privacy and Trust in Pervasive and Ubiquitous Computing, Held in conjunction with the IEEE International Conference on Pervasive Services (ICPS 2007), Istanbul, Turkey; http://www.icsd.aegean.gr/SecPerU2007/; Submissions are due
3/30/07: CNSS, Computer and Network Security Symposium, Held in conjunction with the International Wireless Communications & Mobile Computing Conference (IWCMC 2007), Honolulu, Hawaii, USA; http://www.cs.ndsu.nodak.edu/~xdu/CNSS_IWCMC07.htm; Submissions are due
3/30/07: ESORICS, 12th European Symposium on Research in Computer Security, Dresden, Germany; http://esorics2007.inf.tu-dresden.de/; Submissions are due
3/31/07: RAID, 10th International Symposium on Recent Advances in Intrusion Detection, Gold Coast, Queensland, Australia; http://www.isi.qut.edu.au/go/raid07; Submissions are due
4/ 1/07: PLAS, ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, San Diego, CA, USA; http://www.cs.umd.edu/~mwh/PLAS07/; Submissions are due
4/ 2/07: DFRWS, 7th Annual Digital Forensic Research Workshop, Pittsburgh, PA, USA; http://www.dfrws.org/; Submissions are due
4/ 2/07: GOCP, 1st International Workshop on Group-Oriented Cryptographic Protocols, Held in conjunction with the 34th International Colloquium on Automata, Languages and Programming (ICALP 2007), Wroclaw, Poland; http://www.hgi.rub.de/gocp07/; Submissions are due
4/10/07- 4/12/07: SADFE, 2nd International Workshop on Systematic Approaches to Digital Forensic Engineering, Seattle, Washington, USA; http://conf.ncku.edu.tw/sadfe
4/10/07- 4/13/07: SecSE, 1st International Workshop on Secure Software Engineering, Vienna, Austria; http://www.ares-conference.eu/conf/
4/11/07- 4/12/07: ASC, 6th Annual Security Conference, Las Vegas, Nevada, USA; http://www.security-conference.org
4/11/07- 4/13/07: NETCRI, 1st International Workshop on Research Challenges in Next Generation Networks for First Responders and Critical Infrastructures, Held in conjunction with the 26th IEEE International Performance Computing and Communications Conference (IPCCC 2007), New Orleans, Louisiana, USA; http://www.cs.umd.edu/~sharno/NetCri07
4/11/07- 4/13/07: WIA, 3rd International Workshop on Information Assurance, Held in conjunction with the 26th IEEE International Performance Computing and Communications Conference (IPCCC 2007), New Orleans, Louisiana, USA; http://www.sis.pitt.edu/~lersais/WIA2007/
4/13/07: IWSEC, 2nd International Workshop on Security, Nara, Japan; http://www.iwsec.org/; Submissions are due
4/13/07: USM, Workshop on Usable IT Security Management, Held in conjunction with the 3rd Symposium On Usable Privacy and Security (SOUPS 2007), Pittsburgh, PA, USA; http://cups.cs.cmu.edu/soups/2007/usm.html; Submissions are due
4/14/07: NSS, IFIP International Workshop on Network and System Security, Dalian, China; http://nss2007.cqu.edu.au/; Submissions are due
4/17/07- 4/19/07: PKI R&D, 6th Annual PKI R&D Workshop, Gaithersburg, MD, USA; http://middleware.internet2.edu/pki07/
4/26/07- 4/28/07: GPC, Workshop on Grid and Pervasive Computing Security, Held in conjunction with the 2007 International Conference on Multimedia and Ubiquitous Engineering (MUE 2007), Seoul, Korea; http://www.sersc.org/MUE2007/contents/page/GPCS07.html
4/30/07: ACSF, 2nd Conference on Advances in Computer Security and Forensics, Liverpool, UK; http://www.cms.livjm.ac.uk/acsf2/; Submissions are due
4/30/07: WSNS, 3rd IEEE International Workshop on Wireless and Sensor Networks Security, Held in conjunction with the 4th IEEE International Conference on Mobile Ad-hoc and Sensor Systems (MASS 2007), Pisa, Italy; http://www7.informatik.uni-erlangen.de/~dressler/wsns07/; Submissions are due
4/30/07: WDFIA, 2nd Annual Workshop on Digital Forensics and Incident Analysis, Samos, Greece; http://www.aegean.gr/wdfia07; Submissions are due
5/ 1/07: Security Journal of Universal Computer Science (JUCS), Special Issue on Cryptography in Computer System; http://www.sitacs.uow.edu.au/jucs/; Submissions are due
5/ 8/07: CCS, 14th ACM Conference on Computer and Communications Security, Alexandria, VA, USA; http://www.acm.org/sigs/sigsac/ccs/CCS2007/; Submissions are due
5/ 8/07- 5/10/07: SIN, International Conference on Security of Information and Networks, Gazimagusa (TRNC), North Cyprus; http://www.sinconf.org
5/ 8/07- 5/12/07: WWW-SPRE, 16th International World Wide Web Conference, Security, Privacy, Reliability and Ethics (SPRE) Track, Banff, Alberta, Canada; http://www2007.org/cfp-SPaE.php
5/ 9/07- 5/11/07: WISTP, Workshop in Information Security Theory and Practices: Smart Cards, Mobile and Ubiquitous Computing Systems, Heraklion, Crete, Greece; http://wistp2007.xlim.fr/
5/11/07: ICISS, 3rd International Conference on Information Systems Security, Delhi, India; http://siis.cse.psu.edu/iciss07/cfp.htm; Submissions are due
5/14/07- 5/16/07: IFIP-SEC, 22nd IFIP TC-11 International Information Security Conference, Theme: New approaches for Security, Privacy and Trust in Complex Environments, Sandton Convention Centre, Sandton, South Africa; http://www.sbs.co.za/ifipsec2007/
5/15/07: eCrime, 2nd APWG eCrime Researchers Summit, Pittsburgh, PA, USA; http://www.ecrimeresearch.com/2007/cfp.html; Submissions are due
5/19/07: WISA, 8th International Workshop on Information Security Applications, Jeju Island, Korea; http://www.wisa.or.kr/; Submissions are due
5/20/07- 5/23/07: Oakland, The 2007 IEEE Symposium on Security and Privacy, The Claremont Resort, Berkeley/Oakland, CA, USA; http://www.ieee-security.org/TC/SP2007/oakland07.html
5/21/07- 5/25/07: AusCERT, Asia Pacific Information Technology Security Conference, Gold Coast, Queensland, Australia; http://www.isi.qut.edu.au/go/
5/24/07: W2SP, Workshop on Web 2.0 Security and Privacy, Held in conjunction with the IEEE Symposium on Security and Privacy, Oakland, California, USA; http://www.ieee-security.org/TC/SP2007/oakland07.html
-----
6/ 1/07: SISW, 4th International IEEE Security in Storage Workshop, San Diego, California, USA; http://ieeeia.org/sisw/2007/; Submissions are due
6/ 3/07: SECOVAL, 3rd Annual Workshop on the Value of Security through Collaboration in cooperation, Held in conjunction with the 3rd International Conference on Security and Privacy in Communication Networks (SecureComm 2007), Nice, France; http://www.trustcomp.org/secoval/; Submissions are due
6/ 5/07- 6/ 8/07: ACNS, 5th International Conference on Applied Cryptography and Network Security, Zhuhai, China; http://www.i2r.a-star.edu.sg/icsd/acns2007/
6/ 7/07- 6/ 8/07: WEIS, 6th Workshop on the Economics of Information Security, Carnegie Mellon University, Pittsburgh, PA, USA; http://weis2007.econinfosec.org/
6/13/07- 6/15/07: Policy, 8th IEEE International Workshop on Policies for Distributed Systems and Networks, Bologna, Italy; http://www.policy-workshop.org/2007
6/14/07: PLAS, ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, San Diego, CA, USA; http://www.cs.umd.edu/~mwh/PLAS07/
6/15/07: DIM, 3rd ACM Workshop on Digital Identity Management, Held in conjunction with the 14th ACM Conference on Computer and Communications Security (CCS 2007), Fairfax, VA, USA; http://www2.pflab.ecl.ntt.co.jp/dim2007/; Submissions are due
6/17/07- 6/22/07: FIRST, 19th FIRST Global Computer Security Network Conference, Seville, Spain; http://www.first.org/conference/2007/papers/
6/20/07- 6/22/07: PET, 7th Workshop on Privacy Enhancing Technologies, Ottawa, Canada; http://petworkshop.org/2007/
6/20/07- 6/22/07: IAW, 8th Annual IEEE SMC Information Assurance Workshop, West Point, New York, USA; http://www.itoc.usma.edu/workshop/2007/index.htm
6/25/07- 6/29/07: ICDCS, 27th International Conference on Distributed Computing Systems, Toronto, Canada; http://www.eecg.utoronto.ca/icdcs07/
6/27/07: HotDep, Workshop on Hot Topics in System Dependability, Held in conjunction with the 37th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2007), Edinburgh, Scotland - UK; http://www.hotdep.org/2007
6/27/07: DSN-ACS, Workshop on Assurance Cases for Security - The Metrics Challenge, Held in conjunction with the 37th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2007), Edinburgh, Scotland - UK; http://www.dsn.org/call/workshops/assurance/
6/28/07- 6/30/07: EUROPKI, 4th European PKI Workshop: Theory and Practice, Mallorca, Spain; http://dmi.uib.es/europki07
-----
7/ 1/07: IEEE Software, Special Issue on Security for the Rest of Us: An Industry Perspective on the Secure Software Challenge; http://www.computer.org/portal/site/software/menuitem.538c87f5131e26244955a4108bcd45f3/index.jsp?&pName=software_level1&path=software/content&file=edcal.xml&xsl=article.xsl&; Submissions are due
7/ 2/07- 7/ 3/07: ESAS, 4th European Workshop on Security and Privacy in Ad hoc and Sensor Networks, Sidney Sussex College, Cambridge, England; http://www.netlab.nec.de/esas/
7/ 2/07- 7/ 4/07: PAIRING, 1st International Conference on Pairing-based Cryptography, Tokyo, Japan; http://www.pairing-conference.org/
7/ 6/07- 7/ 8/07: CSF, 20th IEEE Computer Security Foundations Symposium, Venice, Italy; http://www.cs.chalmers.se/~andrei/CSFW07/cfp.html
7/ 8/07- 7/11/07: IFIP-DBSEC, 21st Annual IFIP WG 11.3 Working Conference on Data and Applications Security, Redondo Beach, CA, USA; http://www.dcs.kcl.ac.uk/staff/steve/ifip07/index.html
7/ 9/07: GOCP, 1st International Workshop on Group-Oriented Cryptographic Protocols, Held in conjunction with the 34th International Colloquium on Automata, Languages and Programming (ICALP 2007), Wroclaw, Poland; http://www.hgi.rub.de/gocp07/
7/12/07- 7/13/07: DIMVA, 4th GI International Conference on Detection of Intrusions & Malware, and Vulnerability Assessment, Lucerne, Switzerland; http://www.dimva.org/dimva2007
7/12/07- 7/13/07: ACSF, 2nd Conference on Advances in Computer Security and Forensics, Liverpool, UK; http://www.cms.livjm.ac.uk/acsf2/
7/18/07- 7/20/07: SOUPS, Symposium On Usable Privacy and Security, Carnegie Mellon University, Pittsburgh, PA, USA; http://cups.cs.cmu.edu/soups/2007/cfp.html
7/18/07: USM, Workshop on Usable IT Security Management, Held in conjunction with the 3rd Symposium On Usable Privacy and Security (SOUPS 2007), Pittsburgh, PA, USA; http://cups.cs.cmu.edu/soups/2007/usm.html
7/19/07- 7/20/07: IPTComm, Principles, Systems and Applications of IP Telecommunications, Columbia University, New York, NY, USA; http://iptcomm.org
7/20/07: SecPerU, 3rd International Workshop on Security, Privacy and Trust in Pervasive and Ubiquitous Computing, Held in conjunction with the IEEE International Conference on Pervasive Services (ICPS 2007), Istanbul, Turkey; http://www.icsd.aegean.gr/SecPerU2007/
7/23/07: NordSec, 12th Nordic Workshop on Secure IT Systems, Reykjavik, Iceland; http://www.ru.is/nordsec2007/; Submissions are due
7/24/07- 7/27/07: IWSSE, 1st IEEE International Workshop on Security in Software Engineering, Held in conjunction with the 31st Annual International Computer Software and Applications Conference (COMPSAC 2007), Beijing, China; http://conferences.computer.org/compsac/2007/workshops/IWSSE.html
7/28/07- 7/31/07: SECRYPT, International Conference on Security and Cryptography, Barcelona, Spain; http://www.secrypt.org
7/30/07- 8/ 2/07: IFIPTM, Joint iTrust and PST Conferences on Privacy, Trust Management and Security, Moncton, New Brunswick, Canada; http://pstnet.unb.ca/itrust-pst2007
-----
8/ 6/07- 8/10/07: USENIX-SECURITY, 16th USENIX Security Symposium, Boston, MA, USA; http://www.usenix.org/events/sec07/
8/12/07- 8/15/07: PODC, 26th Annual ACM SIGACT-SIGOPS Symposium on the Principles of
Distributed Computing, Portland, Oregon, USA; http://www.podc.org/podc2007 8/12/07- 8/16/07: CNSS, Computer and Network Security Symposium, Held in conjunction with the International Wireless Communications & Mobile Computing Conference (IWCMC 2007), Honolulu, Hawaii, USA; http://www.cs.ndsu.nodak.edu/~xdu/CNSS_IWCMC07.htm 8/13/07- 8/15/07: DFRWS, 7th Annual Digital Forensic Research Workshop, Pittsburgh, PA, USA; http://www.dfrws.org/ 8/19/07- 8/23/07: CRYPTO, 27th Annual International Cryptology Conference, Santa Barbara, California, USA; http://www.iacr.org/conferences/crypto2007/ 8/27/07- 8/28/07: WDFIA, 2nd Annual Workshop on Digital Forensics and Incident Analysis, Samos, Greece; http://www.aegean.gr/wdfia07 8/27/07- 8/29/07: WISA, 8th International Workshop on Information Security Applications, Jeju Island, Korea; http://www.wisa.or.kr/ 8/29/07- 8/31/07: IAS, 3rd International Symposium on Information Assurance and Security, Manchester, United Kingdom; http://www.ias07.org/ ---- 9/ 3/07- 9/ 7/07: TrustBus, 4th International Conference on Trust, Privacy & Security in Digital Business, Held in conjunction with the 18th International Conference on Database and Expert Systems Applications (DEXA 2007), Ottawa, Canada; http://www.icsd.aegean.gr/trustbus07/ 9/ 3/07- 9/ 7/07: WICS, 5th International Workshop on Internet Communications Security, Held in conjunction with the International Conference on Database and Expert Systems Applications (DEXA 2007), Regensburg, Germany; http://aspects.uc3m.es/wics07/ 9/ 5/07- 9/ 7/07: RAID, 10th International Symposium on Recent Advances in Intrusion Detection, Gold Coast, Queensland, Australia; http://www.isi.qut.edu.au/go/raid07 9/10/07- 9/13/07: CHES, 9th Workshop on Cryptographic Hardware and Embedded Systems, Vienna, Austria; http://www.chesworkshop.org/ 9/16/07- 9/18/07: MMM–ACNS, International Conference on Mathematical Methods, Models and Architectures for Computer Networks Security, St. 
Petersburg, Russia; http://www.comsec.spb.ru/mmm-acns07/ 9/17/07- 9/21/07: SecureComm, 3rd International Conference on Security and Privacy in Communication Networks, Nice, France; http://www.securecomm.org/2007/ 9/17/07- 9/21/07: SECOVAL, 3rd Annual Workshop on the Value of Security through Collaboration in cooperation, Held in conjunction with the 3rd International Conference on Security and Privacy in Communication Networks (SecureComm 2007), Nice, France; http://www.trustcomp.org/secoval/ 9/20/07: NSS, IFIP International Workshop on Network and System Security, Dalian, China; http://nss2007.cqu.edu.au/ 9/24/07- 9/26/07: ESORICS, 12th European Symposium on Research in Computer Security, Dresden, Germany; http://esorics2007.inf.tu-dresden.de/ 9/27/07: SISW, 4th International IEEE Security in Storage Workshop, San Diego, California, USA; http://ieeeia.org/sisw/2007/ ---- 10/ 4/07-10/ 5/07: eCrime, 2nd APWG eCrime Researchers Summit, Pittsburgh, PA, USA; http://www.ecrimeresearch.com/2007/cfp.html 10/ 8/07: WSNS, 3rd IEEE International Workshop on Wireless and Sensor Networks Security, Held in conjunction with the 4th IEEE International Conference on Mobile Ad-hoc and Sensor Systems (MASS 2007), Pisa, Italy; http://www7.informatik.uni-erlangen.de/~dressler/wsns07/ 10/11/07-10/12/07: NordSec, 12th Nordic Workshop on Secure IT Systems, Reykjavik, Iceland; http://www.ru.is/nordsec2007/ 10/29/07-10/31/07: IWSEC, 2nd International Workshop on Security, Nara, Japan; http://www.iwsec.org/ 10/29/07-11/ 2/07: CCS, 14th ACM Conference on Computer and Communications Security, Alexandria, VA, USA; http://www.acm.org/sigs/sigsac/ccs/CCS2007/ ---- 11/ 2/07: DIM, 3rd ACM Workshop on Digital Identity Management, Held in conjunction with the 14th ACM Conference on Computer and Communications Security (CCS 2007), Fairfax, VA, USA; http://www2.pflab.ecl.ntt.co.jp/dim2007/ ---- 12/16/07-12/20/07: ICISS, 3rd International Conference on Information Systems Security, Delhi, India; 
http://siis.cse.psu.edu/iciss07/cfp.htm

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers (new since Cipher E76)
____________________________________________________________________

IWSSE 2007
1st IEEE International Workshop on Security in Software Engineering, Held in conjunction with the 31st Annual International Computer Software and Applications Conference (COMPSAC 2007), Beijing, China, July 24-27, 2007.
http://conferences.computer.org/compsac/2007/workshops/IWSSE.html
(Submissions due 20 March 2007)

The ever-growing demand for software security has made it a well-recognized multi-disciplinary sub-area across software engineering, security engineering, and programming languages. Software security has thus become a fundamental problem in software engineering, as it focuses on developing secure software and on understanding and managing security risks throughout the software lifecycle. The purpose of the workshop is to bring together researchers and practitioners in software and application security in order to create a forum for discussing recent advances in improving security in software engineering and inspiring research on new methods and techniques to advance security engineering in industrial practice. Researchers and practitioners worldwide are invited to present their research expertise and experience, and to discuss the issues and challenges in security from a software engineering perspective.
Quality papers are invited on the following non-exhaustive list of topics:
- Management of software security in industrial practice
- Security requirements and policies
- Abuse cases and threat modeling
- Architecture and design for security
- Model-based security
- Language-based security
- Malicious code prevention and code safety
- Security risk analysis
- Security taxonomy and metrics
- Testing for security
- Application security: detection and protection
- Software piracy and protection

-------------------------------------------------------------------------

IAS 2007
3rd International Symposium on Information Assurance and Security, Manchester, United Kingdom, August 29-31, 2007.
http://www.ias07.org/
(Submissions due 20 March 2007)

Information assurance and security has become an important research issue in networked and distributed information sharing environments. Finding effective ways to protect information systems, networks and sensitive data within the critical information infrastructure is challenging even with the most advanced technology and trained professionals. The International Symposium on Information Assurance and Security aims to bring together researchers, practitioners, developers, and policy makers involved in multiple disciplines of information security and assurance to exchange ideas and to learn about the latest developments in this important field. Previously unpublished work offering novel research and application contributions in any aspect of information assurance, security and privacy is solicited for submission to the IAS'07 symposium. Proposals for workshops, panels and tutorials are also welcome.

Topics of interest include, but are not limited to, the following:
- Agent and Mobile Code Security
- Anonymity and User Privacy
- Authentication and Identity Management
- Authorization and Access Control
- Biometrics Security and Applications
- Computer Forensics
- Cryptographic Protocols
- Data Integrity and Privacy
- Database Security
- Denial of Service and Intrusion Detection
- Distributed System Security
- E-Commerce and E-Government Security
- Fraud Control
- Information Warfare and Cyber-terrorism
- Intellectual Property Protection
- Internet and Web Services Security
- Key Management and Recovery
- New Ideas and Paradigms for Security
- Operating System Security
- Secure Hardware and Smartcards
- Secure Software Technologies
- Security Education and Training
- Security Management and Strategy
- Security Models and Architectures
- Security Verification, Evaluations and Measurements
- Trust Negotiation, Establishment and Management
- Ubiquitous Computing Security

-------------------------------------------------------------------------

W2SP 2007
Workshop on Web 2.0 Security and Privacy, The Claremont Resort, Oakland, California, USA, May 24, 2007.
http://www.ieee-security.org/TC/SP2007/oakland07.html
(Submissions due 23 March 2007)

The goal of this one-day workshop is to bring together researchers and practitioners from academia and industry to focus on understanding Web 2.0 security and privacy issues, and on establishing new collaborations in these areas. Web 2.0 is about connecting people and amplifying the power of working together. The goal of connecting people brings together a broad range of technologies and social forces. We have witnessed a rapid proliferation of social computing web sites and content. This mixing of technology and social interaction is also occurring in the context of a wave of technologies supporting rapid development of these interpersonal interactions.
Many of these new web technologies rely on the composition of content and services from multiple sources. At one end of the technology spectrum we have simple services such as blogs and wikis. However, there are far more complex technology composition (mash-up) examples. The content composition trend is likely to continue. The lure is the promise of inexpensive and easy ways to compose software services and content. However, there are issues with respect to the management of identities, reputation, privacy, anonymity, transient and long-term relationships, and the composition of function and content, both on the server side and inside the web browser. While the security and privacy issues are not new (many of these issues already exist with portal servers and browsers), the security issue is becoming increasingly acute as the technologies are adopted and adapted to appeal to a wider developer audience. Some of these technologies deliberately bypass existing security mechanisms. This workshop is intended to discuss the limitations of the current technologies and explore alternatives.

The scope of W2SP 2007 includes, but is not limited to:
- Identity, privacy, reputation and anonymity
- End-to-end security architectures
- Security of content composition
- Security and privacy policy definition and modeling of content composition
- Provenance and governance
- Usable security and privacy models
- Static and dynamic analysis for security
- Security as a service

-------------------------------------------------------------------------

SECRYPT 2007
International Conference on Security and Cryptography, Barcelona, Spain, July 28-31, 2007.
http://www.secrypt.org
(Submissions due 26 March 2007)

The purpose of SECRYPT 2007, the International Conference on Security and Cryptography, is to bring together researchers, mathematicians, engineers and practitioners interested in security aspects related to information and communication. Theoretical and practical advances in the fields of cryptography and coding are a key factor in the growth of data communications, data networks and distributed computing. In addition to the mathematical theory and practice of cryptography and coding, SECRYPT also focuses on other aspects of information systems and network security, including applications in the scope of the knowledge society in general and information systems development in particular, especially in the context of e-business, the internet and global enterprises.

Papers describing original work are invited in any of the areas listed below:
- Access Control and Intrusion Detection
- Network Security and Protocols
- Cryptographic Techniques and Key Management
- Information Assurance
- Security in Information Systems

-------------------------------------------------------------------------

SecPerU 2007
3rd International Workshop on Security, Privacy and Trust in Pervasive and Ubiquitous Computing, Held in conjunction with the IEEE International Conference on Pervasive Services (ICPS 2007), Istanbul, Turkey, July 20, 2007.
http://www.icsd.aegean.gr/SecPerU2007/
(Submissions due 29 March 2007)

The ambient assisted living concept is envisioned through a new paradigm of interaction inspired by constant provision of information and computational resources. This provision will be enabled through invisible devices that offer distributed computing power and spontaneous connectivity. A nomad traversing residential, working, and advertising environments will seamlessly and constantly be served by small mobile devices like portables, handheld, embedded or wearable computers. This paradigm of living and interacting introduces new security, trust and privacy risks. Thus, methods and technology to support confidence in this concept are revisited.
The objectives of the SecPerU 2007 Workshop are to develop new security, privacy and trust concepts for complex application scenarios based on systems like handhelds, phones, smart cards, sensors, actuators and RF tags, with the emerging technology of ubiquitous and pervasive computing. We welcome the submission of papers from the full spectrum of issues related to security, privacy and trust in pervasive and ubiquitous computing. Papers may focus on architectures, methods, technologies, protocols, prototype developments, case studies, applications, practical experiences, simulation results and analysis, theory and validation on pervasive and ubiquitous computing topics including, but not limited to:
- Reasoning about Security, Privacy and Trust
- Access control and authorization
- Key management and authentication
- Identity management
- Authorization
- Threat and vulnerability
- Denial of service attacks
- Intrusion detection and protection systems
- Malware in pervasive environments and services
- Privacy, anonymity, pseudonymity, and unlinkability
- Location privacy and secure localization
- Network security issues and protocols
- Information hiding and watermarking
- Trust and reputation management
- Role of RFID, sensors and biometrics to enable security
- Deploying security policies
- Developing secure infrastructures
- Auditing and forensic information management in pervasive settings
- Ethics and law for pervasive services
- Case Studies

-------------------------------------------------------------------------

CNSS 2007
Computer and Network Security Symposium, Held in conjunction with the International Wireless Communications & Mobile Computing Conference (IWCMC 2007), Honolulu, Hawaii, USA, August 12-16, 2007.
http://www.cs.ndsu.nodak.edu/~xdu/CNSS_IWCMC07.htm
(Submissions due 30 March 2007)

The main objective of this symposium is to promote further research interests and activities on computer and network security. It is also aimed at increasing the synergy between academic and industrial researchers working in this area. We are interested in theoretical, experimental, and systems-related papers in all aspects of computer and network security. The scope of the Computer and Network Security Symposium includes, but is not limited to:
- Novel and emerging secure architecture
- Cryptographic algorithms and applications
- Study of attack strategies, attack modeling
- Key management
- Intrusion detection techniques
- Intrusion response, alarm management, and correlation analysis
- Study of tradeoffs between security and system performance
- Intrusion tolerance systems
- Denial of service
- Distributed system security
- Wireless network security (WiFi, WiMAX, WiMedia and others)
- Sensor network security
- Mobile ad hoc network security

-------------------------------------------------------------------------

ESORICS 2007
12th European Symposium on Research in Computer Security, Dresden, Germany, September 24-26, 2007.
http://esorics2007.inf.tu-dresden.de/
(Submissions due 30 March 2007)

Papers offering novel research contributions on any aspect of computer security are solicited for submission to the Twelfth European Symposium on Research in Computer Security (ESORICS 2007). Organized in a series of European countries, ESORICS is confirmed as the European research event in computer security. Papers may present theory, mechanisms, applications, or practical experience on all traditional or emerging topics relevant for security in computing systems. For example, the submissions might treat any innovative aspects of one or several of the topics listed in the following:
- security architecture and secure components (trusted computing modules, smartcards, personal computing devices, networks, information systems, applications, peer-to-peer connections, language-based security, ...)
- access control (authorization, privileges, delegation, revocation, credentials, authentication, accountability, safety analysis, ...)
- information control (data flows, information flows, inferences, covert channel analysis, ...)
- applied cryptography (protocol design, protocol verification, authentication protocols, identity management, key distribution, ...)
- tolerance and survivability (attack models, vulnerability analysis, intrusion detection, malware collection and analysis, ...)
- security management (requirements engineering, policy specification, trust evaluation, policy enforcement, ...)
- secure electronic commerce, administration, and government (digital rights management, intellectual property protection, privacy-enhancing technologies, e-voting, ...)
- formal methods in security (security models, security verification, ...)

-------------------------------------------------------------------------

RAID 2007
10th International Symposium on Recent Advances in Intrusion Detection, Gold Coast, Queensland, Australia, September 5-7, 2007.
http://www.isi.qut.edu.au/go/raid07
(Submissions due 31 March 2007)

This symposium, the 10th in an annual series, brings together leading researchers and practitioners from academia, government, and industry to discuss issues and technologies related to intrusion detection and defense. The Recent Advances in Intrusion Detection (RAID) International Symposium series is intended to further advances in intrusion defense by promoting the exchange of ideas in a broad range of topics. As in previous years, all topics related to intrusion detection, prevention and defense systems and technologies are within scope, including but not limited to the following:
- Intrusion detection and prevention techniques
- High-performance intrusion detection
- Intrusion detection in special environments (e.g., mobile networks)
- IDS cooperation and event correlation
- Formal models and analysis
- Attack response, countermeasures, and intrusion tolerance
- Survivability and self-protection
- Attacks against IDS and evasion
- Insider threat detection and mitigation
- Deception systems and honeypots
- Malicious code detection and containment
- Visualization techniques
- Intrusion detection assessment and benchmarking
- IDS interoperability standards and standardization
- Vulnerability analysis and risk assessment
- Legal and social issues

-------------------------------------------------------------------------

PLAS 2007
ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, San Diego, CA, USA, June 14, 2007.
http://www.cs.umd.edu/~mwh/PLAS07/
(Submissions due 1 April 2007)

PLAS aims to provide a forum for exploring and evaluating ideas on the use of programming language and program analysis techniques to improve the security of software systems. Strongly encouraged are proposals of new, speculative ideas; evaluations of new or known techniques in practical settings; and discussions of emerging threats and important problems.
The scope of PLAS includes, but is not limited to:
- Language-based techniques for security
- Verification of security properties in software
- Automated introduction and/or verification of security enforcement mechanisms
- Program analysis techniques for discovering security vulnerabilities
- Compiler-based security mechanisms, such as host-based intrusion detection and in-line reference monitors
- Specifying and enforcing security policies for information flow and access control
- Model-driven approaches to security
- Applications, examples, and implementations of these security techniques

-------------------------------------------------------------------------

DFRWS 2007
7th Annual Digital Forensic Research Workshop, Pittsburgh, PA, USA, August 13-15, 2007.
http://www.dfrws.org/
(Submissions due 2 April 2007)

DFRWS brings together leading researchers, developers, practitioners, and educators from around the world interested in advancing the state of the art in digital forensics. As the most established venue in the field, DFRWS is the preferred place to present both cutting-edge research and perspectives on best practices for all aspects of digital forensics. As an independent organization, we promote open community discussions and disseminate the results of our work to the widest audience. We invite original contributions as research papers (long and short), panel proposals, and demo proposals. All papers are evaluated through a double-blind peer-review process, and those accepted will be published in printed proceedings by Elsevier.

Topics of interest are:
- Incident response and live analysis
- Digital evidence storage and preservation
- Event reconstruction methods and tools
- File system and memory analysis
- Application analysis
- Network traffic analysis, traceback and attribution
- Embedded systems
- Mobile devices
- Large-scale investigations
- Data mining and information discovery
- Data hiding and recovery
- Multimedia analysis
- Tool testing and development
- Digital evidence and the law
- Case studies and trend reports
- Non-traditional approaches to forensic analysis

-------------------------------------------------------------------------

GOCP 2007
1st International Workshop on Group-Oriented Cryptographic Protocols, Held in conjunction with the 34th International Colloquium on Automata, Languages and Programming (ICALP 2007), Wroclaw, Poland, July 9, 2007.
http://www.hgi.rub.de/gocp07/
(Submissions due 2 April 2007)

Group-oriented cryptographic protocols are foundational for the security of various group applications, like digital conferencing, groupware, group communication systems, computer-supported collaborative work-flow systems, multi-user information distribution and sharing, database and server replication systems, peer-to-peer and ad-hoc groups, group-based admission and access management, electronic voting and election, applications in federative or distributed environments, etc. A variety of cryptographic techniques and assumptions provides a solid basis for the design of provably secure group-oriented cryptographic protocols, which is an important and challenging task. Formal security models for group-oriented cryptographic protocols require consideration of a large number of potential threats resulting from attacks on the communication channel and from the misbehavior of some protocol participants.
These challenges and the emerging development of multi-party and group-oriented applications are just some of the reasons for setting up a new cryptographic workshop, solely dedicated to the security issues of cryptographic protocols used in these scenarios. The GOCP 2007 workshop encourages submissions concerning cryptographic foundations, formal security models, and the actual design of all kinds of group-oriented cryptographic protocols, schemes, and applications. Topics of interest include (in alphabetical order):
- Access and admission control in groups
- Anonymity and privacy in group communications
- Broadcast and multicast communication security
- Cryptographic group-oriented protocols
- Electronic election and voting
- Formal security models (proofs) for group-oriented cryptographic protocols
- Group key exchange/distribution
- Group-oriented signatures
- Secure multi-party computation
- Security in distributed group applications
- Security in mobile and ad hoc groups
- Security in peer-to-peer groups
- Trust management in groups

-------------------------------------------------------------------------

IWSEC 2007
2nd International Workshop on Security, Nara, Japan, October 29-31, 2007.
http://www.iwsec.org/
(Submissions due 13 April 2007)

The complex structure of networks, middleware, agents, P2P applications and ubiquitous computing for commercial, personal, communal and public use has brought forth the advent of the information society in cyberspace. However, the system poses new and diverse threats to the world. It is imperative for security researchers to look into these issues from an interdisciplinary perspective. Papers may present theory, applications or practical experiences on topics including, but not limited to:
- Fundamental Tools for Information Security
- Network and Distributed Systems Security
- Privacy Enhancing Technology
- Secure Living and Working Environments
- Security in Commerce and Government
- Security Management
- Software and System Security
- Protection of Critical Infrastructures
- Testing, Verification and Certification
- Law, Policy, Ethics and Related Technologies

-------------------------------------------------------------------------

USM 2007
Workshop on Usable IT Security Management, Held in conjunction with the 3rd Symposium On Usable Privacy and Security (SOUPS 2007), Pittsburgh, PA, USA, July 18, 2007.
http://cups.cs.cmu.edu/soups/2007/usm.html
(Submissions due 13 April 2007)

USM '07 solicits short position papers from academia and industry about all aspects of IT security management usability. The workshop will provide an opportunity for interdisciplinary researchers and practitioners to discuss this fascinating and important topic. Those interested in presenting at the workshop should submit a position paper of up to four pages along with a cover letter describing their research interests, experience, and background in the area of usable IT security management. Workshop papers will be posted on the SOUPS website and distributed to attendees on the SOUPS 2007 CD. However, workshop papers will not be formally published, and therefore may include work the authors plan to publish elsewhere.

-------------------------------------------------------------------------

NSS 2007
IFIP International Workshop on Network and System Security, Dalian, China, September 20, 2007.
http://nss2007.cqu.edu.au/
(Submissions due 14 April 2007)

In recent years, there has been a significant increase in Internet attacks, such as DDoS, viruses, worms, spyware, and malware, causing huge economic and social damage.
While the attack systems have become more easy-to-use, sophisticated, and powerful, interest has greatly increased in the field of building more effective, intelligent, and active defense systems which are distributed and networked. We will focus our program on issues related to Network and System Security, such as authentication, access control, availability, integrity, privacy, confidentiality, dependability and sustainability of network defense systems. We also welcome research reports on network attack systems; because we believe only by fully understanding the attack mechanisms can we perform effective and comprehensive defense. The aim of this workshop is to provide a leading edge forum to foster interaction between researchers and developers with the network and system security communities, and to give attendees an opportunity to network with experts in network and system security. Topics include, but not limited to: - Active Defense Systems - Benchmark, Analysis and Evaluation of Security Systems - Distributed Access Control and Trust Management - Distributed Attack Systems and Mechanisms - Distributed Database Security - Distributed Intrusion Detection/Prevention Systems - Denial-of-Service Attacks and Countermeasures - Identity Management and Authentication - Implementation, Deployment and Management of Security Systems - Intelligent Defense Systems - Internet and Network Forensics - Security Architectures in Distributed Network Systems - Security for Large-scale Systems and Critical Infrastructures - Security for P2P systems and Grid Systems - Security for Ad-Hoc and Sensor Networks - Security in E-Commerce - Secure Mobile Agents and Mobile Code - Security Theory and Tools in Network Systems - Viruses, Worms, and Other Malicious Code - World Wide Web Security ------------------------------------------------------------------------- ACSF 2007 2nd Conference on Advances in Computer Security and Forensics, Liverpool, UK, July 12-13, 2007. 
http://www.cms.livjm.ac.uk/acsf2/
(Submissions due 30 April 2007)

Computer security and computer forensics are at the forefront of the fight against malicious activity facilitated by our increased use of computer and network technologies. Computer security preserves system integrity, whilst computer forensics aims to explain the cause of an event or set of events. Computer security is an established field of computer science, whilst computer forensics is receiving an increased amount of attention amongst the research community. Due to the degree of overlap in the raw material used by both fields, they have much to learn from one another. The purpose of this conference is to bring together researchers and practitioners to present and share the latest developments in research and applications from both fields. The topics below are for guidance only and are not an exhaustive list:
- Incident Response and Management
- Legal issues in computer forensics
- Mobile device forensics
- Collecting evidence
- Network forensics
- Practitioner case studies
- Storage media and file forensic techniques
- Intrusion Detection Systems
- Wireless and ad hoc network security
- Mobile agents for secure systems
- Web security
- Distributed Denial-of-Service attack countermeasures
- Network Security
- Viruses and hostile code
- Cryptography
- Privacy and anonymity
- Digital Rights Management (DRM) and intellectual property
- Access control, auditing and accountability

-------------------------------------------------------------------------

WSNS 2007 3rd IEEE International Workshop on Wireless and Sensor Networks Security, Held in conjunction with the 4th IEEE International Conference on Mobile Ad-hoc and Sensor Systems (MASS 2007), Pisa, Italy, October 8, 2007.
http://www7.informatik.uni-erlangen.de/~dressler/wsns07/
(Submissions due 30 April 2007)

Wireless networks have experienced explosive growth during the last few years.
Nowadays, there is a large variety of networks, spanning from the well-known cellular networks to non-infrastructure wireless networks such as mobile ad hoc networks and sensor networks. Security is a central concern for achieving secure communication in these networks. This one-day workshop aims to bring together researchers and practitioners from the wireless and sensor networking, security, cryptography, and distributed computing communities, with the goal of promoting discussions and collaborations. We are interested in novel research on all aspects of security in wireless and sensor networks and the tradeoff between security and performance measures such as QoS, dependability, scalability, etc. Topics include, but are not limited to:
- Authentication and Access Control
- Cryptographic Protocol
- Experimental Studies
- Key Management
- Information Hiding
- Intrusion Detection and Response
- Privacy and Anonymity
- Secure Localization and Synchronization
- Security and Performance tradeoff
- Security Policy and Enforcement Issues
- Security Protocols Design, Analysis and Verification
- Secure Routing/MAC
- Surveillance and Monitoring
- Trust Management

-------------------------------------------------------------------------

WDFIA 2007 2nd Annual Workshop on Digital Forensics and Incident Analysis, Samos, Greece, August 27-28, 2007.
http://www.aegean.gr/wdfia07
(Submissions due 30 April 2007)

The field of digital forensics is rapidly evolving and continues to gain significance in both the law enforcement and the scientific community. The field is intrinsically interdisciplinary, drawing upon fields such as information & communication technologies, law, social sciences and business administration.
The second workshop on digital forensics and incident analysis, hosted by the University of the Aegean on the island of Samos, aims to provide a forum for researchers and practitioners focusing on different aspects of digital forensics and incident analysis to present original, unpublished research results and innovative ideas. We welcome the submission of papers from the full spectrum of issues relating to the theory and practice of digital forensics and incident analysis. Areas of special interest include, but are not limited to:
- Digital forensics tools
- Forensic procedures
- Network forensics
- Network traffic analysis, traceback and attribution
- Legal, ethical and policy issues related to digital forensics
- Integrity of digital evidence and live investigations
- Multimedia analysis
- Incident response and investigation
- Portable electronic device forensics
- Data hiding and recovery
- Data mining and information discovery
- Digital evidence visualisation and communication
- Digital evidence storage and preservation
- Digital forensics case studies

-------------------------------------------------------------------------

Security Journal of Universal Computer Science (JUCS), Special Issue on Cryptography in Computer System, February 2008.
http://www.sitacs.uow.edu.au/jucs/
(Submission Due 1 May 2007)

Guest editors: Liqun Chen (Hewlett-Packard Labs, UK), Ed Dawson (Queensland University of Technology, Australia), Xuejie Lai (Shanghai Jiao Tong University, China), Masahiro Mambo (Tsukuba University, Japan), Atsuko Miyaji (JAIST, Japan), Yi Mu (University of Wollongong, Australia), David Pointcheval (Ecole Normale Supérieure, France), Bart Preneel (Katholieke Universiteit Leuven, Belgium), Nigel Smart (Bristol University, UK), Willy Susilo (University of Wollongong, Australia), Huaxiong Wang (Macquarie University, Australia), and Duncan Wong (City University of Hong Kong, China)

Cryptography has been playing an important role in ensuring the security and reliability of modern computer systems. Since high speed and broad bandwidth have become the keywords for modern computer systems, new cryptographic methods and tools must follow in order to adapt to these new and emerging technologies. This Special Issue aims to provide a platform for security researchers to present their newly developed cryptographic technologies in computer systems. Areas of interest for this special journal issue include, but are not limited to, the following topics:
- Authentication
- Cryptographic algorithms and their applications
- Cryptanalysis
- Email security
- Electronic commerce
- Data integrity
- Fast cryptographic algorithms and their applications
- Identity-based cryptography
- IP security
- Key management
- Multicast security
- Computer network security
- Privacy protection
- Security in Peer-to-Peer networks
- Security in sensor networks
- Smartcards

-------------------------------------------------------------------------

CCS 2007 14th ACM Conference on Computer and Communications Security, Alexandria, VA, USA, October 29 - November 2, 2007.
http://www.acm.org/sigs/sigsac/ccs/CCS2007/
(Submissions due 8 May 2007)

The conference seeks submissions from academia and industry presenting novel research on all theoretical and practical aspects of computer security, as well as case studies and implementation experiences. Papers should have practical relevance to the construction, evaluation, application, or operation of secure systems. Theoretical papers must make a convincing argument for the practical significance of the results. Topics of interest include, but are not limited to:
- access control
- trust models
- smartcards
- key management
- information warfare
- authentication
- anonymity
- applied cryptography
- secure networking
- security management
- accounting and audit
- peer-to-peer security
- database security
- intrusion detection
- electronic fraud relating to phishing
- privacy-enhancing technology
- data and application security
- inference/controlled disclosure
- intellectual property protection
- commercial and industry security
- trust management policies
- digital rights management
- secure location services
- security for mobile code
- cryptographic protocols
- data/system integrity
- identity management
- security in IT outsourcing

-------------------------------------------------------------------------

ICISS 2007 3rd International Conference on Information Systems Security, Delhi, India, December 16-20, 2007.
http://siis.cse.psu.edu/iciss07/cfp.htm
(Submissions due 11 May 2007)

After the successful organization of ICISS 2006 at the Indian Statistical Institute, Kolkata, India, the 3rd conference will be organized by the University of Delhi. ICISS presents a forum for disseminating the latest research results in Information Systems Security and related areas.
Topics of interest include but are not limited to:
- Authentication and Access Control
- Mobile Code Security
- Key Management and Cryptographic Protocols
- E-business / E-commerce Security
- Privacy and Anonymity
- Intrusion Detection and Avoidance
- Security Verification
- Network Security
- Database and Application Security and Integrity
- Digital Rights Management
- Security in P2P, Sensor and Ad hoc Networks
- Digital Forensics
- Biometric Security
- Secure Web Services
- Fault Tolerance and Recovery Methods for Security Infrastructure
- Threats, Vulnerabilities and Risk Management
- Commercial and Industrial Security

-------------------------------------------------------------------------

eCrime 2007 2nd APWG eCrime Researchers Summit, Pittsburgh, PA, USA, October 4-5, 2007.
(Submissions due 15 May 2007)

The second Anti-Phishing Working Group (APWG) eCrime Researchers Summit will be hosted by Carnegie Mellon CyLab, October 4-5, 2007, in Pittsburgh, PA. Original papers on all aspects of electronic crime are solicited for submission to eCrime '07. Topics of relevance include but are not limited to:
- Phishing, pharming, click-fraud, crimeware, extortion and emerging attacks.
- Technical, legal, political, social and psychological aspects of fraud and fraud prevention.
- Techniques to assess the risks and yields of attacks and the success rates of countermeasures.
- Delivery techniques, including spam, voice mail and rank manipulation; and countermeasures.
- Spoofing of different types, and applications to fraud.
- Techniques to avoid detection, tracking and takedown; and ways to block such techniques.
- Honeypot design, datamining, and forensic aspects of fraud prevention.
- Design and evaluation of user interfaces in the context of fraud and network security.
- Best practices related to digital forensics tools and techniques, investigative procedures, and evidence acquisition, handling and preservation.
-------------------------------------------------------------------------

WISA 2007 8th International Workshop on Information Security Applications, Jeju Island, Korea, August 27-29, 2007.
http://www.wisa.or.kr/
(Submissions due 19 May 2007)

The focus of the 8th International Workshop on Information Security Applications (WISA 2007) is on all technical and practical aspects of cryptographic and non-cryptographic security applications. The workshop will serve as a forum for new results from the academic research community as well as from industry. The areas of interest include, but are not limited to:
- Internet & Wireless Security
- E-Commerce Protocols
- Access Control & Database Security
- Biometrics & Human Interface
- Network Security & Intrusion Detection
- Security & Trust Management
- Digital Rights Management
- Secure Software & Systems
- Information Hiding & Watermarking
- Information Security Management
- Computer Forensics & Cyber Indication
- Smart Cards & Secure Hardware
- Mobile & Application Security
- Privacy & Anonymity
- Public Key Crypto Applications
- Threats & Information Warfare
- Virus Protection & Applications
- Ubiquitous Computing Security
- Peer-to-Peer Security & Applications

-------------------------------------------------------------------------

SISW 2007 4th International IEEE Security in Storage Workshop, San Diego, California, USA, September 27, 2007.
http://ieeeia.org/sisw/2007/
(Submissions due 1 June 2007)

Stored information critical to individuals, corporations and governments must be protected, but the continually changing uses of storage and the exposure of storage media to adverse conditions make meeting that challenge increasingly difficult. Example uses include employment of large shared storage systems for cost reduction and, for convenience, wide use of transiently-connected storage devices offering significant capacities and manifested in many forms, often embedded in mobile devices.
Protecting intellectual property, personal records, health records, and military secrets when media or devices are lost, stolen, or captured is critical to information owners. To remain or become viable, activities that rely on storage technology require a comprehensive systems approach to storage security. This workshop serves as an open forum to discuss storage threats and the technology and deployment of countermeasures. The workshop seeks submissions from academia and industry presenting novel research on all theoretical and practical aspects of designing, building and managing secure storage systems; possible topics include, but are not limited to, the following:
- Cryptographic Algorithms for Storage
- Cryptanalysis of Systems and Protocols
- Key Management for Sector and File based Storage Systems
- Balancing Usability, Performance and Security concerns
- Unintended Data Recovery
- Attacks on Storage Area Networks and Storage
- Insider Attack Countermeasures
- Security for Mobile Storage
- Defining and Defending Trust Boundaries in Storage
- Relating Storage Security to Network Security
- Database Encryption
- Search on Encrypted Information

-------------------------------------------------------------------------

SECOVAL 2007 3rd Annual Workshop on the Value of Security through Collaboration, Held in conjunction with the 3rd International Conference on Security and Privacy in Communication Networks (SecureComm 2007), Nice, France, September 17-21, 2007.
http://www.trustcomp.org/secoval/
(Submissions due 3 June 2007)

This year SECOVAL is focusing upon a special research subtopic within the scope of collaborative security, namely, Privacy and Data Sanitization. Any useful collaboration is at some point sharing data. Unfortunately, data sharing is one of the greatest hurdles getting in the way of otherwise beneficial collaborations. Data regarding one's security stance is particularly sensitive, often indicating one's own security weaknesses.
This data could include computer or network logs of security incidents, architecture documents, or sensitive organizational information. Even when the data may not compromise the data owner's security stance, sharing may violate a customer's privacy. Data sanitization techniques such as anonymization, and other mechanisms such as privacy-preserving data mining and statistical data mining, try to address this tension between the need to share information and the need to protect sensitive information and user privacy. Topics of interest to the workshop include, but are not limited to:
- Legal aspects of privacy and anonymization
- Economic issues of privacy enhancing tech
- Data sanitizing and privacy enhancing tools
- Data sharing and anonymization case studies
- Real-time anonymization issues
- Anonymization policy creation & negotiation
- Data sharing & sanitizing best practices
- Anonymity in Peer-to-Peer networks
- Classification of attacks against anonymization
- Metrics of utility, anonymization strength and information loss
- Anonymization / privacy-preserving algorithms
- Data injection and inference attacks
- Identification of sensitive fields and data
- Privacy-preserving Data Mining
- Statistical databases and protection of sensitive information
- Data mining multiple anonymized data sources
- Consistent pseudonym mappings in multi-party anonymization
- Identification of data sources and types useful to share for collaborative computer security
- Insights from industry and case studies
- Usability issues of current anonymization tools

-------------------------------------------------------------------------

DIM 2007 3rd ACM Workshop on Digital Identity Management, Held in conjunction with the 14th ACM Conference on Computer and Communications Security (CCS 2007), Fairfax, VA, USA, November 2, 2007.
http://www2.pflab.ecl.ntt.co.jp/dim2007/
(Submissions due 15 June 2007)

To ensure that the emerging identity management technologies are accepted by end-users, we must reconcile (or strike the right balance between) two goals that are generally thought to be contradictory: the usability of the systems on one hand and their security and privacy on the other. The aim of this workshop is to gather vendors, users, and researchers in the areas of identity management, to discuss and provide recommendations for the best approaches for making implementable and deployable improvements to the usability of identity management. Topics of particular interest include (but are not limited to):
- User interaction design for identity management
- Social identity
- User centric identity
- Expressing trustworthiness of identity management to users
- Empirical analysis of usability problems with identity management systems
- Evaluation methodologies for usability of identity management systems
- Novel user interface technologies for identity management
- Privacy enhanced user interaction
- User education on identity management
- Elicitation of privacy preferences from end users
- Identity theft prevention
- User-readable privacy policies
- Methodologies and interfaces for managing multiple identities including delegation
- Privacy-enhancing identity management
- Consistent UI for identity transactions

-------------------------------------------------------------------------

IEEE Software, Special Issue on Security for the Rest of Us: An Industry Perspective on the Secure Software Challenge, January/February 2008.
http://www.computer.org/portal/site/software/menuitem.538c87f5131e26244955a4108bcd45f3/index.jsp?&pName=software_level1&path=software/content&file=edcal.xml&xsl=article.xsl&
(Submission Due 1 July 2007)

Guest editors: Konstantin Beznosov (University of British Columbia, Canada) and Brian Chess (Fortify Software)

The public need for good software security becomes more acute every day. Typical activities - including selecting, purchasing, and consuming services and products, conducting business, and holding national elections - increasingly depend on secure software. While security was once a specialty of interest to only a small number of developers, it's now a critical topic for almost all software developers, project managers, and decision makers. The world's software industry includes thousands of software vendors from humongous enterprises to one-person shops, and the industry as a whole must face the software security challenge. This special issue will report on the state of practice and recent advances related to software security in a wide range of industrial application domains. It will explore practical and pragmatic ways of engineering secure software that can be applied by a wide range of development teams. The issue will report on:
- Practical tools and methods for detecting or preventing security-relevant defects
- Practical approaches to incorporating security as part of different stages of the software development process (requirements, architecture, design, implementation, testing, etc.)
- The economic motivation for creating secure software
- Attacks and vulnerabilities: common ways that security fails in modern industrial software

-------------------------------------------------------------------------

NordSec 2007 12th Nordic Workshop on Secure IT Systems, Reykjavik, Iceland, October 11-12, 2007.
http://www.ru.is/nordsec2007/
(Submissions due 23 July 2007)

Since 1996, the NordSec workshops have brought together computer security researchers and practitioners from the Nordic countries, Northern Europe, and elsewhere.
The workshop is focused on applied computer security and is intended to encourage interchange and cooperation between research and industry. Topics include, but are not limited to, the following areas of computer security:
- Applied Cryptography
- Commercial Security Policies and Enforcement
- Communication and Network Security
- Computer Crime and Information Warfare
- Hardware and Smart Card Applications
- Internet and Web Security
- Intrusion Detection
- Language-based Techniques for Security
- New Ideas and Paradigms in Security
- Operating System Security
- PKI Systems and Key Escrow
- Privacy and Anonymity
- Security Education and Training
- Security Evaluations and Measurements
- Security Management and Audit
- Security Models
- Security Protocols
- Social-Engineering and Phishing
- Software Security, Attacks, and Defenses
- Trust and Trust Management

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

http://cisr.nps.edu/jobscipher.html

--------------

This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html

Jeff DeMello
Owner
DeMello Video & Photo Services
6110 Garnica Court
Stockton, CA 95215-1200
209.931.9700 - office
209.931.9701 - fax
877.DEMELLO - toll free
www.demellovideo.com
jeff@demellovideo.com

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two ways to subscribe:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe".

OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".
OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL
http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.
_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy by completing the on-line form at IEEE at
http://www.computer.org/TCsignup/index.htm

______________________________________________________________________
TC Publications for Sale
______________________________________________________________________

IEEE Security and Privacy Symposium

The 2006 Symposium proceedings and 11-year CD are sold out. The 2005 Symposium proceedings are available for $20 plus shipping and handling. The 2004 proceedings are $15 plus shipping and handling; the 2003 proceedings are $15 plus shipping and handling. A CD of the 2000-2001 proceedings is $15 plus shipping and handling. Shipping is $4.00/volume within the US, overseas surface mail is $7/volume, and overseas airmail is $11/volume, based on an order of 3 volumes or less. The shipping charge for a CD is $1 per CD (no charge if included with a hard copy order). Send a check made out to the IEEE Symposium on Security and Privacy to the Symposium Treasurer (see officers, below) with the order description, including shipping method, and send email to Deborah Shands (shands@aero.org) with the shipping address, please.

IEEE CS Press

Back issues of TC publications may be available; contact Jonathan Millen for information about the Computer Security Foundations Workshop.

______________________________________________________________________
TC Officer Roster
______________________________________________________________________

Chair:
Jonathan Millen
The MITRE Corporation
Mail Stop S119
202 Burlington Road Rte. 62
Bedford, MA 01730-1420
781-271-51 (voice)
jmillen@mitre.org

Security and Privacy Chair Emeritus:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Salem, UT 84653
oakland06-chair@ieee-security.org

Vice Chair:
Prof. Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department
Code CS/IC
Monterey CA 93943-5118
(831) 656-2461 (voice)
irvine@cs.nps.navy.mil

Chair, Subcommittee on Academic Affairs:
Prof. Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department
Code CS/IC
Monterey CA 93943-5118
(831) 656-2461 (voice)
irvine@cs.nps.navy.mil

Chair, Subcommittee on Standards:
David Aucsmith
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
425-706-9225 (voice)
425-936-7329 (fax)
awk@microsoft.com

Chair, Subcomm. on Security Conferences:
Jonathan Millen
The MITRE Corporation
Mail Stop S119
202 Burlington Road Rte. 62
Bedford, MA 01730-1420
781-271-51 (voice)
jmillen@mitre.org

Security and Privacy Symposium 2007 General Chair:
Deborah Shands
The Aerospace Corporation
El Segundo, CA
oakland07-chair@ieee-security.org

Newsletter Editor and Technical Committee Treasurer:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Salem, UT 84653
cipher-editor@ieee-security.org, treasurer@ieee-security.org

________________________________________________________________________

BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year