============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 79                                           July 19, 2007

Hilarie Orman, Editor                      Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org          cipher-assoc-editor @ ieee-security.org

Yong Guan, Book Review Editor              Calendar Editor
cipher-bookrev @ ieee-security.org         cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year

Contents:

* Letter from the Editor
* News
  o SIGSAC award nominations are open
  o NIST requests comments on three drafts related to cryptography
  o National Academies release cybersecurity report
* Commentary and Opinion
  o Reviews of selected 5-minute talks of the Security and Privacy
    Symposium 2007 (Oakland/Berkeley, California, May 20-23, 2007)
    by Tom Hinke
  o Richard Austin's review of "Security Metrics: Replacing Fear,
    Uncertainty and Doubt" by Andrew Jaquith
  o Book reviews, Conference Reports and Commentary and News items from
    past Cipher issues are available at the Cipher website
* Conference and Workshop Announcements
  o Upcoming calls-for-papers and events
* List of Computer Security Academic Positions, by Cynthia Irvine
  o Doctoral position in cryptography at INRIA
* Staying in Touch
  o Information for subscribers and contributors
  o Recent address changes
* Links for the IEEE Computer Society TC on Security and Privacy
  o Becoming a member of the TC
  o TC Officers
  o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

We have a good selection of articles for
the summer doldrums, and I hope that many of you are traveling to cool
climates to attend security conferences during the season. Please consider
donating a conference review to Cipher.

Staying at home and reading a good book? If it is a computer security book,
consider writing a review for Cipher. And if the latest news about security
flaws in operating systems or applications causes you to shake your head in
dismay, send it on to Cipher for the enjoyment of our readers.

Thought for the summer: are firewalls contributing to global warming?
Discuss amongst yourselves.

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
News Briefs
====================================================================

____________________________________________________________________
ACM SIGSAC Awards
Contributed by Pierangela Samarati
____________________________________________________________________

ACM SIGSAC AWARDS

ACM SIGSAC is offering two annual awards: SIGSAC Outstanding Innovation
Award and SIGSAC Outstanding Contributions Award. At most one award is
given each year in each category. The award criteria are as follows:

- SIGSAC Outstanding Innovation Award: This award is given for outstanding
  and innovative technical contributions to the field of computer and
  communication security that have had lasting impact in furthering or
  understanding the theory or development of secure systems.

- SIGSAC Outstanding Contribution Award: This award is given for
  significant contribution to the field of computer and communication
  security through fostering research and development activities,
  educating students, or providing professional services such as the
  running of professional societies and conferences.

The SIGSAC Awards Committee is now open to receiving nominations for the
awards. The awards will be presented at the ACM Conference on Computer and
Communications Security, Alexandria, VA, USA, October 29 - November 2, 2007.
NOMINATION PROCESS: Each nomination should be co-sponsored by at least 3
people. Email co-sponsorship is accepted. Nominations should include a
proposed citation (up to 25 words), a succinct (100-250 words) description
of the innovation/contribution, and a detailed statement (1-2 pages) to
justify the nomination as well as other supporting materials. Nominations
should be submitted via e-mail (with subject "SIGSAC Innovation/Contribution
Award nomination") to the chair of the SIGSAC Awards Committee:
Pierangela Samarati (samarati@dti.unimi.it).

DEADLINE FOR NOMINATIONS: Deadline for receiving nominations is
August 18, 2007.

EXCLUSIONS: The SIGSAC Awards Committee chair and members are not eligible
to be nominated for either Award.

The details related to the nomination process and administration of the
awards are posted at http://www.acm.org/sigs/sigsac/awards.html.

SIGSAC AWARDS COMMITTEE
Pierangela Samarati, University of Milan (Chair)
Virgil Gligor, University of Maryland
John McLean, Naval Research Laboratory
Jon Millen, The MITRE Corporation

------------------------------------------------------------------
2006 SIGSAC AWARDS RECIPIENTS
SIGSAC Outstanding Innovation Award: Michael Schroeder
SIGSAC Outstanding Contributions Award: Eugene Spafford

2005 SIGSAC AWARDS RECIPIENTS
SIGSAC Outstanding Innovation Award: Whitfield Diffie
SIGSAC Outstanding Contribution Award: Peter G. Neumann

News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html

_________________________________________________________________________
NIST Releases New Reports
received June 28, 2007 from Elaine Barker
_________________________________________________________________________

NIST has recently revised the Draft "NIST Special Publication 800-38D",
which specifies the Galois/Counter Mode (GCM). The document is available
for your review from the draft publications page on the NIST web site, via
http://csrc.nist.gov/publications/drafts.html .
NIST welcomes public comments on the draft until July 30, 2007; comments
may be sent to EncryptionModes@nist.gov.

NIST announces the release of Draft FIPS 198-1, "The Keyed-Hash Message
Authentication Code (HMAC)". The draft FIPS 198-1 is the proposed revision
of FIPS 198. Comments will be accepted through September 10, 2007. Comments
may be sent to proposed198-1@nist.gov with "Comments on Draft 198-1" in
the subject line. The draft is available at
http://csrc.nist.gov/publications/drafts.html

NIST announces the release of Draft FIPS 180-3, "Secure Hash Standard
(SHS)". The draft FIPS 180-3 is the proposed revision of FIPS 180-2.
Comments will be accepted through September 10, 2007. Comments may be sent
to Proposed180-3@nist.gov with "Comments on Draft 180-3" in the subject
line. The draft is available at http://csrc.nist.gov/publications/drafts.html

Elaine Barker
National Institute of Standards and Technology
100 Bureau Drive, Stop 8930
Gaithersburg, MD 20899-8930
301-975-2911

_________________________________________________________________________
National Academies Report on Cyber Security
Received June 26, 2007
Contributed by Gene Spafford
_________________________________________________________________________

The National Academies today released a major report on the state of cyber
security and cyber security research. The news announcement is here:
http://www.nas.edu/morenews/20070626.html . The url for the report is
http://books.nap.edu/catalog.php?record_id=11925. You can read it online
for free, or purchase print or PDF copies. The table of contents is
available at that URL.
====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/BookReviews.html, and conference
reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Selected 5-Minute Talks from Security and Privacy Symposium 2007
Oakland/Berkeley, California, May 20-23, 2007
by Tom Hinke
____________________________________________________________________

FIND (Future Internet Design)
by Darleen Fisher, NSF program manager.

NSF is interested in research topics not constrained by features of the
current Internet and seeks input from all sources (not just potential
PIs). Check NSF CISE Directorate pages or the program manager for more
information.

-------------
Cyber Trust
by Karl Levitt, NSF program manager.

His program areas include GENI and FIND. He is interested in research that
looks far into the future. Congress wants solutions to spam and phishing.
NSF provides 86% of computer security research money. GENI - Global
Environment of Networking Innovations, which will use state-of-the-art
technology. Grand challenge competition to eliminate spam, support
internet voting, support for unhackable servers. Held a Safe Computing
workshop in November 2006. Check NSF CISE Directorate pages or the program
manager for more information.

-------------
SEED: Developing a Suite of Instructional Labs for Computer Security
Wenliang (Kevin) Du, Syracuse University

This is an NSF funded project to develop laboratories for computer
security teaching. Labs support rule-based access control, capabilities,
encrypted file systems, access control lists, sandboxes, IPSec, mandatory
access control, firewalls, intrusion detection systems, and
vulnerabilities.
-------------
Verification Across Intellectual Property Boundaries
Helmut Veith, Technical University Munich

This addresses how to do verification of software without viewing source
code. See their CAV07 paper
(http://www.sei.cmu.edu/staff/chaki/publications/CAV-2007.html).

-------------
Whitelisting: the Future of Intrusion Detection
Kevin Borders

This is an approach to security that tries to identify all good
activities, and then flag everything else. See
http://www.webtapsecurity.com . Every organization will have a different
whitelist, while blacklists are usually the same for everyone. Mimicry is
the problem - bad looking like good. See their CCS 2004 paper, Web Tap:
Detecting Covert Web Traffic.

-------------
Development of Compositionally Verifiable Trustworthy Systems
Rance DeLong

This is the use of separation kernels as originally suggested by John
Rushby. Mentioned that there was a separation kernel Common Criteria
Protection Profile. Also mentioned that separation kernels are actually
being used or proposed for some next-generation DoD aircraft projects,
such as the F-22 and F-35.

There exists a draft Common Criteria Protection Profile
[http://niap.bahialab.com/pp/draft_pps/pp_draft_skpp_hr_v0.621.pdf] for
separation kernels entitled "U.S. Government Protection Profile for
Separation Kernels in Environments Requiring High Robustness." The
following, taken from this Protection Profile, provides a good description
of the function of a separation kernel:

"Unlike the traditional Security Kernel that performs all trusted
functions for a secure operating system, a Separation Kernel's primary
security function is to partition (viz. separate) the subjects and
resources of a system into policy-based equivalence classes, and to
control information flows between partitions. The partitions and
information flow policies are defined by the Separation Kernel's
configuration data.
A Separation Kernel evaluated against this PP provides the trusted
foundation for use in security critical and complex applications whose
security requirements are not addressed by this PP."

Note that separation kernels can be used for more than separation of
processing by confidentiality levels. They can also be used to separate
processing for integrity.

-------------
CyberCIEGE: A Computer Security Video Game
Cynthia Irvine, Naval Postgraduate School

A SIM-like computer security game in which players attempt to defend their
virtual sites against malicious activities. See
http://cisr.nps.edu/cyberciege/

____________________________________________________________________
Book Review By Richard Austin
07/17/07

Security Metrics: Replacing Fear, Uncertainty and Doubt
by Andrew Jaquith
____________________________________________________________________

Addison Wesley 2007.
ISBN 0-321-34998-9
Amazon $32.99 (USD)   Bookpool $31.50 (USD)

We continue our quest for numeracy in this month's review. At just over
300 pages, this is a much less imposing tome than Herrmann's "Complete
Guide" (reviewed in Cipher E78) and will be an easier read for the busy
security manager or professional.

The book opens with a charming description of the "Hamster Wheel of Pain,"
which describes security programs whose efforts are locked in a
never-ending cycle: identify vulnerabilities, apply fixes, enjoy a brief
respite, reassess to find new vulnerabilities, panic, apply more fixes,
and repeat. This process generates a lot of numbers and can document a lot
of activity, but it really doesn't answer the troubling question "So how
ARE we doing, really?" Jaquith takes this question a bit further when he
alleges that the time for risk management as a guiding principle of
information security has passed.
He bases this rather astonishing observation on the fact that "nobody has
a handle on the asset valuation part of the equation" (p. 5), which
renders any value-based assessment of risk highly questionable. He
proposes to replace what has passed as "risk management" with key
indicators that measure the health of the security operations directly.

The next chapter delves into how one defines realistic security metrics
and also, unfortunately, reveals the lackluster technical editing which
will plague the entire book. He dismisses qualitative metrics as
unreliable because of difficulties in defining and measuring them in a
consistent fashion and prefers metrics that refer to things that can be
quantitatively measured or counted. The first editing faux pas occurs on
p. 32, where a web page on annualized loss expectancy (ALE) calculations
is reproduced with many errors, including the startling statement that it
is worthwhile to implement the example control even though its cost is
"less than the expected losses due to the threat." Fortunately, the
included web citation allows one to retrieve the correct version of the
page.

Chapter 3 begins the presentation of actual metrics with those relevant to
measuring technical security measures. He begins by walking the reader
through a realistic case study that illustrates his approach to metrics in
general as providing answers to relevant questions. The basic question for
the case study is "Are my Internet facing applications secure?" Jaquith
treats this question as an overall hypothesis (that Internet-facing
applications are secure) that can be falsified by measurement. He breaks
the overall hypothesis into sub-hypotheses that must hold for the overall
hypothesis to be true. Each sub-hypothesis must be falsifiable by
measurement or it is rejected from consideration. From each
sub-hypothesis, diagnostic questions are developed to guide the selection
or development of metrics.
Suggested metrics dealing with each question are defined and clearly
explained. However, this excellent foundation does get a bit marred by
some of the examples. On page 50, for example, "stopping 70,000 inbound
viruses" and stopping 500 outbound viruses is used to conclude that the
internal network is "cleaner than the outside environment by a factor of
140 to 1" by taking the ratio of 70,000 to 140. Since it is not at all
surprising that an internal network of perhaps a few thousand hosts would
produce fewer viruses than the Internet composed of millions of hosts, the
differing scales of the two measurements make this a glaring example of
comparing mice and elephants when concluding that one is "cleaner" than
the other. Some of the metrics also exhibit a naivete that is surprising -
for example, on page 70, we are told that "host uptime for critical hosts
helps characterize the overall availability of these resources." Host
uptime is an easily gathered metric, but we're typically more interested
in whether the host is providing the relevant services, which can be much
harder to measure.

Chapter 4 provides a welcome look at how one can measure the effectiveness
of a security program and is likely the most useful chapter in the book.
Using broad categories taken from COBIT, realistic metrics are defined for
each of the control objectives. For example, to deal with the control
objective of "Assess and manage IT risks," he proposes metrics that count
the number of critical assets and functions that reside on systems
compliant with the organization's security policies and standards, that
have estimates of the costs of compromise, documented risk assessments and
so on. While not as exotic as many metrics that have been proposed in this
area, these have the virtues of being easily defined and realistically
measured.

Chapter 5 presents a very brief introduction to the subject of data
analysis.
The usual statistical measures are trotted out and some of the weaknesses
of averages, assuming the Gaussian distribution (the normal assumption),
etc., are very lightly covered. I would have liked to see more coverage of
the limitations of means/standard deviations for real-life distributions
that seldom exhibit Gaussian perfection. While he does introduce the
median and quartiles, the treatment is sketchy and would have benefited
from more background and details.

Chapter 6 provides a quick romp through the important subject of
visualization of information. Good advice on avoiding the common gaffes of
3-D charts, superfluous labels and other "chart junk" is given and
illustrated. Unfortunately, the slap-dash editing weakens the
presentation - Jaquith discusses some illustrations as if they were shown
in color as opposed to grayscale, and some of the illustrations were so
mangled in their reproduction that they commit the very sins he counsels
us to avoid.

Chapter 7 discusses automating metric calculations and provides good
advice on requirements and process. He presents a tabular metrics life
cycle which would be a useful tool for organizing the metrics process in
general.

The final chapter discusses the design of security scorecards, which
summarize the entire purpose of the book - we must be able to present the
results of a security program in a concise and meaningful form to the
organization's management. Niven's "Balanced Scorecard" is used as a
model, and the presentation would have been strengthened by a case study
with an example balanced scorecard.

In summary, this is a good introductory book to the metrics process in
information security and is a recommended read for the professional new to
the area or a manager seeking guidance on how a security metrics program
should be designed and built.
While it lacks the structured detail of Herrmann's "Complete Guide", it is
nonetheless a gentler introduction that will likely introduce many more
readers to this important area.

------------
Richard Austin recently retired from his position as the SAN security
architect for a Fortune 25 company and now earns his bread and cheese as
an itinerant university instructor and private consultant. He can be
reached at rda7838@kennesaw.edu and welcomes your thoughts and comments.

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

http://cisr.nps.edu/jobscipher.html

--------------
This job listing is maintained as a service to the academic community. If
you have an academic position in computer security and would like to have
it included on this page, send the following information: Institution,
City, State, Position title, date position announcement closes, and URL of
position description to: irvine@cs.nps.navy.mil
---------------------------------------------

_________________________________________________________________________________________
Received June 29, 2007:

At the INRIA Sophia-Antipolis (France), a PhD position for three years is
available on a research project devoted to

    Code-based techniques for proved provable cryptography

Starting date of this PhD position: as soon as possible.
_________________________________________________________________________________________

Background information
============================================================================================

No matter how carefully crafted cryptographic systems are, experience has
shown that effective attacks can remain hidden for years. Thus,
cryptographers increasingly advocate provable security, where new systems
are published with a rigorous definition of their security goals and a
mathematical proof that they meet their goals.
While the adoption of provable security significantly enhances confidence
in cryptosystems, their complexity and diversity keep increasing, and the
community has become aware that the point has been reached where it is no
longer viable to construct or verify cryptographic proofs by hand. Shoup
[Shoup04], Bellare and Rogaway [BeRo04], and Halevi [Halevi05] advocate
the construction of cryptographic proofs as sequences of probabilistic
games as a natural solution for taming the complexity of the task. The
basic idea of these works is to use a fully-specified programming language
to code those games and to use language-based techniques (observational
equivalence, program transformations) for manipulating and reasoning about
them.

Detailed description
=============================================================================================

The objective of the thesis is to provide the necessary infrastructure to
formalize game-based proofs, and to use the infrastructure to prove the
correctness of cryptographic schemes and information flow type systems for
languages with cryptographic primitives.

During the first year of the thesis, the objective is to contribute to the
formalization of a probabilistic programming language of games, to develop
the machinery required for game-based proofs (e.g. reflective tactics that
synthesize necessary conditions for guaranteeing observational
equivalence) and to formalize a library of security properties expressed
in a game-based setting.

The objective of the second year is to develop tactics for the game
transformations described in [BeRo04] (thus dealing with program
optimizations, as well as transformations specific to game-based proofs).
In order to validate the applicability of the setting, the student shall
simultaneously perform small-size case studies. At the end of the second
year, a formalization of security proofs of selected cryptographic schemes
should be complete.
The objective of the third year is to extend these results to the
verification of cryptographic protocols.

We also expect the student to be marginally involved in machine checking
proofs of computational soundness of information flow type systems for
languages with cryptographic primitives, since many of the libraries that
will be developed by the student will also be useful for this purpose.

At the end of the thesis, the student will have a double expertise in
cryptography and machine-checked proofs using the Coq proof assistant, and
have published in conferences in cryptography, programming languages, and
verification.

Candidates should preferably have experience in using Coq or similar proof
assistants. Background knowledge in cryptography is greatly appreciated
but not required.

Relevant literature

[Shoup04] V. Shoup. Sequences of games: a tool for taming complexity in
security proofs. Cryptology ePrint Archive, Report 2004/332. November 2004.

[BeRo04] M. Bellare and P. Rogaway. The security of triple encryption and
a framework for code-based game-playing proofs. Advances in Cryptology -
Eurocrypt 2006, LNCS 4004, Springer, pp. 409-426, 2006.

[Halevi05] S. Halevi. A plausible approach to computer-aided cryptographic
proofs. Cryptology ePrint Archive, Report 2005/181. June 2005.
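As an added worked illustration of the sequence-of-games style that the
announcement describes (this is the editor's example, not part of the INRIA
text or of the cited papers), the following carries a textbook proof through
three games. The scheme and symbols are assumed for the illustration: F is a
pseudorandom function with key K on n-bit strings, Enc_K(M) = (R, F_K(R) xor M)
with R fresh and uniform, A is an adversary making q left-or-right queries
that guesses the hidden bit b, and S_i is the event that A guesses correctly
in game G_i.

```latex
% Added example (not from the announcement). Assumed scheme:
%   Enc_K(M) = (R, F_K(R) \oplus M),  R uniform in \{0,1\}^n,
% A makes q left-or-right queries (M_0, M_1) and outputs a guess b'.
% S_i is the event b' = b in game G_i.

% G_0: the real IND-CPA game; the oracle answers (R, F_K(R) \oplus M_b).
\mathrm{Adv}^{\mathrm{ind\text{-}cpa}}_{Enc}(A) = 2\Pr[S_0] - 1.

% G_1: replace F_K by a truly random function \rho.  A distinguisher B
% for F runs A, answers A's queries with its own oracle, and outputs 1
% iff A guesses correctly; B's advantage is exactly the gap:
\left|\Pr[S_0] - \Pr[S_1]\right| \le \mathrm{Adv}^{\mathrm{prf}}_{F}(B).

% G_2: answer each query with a fresh uniform pad P instead of \rho(R),
% and set bad if some R repeats.  G_1 and G_2 behave identically until
% bad is set, so the fundamental lemma of game playing [BeRo04] bounds
% the gap by the probability that q uniform n-bit values collide:
\left|\Pr[S_1] - \Pr[S_2]\right| \le \Pr[\mathrm{bad}]
  \le \binom{q}{2}\,2^{-n} = \frac{q(q-1)}{2^{n+1}}.

% In G_2 every ciphertext (R, P \oplus M_b) is uniform and independent
% of b, so A can do no better than guessing:
\Pr[S_2] = \tfrac{1}{2}.

% Telescoping the three games gives the final concrete-security bound:
\mathrm{Adv}^{\mathrm{ind\text{-}cpa}}_{Enc}(A)
  = 2\bigl(\Pr[S_0] - \Pr[S_2]\bigr)
  \le 2\bigl(\left|\Pr[S_0]-\Pr[S_1]\right| + \left|\Pr[S_1]-\Pr[S_2]\right|\bigr)
  \le 2\,\mathrm{Adv}^{\mathrm{prf}}_{F}(B) + \frac{q(q-1)}{2^{n}}.
```

Each hop is the kind of step the announcement expects to be mechanised:
G_0 to G_1 is a reduction, G_1 to G_2 is an identical-until-bad
transformation, and G_2 is closed by an observational-equivalence argument.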
Information and application
---------------------------

For further information about these positions please contact either:

Gilles Barthe          Gilles.Barthe@sophia.inria.fr
Benjamin Grégoire      Benjamin.Gregoire@sophia.inria.fr
_________________________________________________________________________________________

====================================================================
Conference and Workshop Announcements
====================================================================

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Calendar of Security and Privacy Related Events
maintained by Hilarie Orman

Date (Month/Day/Year), Event, Locations, web page for more info.
 7/18/07- 7/20/07: Symposium On Usable Privacy and Security (SOUPS), Pittsburgh, PA; http://cups.cs.cmu.edu/SOUPS/
 7/18/07:          Workshop on Usable IT Security Management (USM), Carnegie Mellon University in Pittsburgh, PA; no proceedings; http://cups.cs.cmu.edu/soups/2007/usm.html
 7/23/07:          Nordic Workshop on Secure IT Systems (NordSec), Reykjavik, Iceland; Submissions are due; http://www.ru.is/nordsec2007/
 7/27/07:          Asian Computing Science Conference, Focusing on Computer and Network Security (ASIAN), Doha, Qatar; Submissions are due; info: asian07@qatar.cmu.edu; http://www.qatar.cmu.edu/asian07
-------
 8/ 1/07- 8/ 3/07: Wireless Algorithms, Systems and Applications (WASA), Chicago, IL; http://www.wasaconf.org/index.html
 8/ 3/07:          Trustworthy Global Computing (TGC), Sophia-Antipolis, France; Submissions are due; http://www-sop.inria.fr/everest/tgc/tgc07
 8/ 6/07- 8/10/07: USENIX Security Symposium (USENIXSEC), Boston, MA; info: sec07chair@usenix.org; http://www.usenix.org/sec07/cfpa/
 8/ 6/07:          USENIX/ACCURATE Electronic Voting Technology Workshop (EVT), Boston, Massachusetts; info: evt07chairs@usenix.org;
 8/ 6/07- 8/ 7/07: DETER Experimenters' Workshop, Boston, MA; http://www.usenix.org/sec07
 8/12/07- 8/15/07: Symposium on the Principles of Distributed Computing (PODC), Portland, Oregon; http://www.podc.org/podc2007
 8/13/07- 8/15/07: Digital Forensic Research Workshop (DFRWS), Pittsburgh, PA; http://www.dfrws.org/
 8/19/07- 8/23/07: IACR CRYPTO (CRYPTO), Santa Barbara, CA; http://www.iacr.org/conferences/crypto2007/cfp.html
 8/22/07- 8/24/07: CHINACOM (CHINACOM), Shanghai, China; http://www.chinacom.org
 8/26/07- 8/31/07: School for PhD and Researchers on Security for Wireless Networking (SWING), Bertinoro, Italy; http://www.dsi.uniroma1.it/~swing07
 8/27/07- 8/31/07: ACM Special Interest Group on Communications (SIGCOMM), Kyoto, Japan; info: francis@cs.cornell.edu; http://www.sigcomm.org/sigcomm2007/
 8/27/07- 8/29/07: Workshop on Information Security Applications (WISA), Jeju Island, Korea; http://www.wisa.or.kr
 8/27/07- 8/28/07: Workshop on Digital Forensics and Incident Analysis (WDFIA), Samos, Greece; info: wdfia07@aegean.gr; http://www.aegean.gr/wdfia07
 8/29/07- 8/31/07: Information Assurance and Security (IAS), Manchester, United Kingdom; http://www.ias07.org/
-------
 9/ 1/07:          EURASIP Journal on Advances in Signal Processing, Special Issue on Advances in Signal Processing in Network Intrusion Detection Systems; Submissions are due; http://www.ieee-security.org/Calendar/cfps/cfp-SI-NetwkIntrus.html
 9/ 3/07- 9/ 7/07: Trust, Privacy, and Security in Digital Business (TrustBus), Regensburg, Germany; info: AMin@ifs.tuwien.ac.at; http://www.icsd.aegean.gr/trustbus07/
 9/ 3/07- 9/ 7/07: Workshop on Internet Communications Security (WICS), Regensburg, Germany; http://aspects.uc3m.es/wics07
 9/ 3/07:          Security Issues in Concurrency (SecCo), Lisboa, Portugal; http://www.dsi.uniroma1.it/~gorla/SecCo07/
 9/ 5/07- 9/ 7/07: Recent Advances in Intrusion Detection (RAID), Brisbane, Australia; info: g.mohay@qut.edu.au; http://www.isi.qut.edu.au/go/raid07
 9/ 5/07- 9/ 7/07: Workshop on Elliptic Curve Cryptography (ECC), University College Dublin, Ireland; info: gary.mcguire@ucd.ie; http://www.shannoninstitute.ie/conferences.htm
 9/ 8/07:          Symposium on Applied Computing, Track on Trust, Recommendations, Evidence and other Collaboration Know-how (SAC-TRECK), Ceará, Brazil; Submissions are due; info: Jean-Marc.Seigneur@trustcomp.org; http://www.acm.org/conferences/sac/sac2008/
 9/ 9/07- 9/15/07: International School on Foundations of Security Analysis and Design (FOSAD), Bertinoro, Italy; http://www.sti.uniurb.it/events/fosad07
 9/10/07- 9/13/07: Workshop on Cryptographic Hardware and Embedded Systems (CHES), Vienna, Austria; info: pascal.paillier@gemalto.com; http://www.chesworkshop.org/
 9/13/07- 9/15/07: Mathematical Methods, Models and Architectures for Computer Network Security (MMM-ACNS), Petersburg, Russia; info: spiiran@mail.iias.spb.su; http://www.comsec.spb.ru/mmm-acns07/
 9/15/07:          Wireless Network Security (WiSec), Alexandria, Virginia; Submissions are due; http://discovery.csc.ncsu.edu/WiSec08/
 9/17/07- 9/21/07: Security and Privacy for Communication Networks (SecureComm), Nice, France; http://www.securecomm.org
 9/18/07- 9/21/07: New Security Paradigms Workshop (NSPW), North Conway, New Hampshire; http://www.nspw.org/
 9/20/07:          Workshop on Network and System Security (NSS), Dalian, China; info: wanlei@deakin.edu.au; http://nss2007.cqu.edu.au
 9/25/07- 9/27/07: Dependable, Autonomic and Secure Computing (DASC), Columbia, MD; info: mike.hinchey@usa.net; http://www.DASC-conference.org/
 9/25/07:          Financial Cryptography and Data Security (FC), Cozumel, Mexico; Submissions are due; http://fc08.ifca.ai
 9/26/07:          Workshop on Security and Trust Management (STM), Dresden, Germany; info: stm07 at item.ntnu.no; http://www.item.ntnu.no/infosik/stm07/
-------
10/ 4/07:          Workshop on Embedded Systems Security (WESS), Salzburg, Austria; http://netsys.ece.upatras.gr/emsoft07/
10/ 4/07-10/ 5/07: Anti-Phishing Working Group (APWG) eCrime Researchers Summit (APWG), Pittsburgh, PA; http://www.ecrimeresearch.com/2007/cfp.html
10/ 4/07-10/ 5/07: European Conference on Computer Network Defence (EC2ND), Crete, Greece; http://2007.ec2nd.org/
10/ 8/07:          Asynchronous Circuits and Systems (ASYNC), Newcastle upon Tyne, UK; Abstracts are due; http://async.org.uk/async2008/
10/ 9/07-10/12/07: Information Security Conference (ISC), Valparaiso, Chile; info: info@isc07.cl; http://www.isc07.cl
10/11/07-10/12/07: Nordic Workshop on Secure IT Systems (NordSec), Reykjavik, Iceland; http://www.ru.is/nordsec2007/
10/15/07-10/17/07: Secure Information Systems (SIS), Wisla, Poland; http://www.imcsit.org/
10/28/07-10/30/07: Autonomic Computing and Communication Systems (AUTONOMICS), Rome, Italy; http://www.autonomics-conference.eu/
10/28/07:          Workshop on Privacy Aspects of Data Mining (PADM), Omaha, NE; info: padm@cimic.rutgers.edu; http://cimic.rutgers.edu/~padm
10/29/07-10/31/07: Workshop on Security (IWSEC), Nara, Japan; info: info@iwsec.org; http://www.iwsec.org/
10/29/07-11/ 2/07: ACM Conference on Computer and Communications Security (CCS), Alexandria, VA; http://www.acm.org/sigsac/ccs/CCS2007
10/29/07:          Quality of Protection (QoP), Alexandria, VA; http://www.qop-workshop.org
10/29/07:          ACM Digital Rights Management Workshop (DRM), Alexandria, VA; http://www.cse.uconn.edu/~drm2007
10/29/07:          Information and Communications Security Standards and Regulations (StaR_SEC), Alexandria, VA; info: StaR_SEC_2007@aegean.gr; http://www.aegean.gr/StaR_SEC_2007
-------
11/ 2/07:          Digital Identity Management (DIM), Fairfax, VA; no proceedings; http://www2.pflab.ecl.ntt.co.jp/dim2007/
11/ 2/07:          Workshop on Recurring Malcode (WORM), George Mason University, VA; http://www.auto.tuwien.ac.at/~chris/worm07.html
11/ 2/07:          Computer Security Architecture Workshop (CSAW), Fairfax, VA; http://www.rites.uic.edu/csaw
11/ 2/07:          Workshop on Scalable Trusted Computing (STC), Alexandria, VA; http://www.cs.utsa.edu/~shxu/stc07/
11/ 2/07:          Formal Methods in Security Engineering: From Specifications to Code (FMSE), George Mason University, Fairfax, VA; http://www.fmis.informatik.tu-darmstadt.de/fmse07/
11/ 5/07-11/ 6/07: Trustworthy Global Computing (TGC), Sophia-Antipolis, France; http://www-sop.inria.fr/everest/tgc/tgc07
-------
12/ 2/07-12/ 6/07: ASIACRYPT (ASIACRYPT), Kuching, Sarawak, Malaysia; info: asiacrypt2007@iacr.org; http://www.swinburne.edu.my/asiacrypt2007/
12/ 9/07-12/11/07: Asian Computing Science Conference, Focusing on Computer and Network Security (ASIAN), Doha, Qatar; info: asian07@qatar.cmu.edu; http://www.qatar.cmu.edu/asian07
12/10/07-12/14/07: Annual Computer Security Applications Conference (ACSAC), Miami Beach, Florida; http://www.acsac.org/
12/16/07-12/20/07: Information Systems Security (ICISS), Delhi, India; http://siis.cse.psu.edu/iciss07
-------
 1/28/08- 1/31/08: Financial Cryptography and Data Security (FC), Cozumel, Mexico; http://fc08.ifca.ai
 3/16/08- 3/20/08: Symposium on Applied Computing, Track on Trust, Recommendations, Evidence and other Collaboration Know-how (SAC-TRECK), Ceará, Brazil; info: Jean-Marc.Seigneur@trustcomp.org; http://www.acm.org/conferences/sac/sac2008/
 3/18/08- 3/20/08: Symposium on Information, Computer and Communications Security (ASIACCS), Tokyo, Japan; http://www.rcis.aist.go.jp/asiaccs08/
 3/31/08- 4/ 2/08: Wireless Network Security (WiSec), Alexandria, VA; http://discovery.csc.ncsu.edu/WiSec08/
 4/ 7/08- 4/11/08: Asynchronous Circuits and Systems (ASYNC), Newcastle upon Tyne, UK; http://async.org.uk/async2008/

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers (new since Cipher E78)
____________________________________________________________________

-------------------------------------------------------------------------
NordSec 2007
12th Nordic Workshop on Secure IT Systems, Reykjavik, Iceland,
October 11-12, 2007. http://www.ru.is/nordsec2007/
(Submissions due 23 July 2007)

Since 1996, the NordSec workshops have brought together computer security
researchers and practitioners from the Nordic countries, Northern Europe,
and elsewhere. The workshop is focused on applied computer security and is
intended to encourage interchange and cooperation between research and
industry.
Topics include, but are not limited to, the following areas of computer security:
- Applied Cryptography
- Commercial Security Policies and Enforcement
- Communication and Network Security
- Computer Crime and Information Warfare
- Hardware and Smart Card Applications
- Internet and Web Security
- Intrusion Detection
- Language-based Techniques for Security
- New Ideas and Paradigms in Security
- Operating System Security
- PKI Systems and Key Escrow
- Privacy and Anonymity
- Security Education and Training
- Security Evaluations and Measurements
- Security Management and Audit
- Security Models
- Security Protocols
- Social-Engineering and Phishing
- Software Security, Attacks, and Defenses
- Trust and Trust Management

-------------------------------------------------------------------------
ASIAN 2007
12th Annual Asian Computing Science Conference Focusing on Computer and Network Security, Carnegie Mellon University, Doha, Qatar, December 9-11, 2007.
http://www.qatar.cmu.edu/asian07
(Submissions due 27 July 2007)

The ASIAN conference series provides a forum for researchers throughout Asia to present cutting-edge results in yearly-themed areas of Computer Science, to discuss advances in these fields, and to interact with researchers from other continents. The 2007 edition focuses on computer and network security. New results in the fields of computer and network security are welcome. Also welcome are more exploratory presentations, which may examine open questions and raise fundamental concerns about existing theories and practices.

Topics of interest include, but are not limited to:
- Access control
- Database security
- Privacy and Anonymity
- Cryptographic protocols
- Trust and trust management
- Authentication
- Digital rights management
- Executable content
- Language-based security
- Formal methods for security
- Data and system integrity
- Distributed systems security
- Security for mobile computing
- Wireless network security
- Denial-of-service and prevention
- Intrusion detection and avoidance
- Digital forensics
- Vulnerabilities and risk management
- Secure electronic commerce
- Secure software engineering

-------------------------------------------------------------------------
TGC 2007
The Symposium on Trustworthy Global Computing, Sophia-Antipolis, France, November 5-6, 2007.
http://www-sop.inria.fr/everest/tgc/tgc07
(Submissions due 27 July 2007)

The Symposium on Trustworthy Global Computing is an international annual venue dedicated to safe and reliable computation in global computers. It focuses on providing tools and frameworks for constructing well-behaved applications and for reasoning about their behaviour and properties in models of computation that incorporate code and data mobility over distributed networks with highly dynamic topologies and heterogeneous devices.
We solicit papers in all areas of global computing, including (but not limited to):
- theories, models and algorithms for global computing and service-oriented computing
- language concepts and abstraction mechanisms
- security through verifiable evidence
- information flow and resource usage policies
- verification of cryptographic protocols and their use
- trust, access control and security enforcement mechanisms
- self configuration, adaptation, and dynamic components management
- software principles to support debugging and verification
- test generators, symbolic interpreters, type checkers
- model checkers, theorem provers
- privacy, reliability and business integrity

-------------------------------------------------------------------------
ICICS 2007
9th International Conference on Information and Communications Security, Zhengzhou, Henan Province, China, December 12-15, 2007.
http://www.icics2007.org.cn/
(Submissions due 1 August 2007)

The 2007 International Conference on Information and Communications Security will be the 9th event in the ICICS conference series, started in 1997, that brings together individuals involved in multiple disciplines of Information and Communications Security in order to foster exchange of ideas. Original papers on all aspects of information and communications security are solicited for submission to ICICS 2007.

Areas of interest include, but are not limited to:
- Access Control
- Anti-Virus and Anti-Worms
- Anonymity
- Authentication and Authorization
- Applied Cryptography
- Biometric Security
- Data and System Integrity
- Database Security
- Distributed Systems Security
- Electronic Commerce Security
- Fraud Control
- Grid Security
- Information Hiding and Watermarking
- Intellectual Property Protection
- Intrusion detection
- Key Management and Key Recovery
- Language-based Security
- Operating System Security
- Network Security
- Risk Evaluation and Security Certification
- Security for Mobile Computing
- Security Models
- Security Protocols
- Trusted Computing

-------------------------------------------------------------------------
SAC-TRECK 2008
23rd ACM Symposium on Applied Computing, Track: Trust, Recommendations, Evidence and other Collaboration Know-how, Fortaleza, Ceará, Brazil, March 16-20, 2008.
http://www.trustcomp.org/treck/
(Submissions due 8 September 2007)

Computational models of trust and online reputation mechanisms have been gaining momentum. The goal of the ACM SAC 2008 TRECK track remains to review the set of applications that benefit from the use of computational trust and online reputation. Computational trust has been used in reputation systems, risk management, collaborative filtering, social/business networking services, dynamic coalitions, virtual organisations and even combined with trusted computing hardware modules. The TRECK track covers all computational trust applications, especially those used in real-world applications.
The topics of interest include, but are not limited to:
- Recommender and reputation systems
- Trust-enhanced collaborative applications
- Trust and identity management
- Combined computational trust and trusted computing
- Tangible guarantees given by formal models of trust and risk
- Trust metrics assessment and threat analysis
- Pervasive computational trust and use of context-awareness
- Autonomic and adaptive trust
- Trade-off between privacy and trust
- Trust/risk-based security frameworks
- Automated collaboration and trust negotiation
- Trust in peer-to-peer and open source systems
- Technical trust evaluation and certification
- Impacts of social networks on computational trust
- Evidence gathering and management
- Real-world applications, running prototypes and advanced simulations
- Applicability in large-scale, open and decentralised environments
- Legal and economic aspects related to the use of trust engines
- User-studies and user interfaces of computational trust applications

-------------------------------------------------------------------------
WiSec 2008
1st ACM Conference on Wireless Network Security, Alexandria, Virginia, USA, March 31 - April 2, 2008.
http://discovery.csc.ncsu.edu/WiSec08/
(Submissions due 15 September 2007)

As wireless communications are becoming ubiquitous, their security is gaining in importance. The ACM Conference on Wireless Network Security (WiSec) aims at exploring attacks on wireless networks as well as techniques to thwart them.

Topics of interest include, but are not limited to:
- Naming and addressing vulnerabilities
- Key management in wireless/mobile environments
- Secure neighbor discovery
- Secure PHY and MAC protocols
- Trust establishment
- Intrusion detection, detection of malicious behavior
- Revocation of malicious parties
- Denial of service
- User privacy, location privacy
- Anonymity, prevention of traffic analysis
- Identity theft and phishing in mobile networks
- Charging
- Cooperation and prevention of non-cooperative behavior
- Economics of wireless security
- Vulnerability and attacker modeling
- Incentive-aware secure protocol design
- Jamming
- Cross-layer design for security
- Monitoring and surveillance
- Computationally efficient cryptographic primitives

-------------------------------------------------------------------------
IFIP-DF 2008
4th Annual IFIP WG 11.9 International Conference on Digital Forensics, Kyoto, Japan, January 27-30, 2008.
http://www.ifip119-kyoto.org
(Submissions due 15 September 2007)

The IFIP Working Group 11.9 on Digital Forensics (www.ifip119.org) is an active international community of scientists, engineers and practitioners dedicated to advancing the state of the art of research and practice in the emerging field of digital forensics. The Fourth Annual IFIP WG 11.9 International Conference on Digital Forensics will provide a forum for presenting original, unpublished research results and innovative ideas related to the extraction, analysis and preservation of all forms of electronic evidence. Technical papers are solicited in all areas related to the theory and practice of digital forensics.
Areas of special interest include, but are not limited to:
- Theories, techniques and tools for extracting, analyzing and preserving digital evidence
- Network forensics
- Portable electronic device forensics
- Digital forensic processes and workflow models
- Digital forensic case studies
- Legal, ethical and policy issues related to digital forensics

-------------------------------------------------------------------------
FC 2008
12th International Conference on Financial Cryptography and Data Security, Cozumel, Mexico, January 28-31, 2008.
http://fc08.ifca.ai
(Submissions due 25 September 2007)

Financial Cryptography and Data Security is a major international forum for research, advanced development, education, exploration, and debate regarding information assurance in the context of finance and commerce. The conference covers all aspects of securing transactions and systems. Submissions focusing on both theoretical (fundamental) and applied real-world deployments are solicited. The goal of the conference is to bring security/cryptography researchers and practitioners together with economists, bankers, implementers, and policy-makers.
Topics include (but are not limited to):
- Anonymity and Privacy
- Auctions and Audits
- Authentication and Identification
- Biometrics
- Certification and Authorization
- Commercial Applications
- Transactions and Contracts
- E-Cash and Payment Systems
- Incentive and Loyalty Systems
- Digital Rights Management
- Regulation and Reporting
- Fraud Detection
- Game Theoretic Security
- Identity Theft
- Spam, Phishing
- Social Engineering
- Infrastructure Design
- Legal and Regulatory Issues
- Microfinance and Micro-payments
- Monitoring, Management and Operations
- Reputation Systems
- RFID/Contact-less Payment Systems
- Risk Assessment and Management
- Secure Banking, Financial Web Services
- Securing New Computation Paradigms
- Security and Risk Perceptions
- Security Economics
- Smartcards and Secure Tokens
- Trust Management
- Underground-Market Economics
- Virtual Economies
- Voting systems

-------------------------------------------------------------------------

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two ways to subscribe:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe".
   OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".
   OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL
http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy by completing the on-line form at IEEE at
http://www.computer.org/TCsignup/index.htm

______________________________________________________________________
TC Publications for Sale
______________________________________________________________________

IEEE Security and Privacy Symposium

The 2007 proceedings are available in hardcopy for $30.00, the 28 year CD is $20.00, plus shipping and handling. The 2006 Symposium proceedings and 11-year CD are sold out. The 2005, 2004, and 2003 Symposium proceedings are available for $10 plus shipping and handling. Shipping is $4.00/volume within the US, overseas surface mail is $7/volume, and overseas airmail is $11/volume, based on an order of 3 volumes or less. The shipping charge for a CD is $1 per CD (no charge if included with a hard copy order).

Send a check made out to the IEEE Symposium on Security and Privacy to the 2007 treasurer (below) with the order description, including shipping method, and send email to the 2007 Registration Chair (Yong Guan) (oakland07-registration @ ieee-security.org) with the shipping address, please.
Terry Benzel
Treasurer, IEEE Security and Privacy
USC Information Sciences Institute
4676 Admiralty Way
Marina Del Rey, CA 90292
(310) 822-1511

IEEE CS Press

You may order some back issues from IEEE CS Press at
http://www.computer.org/cspress/catalog/proc9.htm

Computer Security Foundations Symposium

Copies of the proceedings of the Computer Security Foundations Workshop (now Symposium) are available for $10 each. Copies of proceedings are available starting with year 10 (1997). Photocopy versions of year 1 are also $10. Contact Jonathan Herzog if interested in purchase.

Jonathan Herzog
Department of Computer Science
Naval Postgraduate School
1 University Circle
Monterey, CA 93943
jcherzog@nps.edu

______________________________________________________________________
TC Officer Roster
______________________________________________________________________

Chair:
Jonathan Millen
The MITRE Corporation
Mail Stop S119
202 Burlington Road Rte. 62
Bedford, MA 01730-1420
781-271-51 (voice)
jmillen@mitre.org

Security and Privacy Chair Emeritus:
Deborah Shands
The Aerospace Corporation
El Segundo, CA
oakland07-chair@ieee-security.org

Vice Chair:
Prof. Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department
Code CS/IC
Monterey CA 93943-5118
(831) 656-2461 (voice)
irvine@cs.nps.navy.mil

Chair, Subcommittee on Academic Affairs:
Prof. Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department
Code CS/IC
Monterey CA 93943-5118
(831) 656-2461 (voice)
irvine@cs.nps.navy.mil

Chair, Subcommittee on Standards:
David Aucsmith
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
425-706-9225 (voice)
425-936-7329 (fax)
awk@microsoft.com

Chair, Subcomm. on Security Conferences:
Jonathan Millen
The MITRE Corporation
Mail Stop S119
202 Burlington Road Rte. 62
Bedford, MA 01730-1420
781-271-51 (voice)
jmillen@mitre.org

Security and Privacy Symposium 2008 General Chair:
Yong Guan
Iowa State University
oakland08-chair@ieee-security.org

Newsletter Editor and Technical Committee Treasurer:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
cipher-editor@ieee-security.org, treasurer@ieee-security.org

________________________________________________________________________

BACK ISSUES:

Cipher is archived at: http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year