============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 89                                          March 16, 2009

Hilarie Orman, Editor                     Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org         cipher-assoc-editor @ ieee-security.org

                                          Yong Guan
Book Review Editor                        Calendar Editor
cipher-bookrev @ ieee-security.org        cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year

Contents:

* Letter from the Editor
* Commentary and Opinion
  o Richard Austin's review of How Much Does Google Know About You?
    by Greg Conti
  o Review of the NIST SHA-3 Round One Conference (KU Leuven, Belgium,
    2/25/09-2/28/09) by Hilarie Orman and Richard Schroeppel
  o Book reviews, Conference Reports and Commentary and News items from
    past Cipher issues are available at the Cipher website
* Conference and Workshop Announcements
  o Upcoming calls-for-papers and events
  o New Calls-for-Papers
* List of Computer Security Academic Positions, by Cynthia Irvine
* Staying in Touch
  o Information for subscribers and contributors
  o Recent address changes
* Links for the IEEE Computer Society TC on Security and Privacy
  o Becoming a member of the TC
  o TC Officers
  o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

This month's book review emphasizes the "Privacy" part of the Technical
Committee's sphere of interest. Just how much does Google "know" about us?
And how much does our concept of what is "knowable" change as the Internet
and storage technology bring masses of real data online?

My review of the SHA3 conference addresses the other linchpin of the
Technical Committee's interests: security. Applied cryptography faces
continual challenges as analysts chip away at algorithms and computers
bring more computing power to bear on searches. The SHA3 hash function
competition is meant to elicit an algorithm for the ages, and there are
dozens of competitors.

Please note that registration is open for the annual Security and Privacy
Symposium at the Claremont Hotel in Oakland/Berkeley, California. This
year the conference features two workshops and tutorials. Also, the
Computer Security Foundations Symposium will be held in July, and that is
another way to learn about the latest research and to meet the minds
behind the words.

Finally, it is sobering to see the chaotic disruption of the economy, a
man-made system of immense complexity, crippled by poorly understood
forces. Is there a lesson here about the inevitability of similar
collapses in our global information systems? As assuredly as bad money
drives out good, will bad security always undermine good security?

Hilarie Orman
cipher-editor @ ieee-security.org

____________________________________________________________________
Book Review By Richard Austin
3/13/2009
____________________________________________________________________

Googling Security: How Much Does Google Know About You?
by Greg Conti
Addison-Wesley 2009.
ISBN 13-978-0-321-51866-8
Amazon.com USD 31.49
Bookpool.com USD 27.25

Although most security professionals have some awareness that we disclose
information when we make use of "free" online services, I don't think we
really realize how many "micropayments of privacy" we make in order to
fund their availability. Conti has written a profoundly disturbing book
that explores this subject in detail.
Though Google is highlighted both in the title and the text, he emphasizes
that it is a convenient example and is careful to note that many other
information-starved denizens lurk in the Internet landscape.

Chapter 1, "Googling", delves into just how dependent we have become on
the idea of "just google it". Conti notes that he, like many of us,
foregoes a large personal library in favor of the instant accessibility
and organization offered by online resources. He then explores the darker
side of this dependence and identifies how our use of these services
discloses significant information to search engines, advertising
providers, and even ISPs. He then reminds us that this information can be
deliberately disclosed (sold, compelled by legal process) or revealed
inadvertently through human error or deliberate attack (malware,
information theft).

In chapter 2, "Information Flows and Leakage", he explores how information
flows occur with the aid of an excellent "thought experiment" of drawing a
chalk line around your PC and enumerating the myriad ways information
flows into and out of the circle. I think that you will find some of these
flows surprising.

Chapter 3, "Footprints, Fingerprints and Connections", is a frankly
frightening look at how the traces left by interactions with online
resources (server logs, cookies, etc.) can be linked and cross-referenced
to develop a surprisingly accurate view of identities, intentions and
connections between identities.

The next five chapters explore the details of our interactions in the
contexts of "Search", "Communications", "Mapping, Directions and Imagery",
"Advertising and Embedded Content" and "Googlebot". In each case, he
describes how the small "micro-leaks" of information provided in normal
use of the service can be linked and analyzed to produce an individual
picture that is much more revealing than the sum of its parts.
Chapter 9, "Countermeasures", explores what we can do to limit the amount
of information we reveal when we're online. In describing the tactics and
techniques, he gives the important caveat that it is a continual balancing
act between desired privacy and functionality. For example, browsing the
web through a cascade of 10 Tor nodes might assure we remain anonymous but
at the expense of a frustratingly slow browsing experience.

In chapter 10, "Conclusions and a Look to the Future", he rounds out the
book with some suggestions for action and a look at how the future of the
online world could develop.

This book is a must-read for all types of information security
professionals because it clearly identifies how use of ubiquitous
information "utilities" can potentially leak copious amounts of
information. It is also a book that should be read by general consumers of
online services so they can begin to understand the "privacy economy" that
economically supports those services and intelligently participate in the
public policy debates that are sure to ensue as these services more deeply
touch our lives.

Bottom line: read this book and recommend it to your friends!

--------
Before beginning life as an itinerant university instructor and
cybersecurity consultant, Richard Austin was the storage network security
architect for a Fortune 25 company. He welcomes your thoughts and comments
at rausti19 at Kennesaw dot edu

____________________________________________________________________
Review of NIST SHA-3 Round One Conference
KU Leuven, Belgium, 2/25/09-2/28/09
by Hilarie Orman and Richard Schroeppel
____________________________________________________________________

Where would you find "Blue Midnight Wish", "ECHO", "ECOH", "Luffa",
"Skein", "Sandstorm", and "ARIRANG"? Not at a horserace, nor a craft fair,
nor a rock concert, but at the SHA-3 conference in Leuven, Belgium.
For several years cryptographers have agreed that the world needs a new
standard for a hash function. The widely used MD5 function has serious
demonstrated flaws, and its replacement, SHA-1, is not good enough. The
replacement for SHA-1, named SHA-2, is unsatisfactory in its
performance/security ratio. That sets the stage for yet another hash
function.

The US agency responsible for cryptographic standards is NIST, and they
recently launched a design competition similar to their highly successful
block cipher competition of a decade ago, which resulted in the adoption
of the AES cipher. The hash competition is named SHA-3, the eventual name
for the standard algorithm.

At the end of February NIST held the first public meeting unveiling many
of the hash function submissions. For two full days and two half days
attendees heard from the organizers and the competitors, but that was
barely enough time to cover the unexpectedly high number of entries. Over
50 submissions from around the globe met the minimum criteria for
acceptance into the competition, and of those, 10 are conceded as
"broken". A few of the remaining entries are "seriously damaged", at least
in the opinion of several cryptographers. That still leaves dozens of
viable entries, and NIST admitted that they do not have the resources to
do a detailed analysis of the dozens of remaining competitors, so they
hope that the cryptographic community will pitch in and publish analyses
to assist them in pruning down to 15 candidates.

The NIST SHA-3 website lists all the submissions:
http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/submissions_rnd1.html
and the Leuven conference presentations are also online at
http://csrc.nist.gov/groups/ST/hash/sha-3/Round1/Feb2009/program.html

Many of the candidates use functional components from the inner workings
of the AES block cipher.
The designers reason that the components are well-understood, supported by
high-performance software, and Intel processors will soon include new
instructions that will make software even faster. Other designers used ARX
(add-rotate-xor) structures to achieve compact and/or very fast methods.
There were many claims to "fastest" entry, and it was clear that the title
will be tightly contested during the coming months.

Some designers used novel construction methods, though perhaps not to good
effect. One function (ECOH) used elliptic curve methods, resulting in what
might be the slowest entry. The Spectral hash, designed by undergraduates
at UC Santa Barbara, used FFTs, and was also slow.

MIT, led by Ron Rivest, submitted a design using an old idea in a new
form. Non-linear feedback shift registers were used in early ciphers but
have fallen by the wayside. MIT's MD6 revives them for hashing, using a
large number of state bits and mixing them repeatedly with a NLFSR
function.

The AURORA entry suffered a severe blow to one part of its design. The
entry rules require that the hash support multiple output widths: 224,
256, 384, and 512 bits. The 512-bit version of AURORA had a weakness in
its construction that was noted by Stefan Lucks and Niels Ferguson during
the presentation, leading to that dread question "Could you go back to
slide 13?"

NIST representatives were non-committal about how they might refine their
selection criteria. However, Bill Burr of NIST did suggest an interesting
way to cope with the problem of speed vs. security. He encouraged
competitors to submit reduced-round versions of their algorithms that were
at least as fast as SHA-2, if not as secure.

Ferguson had an "engineering considerations" presentation that seemed
somewhat slanted towards the entry he contributed to: Skein.
In rebuttal, several other competitors had a rump session entry that
humorously detracted from all design techniques, before continuing on to
counter each of Ferguson's points.

The next generation of cryptographers had a representative in 15-year-old
Peter Schmidt Nielson. Although his entry was not complete enough to meet
criteria, NIST invited him to the conference so that he could present his
work and meet the crowd.

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Calendar of Security and Privacy Related Events
maintained by Hilarie Orman

 3/15/09: ACM Transactions on Autonomous and Adaptive Systems, Special
          Issue on Adaptive Security Systems;
          http://nss.cqu.edu.au/FCWViewer/getFile.do?id=23880
          Submissions are due
 3/16/09: DFRWS, 9th Digital Forensics Research Workshop, Montreal, Canada;
          http://www.dfrws.org/2009/cfp.shtml; Submissions are due
 3/16/09- 3/19/09: PSAI, 2nd Workshop on Privacy and Security by means of
          Artificial Intelligence, Held in conjunction with ARES 2009,
          Fukuoka, Japan; http://crises-deim.urv.cat/psai/
 3/16/09- 3/19/09: SecSE, 3rd Workshop on Secure Software Engineering, Held
          in conjunction with ARES 2009, Fukuoka, Japan;
          http://www.sintef.no/secse
 3/18/09: Elsevier Journal on Computer Networks, Special Issue on
          Performance Sensitive Security for Very Large Scale Collaboration;
          http://home.fnal.gov/~maltunay/ComNet.html
          Submissions are due
 3/18/09- 3/20/09: PKC, 12th IACR International Workshop on Practice and
          Theory in Public Key Cryptography, Irvine, California, USA;
          http://www.iacr.org/workshops/pkc2009
 3/22/09: MIST, International Workshop on Managing Insider Security
          Threats, Held in conjunction with the 3rd IFIP International
          Conference on Trust Management (IFIPTM 2009), West Lafayette, IN,
          USA; http://isyou.hosting.paran.com/mist09/; Submissions are due
 3/22/09- 3/25/09: IFIP-CIP, Annual IFIP WG 11.10 International Conference
          on Critical Infrastructure Protection, Hanover, New Hampshire,
          USA; http://www.ifip1110.org
 3/25/09: SADFE, 4th International Workshop on Systematic Approaches to
          Digital Forensic Engineering, Held in conjunction with the 2009
          IEEE Symposium on Security and Privacy (SP 2009), Oakland, CA,
          USA; http://conf.ncku.edu.tw/sadfe/sadfe09/
          Submissions are due
 3/26/09- 3/27/09: ICIW, 4th International Conference on Information Warfare
          and Security, Breakwater Lodge, Cape Town, South Africa;
          http://academic-conferences.org/iciw/iciw2009/iciw09-home.htm
 3/30/09: DaSECo, 1st International Workshop on Defence against Spam in
          Electronic Communication, Held in conjunction with the 20th
          International Conference on Database and Expert Systems
          Applications (DEXA 2009), Linz, Austria;
          http://www.dexa.org/files/CfP_DaSECo_15.Jan_.pdf
          Submissions are due
 3/31/09: SECURECOMM, 5th International ICST Conference on Security and
          Privacy for Communication Networks, Athens, Greece;
          http://www.securecomm.org
          Submissions are due
 3/31/09: ISC, 12th Information Security Conference, Pisa, Italy;
          http://isc09.dti.unimi.it/
          Submissions are due
 4/ 3/09: IWSEC, 4th International Workshop on Security, Toyama, Japan;
          http://www.iwsec.org
          Submissions are due
 4/ 3/09: SRDS, 28th International Symposium on Reliable Distributed
          Systems, Niagara Falls, New York, USA;
          http://www.cse.buffalo.edu/srds2009/
          Submissions are due
 4/ 6/09- 4/ 8/09: Trust, 2nd International Conference on Trusted Computing,
          St. Hugh's College, University of Oxford, UK;
          http://www.trust2009.org
 4/13/09: SIN, 2nd ACM International Conference on Security of Information
          and Networks, Eastern Mediterranean University, Gazimagusa, TRNC,
          North Cyprus; http://www.sinconf.org/cfp/cfp.htm;
          Submissions are due
 4/13/09- 4/15/09: ISPEC, 5th Information Security Practice and Experience
          Conference, Xi'an, China; http://www.ispec2009.net/
 4/14/09- 4/16/09: IDtrust, 8th Symposium on Identity and Trust on the
          Internet, Gaithersburg, Maryland, USA;
          http://middleware.internet2.edu/idtrust/
 4/15/09: NSS, 3rd International Conference on Network & System Security,
          Gold Coast, Australia;
          http://nss2007.cqu.edu.au/FCWViewer/view.do?page=8494
          Submissions are due
 4/17/09: ESORICS, 14th European Symposium on Research in Computer
          Security, Saint Malo, France; http://www.esorics.org
          Submissions are due
 4/17/09: NSPW, New Security Paradigms Workshop, The Queen's College,
          University of Oxford, UK; http://www.nspw.org/current/cfp.shtml
          Submissions are due
 4/17/09: HOST, 2nd IEEE International Workshop on Hardware-Oriented
          Security and Trust, San Francisco, CA, USA;
          http://www.engr.uconn.edu/HOST/
          Submissions are due
 4/19/09: WISTP, Workshop on Information Security Theory and Practices
          (Smart Devices, Pervasive Systems, and Ubiquitous Networks),
          Bruxelles, Belgium; http://www.wistp.org/
          Submissions are due
 4/20/09: CCS, 16th ACM Conference on Computer and Communications Security,
          Chicago, IL, USA; http://sigsac.org/ccs/CCS2009/index.shtml
          Submissions are due
 4/20/09: DMM, 1st International Workshop on Denial of service Modelling
          and Mitigation, Held in conjunction with 3rd International
          Conference on Network & System Security (NSS 2009), Gold Coast,
          Australia; http://conf.isi.qut.edu.au/dmm2009
          Submissions are due
 4/24/09: VizSec, Workshop on Visualization for Cyber Security, Atlantic
          City, NJ, USA; http://vizsec.org/vizsec2009/
          Submissions are due
 4/30/09: LISA, 23rd USENIX Large Installation System Administration
          Conference, Baltimore, MD, USA; http://usenix.org/events/lisa09/
          Submissions are due
 4/30/09: ICDF2C, International Conference on Digital Forensics & Cyber
          Crime, Albany, NY, USA; http://www.d-forensics.org/
          Submissions are due
 5/ 1/09: IEEE Transactions on Software Engineering, Special Issue on
          Exception Handling: From Requirements to Software Maintenance;
          http://www.computer.org/portal/cms_docs_transactions/transactions/tse/CFP/cfp_tse_eh_web.pdf;
          Submissions are due
 5/ 4/09: HotSec, 4th USENIX Workshop on Hot Topics in Security, Held in
          conjunction with the 18th USENIX Security Symposium
          (USENIX-Security 2009), Montreal, Canada;
          http://www.usenix.org/events/hotsec09/cfp/
          Submissions are due
 5/ 4/09- 5/ 8/09: SSDU, 3rd International Symposium on Service, Security
          and its Data management technologies in Ubi-comp, Geneva,
          Switzerland; http://www.sersc.org/SSDU2009/
 5/17/09- 5/20/09: SP, 30th IEEE Symposium on Security and Privacy,
          Oakland/Berkeley, California, USA; http://oakland09.cs.virginia.edu
 5/21/09: SADFE, 4th International Workshop on Systematic Approaches to
          Digital Forensic Engineering, Held in conjunction with the 2009
          IEEE Symposium on Security and Privacy (SP 2009),
          Oakland/Berkeley, CA, USA; http://conf.ncku.edu.tw/sadfe/sadfe09
 5/22/09: WIFS, 1st IEEE International Workshop on Information Forensics
          and Security, London, UK; http://www.wifs09.org
          Submissions are due
 5/24/09- 5/28/09: ICIMP, 4th International Conference on Internet
          Monitoring and Protection, Venice, Italy;
          http://www.iaria.org/conferences2009/ICIMP09.html
 5/28/09: MetriSec, 5th International Workshop on Security Measurements and
          Metrics, Held in conjunction with the International Symposium on
          Empirical Software Engineering and Measurement (ESEM 2009), Lake
          Buena Vista, Florida, USA;
          http://www.cs.kuleuven.be/conference/MetriSec2009/
          Submissions are due
 5/29/09: SSN, 5th International Workshop on Security in Systems and
          Networks, Held in conjunction with the International Parallel and
          Distributed Processing Symposium (IPDPS 2009), Rome, Italy;
          http://www4.comp.polyu.edu.hk/~csbxiao/ssn09/
 5/31/09: InSPEC, 2nd International Workshop on Security and Privacy in
          Enterprise Computing, Held in conjunction with the 13th IEEE
          International Enterprise Distributed Object Computing Conference
          (EDOC 2009), Auckland, New Zealand;
          http://sesar.dti.unimi.it/InSPEC2009/
          Submissions are due
 6/ 1/09: CANS, 8th International Conference on Cryptography and Network
          Security, Kanazawa, Ishikawa, Japan;
          http://www.rcis.aist.go.jp/cans2009/
          Submissions are due
 6/ 1/09: ACSAC, 25th Annual Computer Security Applications Conference,
          Honolulu, Hawaii, USA; http://www.acsac.org
          Submissions are due
 6/ 2/09- 6/ 5/09: ACNS, 7th International Conference on Applied
          Cryptography and Network Security, Paris, France;
          http://acns09.di.ens.fr/
 6/ 3/09- 6/ 5/09: MobiSec, 1st International Conference on Security and
          Privacy in Mobile Information and Communication Systems, Turin,
          Italy; http://www.mobisec.org/
 6/ 3/09- 6/ 5/09: SACMAT, 14th ACM Symposium on Access Control Models and
          Technologies, Hotel La Palma, Stresa, Italy; http://www.sacmat.org
 6/ 7/09- 6/10/09: IH, 11th Information Hiding Workshop, Darmstadt, Germany;
          http://www.ih09.tu-darmstadt.de/
 6/14/09- 6/18/09: CISS, Communication and Information Systems Security
          Symposium, Held in conjunction with the IEEE International
          Conference on Communications (ICC 2009), Dresden, Germany;
          http://www.ieee-icc.org/2009/
 6/14/09- 6/19/09: SECURWARE, 3rd International Conference on Emerging
          Security Information, Systems and Technologies, Athens, Greece;
          http://www.iaria.org/conferences2009/SECURWARE09.html
 6/15/09- 6/19/09: MIST, International Workshop on Managing Insider Security
          Threats, Held in conjunction with the 3rd IFIP International
          Conference on Trust Management (IFIPTM 2009), West Lafayette, IN,
          USA; http://isyou.hosting.paran.com/mist09/
 6/25/09- 6/27/09: WNGS, 4th International Workshop on Security, Korea
          University, Seoul, Korea; http://www.sersc.org/WNGS2009/
 7/ 1/09- 7/ 3/09: ACISP, 14th Australasian Conference on Information
          Security and Privacy, Brisbane, Australia;
          http://conf.isi.qut.edu.au/acisp2009/
 7/ 7/09- 7/10/09: SECRYPT, International Conference on Security and
          Cryptography, Milan, Italy; http://www.secrypt.org/
 7/ 7/09- 7/10/09: ATC, 6th International Conference on Autonomic and
          Trusted Computing, Brisbane, Australia;
          http://www.itee.uq.edu.au/~atc09
 7/ 7/09- 7/10/09: CTC, Cybercrime and Trustworthy Computing Workshop, Held
          in conjunction with the 6th International Conference on Autonomic
          and Trusted Computing (ATC 2009), Brisbane, Australia;
          http://www.cybercrime.com.au/ctc09
 7/ 8/09- 7/10/09: CSF, 22nd IEEE Computer Security Foundations Symposium,
          Port Jefferson, New York, USA; http://www.cs.sunysb.edu/csf09/
 7/12/09- 7/15/09: DBSEC, 23rd Annual IFIP WG 11.3 Working Conference on
          Data and Applications Security, Montreal, Canada;
          http://www.ciise.concordia.ca/dbsec09/
 7/20/09- 7/22/09: POLICY, IEEE International Symposium on Policies for
          Distributed Systems and Networks, Imperial College London, UK;
          http://ieee-policy.org
 7/27/09: HOST, 2nd IEEE International Workshop on Hardware-Oriented
          Security and Trust, San Francisco, CA, USA;
          http://www.engr.uconn.edu/HOST/
 8/11/09: HotSec, 4th USENIX Workshop on Hot Topics in Security, Held in
          conjunction with the 18th USENIX Security Symposium
          (USENIX-Security 2009), Montreal, Canada;
          http://www.usenix.org/events/hotsec09/cfp/
 8/12/09- 8/14/09: USENIX-SECURITY, 18th USENIX Security Symposium,
          Montreal, Canada; http://www.usenix.org/events/sec09/cfp/
 8/14/09: Information Systems Frontiers, Special Issue on Security
          Management and Technologies for Protecting Against Internal Data
          Leakages;
          http://www.som.buffalo.edu/isinterface/ISFrontiers/forthcoming1/InfoSec09-SI-CFP.pdf;
          Submissions are due
 8/15/09: IFIP-DF, 6th Annual IFIP WG 11.9 International Conference on
          Digital Forensics, University of Hong Kong, Hong Kong;
          http://www.ifip119.org/Conferences/WG11-9-CFP-2010.pdf
          Submissions are due
 8/17/09- 8/19/09: DFRWS, 9th Digital Forensics Research Workshop, Montreal,
          Canada; http://www.dfrws.org/2009/cfp.shtml
 8/31/09- 9/ 4/09: TrustBus, 6th International Conference on Trust, Privacy,
          and Security in Digital Business, Held in conjunction with the
          20th International Conference on Database and Expert Systems
          Applications (DEXA 2009), Linz, Austria;
          http://www.icsd.aegean.gr/trustbus2009/
 8/31/09- 9/ 4/09: DaSECo, 1st International Workshop on Defence against
          Spam in Electronic Communication, Held in conjunction with the
          20th International Conference on Database and Expert Systems
          Applications (DEXA 2009), Linz, Austria;
          http://www.dexa.org/files/CfP_DaSECo_15.Jan_.pdf
 8/31/09- 9/ 4/09: InSPEC, 2nd International Workshop on Security and
          Privacy in Enterprise Computing, Held in conjunction with the
          13th IEEE International Enterprise Distributed Object Computing
          Conference (EDOC 2009), Auckland, New Zealand;
          http://sesar.dti.unimi.it/InSPEC2009/
 9/ 2/09- 9/ 4/09: WISTP, Workshop on Information Security Theory and
          Practices (Smart Devices, Pervasive Systems, and Ubiquitous
          Networks), Bruxelles, Belgium; http://www.wistp.org/
 9/ 7/09- 9/ 9/09: ISC, 12th Information Security Conference, Pisa, Italy;
          http://isc09.dti.unimi.it/
 9/ 8/09- 9/11/09: NSPW, New Security Paradigms Workshop, The Queen's
          College, University of Oxford, UK;
          http://www.nspw.org/current/cfp.shtml
 9/14/09- 9/18/09: SECURECOMM, 5th International ICST Conference on Security
          and Privacy for Communication Networks, Athens, Greece;
          http://www.securecomm.org
 9/21/09- 9/25/09: ESORICS, 14th European Symposium on Research in Computer
          Security, Saint Malo, France; http://www.esorics.org
 9/27/09- 9/30/09: SRDS, 28th International Symposium on Reliable
          Distributed Systems, Niagara Falls, New York, USA;
          http://www.cse.buffalo.edu/srds2009/
 9/30/09-10/ 2/09: ICDF2C, International Conference on Digital Forensics &
          Cyber Crime, Albany, NY, USA; http://www.d-forensics.org/
10/ 6/09-10/10/09: SIN, 2nd ACM International Conference on Security of
          Information and Networks, Eastern Mediterranean University,
          Gazimagusa, TRNC, North Cyprus; http://www.sinconf.org/cfp/cfp.htm
10/11/09: VizSec, Workshop on Visualization for Cyber Security, Atlantic
          City, NJ, USA; http://vizsec.org/vizsec2009/
10/14/09: MetriSec, 5th International Workshop on Security Measurements and
          Metrics, Held in conjunction with the International Symposium on
          Empirical Software Engineering and Measurement (ESEM 2009), Lake
          Buena Vista, Florida, USA;
          http://www.cs.kuleuven.be/conference/MetriSec2009/
10/19/09-10/21/09: NSS, 3rd International Conference on Network & System
          Security, Gold Coast, Australia;
          http://nss2007.cqu.edu.au/FCWViewer/view.do?page=8494
10/19/09-10/21/09: DMM, 1st International Workshop on Denial of service
          Modelling and Mitigation, Held in conjunction with 3rd
          International Conference on Network & System Security (NSS 2009),
          Gold Coast, Australia; http://conf.isi.qut.edu.au/dmm2009
10/28/09-10/30/09: IWSEC, 4th International Workshop on Security, Toyama,
          Japan; http://www.iwsec.org
11/ 1/09-11/ 6/09: LISA, 23rd USENIX Large Installation System
          Administration Conference, Baltimore, MD, USA;
          http://usenix.org/events/lisa09/
11/ 9/09-11/13/09: CCS, 16th ACM Conference on Computer and Communications
          Security, Chicago, IL, USA;
          http://sigsac.org/ccs/CCS2009/index.shtml
12/ 6/09-12/ 9/09: WIFS, 1st IEEE International Workshop on Information
          Forensics and Security, London, UK; http://www.wifs09.org
12/ 7/09-12/11/09: ACSAC, 25th Annual Computer Security Applications
          Conference, Honolulu, Hawaii, USA; http://www.acsac.org
12/12/09-12/14/09: CANS, 8th International Conference on Cryptography and
          Network Security, Kanazawa, Ishikawa, Japan;
          http://www.rcis.aist.go.jp/cans2009/
 1/ 3/10- 1/ 6/10: IFIP-DF, 6th Annual IFIP WG 11.9 International Conference
          on Digital Forensics, University of Hong Kong, Hong Kong;
          http://www.ifip119.org/Conferences/WG11-9-CFP-2010.pdf

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers (new since E88)
____________________________________________________________________

ACM Transactions on Autonomous and Adaptive Systems, Special Issue on
Adaptive Security Systems, 2010. (Submission Due 15 March 2009)
http://nss.cqu.edu.au/FCWViewer/getFile.do?id=23880
Guest editors: Yang Xiang (Central Queensland University, Australia) and
Wanlei Zhou (Deakin University, Australia)

This special issue on Adaptive Security Systems in ACM TAAS focuses on
autonomous and adaptive security system theories, technologies, and
real-life applications. Original papers are solicited for this special
issue. Suggested topics include, but are not limited to:

Adaptive Security System Theories
- Adaptive security architectures, algorithms, and protocols
- Autonomic learning mechanisms in security systems
- Intelligent attack systems and mechanisms
- Interactions between autonomic nodes of security systems
- Modeling of adaptive attack and defense mechanisms
- Theories in adaptive security systems

Adaptive Security System Technologies
- Adaptive security systems design
- Adaptive security systems implementation
- Adaptive intrusion detection/prevention systems
- Self-organizing identity management and authentication
- Adaptive defense against large-scale attacks
- Simulation and tools for adaptive security systems

Adaptive Security System Applications
- Benchmark, analysis and evaluation of adaptive security systems
- Distributed autonomous access control and trust management
- Autonomous denial-of-service attacks and countermeasures
- Autonomous wireless security systems
- Autonomous secure mobile agents and middleware
- Adaptive defense against viruses, worms, and other malicious codes

-------------------------------------------------------------------------

DFRWS 2009
9th Digital Forensics Research Workshop, Montreal, Canada,
August 17-19, 2009. (Submissions due 16 March 2009)
http://www.dfrws.org/2009/cfp.shtml

DFRWS brings together leading researchers, developers, practitioners, and
educators interested in advancing the state of the art in digital
forensics from around the world. As the most established venue in the
field, DFRWS is the preferred place to present both cutting-edge research
and perspectives on best practices for all aspects of digital forensics.
As an independent organization, we promote open community discussions and
disseminate the results of our work to the widest audience. Topics of
interest include, but are not limited to the following:

- Incident response and live analysis
- Network-based forensics, including network traffic analysis, traceback
  and attribution
- Event reconstruction methods and tools
- File system and memory analysis
- Application analysis
- Embedded systems
- Small scale and mobile devices
- Large-scale investigations
- Digital evidence storage and preservation
- Data mining and information discovery
- Data hiding and recovery
- File extraction from data blocks ("file carving")
- Multimedia analysis
- Tool testing and development
- Digital evidence and the law
- Anti-forensics and anti-anti-forensics
- Case studies and trend reports
- Non-traditional approaches to forensic analysis

-------------------------------------------------------------------------

Elsevier Journal on Computer Networks, Special Issue on Performance
Sensitive Security for Very Large Scale Collaboration, December 2009.
(Submission Due 18 March 2009)
http://home.fnal.gov/~maltunay/ComNet.html
Guest editors: Deborah A. Frincke (PNNL, University of Washington, USA),
Frank Siebenlist (Argonne National Laboratory, University of Chicago,
USA), and Mine Altunay (Fermi National Laboratory, USA)

It is anticipated that this trend towards very large-scale collaboration
will continue and that these virtual organizations will become
increasingly complex and diverse.
Exascale computing is predicted by some to be a necessity to support scientific as well as business activities by 2018. It will be important for security solutions to scale equally well, so that the collaboration is enriched by usable, management-friendly, performance-sensitive security solutions, rather than hindered by them. In this special issue, we emphasize research approaches that show promise in providing performance sensitive security for very large scale collaboration. Performance sensitivity here refers both to traditional computer performance measures as well as the usability of the security solution being proposed - collaboration should be supported, rather than hindered, by the security solutions. Topics of interest include, but are not limited to: - Security for very large datasets (petascale through exascale), where very large scale data sets can be shared without loss of important security properties, such as integrity, confidentiality. - Secure remote access to unique instrumentation; e.g., where scientists and the computer-based instrumentation they use are geographically and organizationally dispersed. - Security validation techniques that can provide some measure of assurance that a shared infrastructure meets the collaboration's and the individual organization's security requirements. - New architectures and methods supporting shared intrusion detection/prevention, situational awareness, threat containment and/or response needed to defend geographically and organizationally dispersed shared computational resources, including shared code. 
- User privilege and user trust negotiation within very large federated environments, both for brief access (minutes) and for long-term access (years)
-------------------------------------------------------------------------
MIST 2009 International Workshop on Managing Insider Security Threats, Held in conjunction with the 3rd IFIP International Conference on Trust Management (IFIPTM 2009), West Lafayette, IN, USA, June 15-19, 2009. (Submissions due 22 March 2009)
http://isyou.hosting.paran.com/mist09/
The objective of this workshop is to showcase the most recent challenges and advances in security technologies and management systems to address insider security threats. It may also include state-of-the-art surveys and case analyses of practical significance.
Topics of interest include, but are not limited to, the following:
- Theoretical foundations and algorithms for addressing insider threats
- Insider threat assessment and modeling
- Security technologies to prevent, detect and avoid insider threats
- Validating the trustworthiness of staff
- Post-insider threat incident analysis
- Data breach modeling and mitigation techniques
- Registration, authentication and identification
- Certification and authorization
- Database security
- Device control system
- Digital forensic system
- Digital rights management system
- Fraud detection
- Network access control system
- Intrusion detection
- Keyboard information security
- Information security governance
- Information security management systems
- Risk assessment and management
- Log collection and analysis
- Trust management
- IT compliance (audit) and continuous auditing
-------------------------------------------------------------------------
SADFE 2009 4th International Workshop on Systematic Approaches to Digital Forensic Engineering, Held in conjunction with the 2009 IEEE Symposium on Security and Privacy (SP 2009), Oakland, CA, USA, May 21, 2009.
(Submissions due 25 March 2009)
http://conf.ncku.edu.tw/sadfe/sadfe09/
The SADFE (Systematic Approaches to Digital Forensic Engineering) International Workshop promotes systematic approaches to computer investigations, by furthering the advancement of digital forensic engineering as a disciplined practice. Most previous SADFE papers have emphasized cyber crime investigations, and this is still a key focus of the meeting. However, we also welcome papers on forensics that do not necessarily involve a crime: general attack analysis, insider threat, insurance and compliance investigations, and similar forms of retrospective analysis are all viable topics.
Digital forensic engineering is characterized by the application of scientific and mathematical principles to the investigation and establishment of facts or evidence, either for use within a court of law or to aid in understanding past events on a computer system. Past speakers and attendees of SADFE have included computer scientists, social scientists, forensic practitioners, law enforcement, lawyers, and judges. The synthesis of hard technology and science with social science and practice forms the foundation of this conference.
To advance the state of the art, SADFE-2009 solicits broad-based, innovative digital forensic engineering technology, techno-legal and practice-related submissions in the following four areas:
Digital Data and Evidence Management: advanced digital evidence discovery, collection, and storage
- Identification, authentication and collection of digital evidence
- Post-collection handling of evidence and the preservation of data integrity
- Evidence preservation and storage
- Forensic-enabled architectures and processes, including network processes
- Managing geographically, politically and/or jurisdictionally dispersed data
- Data and web mining systems for identification and authentication of relevant data
Principle-based Digital Forensic Processes: systematic engineering processes supporting digital evidence management which are sound on scientific, technical and legal grounds
- Legal and technical aspects of admissibility and evidence tests
- Examination environments for digital data
- Courtroom expert witness and case presentation
- Case studies illustrating privacy, legal and legislative issues
- Forensic tool validation: legal implications and issues
- Legal and privacy implications for digital and computational forensic analysis
Digital Evidence Analytics: advanced digital evidence analysis, correlation, and presentation
- Advanced search, analysis, and presentation of digital evidence
- Progressive cyber crime scenario analysis and reconstruction technology
- Legal case construction & digital evidence support
- Cyber-crime strategy analysis & modeling
- Combining digital and non-digital evidence
- Supporting qualitative or statistical evidence
- Computational systems and computational forensic analysis
Forensic-support technologies: forensic-enabled and proactive monitoring/response
- Forensics of embedded or non-traditional devices (e.g.
digicams, cell phones, SCADA)
- Innovative forensic engineering tools and applications
- Forensic-enabled support for incident response
- Forensic tool validation: methodologies and principles
- Legal and technical collaboration
- Digital Forensics Surveillance Technology and Procedures
- "Honeypot" and other target systems for data collection and monitoring
-------------------------------------------------------------------------
DaSECo 2009 1st International Workshop on Defence against Spam in Electronic Communication, Held in conjunction with the 20th International Conference on Database and Expert Systems Applications (DEXA 2009), Linz, Austria, August 31 - September 4, 2009. (Submissions due 30 March 2009)
http://www.dexa.org/files/CfP_DaSECo_15.Jan_.pdf
The workshop on Defence against Spam in Electronic Communication invites the submission of papers. Researchers and practitioners are encouraged to submit papers on all aspects of misuse and protection concerning electronic communication including email, instant messaging, text messaging, and voice over internet protocol. Topics of interest include novel applications of electronic messaging, abatement of abuses of electronic messaging, spam, spit (spam over internet telephony), spim (spam over instant messenger), spom (spam over mobile phone), phishing, identity theft via messaging, viruses, and spyware.
-------------------------------------------------------------------------
SECURECOMM 2009 5th International ICST Conference on Security and Privacy for Communication Networks, Athens, Greece, September 14-18, 2009. (Submissions due 31 March 2009)
http://www.securecomm.org
Securecomm seeks high-quality research contributions in the form of well-developed papers. Topics of interest encompass research advances in ALL areas of secure communications and networking.
However, topics in other areas (e.g., formal methods, database security, secure software, foundations of cryptography) will be considered only if a clear connection to private or secure communications/networking is demonstrated. The aim of Securecomm is to bring together security and privacy experts in academia, industry and government as well as practitioners, standards developers and policy makers, in order to engage in a discussion about common goals and explore important research directions in the field.
TOPICS of interest include, but are not limited to, the following:
- Security & Privacy in Wired, Wireless, Mobile, Hybrid, Sensor, Ad Hoc networks
- Network Intrusion Detection and Prevention, Firewalls, Packet Filters
- Malware and botnets
- Communication Privacy and Anonymity
- Distributed denial of service
- Public Key Infrastructures, key management, credentials
- Web security
- Secure Routing, Naming/Addressing, Network Management
- Security & Privacy in Pervasive and Ubiquitous Computing, e.g., RFIDs
- Security & Privacy for emerging technologies: VoIP, peer-to-peer and overlay network systems, Web 2.0
-------------------------------------------------------------------------
ISC 2009 12th Information Security Conference, Pisa, Italy, September 7-9, 2009. (Submissions due 31 March 2009)
http://isc09.dti.unimi.it/
ISC is an annual international conference covering research in and applications of information security. The twelfth Information Security Conference (ISC 2009) will be held in Pisa, Italy. The conference seeks submissions from academia, industry, and government presenting novel research on all theoretical and practical aspects of information security.
Topics of interest include, but are not limited to:
- access control
- accountability
- anonymity and pseudonymity
- applied cryptography
- authentication
- biometrics
- computer forensics
- cryptographic protocols
- database security
- data protection
- data/system integrity
- digital rights management
- economics of security and privacy
- electronic frauds
- formal methods in security
- identity management
- information dissemination control
- information hiding and watermarking
- intrusion detection
- network security
- peer-to-peer security
- privacy
- security and privacy in pervasive/ubiquitous computing
- security in information flow
- security in IT outsourcing
- security for mobile code
- security of grid computing
- security of eCommerce, eBusiness and eGovernment
- security in location services
- security modeling and architectures
- security models for ambient intelligence environments
- security in social networks
- trust models and trust management policies
-------------------------------------------------------------------------
IWSEC 2009 4th International Workshop on Security, Toyama, Japan, October 28-30, 2009. (Submissions due 3 April 2009)
http://www.iwsec.org
The aim of IWSEC2009 is to contribute to research and development of various security topics: theory and applications of traditional and up-to-date security issues.
Topics include but are not limited to:
- Network and Distributed Systems Security
- Security Issues in Ubiquitous/Pervasive Computing
- Authorization and Access Control
- Software and System Security
- Usable Security
- Privacy Enhancing Technology
- Digital Identity Management
- Digital Forensics
- Biometrics
- Cryptography
- Information Hiding
- Quantum Security
- Secure and Efficient Implementation
- Other Scientific Approaches for Security
-------------------------------------------------------------------------
SRDS 2009 28th International Symposium on Reliable Distributed Systems, Niagara Falls, New York, USA, September 27-30, 2009. (Submissions due 3 April 2009)
http://www.cse.buffalo.edu/srds2009/
For 28 years, the Symposium on Reliable Distributed Systems has been a traditional forum for researchers and practitioners who are interested in distributed systems design and development, particularly with properties such as reliability, availability, safety, security, and real time. We welcome original research papers as well as papers that deal with design, development and experimental results of operational systems. We are also soliciting papers for an experience track that presents on-going industrial projects, prototype systems and exploratory or emerging applications.
The major areas of interest include, but are not limited to, dependability, security and/or real-time aspects within the following topics:
- Security and privacy issues in wireless ad hoc and sensor networks
- Dependability in autonomic, pervasive and ubiquitous computing
- Security and high-confidence systems
- Resilient ad hoc and sensor networks
- Internet dependability and Quality of Service
- Safety-critical systems and critical infrastructures
- Dependability of high-speed networks and protocols
- Fault-tolerance in embedded systems, mobile systems and multimedia systems
- Dependable wireless networks and peer-to-peer networks
- Intrusion-tolerant, survivable, and self-stabilizing systems
- Dependability in Grid-, Cluster-, and Cloud-Computing
- Measurement, monitoring and prediction in distributed systems
- Analytical or experimental evaluations of dependable distributed systems
- Formal methods and foundations for dependable distributed computing
- Performance and dependability assessing techniques, tools and results
-------------------------------------------------------------------------
SIN 2009 2nd ACM International Conference on Security of Information and Networks, Eastern Mediterranean University, Gazimagusa, TRNC, North Cyprus, October 6-10, 2009. (Submissions due 13 April 2009)
http://www.sinconf.org/cfp/cfp.htm
The 2nd International Conference on Security of Information and Networks (SIN 2009) provides an international forum for presentation of research and applications of security in information and networks. SIN 2009 conference features contributed as well as invited papers, special sessions, workshops, and tutorials on theory and practice. Its drive is to convene a high quality, well-attended, and up-to-date conference on scientific and technical issues of security in information, networks, and systems. The main theme of SIN 2009 is Intelligent Systems for Information Assurance, Security, and Public Policy in the Age of e-Euphoria.
-------------------------------------------------------------------------
NSS 2009 3rd International Conference on Network & System Security, Gold Coast, Australia, October 19-21, 2009. (Submissions due 15 April 2009)
http://nss2007.cqu.edu.au/FCWViewer/view.do?page=8494
While attack systems have become easier to use, more sophisticated, and more powerful, interest has greatly increased in the field of building more effective, intelligent, adaptive, active and high performance defense systems which are distributed and networked. We will focus our program on issues related to Network and System Security, such as authentication, access control, availability, integrity, privacy, confidentiality, dependability and sustainability of computer networks and systems. The aim of this conference is to provide a leading edge forum to foster interaction between researchers and developers with the network and system security communities, and to give attendees an opportunity to interact with experts in academia, industry and governments.
Topics of interest include, but are not limited to:
- Active Defense Systems
- Adaptive Defense Systems
- Benchmark, Analysis and Evaluation of Security Systems
- Distributed Access Control and Trust Management
- Distributed Attack Systems and Mechanisms
- Distributed Intrusion Detection/Prevention Systems
- Denial-of-Service Attacks and Countermeasures
- High Performance Security Systems
- Identity Management and Authentication
- Implementation, Deployment and Management of Security Systems
- Intelligent Defense Systems
- Internet and Network Forensics
- Large-scale Attacks and Defense
- RFID Security and Privacy
- Security Architectures in Distributed Network Systems
- Security for Critical Infrastructures
- Security for P2P systems and Grid Systems
- Security in E-Commerce
- Security and Privacy in Wireless Networks
- Secure Mobile Agents and Mobile Code
- Security Protocols
- Security Simulation and Tools
- Security Theory and Tools
- Standards and Assurance Methods
- Trusted Computing
- Viruses, Worms, and Other Malicious Code
- World Wide Web Security
-------------------------------------------------------------------------
ESORICS 2009 14th European Symposium on Research in Computer Security, Saint Malo, France, September 21-25, 2009. (Submissions due 17 April 2009)
http://www.esorics.org
Papers offering novel research contributions in any aspect of computer security are solicited for submission to the Fourteenth European Symposium on Research in Computer Security (ESORICS 2009). The Symposium has established itself as one of the premier international gatherings on Information Assurance.
Papers may present theory, technique, applications, or practical experience on topics including, but not limited to:
- access control
- anonymity
- authentication
- authorization and delegation
- cryptographic protocols
- data integrity
- dependability
- information flow control
- smartcards
- systems security
- digital rights management
- accountability
- applied cryptography
- covert channels
- cybercrime
- denial of service attacks
- formal methods in security
- inference control
- information warfare
- steganography
- transaction management
- data and application security
- intellectual property protection
- intrusion tolerance
- peer-to-peer security
- language-based security
- network security
- non-interference
- privacy-enhancing technology
- pseudonymity
- subliminal channels
- trustworthy user devices
- identity management
- security as quality of service
- secure electronic commerce
- security administration
- security evaluation
- security management
- security models
- security requirements engineering
- security verification
- survivability
- information dissemination control
- trust models and trust management policies
-------------------------------------------------------------------------
NSPW 2009 New Security Paradigms Workshop, The Queen's College, University of Oxford, UK, September 8-11, 2009. (Submissions due 17 April 2009)
http://www.nspw.org/current/cfp.shtml
The New Security Paradigms Workshop (NSPW) is seeking papers that address the current limitations of information security. Today's security risks are diverse and plentiful (botnets, database breaches, phishing attacks, distributed denial-of-service attacks), and yet present tools for combatting them are insufficient. To address these limitations, NSPW welcomes unconventional, promising approaches to important security problems and innovative critiques of current security practice.
We are particularly interested in perspectives from outside computer security, both from other areas of computer science (such as operating systems, human-computer interaction, databases, programming languages, algorithms) and other sciences that study adversarial relationships such as biology and economics. We discourage papers that offer incremental improvements to security and mature work that is appropriate for standard information security venues. By encouraging researchers to think "outside the box" and giving them an opportunity to communicate with open-minded peers, NSPW seeks to foster paradigm shifts in the field of information security.
-------------------------------------------------------------------------
HOST 2009 2nd IEEE International Workshop on Hardware-Oriented Security and Trust, San Francisco, CA, USA, July 27, 2009. (Submissions due 17 April 2009)
http://www.engr.uconn.edu/HOST/
The emergence of a globalized, horizontal semiconductor business model raises a set of concerns involving the security and trust of the information systems on which modern society is increasingly reliant for mission-critical functionality. Hardware-oriented security and trust (HOST) issues span a broad range including threats related to the malicious insertion of Trojan circuits designed, e.g., to act as a "kill switch" to disable a chip, to integrated circuit (IC) piracy, to attacks designed to extract encryption keys and IP from a chip, and to malicious system disruption and diversion. HOST covers security and trust issues in all types of electronic devices and systems such as ASICs, COTS, FPGAs, microprocessors/DSPs, and embedded systems. The mission of HOST is to provide a forum for the presentation and discussion of research that is of critical significance to the security of, and trust in, modern society's microelectronic-supported infrastructures.
The IEEE International Workshop on Hardware-Oriented Security and Trust (HOST 2009) is an open forum for discussions and innovations on all issues related to hardware security and trust. Paper presentations on the topics given below will highlight the challenges faced with authenticating hardware for security and trust.
- Trojan detection and isolation
- Authenticating foundry of origin
- Side channel analysis/attacks
- Watermarking
- IP security/FPGA design security
- Cryptographic techniques for hardware security
- IC Metering
- Physical unclonable functions (PUFs)
- Embedded and distributed systems security
- Hardware intrusion detection and prevention
- Security engineering
- Scan-chain encryption
- IP trust
-------------------------------------------------------------------------
WISTP 2009 Workshop on Information Security Theory and Practices (Smart Devices, Pervasive Systems, and Ubiquitous Networks), Bruxelles, Belgium, September 2-4, 2009. (Submissions due 19 April 2009)
http://www.wistp.org/
With the rapid technological development of information technologies and with the transition from the common to the next generation networks, computer systems and especially embedded systems are becoming more mobile and ubiquitous, increasingly interfacing with the physical world. Ensuring the security of these complex and yet resource-constrained systems has emerged as one of the most pressing challenges. Protecting the privacy of the user immersed in such systems is a similarly pressing concern. The aim of this third workshop is to bring together researchers and practitioners in related areas and to encourage interchange and cooperation between the research community and the industrial/consumer community. The workshop will consist of technical paper presentations, one special session for student papers and several invited talks.
-------------------------------------------------------------------------
CCS 2009 16th ACM Conference on Computer and Communications Security, Chicago, IL, USA, November 9-13, 2009. (Submissions due 20 April 2009)
http://sigsac.org/ccs/CCS2009/index.shtml
The annual ACM Computer and Communications Security Conference is a leading international forum for information security researchers, practitioners, developers, and users to explore cutting-edge ideas and results, and to exchange techniques, tools, and experiences. The conference seeks submissions from academia, government, and industry presenting novel research on all practical and theoretical aspects of computer and communications security, as well as case studies and implementation experiences. Papers should have relevance to the construction, evaluation, application, or operation of secure systems. Theoretical papers must make a convincing argument for the practical significance of the results. All topic areas related to computer and communications security are of interest and in scope.
-------------------------------------------------------------------------
DMM 2009 1st International Workshop on Denial of service Modelling and Mitigation, Held in conjunction with the 3rd International Conference on Network & System Security (NSS 2009), Gold Coast, Australia, October 19-21, 2009. (Submissions due 20 April 2009)
http://conf.isi.qut.edu.au/dmm2009
Denial of service attacks represent an increasing threat to the security of networks and systems critical to commercial, industrial and government enterprises. Addressing the denial-of-service problem is proving to be an ongoing challenge and further advances are needed in: the design and analysis of denial of service resistant protocols and architectures; effective tools and techniques for detecting and responding to attacks; forensic attribution of attacks; and the application of trust and reputation schemes in formulating attack responses.
This workshop actively solicits recent advances from industrial, academic and government researchers and engineers in the areas of:
- Denial of service attacks and countermeasures
- Detection and mitigation of high-rate flooding attacks
- Design and analysis of denial of service resistant architectures
- Design and analysis of denial of service resistant protocols
- Distributed trust and reputation systems
- Intrusion detection and response systems
- Intelligent defence systems
- Network and computer forensics
- Emerging vulnerabilities
- Security in Web services and service-oriented architectures
- Simulation and analysis of attacks
- Honeypots
- Reverse engineering of malware
- Disruption of botnet command and control
- Wireless network denial of service attacks and defences
- Next generation threats and responses
- Legal and policy responses to denial of service
- Threat intelligence
-------------------------------------------------------------------------
VizSec 2009 Workshop on Visualization for Cyber Security, Atlantic City, NJ, USA, October 11, 2009. (Submissions due 24 April 2009)
http://vizsec.org/vizsec2009/
The 6th International Workshop on Visualization for Cyber Security is a forum that brings together researchers and practitioners in information visualization and security to address the specific needs of the cyber security community through new and insightful visualization techniques. Co-located this year with IEEE InfoVis/Vis/VAST, VizSec will continue to provide opportunities for the two communities to collaborate and share insights into providing solutions for security needs through visualization approaches. This year our focus is on advancing Visualization for Cyber Security as a scientific discipline. While art, engineering, and intuitions regarding the human element will always remain important if we are to obtain useful cyber security visualizations, advances in the scientific practice of research are needed.
The scientific aspects of visualization for cyber security draw both on empirical observation (similar to many natural and social sciences) and formal science (such as the formal derivations in mathematics). Barriers confronting current researchers include concerns about available data, lack of a common agreement about what constitutes sound experimental design, the difficulties of measuring the relative effectiveness of security visualizations in practice, and the lack of a common understanding of user requirements. While many researchers are making progress in these and other critical areas, much work yet remains.
Papers offering novel contributions in security visualization are solicited. Papers may present technique, applications, practical experience, theory, or experiments and evaluations. Papers are encouraged on technologies and methods that have been demonstrated to be useful for improving information systems security and that address lessons from actual application. We encourage papers that report results on visualization techniques and systems in solving all aspects of cyber security problems, including how visualization applies to:
- Different aspects of security: software, networks and log files (e.g., Internet routing, packet traces and network flows, intrusion detection alerts, attack graphs, application security, etc.)
- Application of visualization techniques in formalizing, defining and analyzing security policies
- Forensic analysis, correlating events, cyber-defense task analysis
- Computer network defense training and offensive information operations
- Building rules, feature selection, and detecting anomalous activity
- Software, software security, and viruses
- Deployment and field testing of VizSec systems
- Evaluation and user testing of VizSec systems
- User and design requirements for VizSec systems
- Lessons learned from development and deployment of VizSec systems
- "Field Research" Best Practices
- Interaction with domain experts: best practices, lessons learned
- Differentiating the needs of different domains and time frames
- Best practices for obtaining and sharing potentially sensitive data for purposes of visualization and assessment, including how to approach personal privacy, regulatory, and organizational issues
- Metrics and measurements (e.g., criteria for the relative effectiveness of cyber visualizations)
- Handling large datasets, scalability issues, and providing real time or near-real time visualizations
-------------------------------------------------------------------------
LISA 2009 23rd USENIX Large Installation System Administration Conference, Baltimore, MD, USA, November 1-6, 2009. (Submissions due 30 April 2009)
http://usenix.org/events/lisa09/
Effective administration of a large site requires a good understanding of modern tools and techniques, together with their underlying principles, but the human factors involved in managing and applying these technologies in a production environment are equally important. Bringing together theory and practice is an important goal of the LISA conference, and practicing system administrators as well as academic researchers all have valuable contributions to make.
Topics of interest include, but are not limited to, the following:
- Authentication and authorization: "Single sign-on" technologies, identity management
- Autonomic computing: Self-repairing systems, zero administration systems, fail-safe design
- Configuration management: Specification languages, configuration deployment
- Data center design: Modern methods, upgrading old centers
- Data management: DBMS management systems, deployment architectures and methods, real world performance
- Email: Mail infrastructures, spam prevention
- Grid computing: Management of grid fabrics and infrastructure
- Hardware: Multicore processor ramifications
- Mobile computing: Supporting and managing laptops and remote communications
- Multiple platforms: Integrating and supporting multiple platforms (e.g., Linux, Windows, Macintosh)
- Networking: New technologies, network management
- Security: Malware and virus prevention, security technologies and procedures, response to cyber attacks targeting individuals
- Standards: Enabling interoperability of local and remote services and applications
- Storage: New storage technologies, remote filesystems, backups, scaling
- Web 2.0 technologies: Using, supporting, and managing wikis, blogs, and other Web 2.0 applications
- Virtualization: Managing and configuring virtualized resources
-------------------------------------------------------------------------
ICDF2C 2009 International Conference on Digital Forensics & Cyber Crime, Albany, NY, USA, September 30 - October 2, 2009. (Submissions due 30 April 2009)
http://www.d-forensics.org/
The Internet has made it easier to perpetrate traditional crimes by providing criminals an alternate avenue for launching attacks with relative anonymity. The increased complexity of the communication and networking infrastructure is making investigation of the crimes difficult.
Clues of illegal activities are often buried in large volumes of data that need to be sifted through in order to detect crimes and collect evidence. The field of digital forensics is becoming very important for law enforcement, network security, and information assurance. This is a multidisciplinary area that encompasses multiple fields, including: law, computer science, finance, networking, data mining, and criminal justice. The applications of this technology are far reaching, including: law enforcement, disaster recovery, accounting fraud, homeland security, and information warfare. This conference brings together practitioners and researchers from diverse fields providing opportunities for business and intellectual engagement among attendees.
Suggested topics for submission of papers are (but not limited to):
- Computer Forensics
- Electronic Money Laundering
- Forensic Accounting
- Watermarking & Intellectual Property Theft
- Incident Response & Evidence Handling
- Network Data Analysis
- Data Analytics, Mining & Visualization
- Identity Theft & Online Fraud
- Mobile Device Forensics
- Digital Forensics and the Law
- Data Log Analysis (Computer, Network, Devices, etc.)
- Forensics Training & Education
- Natural Language Processing
- Cyber Crime Investigations
- Continuous Assurance
- Internet Crime Against Children Investigation
- Data Recovery & Business Continuity
- Standardization & Accreditation
- Multimedia Forensics
- Digital Signatures and Certificates
-------------------------------------------------------------------------
IEEE Transactions on Software Engineering (TSE), Special Issue on Exception Handling: From Requirements to Software Maintenance, November 2009.
(Submission Due 1 May 2009)
http://www.computer.org/portal/cms_docs_transactions/transactions/tse/CFP/cfp_tse_eh_web.pdf
Guest editors: Alessandro Garcia (Lancaster University, UK), Valerie Issarny (INRIA, France), and Alexander Romanovsky (Newcastle University, UK)

With the complexity of contemporary software systems increasingly growing, we still have much to learn on how software engineering practice can contribute to improving specification, design, testing, and evolution of exception handling. Our body of knowledge on effective exception handling in software projects is still limited and fragmented. It is not surprising that recent field studies have identified that error handling design in industrial applications typically exhibits poor quality, independently of the underlying programming language and application domain. A holistic application of software engineering principles and techniques can certainly improve the treatment of exception handling across the software lifecycle. In this context, one of the underlying motivations of this special issue is to revisit the research directions involving exception handling in software engineering a decade after the first successful issue on this topic appeared in IEEE TSE. This special issue will serve as a key reference for researchers, practitioners and educators to understand the most recent innovations, trends, experiences and concerns involving exception handling aspects in software engineering. We invite submissions approaching exception handling in all areas of software development and maintenance, such as model-driven development, requirements engineering, refactoring, software evolution, reverse engineering, contemporary modularity techniques (e.g., aspect-oriented programming and feature-oriented programming), and formal methods.
The special issue is intended to cover a wide range of topics, from theoretical foundations to empirical studies, with all of them presenting innovative ideas on the interplay of exception handling and software engineering. Topics of interest include (but are not limited to) the following:
- Exceptions in software processes
- Empirical studies of exception handling
- Exception documentation
- Exception handling and requirements engineering
- Exception handling and architectural design
- Design patterns and anti-patterns, architectural styles, and good programming practice cookbooks
- Static analysis and testing of exception handling
- Refactoring and evolution of exception handling code
- Exceptions and variability management
- Comparative studies of innovative exception handling techniques and conventional ones
- Exception handling and contemporary modularization techniques (e.g., aspect-oriented programming and feature-oriented programming)
- Exception handling and variability mechanisms
- Metrics and quality models for abnormal behaviour
- Exception handling and middleware design
- Model-driven engineering for exception handling
- Exception handling in multi-agent systems
- Development of predictive models of defect rates
- Checked versus unchecked exceptions

-------------------------------------------------------------------------
HotSec 2009
4th USENIX Workshop on Hot Topics in Security,
Held in conjunction with the 18th USENIX Security Symposium (USENIX-Security 2009),
Montreal, Canada, August 11, 2009.
(Submissions due 4 May 2009)
http://www.usenix.org/events/hotsec09/cfp/

HotSec '09 will bring together innovative practitioners and researchers in computer security and privacy, broadly defined, to tackle the challenging problems in this space.
While pragmatic and systems-oriented, HotSec takes a broad view of security and privacy and encompasses research on topics including but not limited to large-scale threats, network security, hardware security, software security, programming languages, applied cryptography, anonymity, human-computer interaction, sociology, economics, and law. To ensure a vigorous workshop environment, attendance will be by invitation only. Participants will be invited based on their submissions' originality, technical merit, topical relevance, and likelihood of leading to insightful technical discussions that will influence future security research. Submissions may not be under consideration for publication at any other venue.

-------------------------------------------------------------------------
WIFS 2009
1st IEEE International Workshop on Information Forensics and Security,
London, UK, December 6-9, 2009.
(Submissions due 22 May 2009)
http://www.wifs09.org

The IEEE International Workshop on Information Forensics and Security (WIFS) is the first workshop to be organized by the IEEE's Information Forensics and Security Technical Committee. Our aspiration is to create a venue for knowledge exchange that encompasses a broad range of disciplines and facilitates the exchange of ideas between the various disparate communities that constitute information security. By so doing, we hope that researchers will identify new opportunities for collaboration across disciplines and gain new perspectives.
Appropriate topics of interest include, but are not limited to:
- Biometrics: emerging modalities, recognition techniques, multimodal decision, attacks and countermeasures
- Computer security: intrusion detection, vulnerability analysis, system security
- Cryptography for multimedia content: perceptual hash function, multimedia encryption, signal processing in the encrypted domain, traitor tracing codes, key distribution
- Data hiding: watermarking, steganography and steganalysis, legacy system enhancement
- Digital Rights Management (DRM): DRM primitives (secure clocks, proximity detection, etc), DRM architectures, DRM interoperability
- Forensic analysis: device identification, data recovery, validation of forensic evidence
- Network security: privacy protection, network tomography and surveillance, system recovery from security/privacy failure
- Non-technical aspects of security: legal, ethical, social and economic issues
- (Video) surveillance: arrays of sensors design and analysis, content tracking, events recognition, large crowd behaviour analysis
- Secure Applications: e-voting, e-commerce

-------------------------------------------------------------------------
MetriSec 2009
5th International Workshop on Security Measurements and Metrics,
Held in conjunction with the International Symposium on Empirical Software Engineering and Measurement (ESEM 2009),
Lake Buena Vista, Florida, USA, October 14, 2009.
(Submissions due 28 May 2009)
http://www.cs.kuleuven.be/conference/MetriSec2009/

Quantitative assessment is a major stumbling block for software and system security. Although some security metrics exist, they are rarely adequate. The engineering importance of metrics is intuitive: you cannot consistently improve what you cannot measure. Economics is an additional driver for security metrics: customers should be enabled to quantify which of two IT products is more appropriate.
The goals of this workshop are to showcase and foster research into security measurements and metrics and to keep building the community of individuals interested in this area. MetriSec continues the tradition started by the Quality of Protection (QoP) workshop series. This year, the new co-location with ESEM is an opportunity for the security metrics folks to meet the metrics community at large. The organizers solicit original submissions from industry and academic experts on the development and application of repeatable, meaningful measurements in the fields of software and system security. The topics of interest include, but are not limited to:
- Security metrics
- Security measurement and monitoring
- Development of predictive models
- Experimental validation of models
- Formal theories of security metrics
- Security quality assurance
- Empirical assessment of security architectures and solutions
- Mining data from attack and vulnerability repositories, CVE, CVSS
- Static analysis metrics
- Simulation and statistical analysis
- Stochastic modeling
- Security risk analysis
- Industrial experience

-------------------------------------------------------------------------
InSPEC 2009
2nd International Workshop on Security and Privacy in Enterprise Computing,
Held in conjunction with the 13th IEEE International Enterprise Distributed Object Computing Conference (EDOC 2009),
Auckland, New Zealand, August 31 - September 4, 2009.
(Submissions due 31 May 2009)
http://sesar.dti.unimi.it/InSPEC2009/

In recent years several technologies have emerged for enterprise computing. Workflows are now widely adopted by industry and distributed workflows have been a topic of research for many years. Today, services are becoming the new building blocks of enterprise systems and service-oriented architectures are combining them in a flexible and novel way.
In addition, with the wide adoption of e-commerce, business analytics that exploits multiple, heterogeneous data sources has become an important field. Ubiquitous computing technologies, such as RFID or sensor networks, change the way business systems interact with their physical environment, such as goods in a supply chain or machines on the shop floor. All these technological trends are also accompanied by new business trends due to globalization that involve innovative forms of collaboration such as virtual organizations. Further, the increased speed of business requires IT systems to become more flexible and highly dynamic. All of these trends bring with them new challenges to the security and privacy of enterprise computing. New concepts for solving these challenges require the combination of many disciplines from computer science and information systems, such as cryptography, networking, distributed systems, process modeling and design, access control, privacy, etc. The goal of this workshop is to provide a forum for the exchange of novel research in these areas among experts from academia and industry. Completed work as well as research in progress is welcome, as we want to foster the exchange of novel ideas and approaches.

-------------------------------------------------------------------------
CANS 2009
8th International Conference on Cryptography and Network Security,
Kanazawa, Ishikawa, Japan, December 12-14, 2009.
(Submissions due 1 June 2009)
http://www.rcis.aist.go.jp/cans2009/

The main goal of this conference is to promote research on all aspects of network security, as well as to build a bridge between research on cryptography and on network security. We therefore welcome scientific and academic papers with this focus.
Areas of interest for CANS 2009 include, but are not limited to:
- Ad Hoc and Sensor Network Security
- Access Control for Networks
- Anonymity and Pseudonymity
- Authentication Services
- Cryptographic Protocols and Schemes
- Denial of Service Protection
- Digital Rights Management
- Fast Cryptographic Algorithms
- Identity and Trust Management
- Information Hiding and Watermarking
- Internet and Router Security
- Intrusion Detection and Prevention
- Mobile and Wireless Network Security
- Multicast Security
- Phishing and Online Fraud Prevention
- Peer-to-Peer Network Security
- PKI
- Security Modeling and Architectures
- Secure Protocols (SSH, SSL, ...) and Applications
- Spam Protection
- Spyware Analysis and Detection
- Virtual Private Networks

-------------------------------------------------------------------------
ACSAC 2009
25th Annual Computer Security Applications Conference,
Honolulu, Hawaii, USA, December 7-11, 2009.
(Submissions due 1 June 2009)
http://www.acsac.org

We solicit papers offering novel contributions in computer and application security. Papers should present techniques or applications with practical experience. Papers are encouraged on technologies and methods that have been demonstrated to improve information systems security and that address lessons from actual application. We are especially interested in papers that address the application of security technology, the implementation of systems, and lessons learned.
Suggested topics:
- access control
- applied cryptography
- audit and audit reduction
- biometrics
- certification and accreditation
- cybersecurity
- database security
- denial of service protection
- distributed systems security
- electronic commerce security
- enterprise security management
- forensics
- identification & authentication
- identity management
- incident response planning
- information survivability
- insider threat protection
- integrity
- intellectual property rights
- intrusion detection
- mobile and wireless security
- multimedia security
- operating systems security
- peer-to-peer security
- privacy and data protection
- product evaluation/compliance
- risk/vulnerability assessment
- securing cloud infrastructures
- security engineering and management
- security in IT outsourcing
- service oriented architectures
- software assurance
- trust management
- virtualization security
- VOIP security
- Web 2.0/3.0 security

-------------------------------------------------------------------------
Information Systems Frontiers, Special Issue on Security Management and Technologies for Protecting Against Internal Data Leakages, Spring or Summer 2010.
(Submission Due 14 August 2009)
http://www.som.buffalo.edu/isinterface/ISFrontiers/forthcoming1/InfoSec09-SI-CFP.pdf
Guest editors: David Chadwick (University of Kent, UK), Hang Bae Chang (Daejin University, South Korea), Ilsun You (Korean Bible University, South Korea), and Seong-Moo Yoo (University of Alabama in Huntsville, USA)

During the past decades, information security developments have been mainly concerned with preventing illegal attacks by outsiders, such as hacking, virus propagation, and spyware. However, according to a recent Gartner Research Report, information leakage caused by insiders who are legally authorized to have access to some corporate information is increasing dramatically.
These leakages can cause significant damage, such as weakening the competitiveness of companies (and even countries). Information leakage caused by insiders occurs less frequently than information leakage caused by outsiders, but the financial damage is much greater. Countermeasures in terms of physical, managerial, and technical aspects are necessary to construct an integral security management system to protect companies' major information assets from unauthorized internal attackers. The objective of this special issue is to showcase the most recent challenges and advances in security technologies and management systems to prevent leakage of organizations' information caused by insiders. It may also include state-of-the-art surveys and case analyses of practical significance. We expect that the special issue will be a trigger for further research and technology improvements related to this important subject. Topics (include but are not limited to):
- Theoretical foundations and algorithms for addressing insider threats
- Insider threat assessment and modeling
- Security technologies to prevent, detect and avoid insider threats
- Validating the trustworthiness of staff
- Post-insider threat incident analysis
- Data breach modeling and mitigation techniques
- Registration, authentication and identification
- Certification and authorization
- Database security
- Device control system
- Digital forensic system
- Digital rights management system
- Fraud detection
- Network access control system
- Intrusion detection
- Keyboard information security
- Information security governance
- Information security management systems
- Risk assessment and management
- Log collection and analysis
- Trust management
- IT compliance (audit) and continuous auditing

-------------------------------------------------------------------------
IFIP-DF 2010
6th Annual IFIP WG 11.9 International Conference on Digital Forensics,
University of Hong Kong, Hong Kong, January 3-6, 2010.
(Submissions due 15 August 2009)
http://www.ifip119.org/Conferences/WG11-9-CFP-2010.pdf

The IFIP Working Group 11.9 on Digital Forensics (www.ifip119.org) is an active international community of scientists, engineers and practitioners dedicated to advancing the state of the art of research and practice in the emerging field of digital forensics. The Sixth Annual IFIP WG 11.9 International Conference on Digital Forensics will provide a forum for presenting original, unpublished research results and innovative ideas related to the extraction, analysis and preservation of all forms of electronic evidence. Technical papers are solicited in all areas related to the theory and practice of digital forensics. Areas of special interest include, but are not limited to:
- Theories, techniques and tools for extracting, analyzing and preserving digital evidence
- Network forensics
- Portable electronic device forensics
- Digital forensic processes and workflow models
- Digital forensic case studies
- Legal, ethical and policy issues related to digital forensics

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

http://cisr.nps.edu/jobscipher.html
--------------
This job listing is maintained as a service to the academic
community. If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe".
   OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".
   OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way.
It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy by completing the on-line form at IEEE at http://www.computer.org/TCsignup/index.htm

______________________________________________________________________
TC Publications for Sale
______________________________________________________________________

IEEE Security and Privacy Symposium

The 2007 proceedings are available in hardcopy for $30.00, the 28-year CD is $20.00, plus shipping and handling. The 2006 Symposium proceedings and 11-year CD are sold out. The 2005, 2004, and 2003 Symposium proceedings are available for $10 plus shipping and handling. Shipping is $4.00/volume within the US, overseas surface mail is $7/volume, and overseas airmail is $11/volume, based on an order of 3 volumes or less. The shipping charge for a CD is $1 per CD (no charge if included with a hard copy order). Send a check made out to the IEEE Symposium on Security and Privacy to the 2007 treasurer (below) with the order description, including shipping method, and send email to the 2007 Registration Chair (Yong Guan) (oakland07-registration @ ieee-security.org) with the shipping address, please.
Terry Benzel
Treasurer, IEEE Security and Privacy
USC Information Sciences Institute
4676 Admiralty Way
Marina Del Rey, CA 90292
(310) 822-1511

IEEE CS Press

You may order some back issues from IEEE CS Press at http://www.computer.org/cspress/catalog/proc9.htm

Computer Security Foundations Symposium

Copies of the proceedings of the Computer Security Foundations Workshop (now Symposium) are available for $10 each. Copies of proceedings are available starting with year 10 (1997). Photocopy versions of year 1 are also $10. Contact Jonathan Herzog if interested in purchase.

Jonathan Herzog
jherzog@alum.mit.edu

____________________________________________________________________________
TC Officer Roster
____________________________________________________________________________

Chair:
Prof. Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department
Code CS/IC
Monterey CA 93943-5118
(831) 656-2461 (voice)
irvine@nps.edu

Security and Privacy Chair Emeritus:
Yong Guan
Iowa State University
Computer Engineering and University and Information Assurance Center
Ames, IA 50011
(515) 294-8378 (voice)
guan@iastate.edu

Vice Chair:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Salem, UT 84653
hilarie @purplestreak.com

Chair, Subcommittee on Academic Affairs:
Prof. Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department, Code CS/IC
Monterey CA 93943-5118
(831) 656-2461 (voice)
irvine@nps.edu

Treasurer:
Terry Benzel
USC Information Sciences Intnl
4676 Admiralty Way, Suite 1001
Los Angeles, CA 90292
(310) 822-1511 (voice)
tbenzel @isi.edu

Chair, Subcomm. on Security Conferences:
Jonathan Millen
The MITRE Corporation, Mail Stop S119
202 Burlington Road Rte. 62
Bedford, MA 01730-1420
781-271-51 (voice)
jmillen@mitre.org

Security and Privacy Symposium 2009 General Chair:
David Du
Department of Computer Science and Engineering
University of Minnesota
Minneapolis, MN 55455
oakland09-chair@ieee-security.org

Newsletter Editor:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Salem, UT 84653
cipher-editor@ieee-security.org

________________________________________________________________________

BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year