============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 91                                        July 20, 2009

Hilarie Orman, Editor                     Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org         cipher-assoc-editor @ ieee-security.org

Yong Guan                                 Book Review Editor
Calendar Editor                           cipher-bookrev @ ieee-security.org
cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year

Contents:

* Letter from the Editor
* News
    o Technical Committee on Security and Privacy Names Officers for 2010-2012
    o "Oakland" (Security and Privacy Symposium) Plans 30th Anniversary Gala
    o Announcement of SIGSAC Awards nominations process from Pierangela Samarati
    o NIST Announces Digital Signature Standard
    o NIST Requests Comments on Key Size Transitions
* Commentary and Opinion
    o Review of the Detection of Intrusions and Malware & Vulnerability
      Assessment (DIMVA), (Como, Italy, July 9-10, 2009)
      by Martin Apel and Michael Meier
    o Richard Austin's review of "Windows Forensic Analysis DVD Toolkit (2ed)" by H.
      Carvey
    o Book reviews, Conference Reports and Commentary and News items from past
      Cipher issues are available at the Cipher website
* Conference and Workshop Announcements
    o Calendar of events
    o Upcoming calls-for-papers
* List of Computer Security Academic Positions, by Cynthia Irvine
* Staying in Touch
    o Information for subscribers and contributors
    o Recent address changes
* Links for the IEEE Computer Society TC on Security and Privacy
    o Becoming a member of the TC
    o TC Officers
    o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

These are the summer security doldrums, the time when people attend
conferences in pleasant vacation spots but do not announce many new
conferences. But, for some, this is the season of national cyberwarfare,
and the fog of war was never more murky than in this arena. Has a north
attacked a south? Or has a third party, acting through one nation,
attacked another? We may never know, and that is cause for concern ---
could one lose a war without ever knowing it had started?

Our Cipher contributors have been writing through the July heat, and we
are pleased to have a Richard Austin book review and a detailed set of
notes for the recent DIMVA ("Detection, Intrusion, Malware, and
Vulnerability Assessment") conference.

The Technical Committee on Security and Privacy is planning to honor the
many people who have made the "Oakland" conference so successful over the
last many years by holding a special anniversary event next year. Watch
Cipher for more news about the plans.

My parting thought concerns the news about a software error that charged
some 17,000 people the sum of 23 quadrillion dollars each. First of all,
we should all be practicing the sequence
"million-billion-trillion-quadrillion" if we want to be able to discuss
global finance coherently.
Second of all, if mistakes of this magnitude fall through the cracks, what
hope do we have of producing verifiably secure software to prevent hacking?
About one chance in 2 to the power 23 quadrillion, by my reckoning.

      Hilarie Orman
      cipher-editor @ ieee-security.org

====================================================================
News Briefs
====================================================================

Technical Committee on Security and Privacy Names Officers for 2010-2012

At the Symposium on Security and Privacy in May of this year, the IEEE
Technical Committee on Security and Privacy held its annual business
meeting. Cynthia Irvine, the committee chair, conducted the meeting. At
the start of 2010, Hilarie Orman, the current vice chair, will become
chair. Sven Dietrich, currently the Cipher associate editor, will assume
the duties of vice chair. Terry Benzel will continue as treasurer.

---------------------------------------------------------------------
"Oakland" (Security and Privacy Symposium) Plans 30th Anniversary Gala

The Security and Privacy Symposium held its 30th meeting this past May,
and that means that next year's meeting will be the 30th anniversary. To
mark the event, the organizers are planning festivities for May of 2010.
Two subcommittees are in charge of organizing events, including an
evening dinner and a retrospective look at the research and notable
goings-on over the 3 decades at the Claremont Hotel.

The call-for-papers is now available (see the calendar and CFP section of
this newsletter), and it includes a new category for "systematization of
knowledge". Worth noting is the deadline for workshop proposals, which is
in August.

--------------------------------------------------------------------
From Pierangela Samarati, Chair, SIGSAC Awards Committee:

ACM SIGSAC is offering two annual awards: SIGSAC Outstanding Innovation
Award and SIGSAC Outstanding Contributions Award. At most one award is
given each year in each category.
The award criteria are as follows:

- SIGSAC Outstanding Innovation Award: This award is given for
  outstanding and innovative technical contributions to the field of
  computer and communication security that have had lasting impact in
  furthering or understanding the theory or development of secure
  systems.

- SIGSAC Outstanding Contribution Award: This award is given for
  significant contribution to the field of computer and communication
  security through fostering research and development activities,
  educating students, or providing professional services such as the
  running of professional societies and conferences.

The SIGSAC Awards Committee is now open to receiving nominations for the
awards. The awards will be presented at the 16th ACM Computer and
Communication Security Conference, Chicago, IL, USA, on November 9-13,
2009.

NOMINATION PROCESS: Each nomination should be co-sponsored by at least 3
people. Email co-sponsorship is accepted. Nominations should include a
proposed citation (up to 25 words), a succinct (100-250 words)
description of the innovation/contribution, and a detailed statement
(1-2 pages) to justify the nomination as well as other supporting
materials. Nominations should be submitted via e-mail (with subject
"SIGSAC Innovation/Contribution Award nomination") to the chair of the
SIGSAC Awards Committee: Pierangela Samarati (pierangela.samarati@unimi.it).

DEADLINE FOR NOMINATIONS: The deadline for receiving nominations is
August 7, 2009.

EXCLUSION: Members of the ACM SIGSAC Awards Committee are not eligible to
be nominated.
The details related to the nomination process and administration of the
awards are posted at http://www.acm.org/sigs/sigsac/awards.html

SIGSAC Awards Committee:
Vijay Atluri, Rutgers University
Virgil Gligor, Carnegie Mellon University
John McLean, Naval Research Laboratory
Pierangela Samarati, University of Milan (chair)

---------------------------------------------------------------
NIST Digital Signature Standard

NIST announces the adoption of FIPS 186-3, The Digital Signature Standard
(see the Federal Register Notice). FIPS 186-3 is a revision of FIPS 186-2.
The FIPS specifies three techniques for the generation and verification
of digital signatures: DSA, ECDSA and RSA. This revision increases the
length of the keys allowed for DSA, provides additional requirements for
the use of ECDSA and RSA, and includes requirements for obtaining the
assurances necessary for valid digital signatures.

URL to FIPS 186-3:
http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf
URL to Federal Register Notice (FRN):
http://csrc.nist.gov/publications/fips/fips186-3/frn-fips_186-3.pdf

---------------------------------------------------------------
NIST Requests Comments on Key Size Transitions

Comments are requested on the white paper "The Transitioning of
Cryptographic Algorithms and Key Sizes"
http://csrc.nist.gov/groups/ST/key_mgmt/documents/Transitioning_CryptoAlgos_070209.pdf
by August 3, 2009.
Please provide comments to CryptoTransitions@nist.gov with the subject
line "Transitions Comment"

================================================================
2008 SIGSAC AWARDS RECIPIENTS
-----------------------------------------------------
SIGSAC Outstanding Innovation Award: Dorothy Denning
SIGSAC Outstanding Contribution Award: Ravi Sandhu

2007 SIGSAC AWARDS RECIPIENTS
-----------------------------------------------------
SIGSAC Outstanding Innovation Award: Martin Abadi
SIGSAC Outstanding Contribution Award: Sushil Jajodia

2006 SIGSAC AWARDS RECIPIENTS
-----------------------------------------------------
SIGSAC Outstanding Innovation Award: Michael Schroeder
SIGSAC Outstanding Contribution Award: Eugene Spafford

2005 SIGSAC AWARDS RECIPIENTS
-----------------------------------------------------
SIGSAC Outstanding Innovation Award: Whitfield Diffie
SIGSAC Outstanding Contribution Award: Peter G. Neumann

News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html

====================================================================
Commentary and Opinion
====================================================================

____________________________________________________________________
Review of Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA)
Como, Italy, July 9-10, 2009
by Martin Apel and Michael Meier
____________________________________________________________________

The Sixth Conference on Detection of Intrusions and Malware &
Vulnerability Assessment (DIMVA)

Introduction by Sven Dietrich
------------------------------

DIMVA 2009 took place in Como, Italy. About 40-45 attendees from various
sectors huddled in a beautiful villa, Villa Gallia, next to Lake Como. An
occasional glance to the side through the large doors gave a view of the
seaplanes taking off, the funicular on the opposite lakeside, and the
ferryboats bringing more visitors to town.
The session breaks were held either inside the villa, casually outside on
the lawn, or right by the lake. The conference dinner was held at a
remote lakeside restaurant, where we were taken by a small boat and shown
the sights (mostly villas owned by the rich and famous) on the way.

Without further ado, the conference notes...

Review by Martin Apel and Michael Meier.
----------------------------------------

The conference was opened by the General Chair Danilo Bruschi, and the
Program Chair Ulrich Flegel presented statistics on submissions,
selection and attendance broken down by country and sector.

The first session on Malware and SPAM was chaired by Toralv Dirro.

A Case Study on Asprox Infection Dynamics
-----------------------------------------

Youngsang Shin presented results of their work studying the Asprox
botnet. They studied Asprox bots, infected web servers, and the
infrastructure behind Asprox propagation using real-world data sets. Due
to the use of JavaScript obfuscation, multi-layer fast flux, and
redirects, they conclude that a take-down of the malware-delivery hosts
seems unlikely to succeed. They nevertheless identified the specific URLs
that are injected as part of the SQL injection phase as the most
vulnerable part of Asprox. These URLs, pointing to malware delivery
hosts, can be blacklisted; Google actually blacklists them.

How good are malware detectors at remediating infected systems?
---------------------------------------------------------------

Emanuele Passerini presented a fully automated testing methodology to
evaluate the remediation capabilities of malware detectors. They used
their method to evaluate six well-known commercial malware detectors and
found that none of them remediates all modifications made to the system
by the malware.
After the talk one attendee remarked that the command-line versions of
the malware detection tools, which were used for the evaluation, often
provide limited remediation functionality compared to the GUI versions.

Q: Why did you choose different samples for each malware detector?
A: Our goal was not to compare the six malware detectors, but to survey
how well the malware detectors manage to remediate.

Towards Proactive-Spam Filtering
--------------------------------

In his talk Jan Goebel presented a methodology to infer e-mail templates
used by spam bots from the mails sent by the bots, which can later be
used to filter spam. They monitored the bots in a SandNet and used an
approach based on the determination of longest common substrings and
regular expressions.

Q: What is the "proactive" part?
A: The mails are collected when they are sent and not when they are
received.
Q: Have you compared your results to SpamAssassin?
A: No.

The session Emulation-based Detection was moderated by Peter Szor.

Shepherding Loadable Kernel Modules through On-demand Emulation
---------------------------------------------------------------

As the authors (Xuan Chaoting, John Copeland, and Raheem Beyah) could not
attend the conference, this talk was given by John McHugh using their
slides. The rootkit prevention system DARK was introduced, which combines
program monitoring (using on-demand emulation) with rootkit detection
techniques. The suspicious kernel code is monitored and its interactions
with the rest of the kernel are checked against a set of well-selected,
manually crafted security policies. DARK was evaluated using 13 kernel
rootkits and 20 benign kernel modules, showing zero false negatives and
one false positive (5%). The runtime performance penalty has been
measured on only one module (iptable_filter) and is around 10%.

Q: When is the emulation started, meaning when is the code regarded as
suspicious?
A: Static analysis is used to decide whether code is suspicious or not.

Yataglass: Network-level Code Emulation for Analyzing Memory Scanning
---------------------------------------------------------------------

Makoto Shimamura discussed exploit/shellcode that uses instructions from
the victim's memory image. Thus, to analyze the shellcode, the victim's
memory image is required. He presented Yataglass, a network-level code
emulator, which emulates the victim's memory image by responding to the
memory scan requests of the shellcode. It uses symbolic execution to
infer the instructions that are scanned for. It cannot infer instructions
if the shellcode scans for a value in a range or if it scans for a
function signature.

Q: How do you determine the bytes in the stream where you start the
emulation?
A: Every possible position is tested.
Q: Can the stream be crafted in a way that makes Yataglass fork "very
often" and thus enables a denial-of-service attack?
A: Yataglass takes some countermeasures ... an extensive answer will be
given offline.

Defending Browsers against Drive-by Downloads: Mitigating Heap-spraying
Code Injection Attacks
----------------------------------------------------------------------

The talk was given by Manuel Egele, who discussed drive-by downloads
which inject shellcode into the browser's address space using JavaScript
and execute it by triggering a browser vulnerability. He further
presented an approach for detecting such shellcode injections by checking
every JavaScript variable for shellcode using libemu. The approach was
implemented by instrumenting the SpiderMonkey JavaScript engine and
evaluated on malicious web pages collected using the CaptureHPC
honeyclient.

Q: CaptureHPC is based on Internet Explorer and your approach uses
Firefox. Wouldn't this lead to a problem with malicious web pages that
use browser fingerprinting?
A: To circumvent this problem, ActiveX has been implemented for Firefox
to make it look like Internet Explorer.
Q: Would the approach classify a JavaScript-based web page as malicious
which just shows shellcode for demonstration purposes?
A: Yes.

Keynote by Richard Kemmerer (UCSB)
----------------------------------

"How to Steal a Botnet and What Can Happen When You Do"

In his interesting and entertaining talk, Richard Kemmerer told the story
of the Torpig botnet, which was controlled by researchers of his group
for ten days. This was done by reverse engineering the domain generation
algorithm and registering the domains for the Torpig C&C server. He gave
an interesting overview of the insights gained during these ten days and
concluded that

- Previous evaluations of botnet sizes based on distinct IPs may be
  grossly overestimated
- Botnet victims are users with poorly maintained machines who choose
  easily guessable passwords to protect sensitive data
- Interacting with registrars, hosting facilities, victim institutions,
  and law enforcement can be a complicated process

The session Software Diversity was chaired by John McHugh.

Polymorphing Software by Randomizing Data Structure Layout
----------------------------------------------------------

Zhiqiang Lin presented a technique for polymorphing software by
randomizing the data-structure layout of programs. This can be used to
avoid attacks that are based on knowledge of the data-structure layout,
but also to evade signature-based detection. The technique has been
implemented for GCC.
The software is licensed under the GPL and available at
http://www.cs.purdue.edu/homes/zlin/dimva09.html

On the effectiveness of software diversity: A systematic study on
Real-World Vulnerabilities
----------------------------------------------------------------------

Many systems that utilize diverse off-the-shelf software assume that
these software products are diverse enough not to be compromised
simultaneously by the same exploit. The work presented by Jin Han
investigates whether this assumption is valid. To that end they
investigated the following questions: How much software has potential
substitutes with the same functionality that cannot be exploited by the
same attack? Can vulnerabilities of one piece of software be exploited on
different OSes simultaneously? Results of an analysis of the
vulnerabilities published in 2007 show that more than 98.5% of vulnerable
applications have substitutes with a very low chance of being compromised
by the same attack. 50% of the applications are supported on multiple
OSes, and different OS distributions of the same application have a more
than 80% chance of suffering from the same vulnerability, but their
attack code is quite different.

Q: Are the system calls issued from an IIS on a Windows machine really
comparable to an Apache running on Linux?
A: How the comparison is made is not part of the paper, but has been
described elsewhere.

The program of day 1 ended with an open meeting of SIG SIDAR chaired by
Michael Meier.

In the first session of day 2, Henry Stern (Cisco IronPort Systems LLC)
gave a keynote on "A New Era in Security Collaboration: Turning the
Tables on Botnets". He introduced a reputation-based collaboration
framework for routers. It can be used to defeat attacks (even distributed
ones) and is being used successfully by Cisco.

The 2nd session of day 2 on "Harnessing Context" was moderated by Engin
Kirda.
Using Contextual Information for IDS Alarm Classification
---------------------------------------------------------

Since intrusion detection systems are known to generate many non-critical
alerts, context information may be exploited to classify the alerts. In
his talk Francois Gagnon presented results of a study of the
effectiveness of incorporating context information on the target
operating system and application configuration. They also analyzed
whether existing tools are good enough to gather such context information
automatically. Based on their experimental results they conclude that
target information is valuable for alert classification, but also that
existing operating system discovery tools are not adequate for IDS
context gathering.

Q: How many packets/alarms can the system handle?
A: There is no testing data yet.

Browser Fingerprinting from Coarse Traffic Summaries: Techniques and
Implementations
--------------------------------------------------------------------

In her talk Ting-Fang Yen presented an approach for browser
fingerprinting that does not rely on payload data but on behavioral
features evidenced in flows. She also discussed two applications of the
fingerprinting approach. First, extending a network IDS with browser
platform characteristics allows it to detect a broader range of malware
by finding similar traffic. Second, browser fingerprints can be used for
deanonymization of websites in flow records that have been anonymized.

Q: Have different browser versions and configurations been evaluated?
A: Only one version has been tested.

A service dependency modeling framework for policy based response
enforcement
------------------------------------------------------------------------------

Nizar Kheir presented a modeling framework for services and their
dependencies, which allows formally defining dependency attributes.
He also demonstrated the use of the service dependency framework for
providing appropriate candidates for intrusion responses.

Q: Is there any tool support?
A: Yes.

------------------------------------------------------------------

The Rump Session was chaired by Sven Dietrich. A few short presentations
were given:

Peter Wurzinger gave a short presentation of an upcoming paper on
"Automatically Generating Models for Botnet Detection".

In his short talk "Are botnets used to run phishing over the phone?"
Federico Maggi gave an overview of the Phone Phishing Project
(http://phonephishing.info/).

Christian Bockermann gave a short presentation on the idea of
fingerprinting web browsers by SSL cipher suites.

Thorsten Holz gave a short talk on "Bypassing Kernel-Integrity Protection
Mechanisms" using return-oriented programming.

Philipp Trinius gave a talk on "Visualization of Malware Behavior" and
showed various ways to visualize CWSandbox reports.

Angelo Dell'Aera gave an overview of the Tracking Intelligence Project
(TIP), which is an information gathering framework whose purpose is to
autonomously collect Internet threat trends. The system is composed of a
number of independent modules, currently blacklist, spamtrap and fast
flux modules.

Sven Dietrich announced a workshop on ethics in computer security
research, to take place in Tenerife, Canary Islands, Spain, in January
2010, co-located with FC'10.

Marko Jahnke (general chair of DIMVA 2010) announced that DIMVA 2010 will
take place in Bonn, Germany.

The session on anomaly detection was chaired by Pavel Laskov.

Learning SQL for Database Intrusion Detection using Context-Sensitive Modeling
------------------------------------------------------------------------------

In his talk Christian Bockermann started with a motivation showing the
prevalence of SQL injection attacks.
He further presented an approach for modeling SQL statements so that
machine learning can be applied to detect malicious behavior at the
database transaction level. The approach incorporates the parse tree
structure of SQL queries as a characteristic feature. The presented
experimental results demonstrate and compare the separation capabilities
of different feature models.

Q: Hasn't this been "solved" already?
A: Yes, there are methods, but this vulnerability is still out there.

Selecting and Improving System Call Models for Anomaly Detection
----------------------------------------------------------------

Federico Maggi started his presentation with an introduction to
system-call-based anomaly detection and an analysis of two detectors
based on different approaches, a deterministic one (FSA-DF) and a
stochastic one (S2A2DE). He further discussed the combination of the two
complementary approaches, which incorporates deterministic as well as
stochastic models. An experimental comparison of the two combined
detectors and the two original ones showed that all detectors have the
same detection rate, but that the combined versions have significantly
lower false positive rates.

Q: Why have you used SOMs (which are performance intensive) to group the
string arguments and not simpler measures like edit distance?
A: Edit distance also has its problems, and SOMs are an interesting
technique we wanted to try.

In the last session of DIMVA 2009, Lexi Pimenidis presented the results
of the fifth CIPHER CTF ("Capture-the-Flag"), which took place in
parallel to the DIMVA conference. Results are available at
http://www.cipher-ctf.org/cipher5/

The proceedings of DIMVA 2009 were published as Springer LNCS 5587 and
are available online at
http://www.springerlink.com/content/978-3-642-02917-2

Slides of the DIMVA 2009 presentations will soon be available at
http://www.dimva.org/dimva2009

See you next year in Bonn!
____________________________________________________________________
Book Review By Richard Austin
"Windows Forensic Analysis DVD Toolkit (2ed)"
July 17, 2009
____________________________________________________________________

Windows Forensic Analysis DVD Toolkit (2ed)
by H. Carvey
Syngress 2009.
ISBN 978-1-59749-422-9
Amazon.com USD 62.95

Digital technology touches many facets of our personal and professional
lives, and with this contact comes the important realization that events
in the physical world increasingly leave traces in the digital world. The
practice of digital forensics (the collection, preservation and analysis
of digital information for use in legal proceedings) deals with finding
and interpreting these digital traces to answer important questions of
fact ("Did John send Jane several threatening e-mails before her
disappearance?", "How did the intruder gain access to the engineering
server and what did she do with that access?", etc).

Carvey's book is a treasure trove of information and tools dealing with
the forensic analysis of Windows systems. It is organized into nine
chapters and includes a similarly organized DVD that includes tools and
multimedia presentations relevant to each chapter.

The book devotes its first three chapters to the important topic of "live
response", which deals with collecting information from a running system.
Traditional computer forensics has predominantly limited itself to
collecting and examining images of the disks collected after a system was
powered down. Live response is a critical activity based on the
recognition that much information (the list of running processes, open
network connections, etc) would not be found in a disk image. Chapter 3,
"Windows Memory Analysis", covers the recent development of tools for
collecting a copy of system memory and, equally important, tools for
analyzing it to retrieve important information.
Since volatile data collection makes use of the running system, the
possibility always exists that malware (e.g., a rootkit) may be modifying
the information retrieved to conceal its activities. Collecting the
contents of memory (without the necessity of halting the system) for
later analysis makes it less likely that important information will be
hidden.

Chapter 4, "Registry Analysis", is another gem that delves into the
information that can be retrieved from the Windows registry and the tools
that reveal it. It gives an excellent introduction to RegRipper, written
by Carvey, which simplifies the process of retrieving and interpreting
the overwhelming wealth of information in the registry.

The next two chapters, "File Analysis" and "Executable File Analysis",
introduce the tools and techniques for making sense of the various types
of files encountered on the system, including topics ranging from event
logs to metadata found in Word and PDF files. The chapter on executables
provides an excellent introduction to how executables are structured and
how malware authors conceal their activities using things like "cryptors"
and "packers".

Chapter 7, "Rootkits and Rootkit Detection", provides a good introduction
and discussion of this frightening type of malware (as Hercule Poirot
said, "When someone is lying to you, watch out!") as well as the various
ways of detecting their presence on a system.

Chapter 8, "Tying It All Together", pulls the techniques together in a
series of 7 case studies followed by sound advice on how to actually get
started using them in practice.

The final chapter, "Performing Analysis on a Budget", gives sound advice
on how to "bootstrap" your forensic capability on a limited budget while
still delivering genuine capability and real results. This is
particularly important as a forensic capability in incident response is
becoming less of a luxury and more of a necessity.
As Carvey points out, simply wiping and reinstalling a server after a
compromise without understanding how the compromise was effected is just
an invitation to be "p0wned" again in the same way.

This book is extremely practical and is written for the working IT
professional. Most of the tools are written in Perl, and Carvey is very
faithful in providing references to where the information underlying the
tools came from. This is important because forensics is inseparably
linked with the legal system, and it is critical that an analyst be able
to clearly explain not only the results from a tool but also how those
results were generated.

More managerially-focused professionals may find the book hard sledding,
but the introductory material in each chapter will reward skimming to
understand the available types of information and the practical uses
that can be made of it.

Definitely a recommended read and worthy of a place on your bookshelf.

--------------------------
Before beginning life as an itinerant university instructor and
cybersecurity consultant, Richard Austin was the storage network security
architect for a Fortune 25 company.
He welcomes your thoughts and comments at rausti19 at Kennesaw dot edu

---------------------------------------------------------------------
Book reviews from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/BookReviews.html, and conference
reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

7/17/09: F2GC, 2nd International Workshop on Forensics for Future Generation Communication environments, Jeju, Korea; http://www.ftrg.org/F2GC2009/; Submissions are due
7/20/09: MPIS, 2nd International Workshop on Multimedia, Information Privacy and Intelligent Computing Systems, Jeju, Korea; http://www.ftrg.org/MPIS2009/; Submissions are due
7/20/09- 7/22/09: POLICY, IEEE International Symposium on Policies for Distributed Systems and Networks, Imperial College London, UK; http://ieee-policy.org
7/24/09: FAST, 6th International Workshop on Formal Aspects in Security and Trust, Eindhoven, the Netherlands; http://www.iit.cnr.it/FAST2009/; Submissions are due
7/27/09: HOST, 2nd IEEE International Workshop on Hardware-Oriented Security and Trust, San Francisco, CA, USA; http://www.engr.uconn.edu/HOST/
7/31/09: ReConFig, International Conference on ReConFigurable Computing and FPGAs, Special Track on Reconfigurable Computing for Security and Cryptography, Cancun, Mexico; http://www.reconfig.org; Submissions are due
8/ 1/09: MidSec, 2nd Workshop on Middleware Security, Held in conjunction with the 10th ACM/IFIP/USENIX International Middleware Conference (MIDDLEWARE 2009), Urbana Champaign, Illinois, USA; http://www.cs.kuleuven.be/conference/MidSec2009/;
Submissions are due
8/ 1/09: IEEE Design and Test of Computers, Special Issue on Verifying Physical Trustworthiness of Integrated Circuits and Systems; http://www.engr.uconn.edu/~tehrani/CFP-D&T-SI.pdf; Submissions are due
8/10/09: CSET, Workshop on Cyber Security Experimentation and Test, Held in conjunction with the USENIX Security Symposium (USENIX-Security 2009), Montreal, Canada; http://www.usenix.org/event/cset09/
8/11/09: HotSec, 4th USENIX Workshop on Hot Topics in Security, Held in conjunction with the 18th USENIX Security Symposium (USENIX-Security 2009), Montreal, Canada; http://www.usenix.org/events/hotsec09/cfp/
8/12/09- 8/14/09: USENIX-SECURITY, 18th USENIX Security Symposium, Montreal, Canada; http://www.usenix.org/events/sec09/cfp/
8/14/09: Information Systems Frontiers, Special Issue on Security Management and Technologies for Protecting Against Internal Data Leakages; http://www.som.buffalo.edu/isinterface/ISFrontiers/forthcoming1/InfoSec09-SI-CFP.pdf; Submissions are due
8/15/09: IFIP-DF, 6th Annual IFIP WG 11.9 International Conference on Digital Forensics, University of Hong Kong, Hong Kong; http://www.ifip119.org/Conferences/WG11-9-CFP-2010.pdf; Submissions are due
8/15/09: UbiSafe, 2nd IEEE International Symposium on Ubisafe Computing, Chengdu, China; http://cs.okstate.edu/ubisafe09/; Submissions are due
8/17/09: INTRUST, The International Conference on Trusted Systems, Beijing, P. R.
China; http://www.tcgchina.org; Submissions are due 8/17/09- 8/19/09: DFRWS, 9th Digital Forensics Research Workshop, Montreal, Canada; http://www.dfrws.org/2009/cfp.shtml 8/25/09: Inscrypt, 5th China International Conference on Information Security and Cryptology, Beijing China; http://www.inscrypt.cn/; Submissions are due 8/31/09- 9/ 4/09: TrustBus, 6th International Conference on Trust, Privacy, and Security in Digital Business, Held in conjunction with the 20th International Conference on Database and Expert Systems Applications (DEXA 2009), Linz, Austria; http://www.icsd.aegean.gr/trustbus2009/ 8/31/09- 9/ 4/09: DaSECo, 1st International Workshop on Defence against Spam in Electronic Communication, Held in conjunction with the 20th International Conference on Database and Expert Systems Applications (DEXA 2009), Linz, Austria; http://www.dexa.org/files/CfP_DaSECo_15.Jan_.pdf 8/31/09- 9/ 4/09: InSPEC, 2nd International Workshop on Security and Privacy in Enterprise Computing, Held in conjunction with the 13th IEEE International Enterprise Distributed Object Computing Conference (EDOC 2009), Auckland, New Zealand; http://sesar.dti.unimi.it/InSPEC2009/ 9/ 1/09: International Journal of Communication Networks and Information Security, Special Issue on Composite and Integrated Security Solutions for Wireless Sensor Networks; http://ijcnis.kust.edu.pk/announcement; Submissions are due 9/ 1/09: Journal of System Architecture, Special Issue on Security and Dependability Assurance of Software Architectures; http://ees.elsevier.com/jsa/; Submissions are due 9/ 2/09- 9/ 4/09: WISTP, Workshop on Information Security Theory and Practices (Smart Devices, Pervasive Systems, and Ubiquitous Networks), Bruxelles, Belgium; http://www.wistp.org/ 9/ 7/09- 9/ 9/09: ISC, 12th Information Security Conference, Pisa, Italy; http://isc09.dti.unimi.it/ 9/ 8/09: SAC-CF, 25th ACM Symposium on Applied Computing, Computer Forensics Track, Sierre, Switzerland; 
http://comp.uark.edu/~bpanda/sac2010cfp.pdf; Submissions are due 9/ 8/09: SAC-TRECK, 25th ACM Symposium on Applied Computing, Trust, Reputation, Evidence and other Collaboration Know-how Track, Sierre, Switzerland; http://www.trustcomp.org/treck/; Submissions are due 9/ 8/09: SAC-ISRA, 25th ACM Symposium on Applied Computing, Information Security Research and Applications Track, Sierre, Switzerland; http://www.albany.edu/~er945/CfP_SAC2010_ISRA.html; Submissions are due 9/ 8/09- 9/11/09: NSPW, New Security Paradigms Workshop, The Queen's College, University of Oxford, UK; http://www.nspw.org/current/cfp.shtml 9/ 9/09- 9/11/09: EuroPKI, 6th European Workshop on Public Services, Applications and Infrastructures; Pisa, Tuscany, Italy; http://www.iit.cnr.it/EUROPKI09 9/10/09- 9/11/09: ARO-DF, ARO Workshop on Digital Forensics, Washington DC., USA; http://www.engineering.iastate.edu/~guan/ARO-DF/ARO-DF.html 9/11/09: NDSS, 17th Annual Network & Distributed System Security Symposium, San Diego, CA, USA; http://www.isoc.org/isoc/conferences/ndss/10/cfp.shtml; Submissions are due 9/14/09- 9/18/09: SECURECOMM, 5th International ICST Conference on Security and Privacy for Communication Networks, Athens, Greece; http://www.securecomm.org 9/15/09: EC2ND, 5th European Conference on Computer Network Defence, Politecnico di Milano, Milano, Italy; http://2009.ec2nd.org/; Submissions are due 9/15/09: FC, Financial Cryptography and Data Security, Tenerife, Canary Islands, Spain; http://fc10.ifca.ai/; Submissions are due 9/21/09: WiSec, 3rd ACM Conference on Wireless Network Security, Stevens Institute of Technology, Hoboken, NJ, USA; http://www.sigsac.org/wisec/WiSec2010; Submissions are due 9/21/09- 9/25/09: ESORICS, 14th European Symposium on Research in Computer Security, Saint Malo, France; http://www.esorics.org 9/24/09: DPM, 4th International Workshop on Data Privacy Management, Saint Malo, Britany, France; http://dpm09.dyndns.org/ 9/24/09- 9/25/09: SETOP, International 
Workshop on Autonomous and Spontaneous Security, Held in conjunction with ESORICS 2009, Saint Malo, Britany, France; http://conferences.telecom-bretagne.eu/setop-2009 9/24/09- 9/25/09: STM, 5th International Workshop on Security and Trust Management, Held in conjunction with ESORICS 2009 Saint Malo, France; http://stm09.dti.unimi.it 9/27/09- 9/30/09: SRDS, 28th International Symposium on Reliable Distributed Systems, Niagara Falls, New York, USA; http://www.cse.buffalo.edu/srds2009/ 9/28/09: ASIACCS, 5th ACM Symposium on Information, Computer and Communications Security, Beijing, China; http://www.dacas.cn/asiaccs2010; Submissions are due 9/30/09: ESSoS, 2nd International Symposium on Engineering Secure Software and Systems, Pisa, Italy; http://distrinet.cs.kuleuven.be/events/essos2010; Submissions are due 9/30/09-10/ 2/09: ICDF2C, International Conference on Digital Forensics & Cyber Crime, Albany, NY, USA; http://www.d-forensics.org/ 10/ 6/09-10/10/09: SIN, 2nd ACM International Conference on Security of Information and Networks, Eastern Mediterranean University, Gazimagusa, TRNC, North Cyprus; http://www.sinconf.org/cfp/cfp.htm 10/11/09: VizSec, Workshop on Visualization for Cyber Security, Atlantic City, NJ, USA; http://vizsec.org/vizsec2009/ 10/12/09: SecPri-WiMob, International Workshop on Security and Privacy in Wireless and Mobile Computing, Networking and Communications, Held in the 5th IEEE International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob 2009), Marrakech, Morocco; http://www.icsd.aegean.gr/SecPri_WiMob_2009/ 10/12/09-10/14/09: TSP, IEEE International Symposium on Trust, Security and Privacy for Pervasive Applications, Held in conjunction with the IEEE International Conference on Mobile Ad-hoc and Sensor Systems (MASS 2009), Macau SAR, China; http://trust.csu.edu.cn/conference/tsp2009/ 10/14/09: MetriSec, 5th International Workshop on Security Measurements and Metrics, Held in conjunction with the 
International Symposium on Empirical Software Engineering and Measurement (ESEM 2009), Lake Buena Vista, Florida, USA; http://www.cs.kuleuven.be/conference/MetriSec2009/ 10/19/09-10/21/09: NSS, 3rd International Conference on Network & System Security, Gold Coast, Australia; http://nss2007.cqu.edu.au/FCWViewer/view.do?page=8494 10/19/09-10/21/09: DMM, 1st International Workshop on Denial of service Modelling and Mitigation, Held in conjunction with 3rd International Conference on Network & System Security (NSS 2009), Gold Coast, Australia; http://conf.isi.qut.edu.au/dmm2009 10/28/09-10/30/09: IWSEC, 4th International Workshop on Security, Toyama, Japan; http://www.iwsec.org 11/ 1/09: Elsevier Computer Communications, Special Issue on Multimedia Networking and Security in Convergent Networks; http://www.elsevier.com/locate/comcom; Submissions are due 11/ 1/09-11/ 6/09: LISA, 23rd USENIX Large Installation System Administration Conference, Baltimore, MD, USA; http://usenix.org/events/lisa09/ 11/ 1/09-11/ 6/09: IS, 4th International Symposium on Information Security, Vilamoura, Algarve-Portugal; http://www.onthemove-conferences.org/index.php? 
option=com_content&view=article&id=65&Itemid=140 11/ 5/09-11/ 6/09: FAST, 6th International Workshop on Formal Aspects in Security and Trust, Eindhoven, the Netherlands; http://www.iit.cnr.it/FAST2009/ 11/ 9/09-11/13/09: CCS, 16th ACM Conference on Computer and Communications Security, Chicago, IL, USA; http://sigsac.org/ccs/CCS2009/index.shtml 11/12/09-11/13/09: EC2ND, 5th European Conference on Computer Network Defence, Politecnico di Milano, Milano, Italy; http://2009.ec2nd.org/ 11/13/09: STC, 4th Annual Workshop on Scalable Trusted Computing, Held in conjunction with the 16th ACM Conference on Computer and Communications Security (CCS 2009), Chicago, IL, USA; http://projects.cerias.purdue.edu/stc2009/call.html 11/13/09: SWS, ACM Workshop on Secure Web Services, Held in conjunction with the 16th ACM Conference on Computer and Communications Security (CCS 2009), Chicago, IL, USA; http://sesar.dti.unimi.it/SWS09/ 11/13/09: SPIMACS, ACM Workshop on Security and Privacy in Medical and Home-Care Systems, Held in conjunction with the 16th ACM Conference on Computer and Communications Security (CCS 2009), Chicago, IL, USA; http://www.infosecon.net/SPIMACS/cfp.php 11/13/09: CCSW, ACM Cloud Computing Security Workshop, Held in conjunction with the 16th ACM Conference on Computer and Communications Security (CCS 2009), Chicago, IL, USA; http://crypto.cs.stonybrook.edu/ccsw09 11/15/09: IEEE Security & Privacy, Special Issue on Privacy-Preserving Sharing of Sensitive Information; https://mc.manuscriptcentral.com/cs-ieee; Submissions are due 11/18/09: SP, 31st IEEE Symposium on Security and Privacy, The Claremont Resort, Oakland, CA, USA; http://oakland10.cs.virginia.edu/cfp.html; Submissions are due 11/18/09-11/20/09: IWNS, International Workshop on Network Steganography, Held in conjunction with the International Conference on Multimedia Information Networking and Security (MINES 2009), Wuhan, Hubei, China; http://stegano.net/workshop 11/18/09-11/20/09: SECMCS, Workshop on 
Secure Multimedia Communication and Services, Held in conjunction with the 2009 International Conference on Multimedia Information Networking and Security (MINES 2009), Wuhan, China; http://liss.whu.edu.cn/mines2009/SECMCS.htm 11/30/09: MidSec, 2nd Workshop on Middleware Security, Held in conjunction with the 10th ACM/IFIP/USENIX International Middleware Conference (MIDDLEWARE 2009), Urbana Champaign, Illinois, USA; http://www.cs.kuleuven.be/conference/MidSec2009/ 12/ 6/09-12/ 9/09: WIFS, 1st IEEE International Workshop on Information Forensics and Security, London, UK; http://www.wifs09.org 12/ 6/09-12/10/09: ASIACRYPT, 15th Annual International Conference on the Theory and Application of Cryptology and Information Security, Tokyo, Japan; http://asiacrypt2009.cipher.risk.tsukuba.ac.jp 12/ 7/09-12/11/09: ACSAC, 25th Annual Computer Security Applications Conference, Honolulu, Hawaii, USA; http://www.acsac.org 12/ 8/09-12/11/09: ICPADS, 15th IEEE International Conference on Parallel and Distributed Systems, Shenzhen, China; http://www.comp.polyu.edu.hk/conference/icpads09/ 12/ 9/09-12/11/09: ReConFig, International Conference on ReConFigurable Computing and FPGAs, Special Track on Reconfigurable Computing for Security and Cryptography, Cancun, Mexico; http://www.reconfig.org 12/10/09-12/12/09: F2GC, 2nd International Workshop on Forensics for Future Generation Communication environments, Jeju, Korea; http://www.ftrg.org/F2GC2009/ 12/10/09-12/12/09: MPIS, 2nd International Workshop on Multimedia, Information Privacy and Intelligent Computing Systems, Jeju, Korea; http://www.ftrg.org/MPIS2009/ 12/12/09-12/14/09: CANS, 8th International Conference on Cryptography and Network Security, Kanazawa, Ishikawa, Japan; http://www.rcis.aist.go.jp/cans2009/ 12/12/09-12/14/09: UbiSafe, 2nd IEEE International Symposium on Ubisafe Computing, Chengdu, China; http://cs.okstate.edu/ubisafe09/ 12/12/09-12/15/09: Inscrypt, 5th China International Conference on Information Security and 
Cryptology, Beijing China; http://www.inscrypt.cn/ 12/14/09-12/18/09: ICISS, 5th International Conference on Information Systems Security, Kolkata, India; http://www.eecs.umich.edu/iciss09/ 12/17/09-12/19/09: INTRUST, The International Conference on Trusted Systems, Beijing, P. R. China; http://www.tcgchina.org 12/31/09: IFIP-CIP, 4th Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection, Fort McNair, Washington, DC, USA; http://www.ifip1110.org; Submissions are due 1/ 3/10- 1/ 6/10: IFIP-DF, 6th Annual IFIP WG 11.9 International Conference on Digital Forensics, University of Hong Kong, Hong Kong; http://www.ifip119.org/Conferences/WG11-9-CFP-2010.pdf 1/ 5/10- 1/ 8/10: HICSS-DF, 43rd Hawaii International Conference on System Sciences, Digital Forensics Minitrack, Koloa, Kauai, Hawaii; http://www.hicss.hawaii.edu/hicss_43/apahome43.html 1/25/10- 1/28/10: FC, Financial Cryptography and Data Security, Tenerife, Canary Islands, Spain; http://fc10.ifca.ai/ 2/ 3/10- 2/ 4/10: ESSoS, 2nd International Symposium on Engineering Secure Software and Systems, Pisa, Italy; http://distrinet.cs.kuleuven.be/events/essos2010 2/28/10- 3/ 3/10: NDSS, 17th Annual Network & Distributed System Security Symposium, San Diego, CA, USA; http://www.isoc.org/isoc/conferences/ndss/10/cfp.shtml 3/14/10- 3/17/10: IFIP-CIP, 4th Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection, Fort McNair, Washington, DC, USA; http://www.ifip1110.org 3/22/10- 3/24/10: WiSec, 3rd ACM Conference on Wireless Network Security, Stevens Institute of Technology, Hoboken, NJ, USA; http://www.sigsac.org/wisec/WiSec2010 3/22/10- 3/26/10: SAC-CF, 25th ACM Symposium on Applied Computing, Computer Forensics Track, Sierre, Switzerland; http://comp.uark.edu/~bpanda/sac2010cfp.pdf 3/22/10- 3/26/10: SAC-TRECK, 25th ACM Symposium on Applied Computing, Trust, Reputation, Evidence and other Collaboration Know-how Track, Sierre, Switzerland; 
http://www.trustcomp.org/treck/ 3/22/10- 3/26/10: SAC-ISRA, 25th ACM Symposium on Applied Computing, Information Security Research and Applications Track, Sierre, Switzerland; http://www.albany.edu/~er945/CfP_SAC2010_ISRA.html 4/13/10- 4/16/10: ASIACCS, 5th ACM Symposium on Information, Computer and Communications Security, Beijing, China; http://www.dacas.cn/asiaccs2010 5/16/10- 5/19/10: SP, 31st IEEE Symposium on Security and Privacy, The Claremont Resort, Oakland, CA, USA; http://oakland10.cs.virginia.edu/cfp.html ____________________________________________________________________ Journal, Conference and Workshop Calls-for-Papers (new since Cipher E90) ___________________________________________________________________ F2GC 2009 2nd International Workshop on Forensics for Future Generation Communication environments, Jeju, Korea, December 10-12, 2009. (Submissions due 17 July 2009) http://www.ftrg.org/F2GC2009/ Future Generation Communication environments (FGC) are advanced communication and networking environments where all applications and services are focused on users. In addition, the FGC has emerged rapidly an exciting new paradigm to provide reliable and comfortable life services. Furthermore, the benefits of FGC will only be realized if security issues can be appropriately addressed. Specially, forensics for FGC is very important in the security fields. This workshop is intended to foster state-of-the-art research forensics in the area of FGC including information and communication technologies, law, social sciences and business administration. 
Topics of interest include but are not limited to the following:
- Digital forensics tools in FGC
- Digital Evidence Management in FGC
- Digital Evidence Analytics in FGC
- Digital Forensics Surveillance Technology and Procedures in FGC
- Digital evidence visualisation and communication for FGC
- Digital evidence storage and preservation in FGC
- Incident response and investigation in FGC
- Forensic procedures in FGC
- Portable electronic device forensics for FGC
- Network forensics in FGC
- Data hiding and recovery in FGC
- Network traffic analysis, traceback and attribution in FGC
- Legal, ethical and policy issues related to digital forensics in FGC
- Integrity of digital evidence and live investigations
- Multimedia analysis in FGC
- Trends and Challenges for FGC
- Evidence Protection in FGC
- Forensics case studies in FGC

-------------------------------------------------------------------------
MPIS 2009
2nd International Workshop on Multimedia, Information Privacy and Intelligent
Computing Systems, Jeju, Korea, December 10-12, 2009.
(Submissions due 20 July 2009)
http://www.ftrg.org/MPIS2009/

This workshop on Multimedia, Information Privacy and Intelligent Computing
Systems is intended to foster the dissemination of state-of-the-art research
in the area of multimedia and intelligent computing, including multimedia
signal processing, information security, soft computing (such as neural
networks, fuzzy theory and genetic algorithms), and novel applications of
intelligent computing in multimedia. As a follow-up to the workshop, we plan
to publish high quality papers covering the various theories and practical
applications related to multimedia and intelligent computing. We invite new
and original submissions addressing theoretical and practical topics in the
information technology and intelligent computing fields.
-------------------------------------------------------------------------
FAST 2009
6th International Workshop on Formal Aspects in Security and Trust,
Eindhoven, the Netherlands, November 5-6, 2009.
(Submissions due 24 July 2009)
http://www.iit.cnr.it/FAST2009/

The FAST2009 workshop aims at continuing the successful efforts of the
previous workshops, fostering cooperation among researchers in the areas of
security and trust. As computing and network infrastructures become
increasingly pervasive, and as they carry increasing economic activity,
society needs well-matched security and trust mechanisms. These interactions
increasingly span several enterprises and involve loosely structured
communities of individuals. Participants in these activities must control
interactions with their partners based on trust policies and business logic.
Trust-based decisions effectively determine the security goals for shared
information and for access to sensitive or valuable resources. FAST focuses
on the formal models of security and trust that are needed to state goals
and policies for these interactions. We also seek new and innovative
techniques for establishing consequences of these formal models.
Implementation approaches for such techniques are also welcome.

-------------------------------------------------------------------------
ReConFig 2009
International Conference on ReConFigurable Computing and FPGAs, Special Track
on Reconfigurable Computing for Security and Cryptography, Cancun, Mexico,
December 9-11, 2009.
(Submissions due 31 July 2009)
http://www.reconfig.org

Reconfigurable hardware offers unique opportunities for the design and
implementation of secure applications in embedded and high-end computing
platforms. High performance, carefully-controlled execution, and physical
isolation are just a few of the advantages that hardware brings over
software.
At the same time, new challenges appear, such as the protection of
intellectual property in a reconfigurable fabric, and the protection of
soft-hardware against malicious tampering. This special track seeks the
latest innovations in reconfigurable computing for security and
cryptography.

Topics of interest include the following:
- Hardware Implementation of Novel Cryptographic Algorithms and Protocols
- Reconfigurable Cryptographic Primitives
- Special-Purpose Hardware for Cryptanalysis
- Hardware Support for Trustworthy Software Execution
- True and Pseudo Random Generators
- Circuit Identification and Physical Unclonable Functions
- Efficient Methods for Protection of Hardware IPs
- FPGA Design Security
- Fault Attacks and Side-channel Attacks
- Hardware Tamper Resistance and Tamper Evidence
- Hardware Trojan Detection and Resistance
- Design Flows for Hardware-based Secure Systems
- Performance Evaluation of Secure Reconfigurable Hardware

-------------------------------------------------------------------------
IEEE Design and Test of Computers, Special Issue on Verifying Physical
Trustworthiness of Integrated Circuits and Systems, January/February 2010.
(Submission Due 1 August 2009)
http://www.engr.uconn.edu/~tehrani/CFP-D&T-SI.pdf
Guest editors: Mohammad Tehranipoor (University of Connecticut, USA) and
Farinaz Koushanfar (Rice University, USA)

The emergence of a globalized, horizontal semiconductor business model raises
a set of concerns involving the security and trust of the information systems
on which modern society is increasingly reliant for mission-critical
functionality.
Hardware security and trust issues span a broad range, including threats
related to the malicious insertion of Trojan circuits designed, e.g., to act
as a silicon time bomb to disable a chip; to intellectual property (IP) and
integrated circuit (IC) piracy; to untrusted 3rd party IPs; to attacks
designed to extract encryption keys and IP from a chip; and to malicious
system disruption and diversion. Trojans can be inserted into a circuit or
system developed by a 3rd party IP vendor, system integrator, or foundry.

Topics of interest include (but are not limited to):
- Trojan detection and isolation
- Authenticating foundry of origin
- Watermarking
- IC Metering
- FPGA design security
- Physical unclonable functions (PUFs)
- Hardware intrusion detection and prevention
- Scan-chain encryption

-------------------------------------------------------------------------
MidSec 2009
2nd Workshop on Middleware Security, Held in conjunction with the 10th
ACM/IFIP/USENIX International Middleware Conference (MIDDLEWARE 2009),
Urbana Champaign, Illinois, USA, November 30, 2009.
(Submissions due 1 August 2009)
http://www.cs.kuleuven.be/conference/MidSec2009/

Modern applications are predominantly built around the distributed
programming paradigm. Client-server applications, grids, peer-to-peer
networks and event-based systems are examples of architectures that are used
by a large share of the present software base. These paradigms expose
applications to numerous, ever-growing security threats. However, many areas
of security are still only partially addressed with respect to middleware.
Examples are identity management, privacy and anonymity, accountability,
application protection, and so on. While more conventional research results
in the above-mentioned areas of middleware security are appreciated, this
year the MidSec workshop will particularly welcome papers in the area of
security measures for lightweight composition.
Papers are sought from two complementary angles: middleware platforms and
software architectures. Mashup editors provide an easy-to-use facility that
brings the power of software composition to the fingertips of any
Internet-connected user. The mashup model is catching on in the enterprise
world as well; it started with situational applications and is currently
spreading further. Ready or not, here it comes. We are about to face times
where application composition will be less and less rigid and hence will
more and more resemble organized chaos. Enforcing sound security principles
in such a muddled environment is an interesting research challenge for both
the middleware and the software architecture communities. On one hand,
software architecture modeling techniques must provide suitable abstractions
to represent and address the above (and many other) security concerns. On
the other hand, middleware platforms should support such abstractions in a
natural, usable way.

The topics of interest for papers include, but are not limited to:
- Middleware security and privacy
- Security and privacy in agent-based platforms
- Context-sensitive security middleware
- Security and privacy in aspect-based middleware
- Security and privacy in service-oriented architectures
- Middleware-level security monitoring and measurement
- Middleware-driven lightweight secure composition
- Architecture-driven lightweight secure composition
- Security and privacy in enterprise mashups
- Usability and security in lightweight composition

-------------------------------------------------------------------------
Information Systems Frontiers, Special Issue on Security Management and
Technologies for Protecting Against Internal Data Leakages, Spring or Summer
2010.
(Submission Due 14 August 2009)
http://www.som.buffalo.edu/isinterface/ISFrontiers/forthcoming1/InfoSec09-SI-CFP.pdf
Guest editors: David Chadwick (University of Kent, UK), Hang Bae Chang
(Daejin University, South Korea), Ilsun You (Korean Bible University, South
Korea), and Seong-Moo Yoo (University of Alabama in Huntsville, USA)

During the past decades, information security developments have been mainly
concerned with preventing illegal attacks by outsiders, such as hacking,
virus propagation, and spyware. However, according to a recent Gartner
Research Report, information leakage caused by insiders who are legally
authorized to have access to some corporate information is increasing
dramatically. These leakages can cause significant damage, such as weakening
the competitiveness of companies (and even countries). Information leakage
caused by insiders occurs less frequently than information leakage caused by
outsiders, but the financial damage is much greater. Countermeasures in
terms of physical, managerial, and technical aspects are necessary to
construct an integral security management system to protect companies' major
information assets from unauthorized internal attackers. The objective of
this special issue is to showcase the most recent challenges and advances in
security technologies and management systems to prevent leakage of
organizations' information caused by insiders. It may also include
state-of-the-art surveys and case analyses of practical significance. We
expect that the special issue will be a trigger for further research and
technology improvements related to this important subject.
Topics (include but are not limited to):
- Theoretical foundations and algorithms for addressing insider threats
- Insider threat assessment and modeling
- Security technologies to prevent, detect and avoid insider threats
- Validating the trustworthiness of staff
- Post-insider threat incident analysis
- Data breach modeling and mitigation techniques
- Registration, authentication and identification
- Certification and authorization
- Database security
- Device control system
- Digital forensic system
- Digital rights management system
- Fraud detection
- Network access control system
- Intrusion detection
- Keyboard information security
- Information security governance
- Information security management systems
- Risk assessment and management
- Log collection and analysis
- Trust management
- IT compliance (audit) and continuous auditing

-------------------------------------------------------------------------
IFIP-DF 2010
6th Annual IFIP WG 11.9 International Conference on Digital Forensics,
University of Hong Kong, Hong Kong, January 3-6, 2010.
(Submissions due 15 August 2009)
http://www.ifip119.org/Conferences/WG11-9-CFP-2010.pdf

The IFIP Working Group 11.9 on Digital Forensics (www.ifip119.org) is an
active international community of scientists, engineers and practitioners
dedicated to advancing the state of the art of research and practice in the
emerging field of digital forensics. The Sixth Annual IFIP WG 11.9
International Conference on Digital Forensics will provide a forum for
presenting original, unpublished research results and innovative ideas
related to the extraction, analysis and preservation of all forms of
electronic evidence. Technical papers are solicited in all areas related to
the theory and practice of digital forensics.
Areas of special interest include, but are not limited to:
- Theories, techniques and tools for extracting, analyzing and preserving
  digital evidence
- Network forensics
- Portable electronic device forensics
- Digital forensic processes and workflow models
- Digital forensic case studies
- Legal, ethical and policy issues related to digital forensics

-------------------------------------------------------------------------
UbiSafe 2009
2nd IEEE International Symposium on Ubisafe Computing, Chengdu, China,
December 12-14, 2009.
(Submissions due 15 August 2009)
http://cs.okstate.edu/ubisafe09/

The UbiSafe-09 Symposium provides a forum for engineers and scientists in
academia, industry, and government to address all profound safety-related
challenges, including technical, social, legal and ethical issues, and to
present and discuss their ideas, theories, technologies, systems, tools,
applications, work in progress and experience on all aspects of UbiSafe
computing. UbiSafe emphasizes the SAFE aspects of ubiquitous, pervasive,
AmI, mobile, universal, embedded, wearable, augmented, invisible, hidden,
context-aware, sentient, proactive, autonomic, or whatever it is called,
computing. UbiSafe computing is focused on theories and technologies for
ubiquitous artifacts to function safely for different purposes; for
ubiquitous systems to work safely in various situations; and for ubiquitous
environments to behave safely with all people. A series of challenges exist
to let people benefit from ubiquitous services, and simultaneously guarantee
their safety, in making ubiquitous safe artifacts, systems, and environments.

-------------------------------------------------------------------------
INTRUST 2009
The International Conference on Trusted Systems, Beijing, P. R. China,
December 17-19, 2009.
(Submissions due 17 August 2009)
http://www.tcgchina.org

INTRUST 2009 is the first International Conference on the theory,
technologies and applications of trusted systems.
It is devoted to all aspects of trusted computing systems, including trusted
modules, platforms, networks, services and applications, from their
fundamental features and functionalities to design principles, architecture
and implementation technologies. The goal of the conference is to bring
academic and industrial researchers, designers, and implementers together
with end-users of trusted systems, in order to foster the exchange of ideas
in this challenging and fruitful area. INTRUST 2009 solicits original papers
on any aspect of the theory, advanced development and applications of
trusted computing, trustworthy systems and general trust issues in modern
computing systems. The conference will have an academic track and an
industrial track. This call for papers is for contributions to both of the
tracks. Submissions to the academic track should emphasize theoretical and
practical research contributions to general trusted system technologies,
while submissions to the industrial track may focus on experiences in the
implementation and deployment of real-world systems.

Topics of relevance include but are not limited to:
- Fundamental features and functionalities of trusted systems
- Primitives and mechanisms for building a chain of trust
- Design principles and architectures of trusted modules and platforms
- Implementation technologies for trusted modules and platforms
- Cryptographic aspects of trusted systems, including cryptographic
  algorithms and protocols, and their implementation and application in
  trusted systems
- Scalable safe network operation in trusted systems
- Mobile trusted systems, such as trusted mobile platforms, sensor networks,
  mobile (ad hoc) networks, peer-to-peer networks, Bluetooth, etc.
- Storage aspects for trusted systems
- Applications of trusted systems, e.g. trusted email, web services and
  various e-commerce services
- Trusted intellectual property protection: metering, watermarking and
  digital rights management
- Software protection for trusted systems
- Authentication and access control for trusted systems
- Key, identity and certificate management for trusted systems
- Privacy aspects for trusted systems
- Attestation aspects for trusted systems, such as measurement and
  verification of the behavior of trusted systems
- Standards organizations and their contributions to trusted systems, such
  as TCG, ISO/IEC, IEEE 802.11, etc.
- Emerging technologies for trusted systems, such as RFID, memory spots, etc.
- Trust metrics and robust trust inference in distributed systems
- Usability and reliability aspects for trusted systems
- Trust modeling, economic analysis and protocol design for rational and
  malicious adversaries
- Virtualisation for trusted systems
- Limitations of trusted systems
- Security analysis of trusted systems, including formal method proofs,
  provable security and automated analysis
- Security policies for, and management of, trusted systems
- Intrusion resilience and revocation aspects for trusted systems
- Scalability aspects of trusted systems
- Compatibility aspects of trusted systems
- Experiences in building real-world trusted systems
- Socio-economic aspects of trusted systems

-------------------------------------------------------------------------
Inscrypt 2009
5th China International Conference on Information Security and Cryptology,
Beijing, China, December 12-15, 2009.
(Submissions due 25 August 2009)
http://www.inscrypt.cn/

Inscrypt 2009 seeks high-quality research contributions in the form of
well-developed papers.
Topics of interest encompass research advances in ALL areas of cryptology, information security and their applications, and include:
- Access Control
- Authentication and Authorization
- Biometric Security
- Distributed System Security
- Database Security
- Electronic Commerce Security
- Intrusion Detection
- Information Hiding and Watermarking
- Key Management and Key Recovery
- Network Security
- Security Protocols and Their Analysis
- Security Modeling and Architectures
- Provable Security
- Secure Multiparty Computation
- Foundations of Cryptography
- Secret Key and Public Key Cryptosystems
- Implementation of Cryptosystems
- Hash Functions and MACs
- Block Cipher Modes of Operation
- Intellectual Property Protection
- Mobile System Security
- Operating System Security
- Risk Evaluation and Security Certification
- Prevention and Detection of Malicious Codes
-------------------------------------------------------------------------
International Journal of Communication Networks and Information Security, Special Issue on Composite and Integrated Security Solutions for Wireless Sensor Networks, Spring 2010. (Submission Due 1 September 2009)
http://ijcnis.kust.edu.pk/announcement
Guest editors: Riaz Ahmed Shaikh (Kyung Hee University, Korea), Al-Sakib Khan Pathan (Kyung Hee University, Korea), and Jaime Lloret (Polytechnic University of Valencia, Spain)
This special issue is devoted to composite and integrated security solutions for Wireless Sensor Networks (WSNs). In WSNs, researchers have so far focused on the individual aspects of security (cryptography, privacy or trust), each of which protects against specific types of attacks. However, efforts on achieving completeness via a composite and integrated solution are lacking. Such completeness is ultimately necessary because of the wide applicability of WSNs in sensitive applications such as health-care, military and habitat monitoring.
The objective of this special issue is to gather recent advances in the area of composite and integrated security solutions for wireless sensor networks. This special issue covers topics that include, but are not limited to:
- Adaptive and Intelligent Defense Systems
- Authentication and Access control
- Data security and privacy
- Denial of service attacks and countermeasures
- Identity, Route and Location Anonymity schemes
- Intrusion detection and prevention techniques
- Cryptography, encryption algorithms and Key management schemes
- Secure routing schemes
- Secure neighbor discovery and localization
- Trust establishment and maintenance
- Confidentiality and data integrity
- Security architectures, deployments and solutions
-------------------------------------------------------------------------
Journal of System Architecture, Special Issue on Security and Dependability Assurance of Software Architectures, Spring 2010. (Submission Due 1 September 2009)
http://ees.elsevier.com/jsa/
Guest editors: Ernesto Damiani (Università degli Studi di Milano, Italy), Sigrid Gürgens (Fraunhofer Institute for Secure Information Technology, Germany), Antonio Maña (Universidad de Málaga, Spain), George Spanoudakis (City University, London, UK), and Claudio A. Ardagna (Università degli Studi di Milano, Italy)
The JSA special issue will focus in particular on context, methodologies, techniques, and tools for verification and validation (V&V) of software architectures, with particular focus on supporting assurance and compliance, as well as security and dependability (S&D) certification, for evolving and long-lived systems.
Authors are invited to submit papers on a variety of topics, including but not limited to:
- foundations and new perspectives of V&V mechanisms and security certifications
- solutions, tools, frameworks for S&D assurance and certification
- new and/or existing certification processes and tools suitable for challenging contexts (e.g., telecommunications, mobile, real time, process control, and embedded systems), and/or experience with them
- new and/or existing modelling techniques which are particularly suited to evolving systems, and/or experience with them
- tools and case studies that integrate techniques from different areas, such as V&V mechanisms, including static verification, dynamic verification, testing, product and process certification, empirical software engineering, modeling of evolving and distributed systems
-------------------------------------------------------------------------
SAC-CF 2010 25th ACM Symposium on Applied Computing, Computer Forensics Track, Sierre, Switzerland, March 22-26, 2010. (Submissions due 8 September 2009)
http://comp.uark.edu/~bpanda/sac2010cfp.pdf
With the exponential growth of computer users, the number of criminal activities that involve computers has increased tremendously. The field of Computer Forensics has gained considerable attention in the past few years. It is clear that in addition to law enforcement agencies and legal personnel, the involvement of computer-savvy professionals is vital for any digital incident investigation. Unfortunately, there are not many well-qualified computer crime investigators available to meet this demand. One approach to this problem is to develop state-of-the-art research and development tools for practitioners, in addition to creating awareness among computer users.
The primary goal of this track will be to provide a forum for researchers, practitioners, and educators interested in Computer Forensics in order to advance research and educational methods in this increasingly challenging field. We expect that people from academia, industry, government, and law enforcement will share their previously unpublished ideas on research, education, and practice through this track. We solicit original, previously unpublished papers in the following general (non-exhaustive) list of topics:
- Incident Response and Live Data Analysis
- Operating System and Application Analysis
- File System Analysis
- Network Evidence Collection
- Network Forensics
- Data Hiding and Recovery
- Digital Image Forensics
- Event Reconstruction and Tracking
- Forensics in Untrusted Environments
- Hardware Assisted Forensics
- Legal, Ethical and Privacy Issues
- Attributing Malicious Cyber Activity
- Design for Forensic Evaluation
- Visualization for Forensics
-------------------------------------------------------------------------
SAC-TRECK 2010 25th ACM Symposium on Applied Computing, Trust, Reputation, Evidence and other Collaboration Know-how Track (TRECK), Sierre, Switzerland, March 22-26, 2010. (Submissions due 8 September 2009)
http://www.trustcomp.org/treck/
Computational models of trust and online reputation mechanisms have been gaining momentum. The goal of the ACM SAC 2010 TRECK track remains to review the set of applications that benefit from the use of computational trust and online reputation. Computational trust has been used in reputation systems, risk management, collaborative filtering, social/business networking services, dynamic coalitions, virtual organisations and even combined with trusted computing hardware modules. The TRECK track covers all computational trust/reputation applications, especially those used in real-world applications.
The topics of interest include, but are not limited to:
- Recommender and reputation systems
- Trust management, reputation management and identity management
- Pervasive computational trust and use of context-awareness
- Mobile trust, context-aware trust
- Web 2.0 reputation and trust
- Trust-based collaborative applications
- Automated collaboration and trust negotiation
- Trade-off between privacy and trust
- Trust/risk-based security frameworks
- Combined computational trust and trusted computing
- Tangible guarantees given by formal models of trust and risk
- Trust metrics assessment and threat analysis
- Trust in peer-to-peer and open source systems
- Technical trust evaluation and certification
- Impacts of social networks on computational trust
- Evidence gathering and management
- Real-world applications, running prototypes and advanced simulations
- Applicability in large-scale, open and decentralised environments
- Legal and economic aspects related to the use of trust and reputation engines
- User-studies and user interfaces of computational trust and online reputation applications
-------------------------------------------------------------------------
SAC-ISRA 2010 25th ACM Symposium on Applied Computing, Information Security Research and Applications Track, Sierre, Switzerland, March 22-26, 2010. (Submissions due 8 September 2009)
http://www.albany.edu/~er945/CfP_SAC2010_ISRA.html
As society becomes more reliant on information systems, networks, and mobile communication, we become more vulnerable to security incidents. Our critical infrastructures for energy, communication, and transportation are interconnected via the Internet, bringing with them both the efficiencies and economies of scale and the risks associated with open networks. It has turned out that economic and societal interests go beyond technical security, as they also relate to organizational and behavioral security facets.
This track provides a venue for holistic security issues related to detecting, mitigating and preventing the threat of attacks against information and communication systems. It brings together security researchers from the areas of computer science, information systems and systems science who are otherwise spread over multiple conferences. Papers that address improving the security of information-system-reliant organizations against threats through technical, organizational, or behavioral change are encouraged. These may include simulation studies, case-based research, empirical studies, and other applications of quantitative and qualitative methods. Topics include, but are not limited to:
- Internet security
- Economics of information security
- Identifying modes of misuse
- Applications of access policies
- Analysis of known and unknown modes of attack
- Detecting and mitigating insider threats
- Modeling risks and approaches to mitigation
- Teaching and training security and business managers about information security
- Creating channels and techniques to share confidential information
- Modeling and theory building of security issues
- Insider threats
- Social and business security policy
- Intrusion detection/prevention
- Electronic commerce security and privacy
- Secure software development
- Electronic voting
- Security metrics
- Risk and fraud assessment
- Trust
- Process Control Systems / SCADA security
-------------------------------------------------------------------------
NDSS 2010 17th Annual Network & Distributed System Security Symposium, San Diego, CA, USA, February 28 - March 3, 2010. (Submissions due 11 September 2009)
http://www.isoc.org/isoc/conferences/ndss/10/cfp.shtml
The Network and Distributed System Security Symposium fosters information exchange among research scientists and practitioners of network and distributed system security services.
The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation (rather than theory). A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technology. Submissions are solicited in, but not limited to, the following areas:
- Security of Web-based applications and services
- Anti-malware techniques: detection, analysis, and prevention
- Intrusion prevention, detection, and response
- Security for electronic voting
- Combating cyber-crime: anti-phishing, anti-spam, anti-fraud techniques
- Privacy and anonymity technologies
- Network perimeter controls: firewalls, packet filters, and application gateways
- Security for emerging technologies: sensor networks, wireless/mobile (and ad hoc) networks, and personal communication systems
- Security for Vehicular Ad-hoc Networks (VANETs)
- Security for peer-to-peer and overlay network systems
- Security for electronic commerce: e.g., payment, barter, EDI, notarization, timestamping, endorsement, and licensing
- Implementation, deployment and management of network security policies
- Intellectual property protection: protocols, implementations, metering, watermarking, digital rights management
- Integrating security services with system and application security facilities and protocols
- Public key infrastructures, key management, certification, and revocation
- Special problems and case studies: e.g., tradeoffs between security and efficiency, usability, reliability and cost
- Security for collaborative applications: teleconferencing and video-conferencing
- Software hardening: e.g., detecting and defending against software bugs (overflows, etc.)
- Security for large-scale systems and critical infrastructures
- Integrating security in Internet protocols: routing, naming, network management
-------------------------------------------------------------------------
EC2ND 2009 5th European Conference on Computer Network Defence, Politecnico di Milano, Milano, Italy, November 12-13, 2009. (Submissions due 15 September 2009)
http://2009.ec2nd.org/
The theme of the conference is the protection of computer networks. The conference will draw participants from academia and industry in Europe and beyond to discuss hot topics in applied network and systems security. EC2ND invites submissions presenting novel ideas at an early stage with the intention to act as a discussion forum and feedback channel for promising, innovative security research. While our goal is to solicit ideas that are not completely worked out, and might have challenging and interesting open questions, we expect submissions to be supported by some evidence of feasibility or preliminary quantitative results. Topics include but are not limited to:
- Intrusion Detection
- Denial-of-Service
- Privacy Protection
- Security Policy
- Peer-to-Peer and Grid Security
- Network Monitoring
- Web Security
- Vulnerability Management and Tracking
- Network Forensics
- Wireless and Mobile Security
- Cryptography
- Network Discovery and Mapping
- Incident Response and Management
- Malicious Software
- Web Services Security
- Legal and Ethical Issues
-------------------------------------------------------------------------
FC 2010 Financial Cryptography and Data Security, Tenerife, Canary Islands, Spain, January 25-28, 2010. (Submissions due 15 September 2009)
http://fc10.ifca.ai/
Financial Cryptography and Data Security is a major international forum for research, advanced development, education, exploration, and debate regarding information assurance, with a specific focus on commercial contexts.
The conference covers all aspects of securing transactions and systems. Original works focusing on both fundamental and applied real-world deployments on all aspects surrounding commerce security are solicited. Submissions need not be exclusively concerned with cryptography. Systems security and inter-disciplinary efforts are particularly encouraged. ------------------------------------------------------------------------- WiSec 2010 3rd ACM Conference on Wireless Network Security, Stevens Institute of Technology, Hoboken, NJ, USA, March 22-24, 2010. (Submissions due 21 September 2009) http://www.sigsac.org/wisec/WiSec2010 As wireless networks become ubiquitous, their security gains in importance. The ACM Conference on Wireless Network Security (WiSec) aims at exploring attacks on wireless networks as well as techniques to thwart them. The considered networks encompass cellular, metropolitan, local area, vehicular, ad hoc, satellite, underwater, cognitive radio, and sensor networks, as well as RFID. 
Topics of interest include, but are not limited to:
- Naming and addressing vulnerabilities
- Key management in wireless/mobile environments
- Secure neighbor discovery / Secure localization
- Secure PHY and MAC protocols
- Trust establishment
- Intrusion detection, detection of malicious behavior
- Revocation of malicious parties
- Denial of service
- User privacy, location privacy
- Anonymity, prevention of traffic analysis
- Identity theft and phishing in mobile networks
- Charging
- Cooperation and prevention of non-cooperative behavior
- Economics of wireless security
- Vulnerability and attack modeling
- Incentive-aware secure protocol design
- Jamming/Anti-jamming communication
- Cross-layer design for security
- Monitoring and surveillance
- Cryptographic primitives for wireless communication
- Formal methods for wireless security
- Mobile platform and systems (OS and application) security
-------------------------------------------------------------------------
ASIACCS 2010 5th ACM Symposium on Information, Computer and Communications Security, Beijing, China, April 13-16, 2010. (Submissions due 28 September 2009)
ASIACCS is a major international forum for information security researchers, practitioners, developers, and users to explore and exchange the latest cyber-security ideas, breakthroughs, findings, techniques, tools, and experiences. We invite submissions from academia, government, and industry presenting novel research on all theoretical and practical aspects of computer and network security.
Topics of interest include, but are not limited to:
- anonymity
- access control
- secure networking
- accounting and audit
- key management
- intrusion detection
- authentication
- smartcards
- data and application security
- malware and botnets
- privacy-enhancing technology
- software security
- inference/controlled disclosure
- intellectual-property protection
- digital-rights management
- trusted computing
- phishing and countermeasures
- commercial and industry security
- security management
- web security
- applied cryptography
- mobile-computing security
- cryptographic protocols
- data/system integrity
- information warfare
- formal methods for security
- identity management
- security in ubiquitous computing, e.g., RFIDs
- security and privacy for emerging technologies, e.g., VoIP, peer-to-peer and overlay network systems, Web 2.0
-------------------------------------------------------------------------
ESSoS 2010 2nd International Symposium on Engineering Secure Software and Systems, Pisa, Italy, February 3-4, 2010. (Submissions due 30 September 2009)
http://distrinet.cs.kuleuven.be/events/essos2010
The goal of this symposium is to bring together researchers and practitioners to advance the states of the art and practice in secure software engineering. Being one of the few conference-level events dedicated to this topic, it explicitly aims to bridge the software engineering and security engineering communities, and promote cross-fertilization. The symposium will feature two days of technical program as well as one day of tutorials. The technical program includes an experience track for which the submission of highly informative case studies describing (un)successful secure software project experiences and lessons learned is explicitly encouraged.
Topics of interest include, but are not limited to:
- scalable techniques for threat modeling and analysis of vulnerabilities
- specification and management of security requirements and policies
- security architecture and design for software and systems
- model checking for security
- specification formalisms for security artifacts
- verification techniques for security properties
- systematic support for security best practices
- security testing
- security assurance cases
- programming paradigms, models and DSLs (domain-specific languages) for security
- program rewriting techniques
- processes for the development of secure software and systems
- security-oriented software reconfiguration and evolution
- security measurement
- automated development
- trade-off between security and other non-functional requirements
- support for assurance, certification and accreditation
-------------------------------------------------------------------------
Elsevier Computer Communications, Special Issue on Multimedia Networking and Security in Convergent Networks, Summer 2010. (Submission Due 1 November 2009)
http://www.dacas.cn/asiaccs2010
Guest editors: Chang Wen Chen (University at Buffalo, USA), Stefanos Gritzalis (University of the Aegean, Greece), Pascal Lorenz (University of Haute Alsace, France), and Shiguo Lian (France Telecom R&D Beijing, China)
Authors are invited to submit detailed technical manuscripts reporting recent developments in the topics related to the special issue. Note the special emphasis on convergent and heterogeneous networks: this special issue is devoted to exploring the challenges and solutions for multimedia communication and security in convergent network environments. The new challenge in network management is to deal with heterogeneous client capabilities as well as dynamic end-to-end resource availability, and to ensure satisfactory service quality for every client.
The new challenge in secure communication is to solve the privacy and security issues that are becoming increasingly important in network convergence. Some suggested topics include but are not limited to:
- Heterogeneous multimedia networking
- Cross-layer multimedia adaptation
- Inter-network multimedia adaptation
- QoS control in network convergence
- Interactive Mobile TV based on network convergence
- Mobile community based on network convergence
- Smart home networks based on network convergence
- Telematics systems based on network convergence
- E-healthcare systems based on network convergence
- Privacy preserving in network convergence
- Multimedia content security in network convergence
- Digital rights management in network convergence
- Content tracking and filtering in network convergence
- Intrusion detection and prevention in network convergence
- Other networking or security issues in network convergence
-------------------------------------------------------------------------
IEEE Security & Privacy Magazine, Special Issue on Privacy-Preserving Sharing of Sensitive Information, July/August 2010. (Submission Due 15 November 2009)
https://mc.manuscriptcentral.com/cs-ieee
Guest editors: Sal Stolfo (Columbia University, USA) and Gene Tsudik (UC Irvine, USA)
Privacy-Preserving Sharing of Sensitive Information (PPSSI) is motivated by the increasing need for organizations or people who don't fully trust each other to share sensitive information. Many types of organizations must often collect, analyze, and disseminate data rapidly and accurately without exposing sensitive information to wrong or untrusted parties. For example, census-takers collect private data with the understanding that it won't be released in a form traceable to the individual who provided it. Companies might be willing to divulge sensitive financial data to organizations that release only aggregate data for an industry sector.
A hospital might share patient information with a state health agency but only to allow the latter to determine the number (and not the identities) of uninsured patients. While statistical methods for protecting data have been in use for decades, they're not foolproof and they generally involve a trusted third party to produce privacy-preserving statistical digests. More recently, techniques employing secure multi-party function evaluation, encrypted keywords, and private information retrieval have been studied and, in a few cases, deployed. However, there are no practical tools and technologies to guarantee data privacy, especially whenever organizations have certain common goals and require exchanges of data. To this end, the objective of PPSSI technology is to enable multiple entities to cooperate and share information without exposing more than what is necessary to complete a common task. Potential submission topics include (but are not limited to) the following:
- PPSSI requirements and policy enforcement; prospective policies governing PPSSI, including formal models and policy languages as well as trust models.
- Data "cleaning" and obfuscation techniques.
- Cryptographic protocols; innovative constructs, their performance and implementation issues, for example, private information retrieval, searching over encrypted data and private set operations.
- Data management; storage and data management issues arising in PPSSI settings.
- Secure hardware; architectures and technologies in support of PPSSI.
-------------------------------------------------------------------------
SP 2010 31st IEEE Symposium on Security and Privacy, The Claremont Resort, Oakland, CA, USA, May 16-19, 2010. (Submissions due 18 November 2009)
http://oakland10.cs.virginia.edu/cfp.html
Since 1980, the IEEE Symposium on Security and Privacy has been the premier forum for computer security research, presenting the latest developments and bringing together researchers and practitioners.
We solicit previously unpublished papers offering novel research contributions in any aspect of computer security or privacy. Papers may present advances in the theory, design, implementation, analysis, verification, or empirical evaluation of secure systems. S&P is interested in all aspects of computer security and privacy. Papers without a clear application to security or privacy, however, will be considered out of scope and may be rejected without full review.

*Systematization of Knowledge Papers*: In addition to the standard research papers, we are also soliciting papers focused on systematization of knowledge. The goal of this call is to encourage work that evaluates, systematizes, and contextualizes existing knowledge. These papers will provide a high value to our community but would otherwise not be accepted because they lack novel research contributions. Suitable papers include survey papers that provide useful perspectives on major research areas, papers that support or challenge long-held beliefs with compelling evidence, or papers that provide an extensive and realistic evaluation of competing approaches to solving specific problems. Submissions will be distinguished by a checkbox on the submission form. They will be reviewed by the full PC and held to the same standards as traditional research papers, except instead of emphasizing novel research contributions the emphasis will be on value to the community. Accepted papers will be presented at the symposium and included in the proceedings.

*Workshops*: The Symposium is also soliciting submissions for co-located workshops. Workshop proposals should be sent by Friday, 21 August 2009 by email to Carrie Gates (carrie.gates@ca.com). Workshops may be half-day or full-day in length. Submissions should include the workshop title, a short description of the topic of the workshop, and biographies of the organizers.
-------------------------------------------------------------------------
IFIP-CIP 2010 4th Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection, Fort McNair, Washington, DC, USA, March 14-17, 2010. (Submissions due 31 December 2009)
http://www.ifip1110.org
The IFIP Working Group 11.10 on Critical Infrastructure Protection is an active international community of researchers, infrastructure operators and policy-makers dedicated to applying scientific principles, engineering techniques and public policy to address current and future problems in information infrastructure protection. Following the success of the first three conferences, the Fourth Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection will again provide a forum for presenting original, unpublished research results and innovative ideas related to all aspects of critical infrastructure protection. Papers are solicited in all areas of critical infrastructure protection. Areas of interest include, but are not limited to:
- Infrastructure vulnerabilities, threats and risks
- Security challenges, solutions and implementation issues
- Infrastructure sector interdependencies and security implications
- Risk analysis and risk assessment methodologies
- Modeling and simulation of critical infrastructures
- Legal, economic and policy issues
- Secure information sharing
- Infrastructure protection case studies
- Distributed control systems/SCADA security
- Telecommunications network security
-------------------------------------------------------------------------
====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================
http://cisr.nps.edu/jobscipher.html
--------------
This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil
====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================
____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________
SUBSCRIPTIONS: Two options, each with two ways to subscribe:
1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe". OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself).
2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard". OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself).
To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard
Those with access to hypertext browsers may prefer to read Cipher that way.
It can be found at URL http://www.ieee-security.org/cipher.html CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors. 
____________________________________________________________________
Recent Address Changes
____________________________________________________________________
Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html
_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________
You may easily join the TC on Security & Privacy by completing the on-line form at IEEE at http://www.computer.org/TCsignup/index.htm
______________________________________________________________________
TC Publications for Sale
______________________________________________________________________
IEEE Security and Privacy Symposium
The 2007 proceedings are available in hardcopy for $30.00, the 28-year CD is $20.00, plus shipping and handling. The 2006 Symposium proceedings and 11-year CD are sold out. The 2005, 2004, and 2003 Symposium proceedings are available for $10 plus shipping and handling. Shipping is $4.00/volume within the US, overseas surface mail is $7/volume, and overseas airmail is $11/volume, based on an order of 3 volumes or less. The shipping charge for a CD is $1 per CD (no charge if included with a hard copy order). Send a check made out to the IEEE Symposium on Security and Privacy to the 2007 treasurer (below) with the order description, including shipping method, and send email to the 2007 Registration Chair (Yong Guan) (oakland07-registration @ ieee-security.org) with the shipping address, please.
Terry Benzel Treasurer, IEEE Security and Privacy USC Information Sciences Institute 4676 Admiralty Way Marina Del Rey, CA 90292 (310) 822-1511 IEEE CS Press You may order some back issues from IEEE CS Press at http://www.computer.org/cspress/catalog/proc9.htm Computer Security Foundations Symposium Copies of the proceedings of the Computer Security Foundations Workshop (now Symposium) are available for $10 each. Copies of proceedings are available starting with year 10 (1997). Photocopy versions of year 1 are also $10. Contact Jonathan Herzog if interested in purchase. Jonathan Herzog jherzog@alum.mit.edu ____________________________________________________________________________ TC Officer Roster ____________________________________________________________________________ Chair: Security and Privacy Chair Emeritus: Prof. Cynthia Irvine David Du U.S. Naval Postgraduate School Department of Computer Science Computer Science Department and Engineering Code CS/IC University of Minnesota Monterey CA 93943-5118 Minneapolis, MN 55455 (831) 656-2461 (voice) oakland09-chair@ieee-security.org irvine@nps.edu Vice Chair: Chair, Subcommittee on Academic Affairs: Hilarie Orman Prof. Cynthia Irvine Purple Streak, Inc. U.S. Naval Postgraduate School 500 S. Maple Dr. Computer Science Department, Code CS/IC Salem, UT 84653 Monterey CA 93943-5118 hilarie @purplestreak.com (831) 656-2461 (voice) irvine@nps.edu Treasurer: Chair, Subcomm. on Security Conferences: Terry Benzel Jonathan Millen USC Information Sciences Intnl The MITRE Corporation, Mail Stop S119 4676 Admiralty Way, Suite 1001 202 Burlington Road Rte. 62 Los Angeles, CA 90292 Bedford, MA 01730-1420 (310) 822-1511 (voice) 781-271-51 (voice) tbenzel @isi.edu jmillen@mitre.org Security and Privacy Symposium Newsletter Editor 2010 General Chair: Hilarie Orman Ulf Lindqvist 500 S. Maple Dr. 
SRI Salem, UT 84653 Menlo Park, California cipher-editor@ieee-security.org ________________________________________________________________________ BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html Cipher is published 6 times per year
