Commentary and Opinion
Richard Austin's review of Social Engineering: The Art of Human Hacking by Christopher Hadnagy
NewsBits: Announcements and correspondence from readers (please contribute!)
NIST requests comments on the draft revisions of two publications: NIST Special Publication (SP) 800-57, Part 1 and SP 800-90A.
The revision of SP 800-57, Part 1, Recommendation for Key Management: Part 1: General, is intended to align the document with SP 800-131A, as well as to provide a general update of the document, including references to NIST publications that have been completed since the last revision of the document. A general list of the changes is provided at the end of Appendix D, and except for some editorial changes, the changes within the document are marked. The document is available at http://csrc.nist.gov/publications/PubsDrafts.html. Please send comments to KeyManagement@nist.gov by July 1, 2011, with "SP 800-57, Part 1 comments" in the subject line.
SP 800-90A, Recommendation for Random Number Generation Using Deterministic Random Bit Generators, is intended as a revision of the currently-posted version of SP 800-90. Two of the appendices in SP 800-90 provided information on entropy sources and RBG constructions. These topics will be discussed in further detail in SP 800-90B and SP 800-90C, respectively, which are under development. SP 800-90A takes into account the work on RBGs that has been conducted within Accredited Standards Committee X9 since the original publication of SP 800-90. A general list of the changes is provided at the end of Appendix H, and except for some editorial changes, the changes within the document are marked. The document is available at http://csrc.nist.gov/publications/PubsDrafts.html. Please send comments to RBG_comments@nist.gov by August 1, 2011, with "SP 800-90A comments" in the subject line.
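As an added illustration of the mechanism SP 800-90A specifies, and not code from NIST, from the draft, or from this newsletter: the HMAC_DRBG construction over SHA-256, written from the draft's Instantiate / Reseed / Generate / Update description. The entropy input, nonce and personalization string below are constructed test values, and the class name and instance limits are this example's own. A real instantiation must take its entropy_input from an approved entropy source, which is exactly the material the draft moves out to SP 800-90B; the DRBG itself only stretches and isolates that seed, it never creates randomness.

```python
"""HMAC_DRBG over SHA-256, following SP 800-90A section 10.1.2.

Added example, not NIST code. Entropy input is constructed test data;
an approved entropy source (SP 800-90B) must supply it in practice.
"""
import hashlib
import hmac


class HmacDrbg:
    OUTLEN = 32                  # SHA-256 output length in bytes
    RESEED_INTERVAL = 1 << 48    # max generate calls between reseeds (SP 800-90A)
    MAX_REQUEST_BYTES = 1 << 16  # max_number_of_bits_per_request (2^19 bits) / 8

    def __init__(self, entropy_input: bytes, nonce: bytes = b"",
                 personalization: bytes = b"") -> None:
        # Instantiate: K = 0x00...00, V = 0x01...01, then absorb the seed material
        if len(entropy_input) < self.OUTLEN:
            raise ValueError("entropy_input shorter than the security strength")
        self._K = b"\x00" * self.OUTLEN
        self._V = b"\x01" * self.OUTLEN
        self._update(entropy_input + nonce + personalization)
        self.reseed_counter = 1

    @staticmethod
    def _mac(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, provided_data: bytes) -> None:
        # HMAC_DRBG_Update: mix provided_data into the (K, V) state
        self._K = self._mac(self._K, self._V + b"\x00" + provided_data)
        self._V = self._mac(self._K, self._V)
        if not provided_data:
            return
        self._K = self._mac(self._K, self._V + b"\x01" + provided_data)
        self._V = self._mac(self._K, self._V)

    def reseed(self, entropy_input: bytes, additional_input: bytes = b"") -> None:
        # Fresh entropy replaces the old state's dependence on the original seed
        self._update(entropy_input + additional_input)
        self.reseed_counter = 1

    def generate(self, n: int, additional_input: bytes = b"") -> bytes:
        if n > self.MAX_REQUEST_BYTES:
            raise ValueError("request exceeds max_number_of_bits_per_request")
        if self.reseed_counter > self.RESEED_INTERVAL:
            raise RuntimeError("reseed required before further output")
        if additional_input:
            self._update(additional_input)
        out = b""
        while len(out) < n:
            self._V = self._mac(self._K, self._V)  # each block is HMAC(K, previous V)
            out += self._V
        # Post-generate update gives backtracking resistance: a later state
        # compromise does not reveal output already handed out.
        self._update(additional_input)
        self.reseed_counter += 1
        return out[:n]


if __name__ == "__main__":
    seed = bytes(range(32))          # constructed, NOT an entropy source
    drbg = HmacDrbg(seed, nonce=b"\x00" * 16, personalization=b"cipher-demo")
    print(drbg.generate(32).hex())
```

Two properties worth checking on any DRBG implementation: the same seed material must reproduce the same stream (the generator is deterministic by definition, so seed reuse is a real-world failure, not a theoretical one), and the reseed counter must actually gate output once the interval is exceeded.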
At the 3rd International Conference on Verified Software: Theories, Tools and Experiments (VSTTE 2010), it was announced that Microsoft Research would sponsor an award that recognises significant technological advances towards the goals of the Verified Software Initiative (VSI).
We are delighted to announce that the recipients of the inaugural Microsoft Research Verified Software Milestone Award are Janet Barnes and Rod Chapman for the Tokeneer Project (http://www.altran-praxis.com/security.aspx).
The formal presentation of the Award will be made to Janet and Rod at AVoCS 2011 (http://conferences.ncl.ac.uk/AVoCS2011/), which is being hosted by Newcastle University this September.
"Congratulations to Janet and Rod as well-deserved recipients of this award. And thanks to Altran Praxis and the US National Security Agency for their commitment to their project. It has given a persuasive demonstration of the cost effectiveness of formal methods in application to security software, and complements similar experience at Microsoft." (Prof. Sir Tony Hoare, Microsoft Research)
The full award citation is provided along with further details of the award process at the VSI website, i.e. http://dream.inf.ed.ac.uk/vsi.
Kind regards,
Listing of academic positions available by
New Posted May 2011
University of Massachusetts Amherst
Amherst, MA, USA
Positions: Research Scientist, Postdoctoral Research Associate, Undergraduate Researcher
Collaboration with faculty in Computer Science and Electrical and Computer Engineering
Open until filled
In the research project "Trust and Access Policies on the Web" there is a vacancy for a 4 year PhD position at the Computer Science Department of the VU University Amsterdam, in a joint project between the Theoretical Computer Science Group (http://www.cs.vu.nl/~tcs), the Knowledge Representation and Reasoning Group (http://krr.cs.vu.nl/), and the Web and Media Group (http://www.few.vu.nl/~guus/). Industrial partners are Rijksmuseum in Amsterdam (http://www.rijksmuseum.nl/) and Naturalis Museum in Leiden (http://www.naturalis.nl/).
The aim of the project is to develop a framework for controlling Web access and for evaluating to what extent distributed, user-contributed content can be trusted. See the paper http://journal.webscience.org/315/2/websci10_submission_81.pdf for a first step in this direction. More information on the research project can be found at http://www.cs.vu.nl/~tcs/WP8.doc.
This is a work package (WP8) within the project "Socially-Enriched Access to Cultural Media", which itself is part (project P6) of the Dutch national COMMIT research project. The original COMMIT project description can be found at http://www.commit-nl.nl/090929%20COMMIT%20PROGRAMMA.pdf.
To apply for the PhD position, send a CV, letter of motivation, and names of at least two references to Wan Fokkink (firstname.lastname@example.org). Deadline for application is June 14, 2011.
Conference and Workshop Announcements
Cipher calendar announcements are on Twitter; follow "ciphernews"
New calls or announcements added since Cipher E101 (the calls-for-papers and the calendar announcements may differ slightly in content or time of update):
FAST 2011 8th International Workshop on Formal Aspects of Security & Trust, Held in conjunction with the European Symposium on Research in Computer Security (ESORICS 2011), Leuven, Belgium, September 15-16, 2011. (Submissions due 1 June 2011)
The eighth International Workshop on Formal Aspects of Security and Trust aims at continuing the successful efforts of the previous FAST workshops, fostering cooperation among researchers in the areas of security and trust. Computing and network infrastructures have become pervasive, and now support a great deal of economic activity. Thus, society needs suitable security and trust mechanisms. Interactions increasingly span several enterprises and involve loosely structured communities of individuals. Participants in these activities must control interactions with their partners based on trust policies and business logic. Trust-based decisions effectively determine the security goals for shared information and for access to sensitive or valuable resources. FAST focuses on the formal models of security and trust that are needed to state goals and policies for these interactions. We also seek new and innovative techniques for establishing consequences of these formal models. Implementation approaches for such techniques are also welcome.
IWSSC 2011 1st International Workshop on Securing Services on the Cloud, Held in conjunction with the 5th International Conference on Network and System Security (NSS 2011), Milan, Italy, September 6-8, 2011. (Submissions due 1 June 2011)
The ongoing convergence of Service-Oriented Architectures (SOAs) and the Cloud computing paradigm provides a new environment fostering the integration of services located within company boundaries with those on the Cloud. An increasing number of organizations implement their business processes and applications via runtime composition of services made available on the Cloud by external suppliers. This scenario is changing the traditional view of security, introducing new service security risks and threats, and requires re-thinking of current development, testing, and verification methodologies. IWSSC 2011 aims to address the security issues related to the deployment of services on the Cloud, along with evaluating their impact on traditional security solutions for software and network systems. The workshop seeks submissions from academia and industry presenting novel research on all theoretical and practical aspects of security of services implemented on the Cloud, as well as experimental studies in Cloud infrastructures, the implementation of services, and lessons learned. Topics of interest include, but are not limited to:
SETOP 2011 4th International Workshop on Autonomous and Spontaneous Security, Held in conjunction with the European Symposium on Research in Computer Security (ESORICS 2011), Leuven, Belgium, September 15-16, 2011. (Submissions due 5 June 2011)
The SETOP Workshop seeks submissions that present research results on all aspects related to spontaneous and autonomous security. Topics of interest include, but are not limited to the following:
DPM 2011 6th International Workshop on Data Privacy Management, Held in conjunction with the European Symposium on Research in Computer Security (ESORICS 2011), Leuven, Belgium, September 15-16, 2011. (Submissions due 5 June 2011)
The aim of this workshop is to discuss and exchange the ideas related to privacy data management. We invite papers from researchers and practitioners working in privacy, security, trustworthy data systems and related areas to submit their original papers in this workshop. Topics of interest include, but are not limited to the following:
WISA 2011 12th International Workshop on Information Security Applications, Jeju Island, Korea, August 22-24, 2011. (Submissions due 6 June 2011)
The focus of this workshop is on all technical and practical aspects of cryptographic and non-cryptographic security applications. The workshop will serve as a forum for new results from the academic research community as well as from the industry. The areas of interest include, but are not limited to:
ACSAC 2011 27th Annual Computer Security Applications Conference, Orlando, Florida, USA, December 5-9, 2011. (Submissions due 6 June 2011)
ACSAC is an internationally recognized forum where practitioners, researchers, and developers in information system security meet to learn and to exchange practical ideas and experiences. If you are developing practical solutions to problems relating to protecting commercial enterprises' or countries' information infrastructures, consider submitting your work to the Annual Computer Security Applications Conference. We are especially interested in submissions that address the application of security technology, the implementation of systems, and lessons learned. Some example topics are:
CRiSIS 2011 6th International Conference on Risks and Security of Internet and Systems, Timisoara, Romania, September 26-28, 2011. (Submissions due 6 June 2011)
The International Conference on Risks and Security of Internet and Systems 2011 will be the 6th in a series dedicated to security issues in Internet-related applications, networks and systems, covering recent advances on Internet-related security threats and vulnerabilities, and on the solutions that are needed to counter them. The topics addressed by CRiSIS range from the analysis of risks and of attacks on networks and system survivability, through security models, security mechanisms and privacy enhancing technologies. Prospective authors are invited to submit research results as well as practical experiment or deployment reports. Industrial papers about applications and case studies, such as telemedicine, banking, e-government and critical infrastructure, are also welcome. The list of topics includes but is not limited to:
EuroPKI 2011 8th European Workshop on Public Key Services, Applications and Infrastructures, Held in conjunction with the European Symposium on Research in Computer Security (ESORICS 2011), Leuven, Belgium, September 15-16, 2011. (Submissions due 10 June 2011)
EuroPKI is a successful series of workshops that started in 2004. For the 2011 edition, the scope will cover all research aspects of Public Key Services, Applications and Infrastructures. In particular, we encourage also submissions dealing with any innovative applications of public key cryptography. Submitted papers may present theory, applications or practical experiences on topics including, but not limited to:
DSPSR 2011 1st IEEE/IFIP EUC Workshop on Data Management, Security and Privacy in Sensor Networks and RFID, Held in conjunction with the 9th IEEE/IFIP International Conference on Embedded and Ubiquitous Computing (EUC 2011), Melbourne, Australia, October 24-26, 2011. (Submissions due 10 June 2011)
As real-world deployment of wireless sensor networks and RFID systems becomes increasingly commonplace, the issues of data management, security and privacy of these systems need to be addressed. Sensor networks and RFID make possible innovative applications in important areas such as healthcare, homeland security, early warning systems, emergency response and other time- and/or life-critical situations. These applications demand that the management of data, the security of these systems from a network and application perspective, and the privacy of these systems from a user and data perspective are efficient and can be guaranteed. Hence the main motivation for this workshop is to bring together researchers and practitioners working on related areas in wireless sensor networks and RFID to present current research advances. The aim of the workshop is to provide a platform for the discussion of the major research challenges and achievements on the following topics of interest, but not limited to:
HICSS-ST 2012 45th Annual HAWAI'I International Conference on System Sciences, Software Technology Track, Grand Wailea Maui, Hawaii, USA, January 4-7, 2012. (Submissions due 15 June 2011)
Modern society is irreversibly dependent on software systems of remarkable scope and complexity. Yet methods for assuring the dependability and quality of these systems have not kept pace with their rapid deployment and evolution. The result has been persistent errors, failures, vulnerabilities, and compromises. Research is required in assurance technologies that can meet the needs of 21st century systems. These technologies must scale beyond present labor-intensive practices that are increasingly overwhelmed by the task at hand. Many organizations in academia, industry, and defense are interested in this subject, but often with a focus on specific subject matter areas. The goal of this Minitrack is to bring together researchers from all areas of system assurance to promote sharing and cross-pollination of promising methods and technologies. We will promote a unified assurance discipline characterized by science foundations and substantial automation that can effectively address the scope and scale of the problem. Assurance research focuses on achieving an acceptable level of trust and confidence through auditable evidence that software systems will function as intended in both benign and threat environments to meet organizational objectives. It addresses all aspects of the system development lifecycle in terms of technical, management, and standards-related issues. The following topics will be included in the Minitrack:
SecIoT 2011 2nd Workshop on the Security of the Internet of Things, Held in conjunction with IEEE iThings 2011, Dalian, China, October 19, 2011. (Submissions due 17 June 2011)
While there are many definitions of the Internet of Things (IoT), all of them revolve around the same central concept: a world-wide network of interconnected objects. These objects will make use of multiple technological building blocks, such as wireless communication, sensors, actuators, and RFID, in order to allow people and things to be connected anytime, anyplace, with anything and anyone. However, mainly due to the inherent heterogeneity of this vision and its broad scope, there will not be a single silver-bullet security solution that fulfills all the security requirements of the IoT. Therefore: How can we include security as a core element of the IoT? How will the IoT interact with other security mechanisms of the Future Internet? What security requirements will be truly challenged by the ultimate vision of the IoT? It is precisely the goal of this workshop to bring together researchers and industry experts in areas relevant to the security of the Internet of Things to discuss these and other significant issues. Moreover, this workshop also has the objective of serving as a forum not only for presenting cutting-edge research, but also for debating the role of security and its practical implications in the development of the IoT. Topics of interest for the workshop include the following:
WIFS 2011 IEEE Workshop on Information Forensics and Security, Foz do Iguaçu, Brazil, November 29 - December 2, 2011. (Submissions due 22 June 2011)
The IEEE International Workshop on Information Forensics and Security (WIFS) is the primary annual event organized by the IEEE's Information Forensics and Security Technical Committee (IEEE IFS TC). WIFS is a venue for knowledge exchange that encompasses a broad range of disciplines and facilitates the exchange of ideas between various disparate communities that constitute information security. With this focus, we hope that researchers will identify new opportunities for collaboration across disciplines and gain new perspectives. The conference will feature prominent keynote speakers, tutorials, and lecture sessions. Appropriate topics of interest include, but are not limited to:
STC 2011 6th ACM Workshop on Scalable Trusted Computing, Held in conjunction with the ACM CCS 2011, Chicago, IL, USA, October 17, 2011. (Submissions due 27 June 2011)
Built on the continued success of ACM STC 2006-2010, this workshop focuses on fundamental technologies of trusted and high assurance computing and their applications in large-scale systems with varying degrees of trust. The workshop is intended to serve as a forum for researchers as well as practitioners to disseminate and discuss recent advances and emerging issues. The workshop solicits two types of original papers, single-column using at least 11pt fonts. Full-paper submissions are at most 15 pages excluding bibliography, appendix etc., and at most 20 pages in total; reviewers are not required to read the appendix. Short/work-in-progress/position-paper submissions are at most 8 pages excluding bibliography. A paper submitted to this workshop must not be in parallel submission to any other journal, magazine, conference or workshop with proceedings. It is up to the authors to decide whether a submission should be anonymous. Topics of interest include but are not limited to:
PST 2011 9th International Conference on Privacy, Security and Trust, Montreal, Quebec, Canada, July 19-21, 2011. (Submissions due 20 March 2011)
With rapid development and increasing complexity of computer and communications systems and networks, user requirements for trust, security and privacy are becoming more and more demanding. However, there is a grand challenge that traditional security technologies and measures may not meet user requirements in open, dynamic, heterogeneous, mobile, wireless, and distributed computing environments. Therefore, we need to build systems and networks in which various applications allow users to enjoy more comprehensive services while preserving trust, security and privacy at the same time. As useful and innovative technologies, trusted computing and communications are attracting researchers with more and more attention. IEEE TrustCom-11 is an international conference for presenting and discussing emerging ideas and trends in trusted computing and communications in computer systems and networks from both the research community as well as the industry.
CCSW 2011 ACM Cloud Computing Security Workshop, Held in conjunction with the ACM CCS 2011, Chicago, IL, USA, October 21, 2011. (Submissions due 1 July 2011)
Notwithstanding the latest buzzword (grid, cloud, utility computing, SaaS, etc.), large-scale computing and cloud-like infrastructures are here to stay. Exactly how they will look tomorrow is still for the markets to decide, yet one thing is certain: clouds bring with them new, untested deployment and adversarial models and vulnerabilities. CCSW aims to bring together researchers and practitioners in all security aspects of cloud-centric and outsourced computing, including (but not limited to):
WPES 2011 10th ACM Workshop on Privacy in the Electronic Society, Held in conjunction with the ACM CCS 2011, Chicago, IL, USA, October 17, 2011. (Submissions due 2 July 2011)
The need for privacy-aware policies, regulations, and techniques has been widely recognized. This workshop discusses the problems of privacy in the global interconnected societies and possible solutions. The workshop seeks submissions from academia and industry presenting novel research on all theoretical and practical aspects of electronic privacy, as well as experimental studies of fielded systems. We encourage submissions from other communities such as law and business that present these communities' perspectives on technological issues. Topics of interest include, but are not limited to:
EC2ND 2011 7th European Conference on Computer Network Defense, Gothenburg, Sweden, September 6-7, 2011. (Submissions due 4 July 2011)
EC2ND invites submissions presenting novel ideas at an early stage with the intention to act as a discussion forum and feedback channel for promising, innovative security research. While our goal is to solicit ideas that are not completely worked out, and might have challenging and interesting open questions, we expect submissions to be supported by some evidence of feasibility or preliminary quantitative results. This year we are especially interested in papers concerning the protection against attacks in "special environments" (such as the ICT component of the smart grid) or protection against attacks that could cause a large societal impact. Topics include but are not limited to:
AISec 2011 4th Workshop on Artificial Intelligence and Security, Held in conjunction with ACM CCS 2011, Chicago, IL., USA, October 21, 2011. (Submissions due 6 July 2011)
We invite original research papers describing the use of AI or Machine Learning in security and privacy problems. We also invite position papers discussing the role of AI or Machine Learning in security and privacy. Submitted papers may not substantially overlap papers that have been published or that are simultaneously submitted to a journal or conference with proceedings. Topics of interest include, but are not limited to:
TSCloud 2011 1st IEEE International Workshop on Trust and Security in Cloud Computing, Changsha, China, November 16, 2011. (Submissions due 8 July 2011)
The TSCloud workshop tries to bring together researchers with an interest in theoretical foundations and practical approaches to trust and security in cloud computing. The emphasis is on high-impact, novel/adopted theories and paradigms that address mathematical and logical underpinnings in trust and security in cloud computing, e.g. encryption, obfuscation, virtualisation security, governance, accountability, etc. Topics of interest include, but are not limited to:
eCrime Researchers Summit 2011 6th IEEE eCrime Researchers Summit, Held in conjunction with the 2011 APWG General Meeting, San Diego, CA, USA, November 7-9, 2011. (Submissions due 21 July 2011)
eCRS 2011 will bring together academic researchers, security practitioners, and law enforcement to discuss all aspects of electronic crime and ways to combat it. Topics of interest include (but are not limited to):
NDSS 2012 Network & Distributed System Security Symposium, San Diego, California, USA, February 5-8, 2012. (Submissions due 9 August 2011)
The Network and Distributed System Security Symposium fosters information exchange among research scientists and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technology. Overall, we are looking not only for solid results but also for crazy, out-of-the-box ideas. Areas of interest include (but are not limited to):
WICT-NDF 2011 World Congress on Information and Communication Technologies, Intrusion Detection and Forensics, Mumbai, India, December 11-14, 2011. (Submissions due 15 August 2011)
Authors are invited to submit original papers containing cutting edge research, novel research vision or work-in-progress in any area of intrusion detection and forensics. All accepted papers will be published in the conference proceedings by IEEE. The track will cover a wide range of topics. Topics of interest include but are not limited to:
International Journal of Information Security, Special Issue on SCADA and Control System Security, 2012, (Submission Due 21 August 2011)
Editors: Irfan Ahmed (Queensland University of Technology, Australia),
Martin Naedele (ABB Corporate Research, Switzerland),
Charles Palmer (Dartmouth College, USA),
Ryoichi Sasaki (Tokyo Denki University, Japan),
Bradley Schatz (Queensland University of Technology, Australia),
and Andrew West (Invensys Operations Management, Australia)
Supervisory control and data acquisition (SCADA) and industrial control systems monitor and control a wide range of industrial and infrastructure processes such as manufacturing production lines, water treatment, fuel production and electricity distribution. Such systems are usually built using a variety of commodity computer and networking components, and are becoming increasingly interconnected with corporate and other Internet-visible networks. As a result, they face significant threats from internal and external actors. For example, the now famous Stuxnet, a Windows-specific computer worm containing a rootkit and exploiting four zero-day vulnerabilities, was written specifically to attack SCADA systems and alone caused multi-million dollar damage in 2010. The critical requirement for high availability in SCADA and industrial control systems, along with the use of bespoke, resource-constrained computing devices, legacy operating systems and proprietary software applications, limits the applicability of traditional information security solutions. Thus, research focusing on devising security solutions that are applicable in the control systems context is imperative, as evidenced by the increased focus on the problem by governments worldwide. This Special Issue aims to present the latest developments, trends and research solutions addressing security of the computers and networks used in SCADA and other industrial control systems. The topics of interest include, but are not limited to, intrusion detection and prevention, malware, vulnerability analysis of control systems protocols, digital forensics, application security, and the performance impact of security methods and tools in control systems. This list is not exhaustive and other relevant topics will be considered.
IFIP-DF 2012 8th Annual IFIP WG 11.9 International Conference on Digital Forensics, University of Pretoria, Pretoria, South Africa, January 3-5, 2012. (Submissions due 15 September 2011)
The IFIP Working Group 11.9 on Digital Forensics (www.ifip119.org) is an active international community of scientists, engineers and practitioners dedicated to advancing the state of the art of research and practice in digital forensics. The Eighth Annual IFIP WG 11.9 International Conference on Digital Forensics will provide a forum for presenting original, unpublished research results and innovative ideas related to the extraction, analysis and preservation of all forms of electronic evidence. Papers and panel proposals are solicited. All submissions will be refereed by a program committee comprising members of the Working Group. Papers and panel submissions will be selected based on their technical merit and relevance to IFIP WG 11.9. The conference will be limited to approximately sixty participants to facilitate interactions between researchers and intense discussions of critical research issues. Keynote presentations, revised papers and details of panel discussions will be published as an edited volume - the eighth in the series entitled Research Advances in Digital Forensics (Springer) in the summer of 2012. Revised and/or extended versions of selected papers from the conference will be published in special issues of one or more international journals. Technical papers are solicited in all areas related to the theory and practice of digital forensics. Areas of special interest include, but are not limited to:
Staying in touch....
IEEE Computer Society's Technical Committee on Security and Privacy