============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 110                                    September 19, 2012

Hilarie Orman, Editor                      Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org          cipher-assoc-editor @ ieee-security.org

Richard Austin                             Yong Guan
Book Review Editor                         Calendar Editor
cipher-bookrev @ ieee-security.org         cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year

Contents:

* Letter from the Editor
* News Items
  o Bank accounts raided by Stuxnet-like malware
  o Shamoon, from "sinister" to "amateurish"
  o Dissidents tracked by government spyware
* Commentary and Opinion
  o Richard Austin's review of "Securing the Virtual Environment: How to defend the enterprise against attack" by Davi Ottenheimer and Matthew Wallace
* List of Computer Security Academic Positions, by Cynthia Irvine
* Conference and Workshop Announcements
  o Calendar of events
  o Upcoming calls-for-papers and events
* Staying in Touch
  o Information for subscribers and contributors
  o Recent address changes
* Links for the IEEE Computer Society TC on Security and Privacy
  o Becoming a member of the TC
  o TC Officers
  o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

I read recently that cellphones are not uncommon in Africa, and companies are developing affordable versions for that continent. Only 20 years ago two thirds of the planet's population had never placed a phone call. This tremendous change means, I believe, that within 25 years, everyone on the planet will be carrying a computing device connected to the Internet. From this I conclude that investment in battery technology is a good idea, but I also wonder if information Armageddon is only a button tap away.

This month's trio of news articles about malware shows how vulnerable we are to malware; other mainstream news stories show how vulnerable we are to the rapid spread of ideas.

Those researchers looking to make a difference in the security of computing devices will know that this is the time of year to consider submitting a paper to the Security and Privacy Symposium. The deadline is November 14, and the CFP in this issue of Cipher explains the kinds of papers sought by the prestigious program committee.

Richard Austin weighs in with a review of a timely book about securing virtual environments for enterprises. Sadly, we are learning that even clouds are subject to corruption!

I thought I was the master of my desktop, the captain of my cellphone, until they conspired to steal all my money and run off to Venezuela,

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
News Briefs
====================================================================

---------------------------------------------------------------------------
Gauss, the funds transfer monitor

CNN MoneyTech
August 9, 2012
http://money.cnn.com/2012/08/09/technology/gauss-cyberweapon-bank-accounts/index.html?source=cnn_bin

The "Gauss" malware is a spy interested in tracking funds: It collects banking login information, sends it back to a server, and quickly self-destructs. It seems to target Lebanese bank accounts. Its design has disturbing similarities to Stuxnet and Flame.
---------------------------------------------------------------------------
Shamoon, Once Sinister, Now Amateurish

David Jeffers, PCWorld
Aug 17, 2012
http://www.pcworld.com/article/261009/a_sinister_new_breed_of_malware_is_growing.html?tk=out

IDG News Service
September 17, 2012
http://www.techcentral.ie/19856/shamoon-cyberweapon-the-work-of-amateurs

The two articles referenced above, a month apart, present two different views of the "Shamoon" malware. The first says: "Shamoon--along with Stuxnet, Duqu, Flame, and Gauss--represents a new era of malware that is designed with specific goals in mind, and programmed to fly under the radar and evade detection in most cases." The second says that the malware, which targeted Saudi Arabian national oil company Aramco, has silly programming errors. Nonetheless, its intended purpose, to steal sensitive data and then self-destruct, seems to have been achieved.

---------------------------------------------------------------------------
Dissidents Targeted by Malware

New York Times, Nicole Perlroth
August 30, 2012
http://www.nytimes.com/2012/08/31/technology/finspy-software-is-tracking-political-dissidents.html

Political dissidents in 14 countries around the world may have been monitored by commercial spyware called "FinSpy". Ostensibly marketed for tracking criminals, the software can be turned against anyone, and its use by governments with "questionable" records on human rights caught the attention of two US researchers.
-------------------------------------------------------
News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/BookReviews.html, and conference
reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Richard Austin
September 13, 2012
____________________________________________________________________

"Securing the Virtual Environment: How to defend the enterprise against attack"
by Davi Ottenheimer and Matthew Wallace
Wiley 2012.
ISBN 978-1-118-15548-6 amazon.com USD 31.49
Table of Contents: http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118155483,descCd-tableOfContents.html

Virtualization and its latest offshoot, cloud computing, occupy important places on most IT technology roadmaps these days, either as something that is being looked at, has an implementation in progress, or is planned for future implementation. Ottenheimer and Wallace have written a practical guide to what "securing" virtualization and the cloud actually means. By viewing the cloud as heavily based on virtualization, they tie its implementation to already established principles and map out the new areas where challenges still exist.

Like many of the recent books reviewed in this column, this one includes a lengthy appendix on setting up a test environment to follow along with "hands-on" exercises in the text. The created environment makes use of the Xen, ESXi and KVM hypervisors which are either Open Source or available as trials from the vendor. The DVD that accompanies the book includes many of the tools used in the book as well as a pre-configured virtual "attack machine" with the tools already installed. The reader is strongly encouraged to work through this appendix first so as to be ready to explore the "hands on" exercises.

While the book's organization offers a logical progression, I really recommend that you read Chapter 10, "Building Compliance into Virtual and Cloud Environments", first. This chapter opens with an eye-opening discussion of the difference between "compliance" and "security" that may surprise those of us who are wont to opine that "compliance is not security". The authors make the sound point that compliance carries the idea of authority - someone with the power to enforce their statement says "you must do x, y, and z". While meeting compliance requirements does not assure that the resulting security posture is appropriate to an organization's risk profile and appetite, compliance does leverage the knowledge of many organizations performing similar sorts of business and can provide a sound starting point. In the authors' view, compliance should not be described "by terms such as follow, accept, bend and agree" but rather "achieving, meeting, exceeding, delivering or performing" (p. 320). The remainder of the chapter focuses on applying compliance guidance in an environment that is virtualized/cloud-based. The advantage of reading this chapter first is that it rubs most of the "chrome off the dashboard" of the new technology and shows how familiar security requirements are translated into the world of virtualized/cloud-based services.

The book's presentation is generally attack-vector based with the chapters describing (and often illustrating in "hands-on" exercises) how the virtual/cloud environment is attacked in particular ways. This is especially helpful because some of these vectors are peculiar to the virtual environment. For example, installing a "rooted" binary or malware is a well-known attack pattern in the physical world but acquires some unique nuances in the virtual environment (e.g., modifying a virtual server's virtual disk or perhaps the "gold" image to provision a class of virtual servers). While the attacks themselves are not particularly new, the ways they can be applied in the virtual/cloud environment were, I found, eye-opening. After presenting the vectors and ensuing attacks, appropriate defensive measures are described. Commendably, the applicable technical defenses are supplemented by appropriate policy and process controls so the defensive recommendations are well rounded.

As an aside, the book emphasizes Open Source and VMware products - Microsoft's Hyper-V is occasionally mentioned but the examples, etc., are based on the other hypervisors. This should not discourage a Microsoft-focused reader as much of the valuable guidance is independent of the specific hypervisor used.

The authors are experienced and thoughtful securers of the virtualized/cloud environment. Though there are a few quirks in places, they do an excellent job of clearly and cogently presenting a complex topic. Footnoted references are scattered throughout the chapters and provide a rich field for further exploration. Definitely a recommended read for security professionals needing a substantial and solid introduction to what "security" actually involves in the cloud and other virtualized environments.

----------------------------
It has been said that "of making many books there is no end; and much study is a weariness of the flesh" so Richard Austin (http://cse.spsu.edu/raustin2) fearlessly samples the wares of the many publishing houses and shares his opinion as to which books might merit your attention. He welcomes your thoughts and comments via raustin at ieee dot org

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

New listings (Complete list at http://cisr.nps.edu/jobscipher.html)

Posted July 2012
Naval Postgraduate School
Monterey, California
CS Department Faculty Positions
Open until filled
http://www.nps.edu/Academics/Schools/GSOIS/Departments/CS/Faculty/Openings/CSFacultyOpenings.html

Posted July 2012
Imperial College London
London, UK
Lectureship
Closing Date 16 August 2012
http://www3.imperial.ac.uk/computing/vacancies#L

Posted June 2011 (still open as of July 2012)
University of Waterloo
Waterloo, ON, Canada
Postdoctoral Research Position
Open until filled
http://crysp.uwaterloo.ca/prospective/postdoc/

--------------
This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Conference and Workshop Announcements
====================================================================

The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Calendar of Security and Privacy Related Events
maintained by Hilarie Orman

Cipher calendar announcements are on Twitter; follow "ciphernews"

Date (Month/Day/Year), Event, Locations, web page for more info.
 9/17/12- 9/18/12: CRITIS, 7th International Workshop on Critical Information Infrastructures Security, Radisson Blu Lillehammer Hotel, Turisthotellveien 6, 2609 Lillehammer, Norway; http://critis12.hig.no
 9/19/12- 9/21/12: NSPW, New Security Paradigms Workshop, Bertinoro, Italy; http://www.nspw.org
 9/21/12- 9/23/12: ICDFI, 1st International Conference on Digital Forensics and Investigation, Beijing, China; http://secmeeting.ihep.ac.cn
 9/26/12- 9/28/12: ProvSec, 6th International Conference on Provable Security, Chengdu, China; http://www.ccse.uestc.edu.cn/provsec/callforpapers.html
 9/30/12: ESSoS, 5th International Symposium on Engineering Secure Software and Systems, Paris, France; http://distrinet.cs.kuleuven.be/events/essos2013/; Submissions are due
10/ 1/12: IEEE Network Magazine, Special Issue on Security in Cognitive Radio Networks; http://www.comsoc.org/files/Publications/Magazines/ni/cfp/cfpnetwork0513.htm; Submissions are due
10/ 1/12-10/ 4/12: SSS, 14th International Symposium on Stabilization, Safety, and Security of Distributed Systems, Toronto, Canada; http://www.cs.uwaterloo.ca/sss2012/
10/ 8/12-10/11/12: SRDS, 31st International Symposium on Reliable Distributed Systems, Irvine, California, USA; http://web.mst.edu/~cswebdb/srds2012/
10/13/12: FC, 17th International Conference on Financial Cryptography and Data Security, Bankoku Shinryokan, Busena Terrace Beach Resort, Okinawa, Japan; http://fc13.ifca.ai/cfp.html; Submissions are due
10/15/12: BADGERS, ACM Workshop on Building Analysis Datasets and Gathering Experience Returns for Security, Held in conjunction with ACM CCS 2012, Sheraton Raleigh Hotel, Raleigh, NC, USA; https://researcher.ibm.com/view_project.php?id=3360
10/15/12: IFIP119-DF, 9th Annual IFIP WG 11.9 International Conference on Digital Forensics, Orlando, Florida, USA; http://www.ifip119.org/Conferences/WG11-9-CFP-2013.pdf; Submissions are due
10/16/12-10/18/12: ACM-CCS, 19th ACM Conference on Computer and Communications Security, Raleigh, North Carolina, USA; http://www.sigsac.org/ccs/CCS2012/
10/19/12: CCSW, ACM Cloud Computing Security Workshop, Held in conjunction with ACM CCS 2012, Sheraton Raleigh Hotel, Raleigh, NC, USA; http://crypto.cs.stonybrook.edu/ccsw12
10/19/12: STC, 7th ACM Workshop on Scalable Trusted Computing, Held in conjunction with ACM CCS 2012, Sheraton Raleigh Hotel, Raleigh, NC, USA; http://www.cs.utsa.edu/~acmstc/stc2012/
10/19/12: AISec, 5th ACM Workshop on Artificial Intelligence and Security, Held in conjunction with ACM CCS 2012, Sheraton Raleigh Hotel, Raleigh, NC, USA; http://research.microsoft.com/en-us/events/aisec2012/default.aspx
10/20/12-10/25/12: LCN-SICK, Workshop on Security in Communications Networks, Held in Conjunction with IEEE LCN 2012, Clearwater, FL, USA; http://www.sick-workshop.org/
10/23/12-10/24/12: eCrime-Summit, 7th IEEE eCrime Researchers Summit, Held in conjunction with the 2012 APWG General Meeting, Las Croabas, Puerto Rico; http://ecrimeresearch.org
10/26/12: IDMAN, 3rd IFIP WG 11.6 Working Conference on Policies & Research in Identity Management, London, UK; http://www.idman2013.com; Submissions are due
10/30/12: NPSec, 7th Workshop on Secure Network Protocols, Austin, Texas, USA; http://www.cse.msu.edu/~feichen/NPSec2012/
10/31/12-11/ 2/12: Nordsec, 17th Nordic Conference in Secure IT Systems, Karlskrona, Sweden; http://www.bth.se/com/nordsec2012.nsf/pages/nordsec2012
11/ 5/12-11/ 6/12: GameSec, 3rd Conference on Decision and Game Theory for Security, Budapest, Hungary; http://www.gamesec-conf.org
11/ 8/12-11/ 9/12: RFIDsec-Asia, Workshop on RFID and IoT Security, Taipei, Taiwan; http://rfidsec2012.cs.ntust.edu.tw
11/10/12: Springer International Journal of Information Security journal, Special Issue on Security in Cloud Computing; http://www.springer.com/computer/security+and+cryptology/journal/10207; Submissions are due
11/14/12: SP, 34th IEEE Symposium on Security and Privacy, San Francisco, California, USA; http://www.ieee-security.org/TC/SP2013/; Submissions are due
11/21/12-11/23/12: NSS, 6th International Conference on Network and System Security, Wu Yi Shan, Fujian, China; http://anss.org.au/nss2012/index.html
11/28/12-12/ 1/12: INSCRYPT, 8th China International Conference on Information Security and Cryptology, Beijing, China; http://inscrypt2012.im.pwr.wroc.pl/2012/Inscrypt_2012.html
12/ 2/12-12/ 5/12: WIFS, IEEE International Workshop on Information Forensics and Security, Tenerife, Spain; http://www.wifs12.org/
12/ 3/12-12/ 7/12: ACSAC, 28th Annual Computer Security Applications Conference, Buena Vista Palace Hotel & Spa in the Walt Disney World Resort, Florida, USA; http://www.acsac.org
12/ 3/12-12/ 7/12: MANSEC-CC, 1st International Workshop on Management and Security Technologies for Cloud Computing, Held in conjunction with the 2012 IEEE GLOBECOM, Disneyland Hotel, Anaheim, California, USA; http://www.icsd.aegean.gr/ccsl/mansec-cc/
12/ 9/12-12/14/12: LISA, 26th Large Installation System Administration Conference, San Diego, CA, USA; http://www.usenix.org/lisa12/
12/15/12-12/19/12: ICISS, 8th International Conference on Information Systems Security, Guwahati, India; http://www.iitg.ernet.in/iciss2012/
12/31/12: IFIP1110-CIP, 7th Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection, Washington, DC, USA; http://www.ifip1110.org/Conferences/WG11-10CallForPapers2013.pdf; Submissions are due
 1/ 7/13- 1/10/13: HICSS-CSS, 46th HAWAII International Conference on System Sciences, Internet and the Digital Economy Track, Cybercrime and Security Strategy Mini-track, Grand Wailea, Maui, Hawaii, USA; http://www.hicss.hawaii.edu/hicss_46/apahome46.htm
 1/28/13- 1/30/13: IFIP119-DF, 9th Annual IFIP WG 11.9 International Conference on Digital Forensics, Orlando, Florida, USA; http://www.ifip119.org/Conferences/WG11-9-CFP-2013.pdf
 2/18/13- 2/20/13: CODASPY, 3rd ACM Conference on Data and Application Security and Privacy, San Antonio, Texas, USA; http://www.codaspy.org
 2/24/13- 2/27/13: NDSS, 20th Annual Network and Distributed System Security Symposium, Catamaran Resort Hotel and Spa, San Diego, California, USA; http://www.internetsociety.org/events/ndss-symposium-2013
 2/27/13- 3/ 1/13: ESSoS, 5th International Symposium on Engineering Secure Software and Systems, Paris, France; http://distrinet.cs.kuleuven.be/events/essos2013/
 3/18/13- 3/20/13: IFIP1110-CIP, 7th Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection, Washington, DC, USA; http://www.ifip1110.org/Conferences/WG11-10CallForPapers2013.pdf
 4/ 1/13- 4/ 5/13: FC, 17th International Conference on Financial Cryptography and Data Security, Bankoku Shinryokan, Busena Terrace Beach Resort, Okinawa, Japan; http://fc13.ifca.ai/cfp.html
 4/ 8/13- 4/ 9/13: IDMAN, 3rd IFIP WG 11.6 Working Conference on Policies & Research in Identity Management, London, UK; http://www.idman2013.com
 5/19/13- 5/22/13: SP, 34th IEEE Symposium on Security and Privacy, San Francisco, California, USA; http://www.ieee-security.org/TC/SP2013/
 5/23/13- 5/24/13: SPW, 2nd IEEE CS Security and Privacy Workshops, Co-located with the IEEE Symposium on Security and Privacy (SP 2013), Westin St. Francis Hotel, San Francisco, CA, USA; http://www.ieee-security.org/TC/SPW2013/

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers (new since Cipher E109)
___________________________________________________________________

ESSoS 2013
5th International Symposium on Engineering Secure Software and Systems,
Paris, France, February 27 - March 1, 2013.
(Submissions due 30 September 2012)
http://distrinet.cs.kuleuven.be/events/essos2013/

Trustworthy, secure software is a core ingredient of the modern world. Hostile, networked environments, like the Internet, can allow vulnerabilities in software to be exploited from anywhere. To address this, high-quality security building blocks (e.g., cryptographic components) are necessary, but insufficient. Indeed, the construction of secure software is challenging because of the complexity of modern applications, the growing sophistication of security requirements, the multitude of available software technologies and the progress of attack vectors. Clearly, a strong need exists for engineering techniques that scale well and that demonstrably improve the software's security properties.

The goal of this symposium is to bring together researchers and practitioners to advance the states of the art and practice in secure software engineering. Being one of the few conference-level events dedicated to this topic, it explicitly aims to bridge the software engineering and security engineering communities, and promote cross-fertilization. The Symposium seeks submissions on subjects related to its goals. This includes a diversity of topics including (but not limited to):

- scalable techniques for threat modeling and analysis of vulnerabilities
- specification and management of security requirements and policies
- security architecture and design for software and systems
- model checking for security
- specification formalisms for security artifacts
- verification techniques for security properties
- systematic support for security best practices
- security testing
- security assurance cases
- programming paradigms, models and DSLs for security
- program rewriting techniques
- processes for the development of secure software and systems
- security-oriented software reconfiguration and evolution
- security measurement
- automated development
- trade-off between security and other non-functional requirements (in particular economic considerations)
- support for assurance, certification and accreditation
- empirical secure software engineering

-------------------------------------------------------------------------
IEEE Network Magazine, Special Issue on Security in Cognitive Radio Networks,
May 2013, (Submission Due 1 October 2012)
http://www.comsoc.org/files/Publications/Magazines/ni/cfp/cfpnetwork0513.htm
Editors: Kui Ren (Illinois Institute of Technology, USA), Haojin Zhu (Shanghai Jiao Tong University, USA), Zhu Han (University of Houston, USA), and Radha Poovendran (University of Washington, USA)

Cognitive radio (CR) is an emerging advanced radio technology in wireless access, with many promising benefits including dynamic spectrum sharing, robust cross-layer adaptation, and collaborative networking. Based on a software-defined radio (SDR), cognitive radios are fully programmable and can sense their environment and dynamically adapt their transmission frequencies, power levels, modulation schemes, and networking protocols for improving network and application performance. It is anticipated that cognitive radio technology will be the next wave of innovation in information and communications technologies.

Although the recent years have seen major and remarkable developments in the field of cognitive networking technologies, the security aspects of cognitive radio networks have attracted less attention so far. Due to the particular characteristics of the CR system, entirely new classes of security threats and challenges are introduced such as licensed user emulation, selfish misbehaviors and unauthorized use of spectrum bands. These new types of attacks take advantage of the inherent characteristics of CR, and could severely disrupt the basic functionalities of CR systems. Therefore, for achieving successful deployment of CR technologies in practice, there is a critical need for new security designs and implementations to make CR networks secure and robust against these new attacks.
Topics of interest include, but are not limited to:

- General security architecture for CR networks
- Cross-layer security design of CR networks
- Secure routing in multi-hop CR networks
- Physical layer security for CR networks
- Geo-location for security in CR networks
- Defending and mitigating jamming-based DoS attacks in CR networks
- Defending against energy depletion attacks in resource-constrained CR networks
- Attack modeling, prevention, mitigation, and defense in CR systems, including primary user emulation attacks, authentication methods of primary users, spectrum sensing data falsification, spectrum misusage and selfish misbehaviors and unauthorized use of spectrum bands
- Methods for detecting, isolating and expelling misbehaving cognitive nodes
- Security policies, standards and regulations for CR networks
- Implementation and testbed for security evaluation in CR systems
- Privacy protection in CR networks
- Security issues for database-based CR networks
- Security in CR networks for the smart grid
- Intrusion detection systems in CR networks

-------------------------------------------------------------------------
FC 2013
17th International Conference on Financial Cryptography and Data Security,
Bankoku Shinryokan, Busena Terrace Beach Resort, Okinawa, Japan, April 1-5, 2013.
(Submissions due 13 October 2012)
http://fc13.ifca.ai/cfp.html

Financial Cryptography and Data Security is a major international forum for research, advanced development, education, exploration, and debate regarding information assurance, with a specific focus on commercial contexts. The conference covers all aspects of securing transactions and systems. Original works focusing on both fundamental and applied real-world deployments on all aspects surrounding commerce security are solicited. Submissions need not be exclusively concerned with cryptography. Systems security and inter-disciplinary efforts are particularly encouraged. Topics include:

- Anonymity and Privacy
- Auctions and Audits
- Authentication and Identification
- Biometrics
- Certification and Authorization
- Cloud Computing Security
- Commercial Cryptographic Applications
- Data Outsourcing Security
- Information Security
- Game Theoretic Security
- Securing Emerging Computational Paradigms
- Identity Theft
- Fraud Detection
- Phishing and Social Engineering
- Digital Rights Management
- Digital Cash and Payment Systems
- Digital Incentive and Loyalty Systems
- Microfinance and Micropayments
- Contactless Payment and Ticketing Systems
- Secure Banking and Financial Web Services
- Security and Privacy in Mobile Devices and Applications
- Security and Privacy in Automotive and Transport Systems and Applications
- Smartcards, Secure Tokens and Secure Hardware
- Privacy-enhancing Systems
- Reputation Systems
- Security and Privacy in Social Networks
- Security and Privacy in Sound and Secure Financial Systems Based on Social Networks
- Risk Assessment and Management
- Risk Perceptions and Judgments
- Legal and Regulatory Issues
- Security Economics
- Spam
- Transactions and Contracts
- Trust Management
- Underground-Market Economics
- Usable Security
- Virtual Economies
- Voting Systems

-------------------------------------------------------------------------
IFIP119-DF 2013
9th Annual IFIP WG 11.9 International Conference on Digital Forensics,
Orlando, Florida, USA, January 28-30, 2013.
(Submissions due 15 October 2012)
http://www.ifip119.org/Conferences/WG11-9-CFP-2013.pdf

The IFIP Working Group 11.9 on Digital Forensics (www.ifip119.org) is an active international community of scientists, engineers and practitioners dedicated to advancing the state of the art of research and practice in digital forensics. The Ninth Annual IFIP WG 11.9 International Conference on Digital Forensics will provide a forum for presenting original, unpublished research results and innovative ideas related to the extraction, analysis and preservation of all forms of electronic evidence. Papers and panel proposals are solicited. All submissions will be refereed by a program committee comprising members of the Working Group. Papers and panel submissions will be selected based on their technical merit and relevance to IFIP WG 11.9. The conference will be limited to approximately sixty participants to facilitate interactions between researchers and intense discussions of critical research issues. Keynote presentations, revised papers and details of panel discussions will be published as an edited volume - the ninth in the series entitled Research Advances in Digital Forensics (Springer) - in the summer of 2013. Revised and/or extended versions of selected papers from the conference will be published in special issues of one or more international journals.

Technical papers are solicited in all areas related to the theory and practice of digital forensics. Areas of special interest include, but are not limited to:

- Theories, techniques and tools for extracting, analyzing and preserving digital evidence
- Network and cloud forensics
- Embedded device forensics
- Digital forensic processes and workflow models
- Digital forensic case studies
- Legal, ethical and policy issues related to digital forensics

-------------------------------------------------------------------------
IDMAN 2013
3rd IFIP WG 11.6 Working Conference on Policies & Research in Identity Management,
London, UK, April 8-9, 2013.
(Submissions due 26 October 2012)
http://www.idman2013.com

The IDMAN conference focuses on the theory, technologies and applications of identity management. The world of the 21st century is, more than ever, global and impersonal.
As a result of increasing cyber fraud and cyber terrorism, the demand for better technical methods of identification is growing, not only in companies and organisations but also in the world at large. Moreover, in our society digital identities increasingly play a role in the provision of eGovernment and eCommerce services. For practical reasons, Identity Management Systems are needed that are usable and interoperable. At the same time, individuals increasingly leave trails of personal data when using the Internet, which allows them to be profiled and which may be stored for many years to come. Technical trends such as Cloud Computing and pervasive computing make personal data processing non-transparent, and make it increasingly difficult for users to control their personal spheres. As part of this tendency, surveillance and monitoring are increasingly present in society, both in the public and private domains. Whilst the original intention is to contribute to security and safety, surveillance and monitoring might, in some cases, have unintended or even contradictory effects. Moreover, the omnipresence of surveillance and monitoring systems might directly conflict with public and democratic liberties. These developments raise substantial new challenges for privacy and identity management at the technical, social, ethical, regulatory, and legal levels. Identity management challenges the information security research community to focus on interdisciplinary and holistic approaches, while retaining the benefits of previous research efforts. Papers offering research contributions to the area of identity management are solicited for submission to the 3rd IFIP WG-11.6 IDMAN conference. 
Papers may present theory, applications or practical experience in the field of identity management, from a technical, legal or socio-economic perspective, including, but not necessarily limited to:
- Novel identity management technologies and approaches
- Interoperable identity management solutions
- Privacy-enhancing technologies
- Identity management for mobile and ubiquitous computing
- Identity management solutions for eHealth, eGovernment and eCommerce
- Privacy and Identity (Management) in and for cloud computing
- Privacy and Identity in social networks
- Risk analysis techniques for privacy risk and privacy impact assessment
- Privacy management of identity management
- Identity theft prevention
- Attribute based authentication and access control
- User-centric identity management
- Legal, socio-economic, philosophical and ethical aspects
- Impact on society and politics
- Related developments in social tracking, tracing and sorting
- Quality of identity data, processes and applications
- User centered, usable and inclusive identity management
- Attacks on identity management infrastructures
- Methods of identification and authentication
- Identification and authentication procedures
- Applications of anonymous credentials
- (Privacy-preserving) identity profiling and fraud detection
- Government PKIs
- (Possible) role of pseudonymous and anonymous identity in identity management
- Electronic IDs: European and worldwide policies and cooperation in the field of identity management
- Surveillance and monitoring
- (Inter)national policies on unique identifiers / social security numbers / personalisation IDs
- Vulnerabilities in electronic identification protocols
- Federative identity management and de-perimeterisation
- Biometric verification
- (Inter)national applications of biometrics
- Impersonation, identity fraud, identity forgery and identity theft
- Tracing, monitoring and forensics
- Proliferation/omnipresence of identification
- Threats to democracy and political control
-------------------------------------------------------------------------
Springer International Journal of Information Security, Special Issue on Security in Cloud Computing, Fall 2013, (Submission Due 10 November 2012)
http://www.springer.com/computer/security+and+cryptology/journal/10207
Editors: Stefanos Gritzalis (University of the Aegean, Greece), Chris Mitchell (Royal Holloway, University of London, UK), Bhavani Thuraisingham (University of Texas at Dallas, USA), and Jianying Zhou (Institute for Infocomm Research, Singapore)
This special issue of the International Journal of Information Security aims at providing researchers and professionals with insights on the state-of-the-art in Security in Cloud Computing. It will publish original, novel and high quality research contributions from industry, government, business, and academia. Topics of interest may include (but are not limited to) one or more of the following themes:
- Auditing in Cloud Computing
- Business and security risk models
- Cloud Infrastructure Security
- Cloud-centric security modeling and threats
- Copyright protection in the Cloud era
- Cryptography in the Cloud era
- Emerging threats in Cloud-based services
- Forensics in Cloud environments
- Legal and regulatory issues in the Cloud era
- Multi-tenancy related security/privacy issues
- Performance evaluation for security solutions
- Privacy in Cloud computing
- Secure identity management mechanisms
- Secure job deployment and scheduling
- Secure virtualization and resource allocation mechanisms
- Securing distributed data storage in the Cloud
- Security and privacy in big data management
- Security and privacy in mobile Cloud
- Security and privacy requirements engineering in the Cloud
- Security for emerging Cloud programming models
- Security management in the Cloud
- Security modelling and threats in Cloud computing
- Trust and policy management in the Cloud
- User authentication and access control in Cloud-aware services
-------------------------------------------------------------------------
SP 2013 34th IEEE Symposium on Security and Privacy, San Francisco, California, USA, May 19-22 2013. (Submissions due 14 November 2012)
http://www.ieee-security.org/TC/SP2013/
Since 1980, the IEEE Symposium on Security and Privacy has been the premier forum for computer security research, presenting the latest developments and bringing together researchers and practitioners. We solicit previously unpublished papers offering novel research contributions in any aspect of computer security or privacy. Papers may present advances in the theory, design, implementation, analysis, verification, or empirical evaluation of secure systems. Topics of interest include:
- Access control
- Accountability
- Anonymity
- Application security
- Attacks and defenses
- Authentication
- Censorship and censorship-resistance
- Distributed systems security
- Embedded systems security
- Forensics
- Hardware security
- Intrusion detection
- Malware
- Metrics
- Language-based security
- Network security
- Privacy-preserving systems
- Protocol security
- Secure information flow
- Security and privacy policies
- Security architectures
- System security
- Usability and security
- Web security
This topic list is not meant to be exhaustive; S&P is interested in all aspects of computer security and privacy. Papers without a clear application to security or privacy, however, will be considered out of scope and may be rejected without full review.
Systematization of Knowledge Papers
Following the success of the previous years' conferences, we are also soliciting papers focused on systematization of knowledge (SoK). The goal of this call is to encourage work that evaluates, systematizes, and contextualizes existing knowledge. These papers can provide a high value to our community but may not be accepted because of a lack of novel research contributions.
Suitable papers include survey papers that provide useful perspectives on major research areas, papers that support or challenge long-held beliefs with compelling evidence, or papers that provide an extensive and realistic evaluation of competing approaches to solving specific problems. Submissions are encouraged to analyze the current research landscape: identify areas that have enjoyed much research attention, point out open areas with unsolved challenges, and present a prioritization that can guide researchers to make progress on solving important challenges. Submissions must be distinguished by a checkbox on the submission form. In addition, the paper title must have the prefix "SoK:". They will be reviewed by the full PC and held to the same standards as traditional research papers, except instead of emphasizing novel research contributions the emphasis will be on value to the community. Accepted papers will be presented at the symposium and included in the proceedings.
-------------------------------------------------------------------------
IFIP1110-CIP 2013 7th Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection, Washington, DC, USA, March 18-20, 2013. (Submissions due 31 December 2012)
http://www.ifip1110.org/Conferences/WG11-10CallForPapers2013.pdf
The IFIP Working Group 11.10 on Critical Infrastructure Protection is an active international community of researchers, infrastructure operators and policy-makers dedicated to applying scientific principles, engineering techniques and public policy to address current and future problems in information infrastructure protection. Following the success of the first six conferences, the Seventh Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection will again provide a forum for presenting original, unpublished research results and innovative ideas related to all aspects of critical infrastructure protection. Papers and panel proposals are solicited.
Submissions will be refereed by members of Working Group 11.10 and other internationally-recognized experts in critical infrastructure protection. Papers and panel submissions will be selected based on their technical merit and relevance to IFIP WG 11.10. The conference will be limited to seventy participants to facilitate interactions among researchers and intense discussions of research and implementation issues. A selection of papers from the conference will be published in an edited volume - the seventh in the series entitled Critical Infrastructure Protection (Springer) - in the fall of 2013. Revised and/or extended versions of outstanding papers from the conference will be published in the International Journal of Critical Infrastructure Protection (Elsevier). Papers are solicited in all areas of critical infrastructure protection. Areas of interest include, but are not limited to:
- Infrastructure vulnerabilities, threats and risks
- Security challenges, solutions and implementation issues
- Infrastructure sector interdependencies and security implications
- Risk analysis and risk assessment methodologies
- Modeling and simulation of critical infrastructures
- Legal, economic and policy issues related to critical infrastructure protection
- Secure information sharing
- Infrastructure protection case studies
- Distributed control systems/SCADA security
- Telecommunications network security
-------------------------------------------------------------------------
====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================
____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________
SUBSCRIPTIONS: Two options, each with two options:
1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe". OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)
2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard". OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)
To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard
Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html
CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact.
For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.
ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________
Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html
_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________
You may easily join the TC on Security & Privacy: https://www.ieee.org/membership-catalog/productdetail/showProductDetailPage.html?product=CMYSP728
______________________________________________________________________
TC Publications for Sale
______________________________________________________________________
IEEE Security and Privacy Symposium
The 2010 hardcopy proceedings are available at $25 each. The DVD with all technical papers from all years of the SP Symposium and the CSF Symposium (through 2009) is $10, plus shipping and handling.
The 2009 hardcopy proceedings are not available. The DVD with all technical papers from all years of the SP Symposium and the CSF Symposium is $5, plus shipping and handling.
The 2008 hardcopy proceedings are $10 plus shipping and handling; the 29 year CD is $5.00, plus shipping and handling.
The 2007 proceedings are available in hardcopy for $10.00, the 28 year CD is $5.00, plus shipping and handling.
The 2006 Symposium proceedings and 11-year CD are sold out.
The 2005, 2004, and 2003 Symposium proceedings are available for $10 plus shipping and handling.
Shipping is $5.00/volume within the US, overseas surface mail is $8/volume, and overseas airmail is $14/volume, based on an order of 3 volumes or less. The shipping charge for a CD is $3 per CD (no charge if included with a hard copy order). Send a check made out to the IEEE Symposium on Security and Privacy to the 2011 treasurer (below) with the order description, including shipping method and shipping address.
Robin Sommer
Treasurer, IEEE Symposium Security and Privacy 2011
International Computer Science Institute
Center for Internet Research
1947 Center St., Suite 600
Berkeley, CA 94704 USA
oakland11-treasurer@ieee-security.org
IEEE CS Press
You may order some back issues from IEEE CS Press at http://www.computer.org/cspress/catalog/proc9.htm
Computer Security Foundations Symposium
Copies of the proceedings of the Computer Security Foundations Workshop (now Symposium) are available for $10 each. Copies of proceedings are available starting with year 10 (1997). Photocopy versions of year 1 are also $10. Contact Jonathan Herzog if interested in purchase.
Jonathan Herzog
jherzog@alum.mit.edu
____________________________________________________________________________
TC Officers and SP Steering Committee
____________________________________________________________________________
Chair:
Sven Dietrich
Department of Computer Science
Stevens Institute of Technology
+1 201 216 8078
spock AT cs.stevens.edu

Security and Privacy Symposium Chair Emeritus:
Robert Cunningham
MIT Lincoln Laboratories
http://www.ll.mit.edu/mission/communications/ist/biographies/cunningham-bio.html

Vice Chair:
Patrick McDaniel
Computer Science and Engineering
Pennsylvania State University
360 A IST Building
University Park, PA 16802
(814) 863-3599
mcdaniel@cse.psu.edu

Treasurer:
Terry Benzel
USC Information Sciences Institute
4676 Admiralty Way, Suite 1001
Los Angeles, CA 90292
(310) 822-1511 (voice)
tbenzel @isi.edu

Newsletter Editor and TC Awards Chair:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

Security and Privacy Symposium, 2013 Chair:
Robin Sommer
http://www.icir.org/robin
________________________________________________________________________
BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year