[ASCII-art Cipher banner]

============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 113                                      March 18, 2013

Hilarie Orman, Editor                         Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org        cipher-assoc-editor @ ieee-security.org

Richard Austin                                Yong Guan
Book Review Editor                            Calendar Editor
cipher-bookrev @ ieee-security.org            cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year

Contents:

* Letter from the Editor
* Commentary and Opinion and News
    o Richard Austin's review of "Reverse Deception: Organized Cyber Threat
      Counter-Exploitation" by S. Bodmer, M. Kilger, G. Carpenter and
      J. Jones
    o Security in the News:
      - RC4 Encryption Demonstrably Breakable
      - Evernote Cloud Storage, User Data Compromised
      - Warrantless Surveillance Foes Win a Round
      - Pentagon Announces Cyber Command Expansions
      - Experts say Chinese are behind cyberbarrage
      - Cyberespionage Campaign Directed at US
      - Is All of China's Cyberwarfare Capability Housed in One Building?
      - US Company Traces Cyberattacks to China
      - US Weighs Rules for CyberCommand
      - Military Honors for CyberWarriors?
      - An Executive Order Gives US Agencies Ability to Share Cyberthreat
        Information with Companies
      - Companies Talk About CyberTroubles and Share Information
      - US to China: Stop Hacking!
      - US Considers Motives for Hack Attacks
      - President Obama and US Corporate Chiefs Meet, Help Sought for
        Passing Legislation
      - US Cybercommand Chief Tells Congress About Defenses
      - China Asks For International Rules on Hacking
      - Australian central bank Lightly Hacked
      - Social Media Editor and the Dark Side
    o Book reviews, Conference Reports and Commentary and News items from
      past Cipher issues are available at the Cipher website
* List of Computer Security Academic Positions, by Cynthia Irvine
* Conference and Workshop Announcements
    o Calendar of Events
    o Upcoming calls-for-papers and events
* Staying in Touch
    o Information for subscribers and contributors
    o Recent address changes
* Links for the IEEE Computer Society TC on Security and Privacy
    o Becoming a member of the TC
    o TC Officers
    o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

S&P and S&PW, and CSF are coming! Yes, the IEEE Computer Society's
Technical Committee on Security and Privacy's annual flagship conferences
are nearly upon us. The "Oakland" event moved to San Francisco's St Francis
Hotel last year, and it will be there again in May. The Workshops of
Security and Privacy are also at the St. Francis, on the two days
following. Registration is available through the conference website
(http://ieee-security.org). The list of papers for S&P is available now,
over 40 papers showing the best of security research today.

In June, the Computer Security Foundations Symposium
(http://csf2013.seas.harvard.edu/) will be held in New Orleans. This
gathering has an orientation towards logic and design, and its co-location
with the "Logic in Computer Science" conference will result in a logical
concentration of some magnitude.
The US government's executive branch has embarked on a media blitz in its
efforts to get legislation giving it more power to combat cyberattacks and
cyberespionage. We count 14 major news articles related to this subject
alone. Privacy advocates do not support the broader powers, and some,
notably Bruce Schneier in an opinion piece for CNN, feel that we are
already living in an "Internet surveillance state."
http://www.cnn.com/2013/03/16/opinion/schneier-internet-surveillance/index.html?hpt=hp_bn7

Richard Austin, our widely read book reviewer, recommends a book about
defense as deception in this issue.

Final note: You are walking around with a "phone" with two 1.2GHz
processors, GPS, WiFi, a camera, and 50 random apps, and you ask if it is
"secure"? There is probably a reality channel somewhere devoted just to
you! Be circumspect in its presence.

      Hilarie Orman
      cipher-editor @ ieee-security.org

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/BookReviews.html, and conference
reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Richard Austin   3/14/2013
____________________________________________________________________

Reverse Deception: Organized Cyber Threat Counter-Exploitation
by S. Bodmer, M. Kilger, G. Carpenter and J. Jones
McGraw-Hill 2012.
ISBN 978-07-177249-5
amazon.com USD 26.40

Though deception in various forms (such as spoofing a network address,
posing as a trusted colleague, malware masquerading as a vendor security
update) plays a significant part in many successful intrusions, security
professionals have likely never considered how deception could become a
tool in defending their networks and assets.
Deceptions, whether conducted by an adversary or defender, are complex
tasks that rely on a good understanding of goals and tactics. This
understanding begins with knowledge of the adversary (capabilities,
motivations, and tactics). The authors introduce some useful terminology
in the introduction (and develop it fully in later chapters) by
distinguishing between advanced persistent threats, persistent threats and
opportunistic threats. Most of us are familiar with the "opportunistic
threats" (also called "commodity threats"), such as common varieties of
malware which target any vulnerable host they happen to encounter.
Persistent threats are more targeted at specific types of information and
include the capability (persistence) to remain active for an extended
period. The dreaded "advanced persistent threat" is a qualitative
enhancement of the persistent threat and implies a better funded,
technically capable adversary willing to take multiple steps in achieving
his objective (for example, compromise the vendor of a common security
product used by the target organization in order to illicitly access its
sensitive intellectual property). The authors introduce 9 dimensions
(e.g., objectives, resources, adversary risk tolerance, etc.) for
classifying a threat on the opportunistic-APT continuum.

The deception process, as the authors are careful to note, is a two-way
street where both sides of the interaction may be actively attempting to
deceive the other at various times during the engagement. This maddening
situation is aptly called the "hall of mirrors". To be successful in
deceiving an adversary, the deception must be carefully planned and
supported - for example, a HoneyNet with a trove of fascinating documents
will quickly lose its attraction unless the documents have appropriate
creation dates and can be seen to change and be updated over time.
Readers are frequently reminded that deception always has the purpose
(guide the adversary into some preferred action or inaction) of reaching
some desirable conclusion, and these purposes must be clearly identified
before the deception is undertaken.

When one uses a phrase like "engage an adversary", visions of lawsuits
spring to mind. The vision is possible if one does not prepare
appropriately before taking action even within the confines of one's own
perimeter. As the authors note, the key is to work with competent legal
counsel to assure that the contemplated course of action is legally
permissible. This "Duh!" advice is followed by a solid discussion of how
to actually talk to an attorney so he understands what you are proposing
to do and why it makes sense to do it; then he can advise you
appropriately. This attitude of actively partnering with legal advisors
would go a long way toward ending the entrenched perception that one
"shouldn't bother asking legal because they will just say NO!".

Historical examples, relevant case studies (thoroughly sanitized), good
illustrations and many examples illustrate the concepts in operation.
Copious references are provided so readers can dig deeper into topics of
interest.

As with any book by multiple authors, there is some unevenness of
presentation that should have been addressed in the final editing process.
There are also some mystifying statements such as "When it comes to cyber
espionage, if your adversary can dive into all your secrets without
performing any type of kinetic warfare" (p. 148). Since espionage is not
generally considered an act of war, I suspect the author was making the
point that cyber espionage does not necessarily require risky real-world
actions such as recruiting and operating agents, gaining physical access
to an adversary's bases, etc. Acronyms abound so readers are well advised
to maintain a list in order to avoid flipping back and forth to decode
"SSCT" or "TTP".
This book is a masterful presentation of deception, how it works, how to
understand it and how it may be used as another tool in defending your
organization's assets. Given our constantly evolving threat environment,
contributions to increasing our understanding and enhancing our defensive
arsenal are sorely needed. Definitely a recommended read.

____________________________________________________________________
It has been said "Be careful, for writing books is endless, and much study
wears you out" so Richard Austin (http://cse.spsu.edu/raustin2) fearlessly
samples the wares of the publishing houses and opines on which might
profitably occupy your scarce reading time. He welcomes your thoughts and
comments via raustin at ieee dot org

====================================================================
News Briefs
====================================================================

RC4 Encryption Demonstrably Breakable
Cryptographers show mathematically crackable flaws in common web encryption
Andy Greenberg, Forbes Staff, 3/13/2013
http://www.forbes.com/sites/andygreenberg/2013/03/13/cryptographers-show-mathematically-crackable-flaws-in-common-web-encryption
The RC4 encryption algorithm, widely used on the Internet because of its
simple design and speed, is less secure than previously believed.

----------------
Evernote User Data Compromised
CNN.com
Doug Gross
March 4, 2013
50 million compromised in Evernote hack
http://www.cnn.com/2013/03/04/tech/web/evernote-hacked/index.html?hpt=hp_t3
Data in the cloud may have pie-in-sky security. The firm Evernote announced
that its usernames and email addresses (but not passwords) had been
revealed to hackers. The passwords are encrypted, but we hope that RC4 was
not the algorithm (see earlier article in this list).
----------------
The Washington Post
By Ellen Nakashima
Mar 16, 2013
FBI surveillance tool is ruled unconstitutional
http://www.washingtonpost.com/world/national-security/fbi-survillance-tool-is-ruled-unconstitutional/2013/03/15/d4796396-8db9-11e2-9f54-f3fdd70acad2_story.html
National security letters, a warrantless communication surveillance method
used by the FBI, have been ruled unconstitutional by a Federal Appeals
Court in California.

----------------
The Washington Post
By Ellen Nakashima
Jan 28, 2013
Pentagon to boost cybersecurity force
http://www.washingtonpost.com/world/national-security/pentagon-to-boost-cybersecurity-force/2013/01/19/d87d9dc2-5fec-11e2-b05a-605528f6b712_story.html
The Pentagon announced plans for a three-pronged "CyberCommand" to utilize
5 times as many people as are currently involved in such activities.

----------------
Chinese cyber attacks on West are widespread, experts say
CNN.com
By Kevin Voigt
Feb 1, 2013
http://www.cnn.com/2013/02/01/tech/china-cyber-attacks/index.html?iid=article_sidebar
Apparently successful "spear-phishing" attacks against major US newspapers
originate in China, according to unnamed experts.

----------------
U.S. said to be target of massive cyber-espionage campaign
The Washington Post
By Ellen Nakashima
Feb 10, 2013
http://www.washingtonpost.com/world/national-security/us-said-to-be-target-of-massive-cyber-espionage-campaign/2013/02/10/7b4687d8-6fc1-11e2-aa58-243de81040ba_story.html
According to a classified report called the "National Intelligence
Estimate", the US is the target of cyberespionage mounted by several
countries. "Cyber-espionage, which was once viewed as a concern mainly by
U.S. intelligence and the military, is increasingly seen as a direct
threat to the nation's economic interests."

----------------
China's Army Is Seen as Tied to Hacking Against U.S.
New York Times
By David E. Sanger, David Barboza and Nicole Perlroth
Feb 19, 2013
http://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html
Is one building in China the source of concerted attacks against US
cyberassets?

----------------
Report ties cyberattacks on U.S. computers to Chinese military
The Washington Post
By William Wan and Ellen Nakashima
Feb 19, 2013
http://www.washingtonpost.com/world/report-ties-100-plus-cyber-attacks-on-us-computers-to-chinese-military/2013/02/19/2700228e-7a6a-11e2-9a75-dab0201670da_story.html
A 60-page report by a US company, Mandiant, is the first non-governmental
assessment of the source of attacks on US computers to lay the blame on
the Chinese military.

----------------
Broad Powers Seen for Obama in Cyberstrikes
The New York Times
By David E. Sanger and Thom Shanker
Feb 4, 2013
http://www.nytimes.com/2013/02/04/us/broad-powers-seen-for-obama-in-cyberstrikes.html
The US executive branch has been considering rules governing actions of
its new "Cyber Command". "The implications of pre-emption in cyberwar were
specifically analyzed at length in writing the new rules. One major issue
involved in the administration's review, according to one official
involved, was defining 'what constitutes reasonable and proportionate
force' in halting or retaliating against a cyberattack."

----------------
Pentagon creates new medal for extraordinary work by cyber and drone
warriors
The Washington Post
Feb 13, 2013
http://www.washingtonpost.com/politics/pentagon-creates-new-medal-to-for-extraordinary-work-by-cyber-drone-warriors/2013/02/13/a0e104e4-75fe-11e2-9889-60bfcbb02149_story.html
[Cipher Ed.: This story has been withdrawn from the Washington Post
website].

----------------
Obama Order Gives Firms Cyberthreat Information
New York Times
By Michael S. Schmidt and Nicole Perlroth
February 12, 2013
http://www.nytimes.com/2013/02/13/us/executive-order-on-cybersecurity-is-issued.html
As a stopgap measure aimed at bolstering US resistance to cyberattacks,
the President signed an executive order for sharing threat information
between the government and private companies.

----------------
Security tools reveal cyberintruders' trickery
USA Today
Byron Acohido
February 27, 2013
http://www.usatoday.com/story/tech/2013/02/27/proactive-intelligence-corporate-network-breaches/1949879/
The buzz at the annual RSA Conference was about how large organizations
are putting more effort into discovering how they were hacked, and they
are also starting to share that information.

----------------
U.S. Demands That China End Hacking and Set Cyber Rules
New York Times
By Mark Landler and David E. Sanger
March 11, 2013
http://www.nytimes.com/2013/03/12/world/asia/us-demands-that-china-end-hacking-and-set-cyber-rules.html
Tom Donilon, President Obama's national security advisor, said that the
White House wants China to crack down on hackers and enter into a dialogue
about standards.

----------------
U.S. Weighs Risks and Motives of Hacking by China or Iran
New York Times
By Nicole Perlroth, David E. Sanger and Michael S. Schmidt
Mar 4, 2013
http://www.nytimes.com/2013/03/04/us/us-weighs-risks-and-motives-of-hacking-by-china-or-iran.html?pagewanted=1
The US government expresses some confusion over the perpetrators of
large-scale hacking attacks. Although the countries of origin appear to be
China and Iran, the administration is unsure whether individuals, the
military, or both, are behind the majority of the attacks.

----------------
Obama Discusses Computer Security With Corporate Chiefs
New York Times
By Michael D. Shear and Nicole Perlroth
Mar 14, 2013
http://bits.blogs.nytimes.com/2013/03/13/obama-discusses-computer-security-with-corporate-chiefs/?src=recg
The White House was the location for a meeting on March 13 for the purpose
of enlisting support for pending legislation giving the executive branch
powers and funds to combat cyberespionage and to thwart or counter
cyberwarfare. The legislation was proposed but not passed in 2011. Last
month, an executive order was signed, setting the stage for information
sharing with private companies, and this meeting may have resulted as a
consequence of that order.

----------------
Security Chief Says Computer Attacks Will Be Met
New York Times
By Mark Mazzetti and David E. Sanger
Mar 14, 2013
http://www.nytimes.com/2013/03/13/us/intelligence-official-warns-congress-that-cyberattacks-pose-threat-to-us.html?src=recg&_r=0
Gen. Keith Alexander, head of the US Cybercommand, talked to Congress
about the defensive part of his 3-part command structure.

----------------
China Calls for Global Hacking Rules
New York Times
By David Barboza
Mar 14, 2013
http://www.nytimes.com/2013/03/11/world/asia/china-calls-for-global-hacking-rules.html?src=recg
China joined the media blitz about cyberespionage by calling for new
dialogue on rules and cooperation while denying official involvement in
misdeeds.

----------------
Australian Central Bank Hit by Cyberattack
New York Times
Reuters
Mar 14, 2013
http://www.nytimes.com/2013/03/12/technology/australian-central-bank-hit-by-cyberattack.html?src=recg
The Australian central bank said that although news reports about it being
hacked were partially true, the bank believes that it was successful in
isolating the attacks and avoiding any information disclosure.

----------------
Thomson Reuters Editor Is Charged in Hacking of News Site
New York Times
By Amy Chozick
Mar 15, 2013
http://mediadecoder.blogs.nytimes.com/2013/03/14/thomson-reuters-editor-indicted-on-charges-of-aiding-hackers-group/
An admitted Twitter addict, Thomson Reuters' deputy social media editor
Matthew Keys may also be a malicious hacker. He has been charged with
hacking the Los Angeles Times website and altering headlines.

----------------
News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html

====================================================================
Listing of academic positions available by
Cynthia Irvine
====================================================================

New since Cipher E112:

Posted Mar 2013
University of Versailles-St-Quentin-en-Yvelines
PRiSM Laboratory - "Cryptology and Information Security" group
Versailles, France
Assistant Professor position
Deadline for applications: March 28, 2013
http://www.prism.uvsq.fr/~logo/MCF-0781944P-4071_en.htm

--------------
http://cisr.nps.edu/jobscipher.html
This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like to
have it included on this page, send the following information:
Institution, City, State, Position title, date position announcement
closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Conference and Workshop Announcements
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Cipher calendar entries are announced on Twitter; follow ciphernews

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Calendar of Security and Privacy Related Events
maintained by Hilarie Orman

Date (Month/Day/Year), Event, Locations, web page for more info.
 3/18/13: SECRYPT, 10th International Conference on Security and
          Cryptography, Reykjavik, Iceland; http://secrypt.icete.org;
          Submissions are due
 3/18/13- 3/20/13: IFIP1110-CIP, 7th Annual IFIP WG 11.10 International
          Conference on Critical Infrastructure Protection, Washington, DC,
          USA; http://www.ifip1110.org/Conferences/WG11-10CallForPapers2013.pdf
 3/18/13- 3/20/13: SPW, 21st International Workshop on Security Protocols,
          Sidney Sussex College, Cambridge, England;
          http://spw.stca.herts.ac.uk/
 3/22/13: MWSN, IEEE International Workshop on Security and Privacy of
          Mobile, Wireless and Sensor Networks, New Orleans, LA, USA;
          http://www2.cs.uh.edu/mwsn/; Submissions are due
 3/30/13: ECTCM, 1st International Workshop on Emerging Cyberthreats and
          Countermeasures, Co-located with ARES 2013, University Regensburg,
          Germany; http://www.ectcm.net; Submissions are due
 4/ 1/13: International Journal of Distributed Sensor Networks, Special
          Issue on Intrusion Detection and Security Mechanisms for Wireless
          Sensor Networks; http://www.hindawi.com/journals/ijdsn/si/430493/cfp/;
          Submissions are due
 4/ 1/13: CSAW, Cloud Security Auditing Workshop, Held in conjunction with
          the IEEE 9th World Congress on Services, Santa Clara, CA, USA;
          http://www.csaw2013.org; Submissions are due
 4/ 1/13- 4/ 5/13: FC, 17th International Conference on Financial
          Cryptography and Data Security, Bankoku Shinryokan, Busena Terrace
          Beach Resort, Okinawa, Japan; http://fc13.ifca.ai/cfp.html
 4/ 2/13: RFIDSEC, 9th Workshop on RFID Security, Graz, Austria;
          http://rfidsec2013.iaik.tugraz.at/; Submissions are due
 4/ 8/13- 4/ 9/13: IDMAN, 3rd IFIP WG 11.6 Working Conference on Policies &
          Research in Identity Management, London, UK;
          http://www.idman2013.com
 4/10/13: FCS, Workshop on Foundations of Computer Security, Tulane
          University, New Orleans, Louisiana, USA;
          http://prosecco.inria.fr/personal/bblanche/fcs13/;
          Submissions are due
 4/15/13: CMS, 14th Joint IFIP TC6 and TC11 Conference on Communications
          and Multimedia Security, Magdeburg, Germany;
          http://www.cms2013.de; Submissions are due
 4/15/13: SeCIHD, 3rd IFIP International Workshop on Security and Cognitive
          Informatics for Homeland Defense, Held in conjunction with the
          8th ARES Conference (ARES 2013), Regensburg, Germany;
          http://isyou.info/conf/secihd13/; Submissions are due
 4/15/13: TGC, 8th International Symposium on Trustworthy Global Computing,
          Buenos Aires, Argentina; http://sysma.lab.imtlucca.it/tgc2013/;
          Submissions are due
 4/29/13: PRISMS, International Conference on Privacy and Security in
          Mobile Systems, Atlantic City, NJ, USA;
          http://www.gws2013.org/prisms/; Submissions are due
 5/ 6/13: ICICS, 15th International Conference on Information and
          Communications Security, Beijing, China;
          http://icsd.i2r.a-star.edu.sg/icics2013/; Submissions are due
 5/ 6/13: SeTTIT, Workshop on Security Tools and Techniques for Internet of
          Things, Co-located with the BODYNETS 2013 conference, Boston,
          Massachusetts, USA; http://settit.bodynets.org/2013/show/home;
          Submissions are due
 5/ 7/13: AsiaPKC, ACM Asia Public-Key Cryptography Workshop, Held in
          conjunction with the 8th ACM Symposium on Information, Computer
          and Communications Security (ASIACCS 2013), Hangzhou, China;
          http://www.cs.utsa.edu/~shxu/acm-asiapkc13/
 5/ 7/13: SESP, 1st International Workshop on Security in Embedded Systems
          and Smartphones, Held in conjunction with the 8th ACM Symposium
          on Information, Computer and Communications Security
          (ASIACCS 2013), Hangzhou, China; http://doe.cs.northwestern.edu/SESP/
 5/ 7/13: SCC, International Workshop on Security in Cloud Computing, Held
          in conjunction with the 8th ACM Symposium on Information,
          Computer and Communications Security (ASIACCS 2013), Hangzhou,
          China; http://www.cs.cityu.edu.hk/~congwang/asiaccs-scc/
 5/ 8/13: CCS, 20th ACM Conference on Computer and Communications Security,
          Berlin, Germany; http://www.sigsac.org/ccs/CCS2013/;
          Submissions are due
 5/ 8/13- 5/10/13: ASIACCS, 8th ACM Symposium on Information, Computer and
          Communications Security, Hangzhou, China;
          http://hise.hznu.edu.cn/asiaccs/index.html
 5/10/13: SECURECOMM, 9th International ICST Conference on Security and
          Privacy in Communication Networks, Sydney, Australia;
          http://securecomm.org/2013/; Submissions are due
 5/12/13- 5/14/13: ISPEC, 9th Information Security Practice and Experience
          Conference, Lanzhou, China; http://icsd.i2r.a-star.edu.sg/ispec2013/
 5/13/13: IWSEC, 8th International Workshop on Security, Okinawaken
          Shichouson Jichikaikan, Japan; http://www.iwsec.org/2013;
          Submissions are due
 5/19/13- 5/22/13: SP, 34th IEEE Symposium on Security and Privacy,
          San Francisco, California, USA;
          http://www.ieee-security.org/TC/SP2013/
 5/23/13- 5/24/13: SPW (Call for Workshop proposals), 2nd IEEE CS Security
          and Privacy Workshops, Co-located with the IEEE Symposium on
          Security and Privacy (SP 2013), Westin St. Francis Hotel,
          San Francisco, CA, USA; http://www.codaspy.org
 5/23/13: MoST, Mobile Security Technologies Workshop, Co-located with the
          34th IEEE Symposium on Security and Privacy (IEEE S&P 2013) and
          an event of the IEEE Computer Society's Security and Privacy
          Workshops (SPW 2013), San Francisco, CA, USA;
          http://mostconf.org/2013/
 5/24/13: W2SP, Web 2.0 Security & Privacy Workshop, Co-located with the
          34th IEEE Symposium on Security and Privacy (IEEE S&P 2013) and
          an event of the IEEE Computer Society's Security and Privacy
          Workshops (SPW 2013), San Francisco, CA, USA;
          http://www.w2spconf.com/2013/
 5/28/13- 5/30/13: WISTP, 7th Workshop in Information Security Theory and
          Practice, Heraklion, Greece; http://www.wistp.org
 5/30/13: SOUPS-RISK, Workshop on Risk Perception in IT Security and
          Privacy, Newcastle, UK; http://cups.cs.cmu.edu/soups/2013/risk.html;
          Submissions are due
 6/ 2/13- 6/ 3/13: HOST, IEEE International Symposium on Hardware-oriented
          Security and Trust, Austin Convention Center, Austin, TX, USA;
          http://www.hostsymposium.org/
 6/ 3/13- 6/ 4/13: NSS, 7th International Conference on Network and System
          Security, Madrid, Spain; http://anss.org.au/nss2013/index.htm
 6/ 3/13- 6/ 7/13: IFIP-TM, 7th IFIP International Conference on Trust
          Management, Málaga, Spain; http://conf2013.ifiptm.org/
 6/ 4/13: D-SPAN, 4th IEEE Workshop on Data Security and Privacy in
          Wireless Networks, Co-located with the 14th International
          Symposium on a World of Wireless, Mobile and Multimedia Networks
          (WoWMoM 2013), Madrid, Spain;
          http://www.ee.washington.edu/research/nsl/DSPAN_2013/
 6/12/13- 6/14/13: SACMAT, 18th ACM Symposium on Access Control Models and
          Technologies, Amsterdam, The Netherlands; http://www.sacmat.org/
 6/17/13- 6/19/13: TRUST, 6th International Conference on Trust and
          Trustworthy Computing, London, UK; http://trust2013.sba-research.org
 6/23/13: MWSN, IEEE International Workshop on Security and Privacy of
          Mobile, Wireless and Sensor Networks, New Orleans, LA, USA;
          http://www2.cs.uh.edu/mwsn/
 6/24/13- 6/27/13: PRISMS, International Conference on Privacy and Security
          in Mobile Systems, Atlantic City, NJ, USA;
          http://www.gws2013.org/prisms/
 6/25/13- 6/28/13: ACNS, 11th International Conference on Applied
          Cryptography and Network Security, Banff, Alberta, Canada;
          http://acns2013.cpsc.ucalgary.ca/
 6/26/13- 6/28/13: CSF, 26th IEEE Computer Security Foundations Symposium,
          Tulane University, New Orleans, Louisiana, USA;
          http://csf2013.seas.harvard.edu/
 6/27/13- 7/ 2/13: CSAW, Cloud Security Auditing Workshop, Held in
          conjunction with the IEEE 9th World Congress on Services,
          Santa Clara, CA, USA; http://www.csaw2013.org
 6/29/13: FCS, Workshop on Foundations of Computer Security, Tulane
          University, New Orleans, Louisiana, USA;
          http://prosecco.inria.fr/personal/bblanche/fcs13/
 6/30/13: SIN, 6th International Conference on Security of Information and
          Networks, Aksaray, Turkey; http://www.sinconf.org;
          Submissions are due
 7/ 1/13: RFIDsec-Asia, Workshop on RFID and IoT Security, Guangzhou,
          China; http://www.inscrypt.cn/2013/Inscrypt_2013/CFP-RFIDsecAsia.htm;
          Submissions are due
 7/ 8/13: VizSec, 10th International Symposium on Visualization for Cyber
          Security, Atlanta GA, USA; http://www.vizsec.org/;
          Submissions are due
 7/ 8/13: NFSP, 2nd International Workshop on Network Forensics, Security
          and Privacy, Held in conjunction with the 33rd International
          Conference on Distributed Computing Systems (ICDCS 2013),
          Philadelphia, PA, USA;
          http://www.faculty.umassd.edu/honggang.wang/nfsp2013/
 7/ 9/13- 7/11/13: RFIDSEC, 9th Workshop on RFID Security, Graz, Austria;
          http://rfidsec2013.iaik.tugraz.at/
 7/10/13- 7/12/13: PST, 11th International Conference on Privacy, Security
          and Trust, Tarragona, Catalonia;
          http://unescoprivacychair.urv.cat/pst2013/index.php?m=cfp
 7/15/13- 7/17/13: DBSEC, 27th Annual IFIP WG 11.3 Working Conference on
          Data and Applications Security and Privacy, Rutgers University,
          Newark, NJ, USA; http://dbsec2013.business.rutgers.edu/
 7/17/13- 7/19/13: VOTE-ID, 4th International Conference on E-voting and
          Identity, University of Surrey, Guildford, UK;
          http://www.voteid13.org/
 7/18/13- 7/19/13: DIMVA, 10th International Conference on Detection of
          Intrusions and Malware & Vulnerability Assessment, Berlin,
          Germany; http://www.dimva.org/dimva2013
 7/24/13- 7/26/13: SOUPS, Symposium On Usable Privacy and Security,
          Northumbria University, Newcastle, UK; http://cups.cs.cmu.edu/soups/
 7/24/13- 7/26/13: SOUPS-RISK, Workshop on Risk Perception in IT Security
          and Privacy, Newcastle, UK;
          http://cups.cs.cmu.edu/soups/2013/risk.html
 7/29/13- 7/31/13: SECRYPT, 10th International Conference on Security and
          Cryptography, Reykjavik, Iceland; http://secrypt.icete.org
 8/14/13- 8/16/13: USENIX-Security, 22nd USENIX Security Symposium,
          Washington, DC, USA;
          https://www.usenix.org/conference/usenixsecurity13
 8/20/13- 8/23/13: CHES, Workshop on Cryptographic Hardware and Embedded
          Systems, Co-located with the 33rd Annual International Cryptology
          Conference (CRYPTO 2013), Santa Barbara, California, USA;
          http://www.chesworkshop.org/ches2013/
 8/30/13- 8/31/13: TGC, 8th International Symposium on Trustworthy Global
          Computing, Buenos Aires, Argentina;
          http://sysma.lab.imtlucca.it/tgc2013/
 9/ 2/13- 9/ 6/13: ECTCM, 1st International Workshop on Emerging
          Cyberthreats and Countermeasures, Co-located with ARES 2013,
          University Regensburg, Germany; http://www.ectcm.net
 9/ 2/13- 9/ 6/13: SeCIHD, 3rd IFIP International Workshop on Security and
          Cognitive Informatics for Homeland Defense, Held in conjunction
          with the 8th ARES Conference (ARES 2013), Regensburg, Germany;
          http://isyou.info/conf/secihd13/
 9/25/13- 9/26/13: CMS, 14th Joint IFIP TC6 and TC11 Conference on
          Communications and Multimedia Security, Magdeburg, Germany;
          http://www.cms2013.de
 9/25/13- 9/27/13: SECURECOMM, 9th International ICST Conference on
          Security and Privacy in Communication Networks, Sydney,
          Australia; http://securecomm.org/2013/
 9/30/13-10/ 2/13: SeTTIT, Workshop on Security Tools and Techniques for
          Internet of Things, Co-located with the BODYNETS 2013 conference,
          Boston, Massachusetts, USA;
          http://settit.bodynets.org/2013/show/home
10/14/13: VizSec, 10th International Symposium on Visualization for Cyber
          Security, Atlanta GA, USA; http://www.vizsec.org/
10/14/13-10/16/13: CNS, 1st IEEE Conference on Communications and Network
          Security, Washington D.C., USA; http://www.ieee-cns.org
11/ 4/13-11/ 8/13: CCS, 20th ACM Conference on Computer and Communications
          Security, Berlin, Germany; http://www.sigsac.org/ccs/CCS2013/
11/12/13-11/14/13: HST, 13th annual IEEE Conference on Technologies for
          Homeland Security, Waltham, Massachusetts, USA;
          http://www.ieee-hst.org
11/18/13-11/20/13: IWSEC, 8th International Workshop on Security,
          Okinawaken Shichouson Jichikaikan, Japan; http://www.iwsec.org/2013
11/20/13-11/22/13: ICICS, 15th International Conference on Information and
          Communications Security, Beijing, China;
          http://icsd.i2r.a-star.edu.sg/icics2013/
11/26/13-11/28/13: SIN, 6th International Conference on Security of
          Information and Networks, Aksaray, Turkey; http://www.sinconf.org
11/27/13: RFIDsec-Asia, Workshop on RFID and IoT Security, Guangzhou,
          China; http://www.inscrypt.cn/2013/Inscrypt_2013/CFP-RFIDsecAsia.htm

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers (new since Cipher E112)
____________________________________________________________________

SECRYPT 2013
10th International Conference on Security and Cryptography,
Reykjavik, Iceland, July 29-31, 2013. (Submissions due 18 March 2013)
http://secrypt.icete.org

SECRYPT is an annual international conference covering research in
information and communication security. The 10th International Conference
on Security and Cryptography (SECRYPT 2013) will be held in Reykjavik,
Iceland. The conference seeks submissions from academia, industry, and
government presenting novel research on all theoretical and practical
aspects of data protection, privacy, security, and cryptography. Papers
describing the application of security technology, the implementation of
systems, and lessons learned are also encouraged.
The conference topics include, but are not limited to:
- Access Control
- Applied Cryptography
- Biometrics Security and Privacy
- Critical Infrastructure Protection
- Data Integrity
- Data Protection
- Database Security and Privacy
- Digital Forensics
- Digital Rights Management
- Ethical and Legal Implications of Security and Privacy
- Formal Methods for Security
- Human Factors and Human Behavior Recognition Techniques
- Identification, Authentication and Non-repudiation
- Identity Management
- Information Hiding
- Information Systems Auditing
- Insider Threats and Countermeasures
- Intellectual Property Protection
- Intrusion Detection & Prevention
- Management of Computing Security
- Network Security
- Organizational Security Policies
- Peer-to-Peer Security
- Personal Data Protection for Information Systems
- Privacy
- Privacy Enhancing Technologies
- Reliability and Dependability
- Risk Assessment
- Secure Software Development Methodologies
- Security and Privacy in Complex Systems
- Security and Privacy in Crowdsourcing
- Security and Privacy in IT Outsourcing
- Security and Privacy in Location-based Services
- Security and Privacy in Mobile Systems
- Security and Privacy in Pervasive/Ubiquitous Computing
- Security and Privacy in Smart Grids
- Security and Privacy in Social Networks
- Security and Privacy in the Cloud
- Security and Privacy in Web Services
- Security and Privacy Policies
- Security Area Control
- Security Deployment
- Security Engineering
- Security in Distributed Systems
- Security Information Systems Architecture
- Security Management
- Security Metrics and Measurement
- Security Protocols
- Security Requirements
- Security Verification and Validation
- Sensor and Mobile Ad Hoc Network Security
- Service and Systems Design and QoS Network Security
- Software Security
- Trust Management and Reputation Systems
- Ubiquitous Computing Security
- Wireless Network Security
-------------------------------------------------------------------------
MWSN 2013 IEEE International Workshop on Security and Privacy of Mobile,
Wireless and Sensor Networks, New Orleans, LA, USA, June 23, 2013.
(Submissions due 22 March 2013)
http://www2.cs.uh.edu/mwsn/

To cope with the rapid increase in mobile users and the increasing demand
for mobile, wireless and sensor networks (MWSNs), it is becoming imperative
to provide the necessary security protocols and privacy guarantees to users
of MWSNs. In turn, these specific demands in security and privacy require
new methodologies that are specifically designed to cope with the strict
requirements of the networks. In general, the real-world performance of
MWSNs crucially depends on the selected protocols, and their suitability
and efficiency for the layers of the implementation. A satisfactory
security design and protocol are therefore crucial for the performance of
MWSNs. It is a great challenge to achieve efficient and robust realizations
of such highly dynamic and secure MWSNs. Moreover, the study of security
and privacy in the context of MWSNs provides insights into problems and
solutions that are orthogonal to programming languages, programming
paradigms, computer hardware, and other aspects of the implementation. The
objective for this workshop is to address those topics, which we believe
will play an important role in current and future research on and
education of MWSNs.

-------------------------------------------------------------------------
ECTCM 2013 1st International Workshop on Emerging Cyberthreats and
Countermeasures, Co-located with ARES 2013, University Regensburg,
Germany, September 2-6, 2013. (Submissions due 30 March 2013)

The First International Workshop on Emerging Cyberthreats and
Countermeasures aims at bringing together researchers and practitioners
working in different areas related to cybersecurity.
After organizing three informal workshops on Early Warning Systems in IT in
the past three years, we strongly believe that the next step is to give the
workshop a more formal structure in the context of an internationally
acclaimed scientific conference. The focus of this year's workshop is on IT
Early Warning, Malware Detection and Analysis, Targeted Attacks,
Cryptanalysis, and Privacy Protection. Contributions demonstrating both
current weaknesses and threats as well as new countermeasures are welcome.

-------------------------------------------------------------------------
International Journal of Distributed Sensor Networks, Special Issue on
Intrusion Detection and Security Mechanisms for Wireless Sensor Networks,
July 2013. (Submissions due 1 April 2013)
http://www.hindawi.com/journals/ijdsn/si/430493/cfp/

Editors: S. Khan (Kohat University of Science and Technology, Pakistan),
Jaime Lloret (Polytechnic University of Valencia, Spain), and Jonathan Loo
(Middlesex University, UK)

Wireless sensor networks are gaining significant interest from academia and
industry. Wireless sensor networks are multihop, self-organizing,
self-healing, and distributed in nature. These characteristics also
increase vulnerability and expose sensor networks to various kinds of
security attacks. Advanced security mechanisms and intrusion detection
systems (IDSs) can play an important role in detecting and preventing
security attacks. This special issue aims to gather recent advances in the
area of security aspects of wireless sensor networks. It welcomes research
and review articles that focus on the challenges and the state-of-the-art
solutions. The papers will be peer reviewed and will be selected on the
basis of their quality and relevance to the topic of this special issue.
Potential topics include, but are not limited to:
- Intrusion detection systems
- Secure neighbor discovery, localization, and mobility
- Security architectures, deployments, and solutions
- Denial of service attacks and countermeasures
- Intrusion prevention techniques
- Adaptive defense systems
- Trust establishment and privacy
- Confidentiality, integrity, and availability assurance
- Authentication and access control
- Secure routing protocols
- Cryptography, encryption algorithms, and key management schemes
- Experimental validation and experiences with testbed and/or deployment

-------------------------------------------------------------------------
CSAW 2013 Cloud Security Auditing Workshop, Held in conjunction with the
IEEE 9th World Congress on Services, Santa Clara, CA, USA,
June 27 - July 2, 2013. (Submissions due 1 April 2013)
http://www.csaw2013.org

Security concerns are a major impediment to the widespread adoption of
cloud services. Cloud services often deal with sensitive information and
operations. Thus, cloud service providers must provision services to
rapidly identify security threats for increased information assurance. In
addition, when a threat is identified or an attack is detected, incident
reporting should be timely and precise to allow cloud tenants and users to
respond appropriately. Detection and reporting require meta-information to
be captured across the cloud in order to audit and monitor it for potential
threats that may lead to attacks and to discern when and where an attack
has already occurred. Capturing security relevant information and auditing
the results to determine the existence of security threats in the cloud is
challenging for multiple reasons. Cloud tenants rely on the cloud for
diverse tasks and have services and data that may require isolation or be
provisioned for composition with other services in cloud applications.
Organizations may not have the logging capabilities in place for their
services or may not be predisposed to share the information. Cloud
management services are needed to log relevant events at their endpoints,
including user interactions and interactions within the cloud federation.
Consistent formats for capturing events and generating logs to be hosted
within the cloud are not specified as part of current service level
agreements (SLAs). Near real-time analysis is needed for prediction of
potential threats in order to respond quickly to prevent an attack.
Centralized analysis of information captured may present too much overhead
for timely alerts and incident reporting. But distributed analysis must
guarantee that the partial information it uses is sufficient to determine a
threat. All analyses must consider the configuration of the cloud and its
tenant services and resources.

The goal of this one day workshop is to bring together researchers and
practitioners to explore and assess varied and viable technologies for
capturing security relevant events throughout the cloud and performing
monitoring and analyses on the captured information to detect, prevent, and
mitigate security threats.
List of topics include:
- Languages and protocols for specifying, composing, and analyzing
  security-relevant, distributed logs of audit data from a cloud-wide
  perspective
- Cloud security, threat modeling, and analysis, including
  centralized/distributed attack detection and prediction/prevention
  algorithms based on audited information, and automated tools for
  capturing, integrating, and analyzing cloud audit data
- Algorithms and protocols for audit data stream delivery, manipulation,
  and analysis for big cloud audit data
- Access control and information flow control models for disclosure and
  modification of sensitive cloud audit data
- Methods for expressing and representing the cloud infrastructure and
  configuration to influence logging and monitoring processes
- Information assurance (authenticity, integrity, confidentiality and
  availability) of cloud audit data, including security and privacy
  policies and compliance with security controls such as NIST SP 800-53
  and Cloud Security Alliance guidance 3.0
- Service-level agreements that formalize and guarantee logging and
  analysis capabilities

-------------------------------------------------------------------------
RFIDSEC 2013 9th Workshop on RFID Security, Graz, Austria, July 9-11, 2013.
(Submissions due 2 April 2013)
http://rfidsec2013.iaik.tugraz.at/

RFIDsec is the premier workshop devoted to security and privacy in Radio
Frequency Identification (RFID) with participants throughout the world.
RFIDsec brings together researchers from academia and industry for topics
of importance to improving the security and privacy of RFID, NFC,
contactless technologies, and the Internet of Things. RFIDsec bridges the
gap between cryptographic researchers and RFID developers through invited
talks and contributed presentations.
Topics of the workshop include but are not limited to:
- New applications for secure RFID, NFC, and other constrained systems
- Resource-efficient implementations of cryptography
  o Small-footprint hardware and/or software
  o Low-power and/or low energy implementations
- Attacks on RFID systems: Side-channel attacks, Fault attacks, Hardware
  tampering
- Data protection and privacy-enhancing techniques
- Cryptographic protocols: Authentication protocols, Key distribution,
  Scalability issues
- Integration of secure RFID systems: Infrastructures, Middleware and
  security, Data mining and other systemic approaches to RFID security
- RFID hardware security: Physical Unclonable Functions (PUFs), RFID
  Trojans
- Case studies

-------------------------------------------------------------------------
FCS 2013 Workshop on Foundations of Computer Security, Tulane University,
New Orleans, Louisiana, USA, June 29, 2013. (Submissions due 10 April 2013)
http://prosecco.inria.fr/personal/bblanche/fcs13/

The aim of the workshop FCS'13 is to provide a forum for continued activity
in different areas of computer security, bringing computer security
researchers in closer contact with the LICS community and giving LICS
attendees an opportunity to talk to experts in computer security, on the
one hand, and contribute to bridging the gap between logical methods and
computer security foundations, on the other. We are interested both in new
results in theories of computer security and also in more exploratory
presentations that examine open questions and raise fundamental concerns
about existing theories, as well as in new results on developing and
applying automated reasoning techniques and tools for the formal
specification and analysis of security protocols. We thus solicit
submissions of papers both on mature work and on work in progress.
Possible topics include, but are not limited to:
- Automated reasoning techniques
- Composition issues
- Formal specification
- Foundations of verification
- Information flow analysis
- Language-based security
- Logic-based design
- Program transformation
- Security models
- Static analysis
- Statistical methods
- Tools
- Trust management

-------------------------------------------------------------------------
CMS 2013 14th Joint IFIP TC6 and TC11 Conference on Communications and
Multimedia Security, Magdeburg, Germany, September 25-26, 2013.
(Submissions due 15 April 2013)
http://www.cms2013.de

The conference provides a forum for engineers and scientists in
information security. Both state-of-the-art issues and practical
experiences as well as new trends in these areas will once more be the
focus of interest, just as at preceding conferences. The conference will
address in particular security and privacy issues in mobile contexts, web
services (including social networking) and ubiquitous environments.

We solicit papers describing original ideas and research results on topics
that include, but are not limited to: applied cryptography, biometrics,
forensics, secure documents and archives, multimedia systems security,
digital watermarking, distributed DRM policies, attack resistant rendering
engines, adaptive anomaly detection, censorship resistance, risk
management, mobility and security/privacy, mobile identities, privacy
enhanced identity management, security/privacy policies and preferences,
social networks security/privacy, security/privacy in geo-localized
applications, security/privacy in VoIP, security policies (including usage
control), web services security, economics of network and information
security (NIS), SOA security, ubiquitous and ambient computing security,
cloud computing security/privacy, wireless and ad hoc network security,
RFID tags and (multimedia) sensor nodes security, security technology
effectiveness, incentivizing security.
-------------------------------------------------------------------------
SeCIHD 2013 3rd IFIP International Workshop on Security and Cognitive
Informatics for Homeland Defense, Held in conjunction with the 8th ARES
Conference (ARES 2013), Regensburg, Germany, September 2-6, 2013.
(Submissions due 15 April 2013)
http://isyou.info/conf/secihd13/

In recent years significant work has been undertaken by governments and
local agencies with respect to the protection of critical infrastructures
and public-private sector coordination in the event of a cyber-attack.
Threats to cities and their social infrastructures, e.g. from crime and
terrorism, endanger human life directly and indirectly. Resilience of
critical infrastructures is gaining importance as a core concept to cope
with such threats. In general, this means strengthening social
infrastructures to prevent or mitigate such threats and to consistently
deliver the intended services in a trustworthy and "normal" way even in
changing situations. Information and communication technology (ICT)
infrastructure is a primary part of the social infrastructure and therefore
one of the central objects of these attacks. As a consequence, effective
response capabilities must be properly organized and closely coordinated
because, at the time of a cyber-attack, it is not possible to immediately
determine whether the attacker is a script kiddie, an insider, a rogue
actor (organized crime, terrorist organization, or radical), or a nation
state. Unlike traditional defense categories (i.e., land, air, and sea),
the capabilities required to respond to an attack on critical
infrastructures will necessarily involve infrastructure owned and operated
by both the public and the private sector. Exercising for effective digital
systems security thus becomes a crucial task in order to strengthen the
resilience of IT systems against arising threats.
Advanced information technologies that are able to analyze and interpret
complex patterns or situations and take the proper decisions in terms of
countermeasures are the basic building blocks of the above solutions. In
this context, it is worth noting research that combines security and
defense aspects with achievements in designing advanced systems for the
acquisition and sophisticated semantic analysis of complex image patterns
and group behaviors. Such systems use cognitive models of semantic
interpretation and can be applied to develop, e.g., algorithms and
protocols used for the security of computer systems themselves, but also to
ensure the confidentiality and security of communication networks. Thus,
the aim of this workshop is collecting and discussing new ideas and
solutions that can be used to develop globally understood safe solutions
connected with activities to strengthen national defense capability.

The workshop topics include (but are not limited to):
- Homeland Security and Information Processing
- Investigative and Computer System Related Forensic Techniques, Trends
  and Methods
- Network Forensics, Wireless and Mobile Forensics
- Cyber-Defense Threat Analysis
- Emergency Management, Including Prevention, Planning, Response, and
  Recovery
- Secure Communications, Cyber-Attack Countermeasures
- Vulnerability Analysis and Countermeasures
- Anomaly Detection
- Information Sharing and Secrecy
- Cryptographic Models for Homeland Defense
- Personal Security and Biometrics
- Intelligent Robots and Unmanned Vehicles
- Target and Pattern Recognition
- Sensor and Data Analysis
- Semantic Image and Data Processing
- Information Fusion
- Emerging Threats in Intelligent Energy Systems
- Advanced Vision Algorithms
- Security and Privacy in Ambient Intelligence
- Context and Location-aware Computing
- Embedded Systems in Security
- Knowledge-based Systems for Internet Security
- Security Issues and Protocols for Internet Services
- Privacy and Trust for Internet Services
- Artificial Intelligence and Computational Intelligence
- Cognitive Informatics
- Security and Privacy in Power-Grid Systems
- Cognitive Models of the Brain
- Mathematical Foundations of Computing and Cryptography
- Biologically Inspired Information Systems and Secret Data Management
- Cognitive Image and Scene Understanding
- Intelligent Health Technologies

-------------------------------------------------------------------------
TGC 2013 8th International Symposium on Trustworthy Global Computing,
Buenos Aires, Argentina, August 30-31, 2013. (Submissions due 15 April 2013)
http://sysma.lab.imtlucca.it/tgc2013/

The Symposium on Trustworthy Global Computing is an international annual
venue dedicated to safe and reliable computation in the so-called global
computers, i.e., those computational abstractions emerging in large-scale
infrastructures such as service-oriented architectures, autonomic systems
and cloud computing. The TGC series focuses on providing frameworks, tools,
algorithms and protocols for designing open-ended, large-scaled
applications and for reasoning about their behaviour and properties in a
rigorous way. The related models of computation incorporate code and data
mobility over distributed networks that connect heterogeneous devices and
have dynamically changing topologies.

We solicit papers in all areas of global computing, including (but not
limited to):
- theories, languages, models and algorithms
- language concepts and abstraction mechanisms
- security, trust, privacy and reliability
- resource usage and information flow policies
- software development and software principles
- model checkers, theorem provers and static analyzers

-------------------------------------------------------------------------
PRISMS 2013 International Conference on Privacy and Security in Mobile
Systems, Atlantic City, NJ, USA, June 24-27, 2013.
(Submissions due 29 April 2013)
http://www.gws2013.org/prisms/

PRISMS is the successor of MobiSec (International Conference on Security
and Privacy in Mobile Information and Communication Systems). The
conference under a new name (PRISMS) is organized this year with the
co-sponsorship of IEEE. Its focus is the convergence of information and
communication technology in mobile scenarios. This convergence is realised
in intelligent mobile devices, accompanied by the advent of next-generation
communication networks. Privacy and security aspects need to be covered at
all layers of mobile networks, from mobile devices, to privacy respecting
credentials and mobile identity management, up to machine-to-machine
communications. In particular, mobile devices such as Smartphones and
Internet Tablets have been very successful in commercialization. However,
their security mechanisms are not always able to deal with the growing
trend of information-stealing attacks. As mobile communication and
information processing becomes a commodity, economy and society require
protection of this precious resource. Mobility and trust in networking go
hand in hand for future generations of users, who need privacy and security
at all layers of technology. In addition, the introduction of new data
collection practices and data-flows (e.g. sensing data) from the mobile
device makes it more difficult to understand the new security and privacy
threats introduced.

PRISMS strives to bring together the leading edge of academia and industry
in mobile systems security, as well as practitioners, standards developers
and policymakers. Contributions may range from architecture designs and
implementations to cryptographic solutions for mobile and
resource-constrained devices.

-------------------------------------------------------------------------
ICICS 2013 15th International Conference on Information and Communications
Security, Beijing, China, November 20-22, 2013.
(Submissions due 6 May 2013)
http://icsd.i2r.a-star.edu.sg/icics2013/

The 2013 International Conference on Information and Communications
Security will be the 15th event in the ICICS conference series, started in
1997, that brings together individuals involved in multiple disciplines of
Information and Communications Security in order to foster exchange of
ideas. Original papers on all aspects of Information and Communications
Security are solicited for submission to ICICS 2013.

Areas of interest include, but are not limited to:
- Access control
- Anonymity
- Anti-Virus and Anti-Worms
- Authentication and Authorization
- Biometric Security
- Cloud Security
- Computer / Digital Forensics
- Data and System Integrity
- Database Security
- Distributed Systems Security
- Electronic Commerce Security
- Engineering issues of Crypto/Security Systems
- Fraud Control
- Grid Security
- Information Hiding and Watermarking
- Intellectual Property Protection
- Intrusion Detection
- Key Management and Key Recovery
- Language-based Security
- Network Security
- Operating System Security
- Privacy Protection
- Risk Evaluation and Security Certification
- Security for Mobile Computing
- Security Models
- Security Protocols
- Smartphone Security
- Trusted and Trustworthy Computing

-------------------------------------------------------------------------
SeTTIT 2013 Workshop on Security Tools and Techniques for Internet of
Things, Co-located with the BODYNETS 2013 conference, Boston,
Massachusetts, USA, September 30 - October 2, 2013.
(Submissions due 6 May 2013)
http://settit.bodynets.org/2013/show/home

E-health systems have the objective to continuously monitor the state of
patients in order to increase knowledge and understanding of their physical
status. Being a system of systems, the Internet of Things (IoT) has to
master the challenge of integrating heterogeneous systems across technology
boundaries.
Timely delivery of observation data is a key aspect to identifying potential diseases and anomalies. IoT systems are vulnerable to attacks since communication is mostly wireless and thus vulnerable to eavesdropping, things are usually unattended and thus vulnerable to physical attacks, and most IoT elements are short on both the energy and computing resources necessary for the implementation of complex security-supporting schemes. Among the plethora of applications that can benefit from the IoT, the workshop will have a particular focus on security aspects in eHealth and in the broad-sense of well-being. Security aspects in other application domains of the IoT are also of interest. The workshop will address security issues that are particular to the context of using IoT for eHealth including threat modeling, risk assessment, privacy, access control, and fault-tolerance. Theoretical, modeling, implementation, and experimentation issues will be discussed to build an accurate general view on the security of medical BANs. One of the major challenges that will be underlined by the workshop participants is the combination of different security models needed for the sub-networks of the IoT (e.g., BAN, PAN, LAN, MANET) with consideration of the severe computational, storage, and energy limitations of the elementary smart nodes. We encourage contributions describing innovative work addressing the use of information and communication technologies in medical applications. 
Topics of interest include, but are not limited to:
- Definition of accurate metrics to assess the threats and the risks
  associated with IoT for eHealth
- Identification and description of new attack scenarios that are specific
  to IoT architectures
- Context-awareness for IoT security in eHealth
- Soft trust management in IoT
- Risk-based adaptive security for IoT
- Analytics and predictive models for adaptive security in IoT
- Adaptive security decision-making models for IoT
- Evaluation and validation models for adaptive security in IoT
- Lightweight cryptographic protocols for IoT
- Investigation of the security properties that should be fulfilled by the
  transmission of patient data across body area networks
- Designing secure heterogeneous BAN architectures for eHealth applications
- Implementing practical testbeds that allow the analysis of the security
  performance of BANs
- Monitoring the security level of the eHealth applications relying on IoT
- Analyzing the results of experiments conducted using real patient data
  and studying the security performance of the associated architectures

-------------------------------------------------------------------------
CCS 2013 20th ACM Conference on Computer and Communications Security,
Berlin, Germany, November 4-8, 2013. (Submissions due 8 May 2013)
http://www.sigsac.org/ccs/CCS2013/

The ACM Conference on Computer and Communications Security (CCS) is the
flagship annual conference of the Special Interest Group on Security, Audit
and Control (SIGSAC) of the Association for Computing Machinery (ACM). The
conference brings together information security researchers, practitioners,
developers, and users from all over the world to explore cutting-edge ideas
and results. It provides an environment to conduct intellectual
discussions. From its inception, CCS has established itself as a high
standard research conference in its area.
-------------------------------------------------------------------------
SECURECOMM 2013 9th International ICST Conference on Security and Privacy
in Communication Networks, Sydney, Australia, September 25-27, 2013.
(Submissions due 10 May 2013)
http://securecomm.org/2013/

Securecomm seeks high-quality research contributions in the form of
well-developed papers. Topics of interest encompass research advances in
ALL areas of secure communications and networking. Topics in other areas
(e.g., formal methods, database security, secure software, theoretical
cryptography) will be considered only if a clear connection to private or
secure communication/networking is demonstrated.

Topics of interest include, but are not limited to, the following:
- Security & Privacy in Wired, Wireless, Mobile, Hybrid, Sensor, Ad Hoc
  networks
- Network Intrusion Detection and Prevention, Firewalls, Packet Filters
- Malware, botnets and Distributed Denial of Service
- Communication Privacy and Anonymity
- Network and Internet Forensics Techniques
- Public Key Infrastructures, Key Management, Credential Management
- Secure Routing, Naming/Addressing, Network Management
- Security & Privacy in Pervasive and Ubiquitous Computing, e.g., RFIDs
- Security & Privacy for emerging technologies: VoIP, peer-to-peer and
  overlay network systems

-------------------------------------------------------------------------
IWSEC 2013 8th International Workshop on Security, Okinawaken Shichouson
Jichikaikan, Japan, November 18-20, 2013. (Submissions due 13 May 2013)
http://www.iwsec.org/2013/

Original papers on the research and development of various security
topics, as well as case studies and implementation experiences, are
solicited for submission to IWSEC 2013.
Topics of interest for IWSEC 2013 include but are not limited to:
- Anonymity
- Application Security
- Authentication, Authorization and Access Control
- Biometrics
- Block/Stream Ciphers
- Cloud Computing Security
- Cryptographic Implementations and their Analysis
- Cryptographic Protocols
- Cryptanalysis
- Data and System Integrity
- Database Security
- Digital Forensics
- Digital Signatures
- E-business/e-commerce/e-government Security
- Hash Functions
- Information Hiding
- Information Law and Ethics
- Intellectual Property Protection
- Intrusion Prevention and Detection
- Malware Prevention and Detection
- Mobile System Security
- Network Security
- Privacy Preserving Systems
- Public Key Cryptosystems
- Quantum Security
- Risk Analysis and Risk Management
- Security Architectures
- Security for Consumer Electronics
- Security for Critical Infrastructures
- Security Management
- Secure Multiparty Computation
- Security for Ubiquitous/Pervasive Computing
- Smart Card and RFID Security
- Software Security
- System Security
- Web Security

-------------------------------------------------------------------------
SOUPS-RISK 2013 Workshop on Risk Perception in IT Security and Privacy,
Newcastle, UK, July 24-26, 2013. (Submissions due 30 May 2013)
http://cups.cs.cmu.edu/soups/2013/risk.html

This workshop is an opportunity to bring together researchers and
practitioners to share experiences, concerns and ideas about how to address
the gap between user perception of IT risks and security / organizational
requirements for security and privacy. Willingness to perform actions for
security purposes is strongly determined by the costs and perceived benefit
to the individual. When end-users' perceptions of risk are not aligned with
those of the organization or system, there is a mismatch in perceived
benefit, leading to poor user acceptance of the technology.
For example, organizations face complex decisions when pushing valuable
information across the network to mobile devices, web clients,
automobiles and other embedded systems. This may impose burdensome
security decisions on employees and clients due to the risks of devices
being lost or stolen, shoulder surfing, eavesdropping, etc. Effective
risk communication can provide a shared understanding of the need for,
and benefits of, secure approaches and practices.

While risk perception has been studied in non-IT contexts, how well
people perceive and react to IT risk is less well understood. How systems
measure IT risk, how it is best communicated to users, and how to best
align these often misaligned perspectives is poorly understood. Risk
taking decisions (policies) are increasingly being pushed out to users
who are frequently ill prepared to make complex technical security
decisions based on limited information about the consequences of their
actions. In other risk domains we know that non-experts think and respond
to risk very differently than experts. Non-experts often rely on affect,
and may be unduly influenced by the perceived degree of damage that will
be caused. Experts, and risk evaluation systems, use statistical
reasoning to assess risk.

The purpose of this workshop is to bring together researchers and
practitioners to share experiences, concerns and ideas about how to
address the gap between user perception of IT risks and security /
organizational requirements for security and privacy. Topics of interest
include:
- Human decision and different attack types: Malware, eavesdropping,
  inadvertent loss / disclosure of information, phishing, browser
  attacks, etc.
- Research methods and metrics for assessing perception of risk
- Assessing value of assets and resources at risk
- Communicating and portrayal of risk - security indicators, status
  indicators, etc.
- Organizational versus personal risk
- The psychology of risk perception
- Behavioral aspects of risk perception
- Real versus perceived risk
- Other topics related to measuring IT risk and/or user perception of IT
  risk

-------------------------------------------------------------------------
SIN 2013
6th International Conference on Security of Information and Networks,
Aksaray, Turkey, November 26-28, 2013.
(Submissions due 30 June 2013)
please see http://www.sinconf.org

The 6th International Conference on Security of Information and Networks
(SIN 2013) provides an international forum for presentation of research
and applications of security in information and networks. Papers
addressing all aspects of security in information and networks are being
sought. Researchers and industrial practitioners working on the following
and related subjects are especially encouraged: Development and
realization of cryptographic solutions, security schemes, new algorithms;
critical analysis of existing approaches; secure information systems,
especially distributed control and processing applications, and security
in networks; interoperability, service levels and quality issues in such
systems; information assurance, security, and public policy; detection
and prevention of cybercrimes such as fraud and phishing; next generation
network architectures, protocols, systems and applications; industrial
experiences and challenges of the above.

-------------------------------------------------------------------------
RFIDsec-Asia 2013
Workshop on RFID and IoT Security, Guangzhou, China, November 27, 2013.
(Submissions due 1 July 2013)
http://www.inscrypt.cn/2013/Inscrypt_2013/CFP-RFIDsecAsia.htm

The workshop series of RFIDsec Asia, the Asia branch of RFIDsec, aims to
provide researchers, enterprises and governments a platform to
investigate, discuss and propose new solutions on security and privacy
issues of RFID/IoT (Internet of Things) technologies and applications.
Papers with original research in theory and practical system design
concerning RFID/IoT security are solicited. Topics of interest include,
but are not limited to, the following:
- New applications for secure RFID/IoT systems
- Data integrity and privacy protection techniques for RFID/IoT
- Attacks and countermeasures on RFID/IoT systems
- Design and analysis on secure RFID/IoT hardware
- Risk assessment and management on RFID/IoT applications
- Trust model, data aggregation and information sharing for EPCglobal
  network
- Resource efficient implementation of cryptography
- Integration of secure RFID/IoT systems

-------------------------------------------------------------------------
VizSec 2013
10th International Symposium on Visualization for Cyber Security, Atlanta
GA, USA, October 14, 2013.
(Submissions due 8 July 2013)
http://www.vizsec.org/

The 10th International Symposium on Visualization for Cyber Security
(VizSec) is a forum that brings together researchers and practitioners
from academia, government, and industry to address the needs of the cyber
security community through new and insightful visualization and analysis
techniques. VizSec will provide an excellent venue for fostering greater
exchange and new collaborations on a broad range of security- and
privacy-related topics. Important research problems often lie at the
intersection of disparate domains. Our focus is to explore effective,
scalable visual interfaces for security domains, where visualization may
provide a distinct benefit, including computer forensics, reverse
engineering, insider threat detection, cryptography, privacy, preventing
'user assisted' attacks, compliance management, wireless security, secure
coding, and penetration testing in addition to traditional network
security. Human time and attention are precious resources.
We are particularly interested in visualization and interaction
techniques that effectively capture human analyst insights so that
further processing may be handled by machines, freeing the analyst for
other tasks. For example, a malware analyst might use a visualization
system to analyze a new piece of malicious software and then facilitate
generating a signature for future machine processing. When appropriate,
research that incorporates multiple data sources, such as network packet
captures, firewall rule sets and logs, DNS logs, web server logs, and/or
intrusion detection system logs, is particularly desirable.

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to
   cipher-admin@ieee-security.org (which is NOT automated) with subject
   line "subscribe".

   OR send a note to cipher-request@mailman.xmission.com with the subject
   line "subscribe" (this IS automated - thereafter you can manage your
   subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER
   is available for Web browsing send e-mail to
   cipher-admin@ieee-security.org (which is NOT automated) with subject
   line "subscribe postcard".
   OR send a note to cipher-postcard-request@mailman.xmission.com with
   the subject line "subscribe" (this IS automated - thereafter you can
   manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to
cipher-admin@ieee-security.org with subject line "unsubscribe" or
"unsubscribe postcard" or, if you have subscribed directly to the
xmission.com mailing list, use your password (sent monthly) to
unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that
way. It can be found at URL
http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a
NEWSletter, not a bulletin board or forum. It has a fixed set of
departments, defined by the Table of Contents. Please indicate in the
subject line for which department your contribution is intended.
Calendar and Calls-for-Papers entries should be sent to
cipher-cfp @ ieee-security.org and they will be automatically included
in both departments. To facilitate the semi-automated handling, please
send either a text version of the CFP or a URL from which a text version
can be easily obtained. For Calendar entries, please include a URL and/or
e-mail address for the point-of-contact. For Calls for Papers, please
submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS
APPLY. All reuses of Cipher material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy,
publications using Cipher material should obtain permission from the
contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security
and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy by completing the
on-line form at IEEE at
https://www.ieee.org/membership-catalog/productdetail/showProductDetailPage.html?product=CMYSP728

______________________________________________________________________
TC Publications for Sale
______________________________________________________________________

IEEE Security and Privacy Symposium

The 2010 hardcopy proceedings are available at $25 each. The DVD with all
technical papers from all years of the SP Symposium and the CSF Symposium
(through 2009) is $10, plus shipping and handling.

The 2009 hardcopy proceedings are not available. The DVD with all
technical papers from all years of the SP Symposium and the CSF Symposium
is $5, plus shipping and handling.

The 2008 hardcopy proceedings are $10 plus shipping and handling; the
29 year CD is $5.00, plus shipping and handling.

The 2007 proceedings are available in hardcopy for $10.00, the 28 year CD
is $5.00, plus shipping and handling.

The 2006 Symposium proceedings and 11-year CD are sold out.

The 2005, 2004, and 2003 Symposium proceedings are available for $10
plus shipping and handling.

Shipping is $5.00/volume within the US, overseas surface mail is
$8/volume, and overseas airmail is $14/volume, based on an order of 3
volumes or less. The shipping charge for a CD is $3 per CD (no charge if
included with a hard copy order).
Send a check made out to the IEEE Symposium on Security and Privacy to
the 2011 treasurer (below) with the order description, including shipping
method and shipping address.

Robin Sommer
Treasurer, IEEE Symposium Security and Privacy 2011
International Computer Science Institute
Center for Internet Research
1947 Center St., Suite 600
Berkeley, CA 94704 USA
oakland11-treasurer@ieee-security.org

IEEE CS Press

You may order some back issues from IEEE CS Press at
http://www.computer.org/cspress/catalog/proc9.htm

Computer Security Foundations Symposium

Copies of the proceedings of the Computer Security Foundations Workshop
(now Symposium) are available for $10 each. Copies of proceedings are
available starting with year 10 (1997). Photocopy versions of year 1 are
also $10. Contact Jonathan Herzog if interested in purchase.

Jonathan Herzog
jherzog@alum.mit.edu

____________________________________________________________________________
TC Officers and SP Steering Committee
____________________________________________________________________________

Chair:
Sven Dietrich
Department of Computer Science
Stevens Institute of Technology
+1 201 216 8078
spock AT cs.stevens.edu

Security and Privacy Symposium Chair Emeritus:
Robert Cunningham
MIT Lincoln Laboratories
http://www.ll.mit.edu/mission/communications/ist/biographies/cunningham-bio.html

Vice Chair:
Patrick McDaniel
Computer Science and Engineering
Pennsylvania State University
360 A IST Building
University Park, PA 16802
(814) 863-3599
mcdaniel@cse.psu.edu

Treasurer:
Terry Benzel
USC Information Sciences Intnl
4676 Admiralty Way, Suite 1001
Los Angeles, CA 90292
(310) 822-1511 (voice)
tbenzel @isi.edu

Newsletter Editor and TC Awards Chair:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

Security and Privacy Symposium, 2013 Chair:
Robin Sommer
http://www.icir.org/robin

________________________________________________________________________
BACK ISSUES:

Cipher is archived at:
http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year