Commentary and Opinion
Richard Austin's review of The CERT Guide to Insider Threats by Dawn Cappelli, Andrew Moore and Randall Trzeciak
Some recent headlines (please contribute!)
Listing of academic positions available by
Conference and Workshop Announcements
Cipher calendar announcements are on Twitter; follow "ciphernews"
New calls or announcements added since Cipher E113 (the calls-for-papers and the calendar announcements may differ slightly in content or time of update):
IEEE Security & Privacy Magazine, Special Issue on Moving-Target Defense
(Optional) Abstract submissions due to the guest editors: 1 June 2013
Articles due to ScholarOne: 1 July 2013
Publication date: March/April 2014
Submit papers to ScholarOne at https://mc.manuscriptcentral.com/cs-ieee
Questions: Contact guest editors Luanne Goldrich (Johns Hopkins University Applied Physics Laboratory, Luanne.Goldrich@jhuapl.edu) and Carl Landwehr (George Washington University, Carl.Landwehr@gmail.com).
Hitting a moving target is usually more difficult than hitting a stationary one. In World War II, naval ships zigzagged through the water to make it harder for submarines to torpedo them, and Hedy Lamarr and George Antheil's invention of frequency-hopping eventually made radio communications harder to jam. But some defensive techniques -- like zigzagging -- are soon negated by effective countermeasures. So how can we embrace a moving-target defense that has promise for long-term effectiveness?
Typically, in a moving-target defense, some aspect of the computing environment on which an attacker depends changes either over time or between systems. Rather than just trying to remove all vulnerabilities, software (or hardware) diversification hopes to make the attacker work harder by needing to find the vulnerability anew in each system. For example, techniques such as address space layout randomization (ASLR) can change vulnerabilities' locations in a single system over time.
Moving-target defenses in cyberspace have been an announced priority for research programs for several years; an increasing number of techniques has been proposed, and some (such as ASLR) have been widely deployed. This special issue of IEEE Security & Privacy magazine seeks papers that characterize the state of the art and future directions in moving-target defense. Papers should address questions such as:
We welcome case studies, experience reports, practices, research results, and standards reports. Our readers are eager to hear about industry experiences, especially resulting from empirical studies that help us learn how past successes and failures should inform the next generation.
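The call above uses ASLR as its example of a defense that moves the target "in a single system over time". The following script, an added illustration that is not part of the Cipher call or the guest editors' material, makes that movement observable: it starts several fresh interpreter processes, has each report the address of libc's printf (a code address) and of a small heap object, and counts how many address bits actually changed between runs. It assumes Linux or macOS (ctypes.CDLL(None) resolves symbols of the running process) and that ASLR is enabled; the child snippet and the helper names are constructed for this example.

```python
"""Observe ASLR directly: spawn fresh interpreter processes and compare the
addresses they report for the same libc function and for a heap object.
Assumes Linux or macOS and an ASLR-enabled kernel (example code, not from
the call for papers)."""
import subprocess
import sys
from typing import List, Optional, Tuple

# Code run in each child process (constructed for this example): resolve
# libc's printf via the process's own symbol table and allocate one heap object.
CHILD_SNIPPET = r"""
import ctypes
libc = ctypes.CDLL(None)                                 # symbols of the running process, incl. libc
code = ctypes.cast(libc.printf, ctypes.c_void_p).value   # an address inside libc's text segment
heap = ctypes.addressof(ctypes.c_int(0))                 # address of a fresh heap allocation
print(code, heap)
"""


def aslr_kernel_mode() -> Optional[str]:
    """Linux sysctl kernel.randomize_va_space: '0' off, '1' stack/mmap/vdso,
    '2' also brk. Returns None where the file does not exist (e.g. macOS)."""
    try:
        with open("/proc/sys/kernel/randomize_va_space") as f:
            return f.read().strip()
    except OSError:
        return None


def sample_addresses(runs: int = 4) -> List[Tuple[int, int]]:
    """Run the snippet in `runs` separate processes; return (code, heap) pairs."""
    samples = []
    for _ in range(runs):
        proc = subprocess.run([sys.executable, "-c", CHILD_SNIPPET],
                              capture_output=True, text=True, check=True)
        code, heap = (int(x) for x in proc.stdout.split())
        samples.append((code, heap))
    return samples


def randomized_bits(values: List[int]) -> int:
    """Number of bit positions that differ across the samples (OR of XORs with
    the first sample, then popcount). This is a lower bound on the entropy the
    kernel actually applied; more runs tighten it."""
    diff = 0
    for v in values[1:]:
        diff |= v ^ values[0]
    return bin(diff).count("1")


def aslr_report(runs: int = 4) -> dict:
    """Collect addresses from `runs` processes and summarize what moved."""
    samples = sample_addresses(runs)
    codes = [c for c, _ in samples]
    heaps = [h for _, h in samples]
    return {
        "kernel_mode": aslr_kernel_mode(),
        "code_addresses": codes,
        "heap_addresses": heaps,
        "code_varies": len(set(codes)) > 1,
        "heap_varies": len(set(heaps)) > 1,
        "code_varying_bits": randomized_bits(codes),
        "heap_varying_bits": randomized_bits(heaps),
    }


if __name__ == "__main__":
    for key, value in aslr_report().items():
        if isinstance(value, list):
            value = [hex(v) for v in value]
        print(f"{key}: {value}")
```

If `code_varies` is False on a Linux box, check `kernel_mode` (0 disables ASLR system-wide) and whether the interpreter was built as a position-independent executable; a non-PIE binary still gets randomized libraries but a fixed main image. The varying-bit counts also show why brute force against a re-randomized target is expensive: each attempt faces a fresh layout.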
SOUPS-RISK 2013 Workshop on Risk Perception in IT Security and Privacy, Newcastle, UK, July 24-26, 2013. (Submissions due 30 May 2013)
This workshop is an opportunity to bring together researchers and practitioners to share experiences, concerns and ideas about how to address the gap between users' perception of IT risks and security / organizational requirements for security and privacy. Willingness to perform actions for security purposes is strongly determined by the costs and perceived benefit to the individual. When end-users' perceptions of risk are not aligned with those of the organization or system, there is a mismatch in perceived benefit, leading to poor user acceptance of the technology. For example, organizations face complex decisions when pushing valuable information across the network to mobile devices, web clients, automobiles and other embedded systems. This may impose burdensome security decisions on employees and clients because of the risks of devices being lost or stolen, shoulder surfing, eavesdropping, etc. Effective risk communication can provide a shared understanding of the need for, and benefits of, secure approaches and practices. While risk perception has been studied in non-IT contexts, how well people perceive and react to IT risk is less well understood. How systems measure IT risk, how it is best communicated to users, and how best to align these often misaligned perspectives is poorly understood. Risk-taking decisions (policies) are increasingly being pushed out to users, who are frequently ill prepared to make complex technical security decisions based on limited information about the consequences of their actions. In other risk domains we know that non-experts think about and respond to risk very differently than experts. Non-experts often rely on affect, and may be unduly influenced by the perceived degree of damage that will be caused; experts, and risk evaluation systems, use statistical reasoning to assess risk.
The purpose of this workshop is to bring together researchers and practitioners to share experiences, concerns and ideas about how to address the gap between user perception of IT risks and security / organizational requirements for security and privacy. Topics of interest include:
WISA 2013 14th International Workshop on Information Security Applications, Jeju Island, Korea, August 19-21, 2013. (Submissions due 31 May 2013)
This year's program committee chairs have decided to make WISA a venue for discussing system security and offensive technology issues among researchers in Asia. More specifically, it will resemble two well-known conferences: USENIX Security and WOOT. The primary focus of WISA 2013, therefore, is on systems and network security, and the secondary focus is on offensive technology. Accordingly, the workshop will be composed of two tracks: regular and OT (Offensive Technology). Regular paper submissions are solicited in all areas relating to systems and network security, including:
DPM 2013 8th International Workshop on Data Privacy Management, Held in conjunction with ESORICS 2013, Egham, U.K., September 12-13, 2013. (Submissions due 2 June 2013)
The aim of this workshop is to discuss and exchange ideas related to data privacy management. We invite researchers and practitioners working in privacy, security, trustworthy data systems and related areas to submit their original papers to this workshop. Topics of interest include, but are not limited to, the following:
CRiSIS 2013 8th International Conference on Risks and Security of Internet and Systems, La Rochelle, France, October 23-25, 2013. (Submissions due 3 June 2013)
The topics addressed by CRiSIS range from the analysis of risks and attacks on networks and system survivability to security models, security mechanisms and privacy enhancing technologies. Prospective authors are invited to submit research results as well as practical experiment or deployment reports. Industrial papers about applications and case studies, such as telemedicine, banking, e-government and critical infrastructure, are also welcome. The list of topics includes but is not limited to:
QASA 2013 2nd International Workshop on Quantitative Aspects in Security Assurance, Held in conjunction with ESORICS 2013, Egham, U.K., September 12-13, 2013. (Submissions due 5 June 2013)
There is an increasing demand for techniques to deal with quantitative aspects of security assurance at several levels of the development life-cycle of systems & services, e.g., from requirements elicitation to run-time operation and maintenance. The aim of this workshop is to bring together researchers and practitioners interested in these research topics, with a particular emphasis on techniques for service-oriented architectures. The scope of the workshop is intended to be broad, including aspects such as dependability, privacy, risk and trust. The list of topics includes, but is not limited to:
BigSecurity 2013 1st International Workshop on Security and Privacy in Big Data, Held in conjunction with Globecom 2013, Atlanta, Georgia, USA, December 9-13, 2013. (Submissions due 10 June 2013)
As we move deeper into the Information Age, we witness the explosive growth of data available on the Internet. In 2012, for example, people created about 2.5 quintillion bytes of data every day, coming from sensors, individual archives, social networks, the Internet of Things, enterprises and the Internet in all scales and formats. We face one of the most challenging issues of the day: how to effectively manage such a large amount of data and identify new ways to analyze it and unlock information. This issue, known as Big Data, has been emerging as a hot topic in Information and Communication Technologies (ICT) research. Security and privacy are critical for Big Data. Much work has focused on the business, application and information-processing aspects of Big Data, such as data mining and analysis. However, security and privacy issues in Big Data have seldom been addressed to date. Because of its extraordinary scale, security and privacy in Big Data face many challenges, such as efficient encryption and decryption algorithms, encrypted information retrieval, attribute-based encryption, and attacks on the availability, reliability and integrity of Big Data. This workshop offers a timely venue for researchers and industry partners to present and discuss their latest results in security and privacy work related to Big Data.
SafeConfig 2013 6th Symposium on Security Analytics and Automation, Washington, D.C., USA, October 14, 2013. (Submissions due 25 June 2013)
New, sophisticated cyber security threats demand new security management approaches that offer holistic security analytics based on system data, including configurations, logs and network traffic. Security analytics must be able to handle large volumes of data in order to model, integrate, analyze and respond to threats in real time. The system configuration/policy is a key component that determines the security and resiliency of networked information systems and services. However, a typical enterprise networked environment contains thousands of network and security devices and millions of inter-dependent configuration variables (e.g., rules) that orchestrate the end-to-end system behavior globally. As current technology moves toward "smart" cyber infrastructure and open networking platforms (e.g., OpenFlow and virtual computing), the need for security analytics and automation significantly increases. The coupled integration of network sensor data and configuration in a unified framework will enable intelligent response, automated defense, and network resiliency/agility. This symposium offers a unique opportunity by bringing together researchers from academia, industry and government agencies to discuss these challenges, exchange experiences, and propose joint plans for promoting research and development in this area. SafeConfig Symposium is a one-day program that will include invited talks, technical presentations of peer-reviewed papers, poster/demo sessions, and joint panels on research collaboration. SafeConfig Symposium solicits the submission of original unpublished ideas as 8-page long papers, 4-page short papers, or 2-page posters. Security analytics and automation for new emerging application domains such as clouds and data centers, cyber-physical systems, software-defined networking and the Internet of Things are of particular interest to the SafeConfig community.
SIN 2013 6th International Conference on Security of Information and Networks, Aksaray, Turkey, November 26-28, 2013. (Submissions due 30 June 2013)
The 6th International Conference on Security of Information and Networks (SIN 2013) provides an international forum for presentation of research and applications of security in information and networks. Papers addressing all aspects of security in information and networks are being sought. Researchers and industrial practitioners working on the following and related subjects are especially encouraged: Development and realization of cryptographic solutions, security schemes, new algorithms; critical analysis of existing approaches; secure information systems, especially distributed control and processing applications, and security in networks; interoperability, service levels and quality issues in such systems; information assurance, security, and public policy; detection and prevention of cybercrimes such as fraud and phishing; next generation network architectures, protocols, systems and applications; industrial experiences and challenges of the above.
RFIDsec-Asia 2013 Workshop on RFID and IoT Security, Guangzhou, China, November 27, 2013. (Submissions due 1 July 2013)
The workshop series of RFIDsec Asia, the Asia branch of RFIDsec, aims to provide researchers, enterprises and governments with a platform to investigate, discuss and propose new solutions to security and privacy issues of RFID/IoT (Internet of Things) technologies and applications. Papers with original research in theory and practical system design concerning RFID/IoT security are solicited. Topics of interest include, but are not limited to, the following:
eCrime 2013 8th IEEE eCrime Researchers Summit, San Francisco, California, USA, September 17-18, 2013. (Submissions due 5 July 2013)
eCRS 2013 consists of two full days that bring together academic researchers, security practitioners, and law enforcement to discuss all aspects of electronic crime and ways to combat it. Topics of interest include (but are not limited to):
VizSec 2013 10th International Symposium on Visualization for Cyber Security, Atlanta GA, USA, October 14, 2013. (Submissions due 8 July 2013)
The 10th International Symposium on Visualization for Cyber Security (VizSec) is a forum that brings together researchers and practitioners from academia, government, and industry to address the needs of the cyber security community through new and insightful visualization and analysis techniques. VizSec will provide an excellent venue for fostering greater exchange and new collaborations on a broad range of security- and privacy-related topics. Important research problems often lie at the intersection of disparate domains. Our focus is to explore effective, scalable visual interfaces for security domains, where visualization may provide a distinct benefit, including computer forensics, reverse engineering, insider threat detection, cryptography, privacy, preventing 'user assisted' attacks, compliance management, wireless security, secure coding, and penetration testing in addition to traditional network security. Human time and attention are precious resources. We are particularly interested in visualization and interaction techniques that effectively capture human analyst insights so that further processing may be handled by machines, freeing the analyst for other tasks. For example, a malware analyst might use a visualization system to analyze a new piece of malicious software and then facilitate generating a signature for future machine processing. When appropriate, research that incorporates multiple data sources, such as network packet captures, firewall rule sets and logs, DNS logs, web server logs, and/or intrusion detection system logs, is particularly desirable.
SPSM 2013 3rd Workshop on Security and Privacy in Smartphones and Mobile Devices, Held in conjunction with the ACM CCS 2013, Berlin, Germany, November 8, 2013. (Submissions due 22 July 2013)
The SPSM workshop intends to provide a venue for interested researchers and practitioners to get together and exchange ideas. The workshop will deepen our understanding of various security and privacy issues on smartphones. As with the two very well received previous editions, the topics of interest to SPSM 2013 include (but are not limited to) the following subject categories:
IFIP119-DF 2014 10th Annual IFIP WG 11.9 International Conference on Digital Forensics, Vienna University of Technology, Vienna, Austria, January 8-10, 2014. (Submissions due 15 September 2013)
The IFIP Working Group 11.9 on Digital Forensics (www.ifip119.org) is an active international community of scientists, engineers and practitioners dedicated to advancing the state of the art of research and practice in digital forensics. The Tenth Annual IFIP WG 11.9 International Conference on Digital Forensics will provide a forum for presenting original, unpublished research results and innovative ideas related to the extraction, analysis and preservation of all forms of electronic evidence. Papers and panel proposals are solicited. All submissions will be refereed by a program committee comprising members of the Working Group. Papers and panel submissions will be selected based on their technical merit and relevance to IFIP WG 11.9. The conference will be limited to approximately sixty participants to facilitate interactions between researchers and intense discussions of critical research issues. Technical papers are solicited in all areas related to the theory and practice of digital forensics. Areas of special interest include, but are not limited to:
POST 2014 3rd Conference on Principles of Security and Trust, Grenoble, France, April 7-11, 2014. (Submissions due 4 October 2013)
Principles of Security and Trust is a broad forum related to the theoretical and foundational aspects of security and trust. Papers of many kinds are welcome: new theoretical results, practical applications of existing foundational ideas, and innovative theoretical approaches stimulated by pressing practical problems. We seek submissions proposing theories to clarify security and trust within computer science; submissions establishing new results in existing theories; and also submissions raising fundamental concerns about existing theories. We welcome new techniques and tools to automate reasoning within such theories, or to solve security and trust problems. Case studies that reflect the strengths and limitations of foundational approaches are also welcome, as are more exploratory presentations on open questions. Areas of interest include:
IEEE Transactions on Reliability, Special Section on Trustworthy Computing, 2014, (Submission Due 1 November 2013)
Editors: Shiuhpyng Winston Shieh (National Chiao Tung University, Taiwan)
Trustworthy Computing (TC) has been applied to software-enabled computing systems and networks that are inherently secure, private, available, and reliable. As fast-growing mobile cloud computing expands to cover smart phones, tablets, smart TVs, and cloud computing platforms, these ubiquitous computing devices pose new challenges to trustworthy computing. Cloud computing offers organizations of all sizes the ability to embrace and implement new applications at far less cost than traditional approaches. Organizations that move workloads to the cloud take advantage of the capabilities of their cloud providers to ensure continuous availability of services. However, the ever-growing complexity of such systems and the software that controls them not only makes it much more difficult to guarantee their quality, but also introduces more vulnerabilities to malicious attacks, intrusion, and data loss. To address these needs, this special section calls for novel applications of emerging techniques for trustworthy computing of information, software, systems, and networks. Reviews and case studies that address state-of-the-art research and state-of-practice industry experiences are also welcome. The topics of interest include, but are not limited to:
Staying in touch....
IEEE Computer Society's Technical Committee on Security and Privacy