Electronic CIPHER, Issue 118, January 21, 2014

============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 118                                      January 21, 2014

Hilarie Orman, Editor                    cipher-editor @ ieee-security.org
Sven Dietrich, Assoc. Editor             cipher-assoc-editor @ ieee-security.org
Richard Austin, Book Review Editor       cipher-bookrev @ ieee-security.org
Yong Guan, Calendar Editor               cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year

Contents:

 * Letter from the Editor
 * Commentary and Opinion
   o Richard Austin's review of "The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System (2ed)" by Bill Blunden
   o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website
 * News Items from the Media
   o Press Release: NSA Security Science award nominations due on March 31
   o NSA morale down after Edward Snowden revelations, former U.S. officials say
   o Major tech companies unite to call for new limits on surveillance
   o NSA head says metadata program key tool against terrorism
   o Obama Panel Said to Urge N.S.A. Curbs
   o By cracking cellphone code, NSA has ability to decode private conversations
   o Judge: NSA phone surveillance program unconstitutional
   o Research shows how MacBook Webcams can spy on their users without warning
   o Snowden still holding 'keys to the kingdom'
   o RSA's secret contract with NSA
   o US spy court: NSA to keep collecting phone records
   o Malware attack hits thousands of Yahoo users
   o N.S.A.
     Devises Radio Pathway Into Computers
   o Amazon is a hornet's nest of malware
   o Point-of-sale malware infecting Target found hiding in plain sight
   o Some Obama spy changes hampered by complications
 * Conference and Workshop Announcements
   o Calendar of events
   o Upcoming calls-for-papers and events
 * Staying in Touch
   o Information for subscribers and contributors
   o Recent address changes
 * Links for the IEEE Computer Society TC on Security and Privacy
   o Becoming a member of the TC
   o TC Officers
   o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

This publication is the newsletter of the IEEE Computer Society's Technical Committee on Security and Privacy, and every two years we welcome new officers. Patrick McDaniel moves from TC Vice Chair to the Chair position, and Ulf Lindqvist takes over as Vice Chair. Sven Dietrich, the assistant editor of this publication, ends his term as the TCSP chair, and he has many accomplishments in his wake. One of them is the open access agreement for proceedings of the Security and Privacy Symposium. The 2012 proceedings are available without charge from the Computer Society's Digital Library, and those from 2013 will be similarly available this summer.

There was so much news about computer security problems during the last 60 days that I found it difficult to keep up. Even deciding to limit Snowden articles was not enough, as the point-of-sale attacks and compromised user databases seemed endless. Is this the new future? I read some time ago that the statistics on airline disasters were such that in the near future we would hear of at least one crash per day. Apparently computer security disasters are the same order of magnitude.

NSA has announced that nominations for their "Science of Security" award are open. Authors of papers published in 2013 are eligible.

Relevant to the point-of-sale attacks, Richard Austin this month has reviewed the second edition of a computer forensics book. If you are interested in learning how malware works to evade detection, even in a post-mortem, take a look at the review and decide if you'd like to see the book itself.

The annual Security and Privacy Symposium (aka "Oakland") will announce the program of accepted papers soon, and the expectation is that it will be a full 3-day program. The conference has been moving around the San Francisco Bay area, and this year it will be in San Jose at the Fairmont Hotel.

Target Target and become one,

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Richard Austin
01/18/2014
The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System (2ed)
by Bill Blunden
____________________________________________________________________

Wordware Press 2013.
ISBN 978-1-4496-2636-5
amazon.com USD40.71
Table of Contents: http://www.jblearning.com/catalog/9781449626365/

This is a new edition of a book that was originally reviewed in 2010 -- http://www.ieee-security.org/Cipher/BookReviews/2010/Blunden_by_austin.html

While the book retains the previous edition's highly technical presentation of the ins-and-outs of rootkits and how they work, it displays an enhanced focus on anti-forensics. One of the factors that make modern rootkits so dangerous is their ability to hide in plain sight and remain undiscovered by the usual defensive measures we have in place (e.g., anti-malware, intrusion detection).
As Blunden notes, "A well-designed rootkit will make a compromised system appear as nothing as wrong" (p. 12). The goals of a rootkit are basically to maintain a foothold that provides the adversary long-term access to a system and surveillance capability (e.g., credential capture, data exfiltration, etc.). Anti-forensics is focused on minimizing "the quality and quantity of useful trace evidence that is generated in addition to assuring that the quality of information is also limited" (p. 35). Or, to put it another way, it's very hard to defeat what you cannot see.

Supporting this theme, Blunden provides a detailed exploration of how this is actually accomplished. First, he explores "Postmortem" analysis (the processes performed after a system is imaged using classic digital forensics techniques) and explains how both disk and executable analysis can be defeated. However, he notes (p. 402) that ideally (from an adversary's point of view) these techniques should be of limited use because the best rootkits never leave traces on disk in the first place.

The second half (by page count) of the book is devoted to how live response can be defeated. "Live response" is an umbrella term for techniques used to investigate a running system for evidence of intrusion. Defenders developed live response to counter adversaries' use of techniques such as memory-only malware. As might be expected, in the continuing dance of attack and defense, adversaries were quick to respond. Be advised that even with the author's substantial introduction (chapters 3-6), your humble correspondent found himself leafing through the Intel architecture manuals more than once as he followed the presentation.

As I said in my original review, this is a very dangerous book. However, it is also a critically useful book and deserves careful study by the technical security professional.

Blunden has resisted the temptation to change a page here and there and call it a "new edition" by doing a substantial reorganization and update of the text. The focus on anti-forensics, though a core component in the original edition, is now the thread that binds the topics together.

Definitely a recommended read.

-----------------------------------------------------------------------
It has been said "Be careful, for writing books is endless, and much study wears you out" so Richard Austin (http://cse.spsu.edu/raustin2) fearlessly samples the wares of the publishing houses and opines as to which might most profitably occupy your scarce reading time. He welcomes your thoughts and comments via raustin at ieee dot org

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

http://cisr.nps.edu/jobscipher.html

(nothing new since Cipher E117)

--------------
This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

-----------------------------------------------------------------------------
Press Release: NSA Security Science award nominations due on March 31 for the best paper of 2013.
See http://www.nsa.gov/public_info/press_room/2013/2013_best_cybersecurity_paper_competition.shtml

The 2013 winner, Joseph Bonneau, had mixed feelings about the honor, according to a statement he released last July: http://www.lightbluetouchpaper.org/2013/07/19/nsa-award-for-best-scientific-cybersecurity-paper

-----------------------------------------------------------------------------
NSA morale down after Edward Snowden revelations, former U.S. officials say
http://www.washingtonpost.com/world/national-security/nsa-morale-down-after-edward-snowden-revelations-former-us-officials-say/2013/12/07/24975c14-5c65-11e3-95c2-13623eb2b0e1_story.html?tid=hpModule_14fd66a0-9199-11e2-bdea-e32ad90da239
The Washington Post
By Ellen Nakashima
December 7, 2013

"The agency, from top to bottom, leadership to rank and file, feels that it is had no support from the White House even though it's been carrying out publicly approved intelligence missions," said Joel Brenner, NSA inspector general from 2002 to 2006.

-----------------------------------------------------------------------------
Major tech companies unite to call for new limits on surveillance
http://www.washingtonpost.com/business/technology/major-tech-companies-unite-to-call-for-new-limits-on-surveillance/2013/12/08/530f0fd4-6051-11e3-bf45-61f69f54fc5f_story.html
By Craig Timberg
The Washington Post
December 8, 2013

Eight major US tech companies have sent a letter to U.S. leaders with a complaint against data collection. "We understand that governments have a duty to protect their citizens. But this summer's revelations highlighted the urgent need to reform government surveillance practices worldwide," the letter says. In addition to Microsoft and Google, the signers are Apple, Facebook, LinkedIn, Yahoo, AOL and Twitter.

-----------------------------------------------------------------------------
NSA head says metadata program key tool against terrorism
http://www.sltrib.com/sltrib/politics/57251012-90/agency-alexander-metadata-national.html.csp
By Thomas Burr
The Salt Lake Tribune
Dec 11 2013, Updated Dec 16 2013

NSA's Director, Gen. Keith Alexander, told the Senate Judiciary Committee that NSA metadata gathering is necessary to protect the US against terrorism. The NSA has argued that collecting metadata - some of which is likely to be stored at the NSA's Utah Data Center - is a powerful instrument in being able to determine if terrorists are communicating with people inside the United States.

-----------------------------------------------------------------------------
http://www.nytimes.com/2013/12/13/world/americas/obama-panel-said-to-urge-nsa-curbs.html?hp&_r=0
Obama Panel Said to Urge N.S.A. Curbs
By David E. Sanger
The New York Times
December 12, 2013

The recommendations of a presidential advisory committee include more review of collection activities, including what data is sought and who the targets are. Administration officials say that the White House now supervises the programs. Resistance from agencies seems likely.

-----------------------------------------------------------------------------
By cracking cellphone code, NSA has ability to decode private conversations
http://www.washingtonpost.com/business/technology/by-cracking-cellphone-code-nsa-has-capacity-for-decoding-private-conversations/2013/12/13/e119b598-612f-11e3-bf45-61f69f54fc5f_story.html
by Craig Timberg and Ashkan Soltani
The Washington Post
Dec 13, 2013

Karsten Nohl, chief scientist at Security Research Labs in Berlin, says that worldwide, over 80 per cent of all cell phone calls use no encryption. Even those that do encrypt may be vulnerable to eavesdropping by the NSA, because the encryption has been "cracked" by the NSA scientists.
Matthew Blaze, a University of Pennsylvania cryptology expert, said the weakness was in A5/1 encryption and is "a pretty sweeping, large vulnerability."

-----------------------------------------------------------------------------
Judge: NSA phone surveillance program unconstitutional
http://www.cnn.com/2013/12/16/justice/nsa-surveillance-court-ruling/index.html
By Bill Mears and Evan Perez
CNN
December 16, 2013

A Federal judge, Richard Leon, favored five plaintiffs who object to NSA phone surveillance, setting up a battle between privacy advocates and US intelligence agencies. "I cannot imagine a more 'indiscriminate' and 'arbitrary invasion' than this systematic and high-tech collection and retention of personal data on virtually every citizen for purposes of querying and analyzing it without prior judicial approval," said Leon.

-----------------------------------------------------------------------------
Research shows how MacBook Webcams can spy on their users without warning
http://www.washingtonpost.com/blogs/the-switch/wp/2013/12/18/research-shows-how-macbook-webcams-can-spy-on-their-users-without-warning/
By Ashkan Soltani and Timothy B. Lee
The Washington Post
December 18, 2013

Some Apple computer users put a piece of tape over the camera lens of their laptops and tablets. Are they paranoid? Although the built-in cameras on Apple computers were designed to prevent surreptitious use, Stephen Checkoway, a computer science professor at Johns Hopkins, and his co-author Matthew Brocker were able to get around the security feature of having a light on the computer activated when the camera is being used.

-----------------------------------------------------------------------------
Snowden still holding 'keys to the kingdom'
http://www.washingtonpost.com/world/national-security/snowden-still-holding-keys-to-the-kingdom/2013/12/18/b91d29a2-6761-11e3-8b5b-a77187b716a3_story.html
By Walter Pincus
The Washington Post
December 18, 2013

Journalist Glenn Greenwald, who has a copy of the Snowden documents, has commented on the extent of information as yet unpublished. These documents, Greenwald said, "would allow somebody who read them to know exactly how the NSA does what it does, which would in turn allow them to evade that surveillance or replicate it."

-----------------------------------------------------------------------------
RSA's secret contract with NSA
http://news.yahoo.com/exclusive-secret-contract-tied-nsa-security-industry-pioneer-001729620--finance.html
By Joseph Menn
Reuters
December 20, 2013

The security company RSA adopted a random number generation method called Dual Elliptic Curve after being paid several million dollars by the NSA. Documents leaked by Snowden indicate that the secret contract enabled backdoor access by NSA to encrypted data generated by RSA customers.

-----------------------------------------------------------------------------
US spy court: NSA to keep collecting phone records
http://news.yahoo.com/us-spy-court-nsa-keep-collecting-phone-records-214801109--finance.html
By Stephen Braun and Kimberly Dozier
Associated Press
Jan 3, 2013

The Foreign Intelligence Surveillance Court acted to renew an NSA phone metadata collection program. At the same time, the US government filed to lift a stay of the collection on 5 plaintiffs as ordered by a Federal Court.

-----------------------------------------------------------------------------
Millions of accounts compromised in Snapchat hack
http://www.cnn.com/2014/01/01/tech/social-media/snapchat-hack/index.html?hpt=hp_bn5
By Doug Gross
CNN
January 2, 2014

A group of whitehat hackers, Gibson Security, published code that would let other hackers obtain names and partial phone numbers of Snapchat users. That code was apparently exploited shortly thereafter. Snapchat seemed to downplay the event, claiming that it would be virtually impossible to match partial numbers to users' real names.

-----------------------------------------------------------------------------
Malware attack hits thousands of Yahoo users
http://www.cnn.com/2014/01/05/tech/yahoo-malware-attack/index.html?hpt=hp_t2
By Faith Karimi and Joe Sutton
CNN
January 6, 2014

Windows users who accessed their Yahoo accounts from Dec. 31 to Jan. 3 may have been infected with malware introduced through hacked advertisements.

-----------------------------------------------------------------------------
http://www.nytimes.com/2014/01/15/us/nsa-effort-pries-open-computers-not-connected-to-internet.html?_r=0
N.S.A. Devises Radio Pathway Into Computers
By David E. Sanger and Thom Shankerton
New York Times
January 14, 2014

Ever wonder why the NSA needs to have a chip fabrication line? It may be for the purpose of manufacturing USB sticks that can communicate over short range radio transmissions without detection by unwitting users. These devices have been planted in as many as 100K computers around the world.

-----------------------------------------------------------------------------
Amazon is a hornet's nest of malware
http://www.washingtonpost.com/blogs/the-switch/wp/2014/01/16/amazon-is-a-hornets-nest-of-malware/
By Brian Fung
The Washington Post
January 16, 2014

IT security firm Solutionary has gathered data indicating that Amazon's cloud services are the number one hosting site for malware affecting millions of LinkedIn subscribers.

-----------------------------------------------------------------------------
Point-of-sale malware infecting Target found hiding in plain sight
http://arstechnica.com/security/2014/01/point-of-sale-malware-infecting-target-found-hiding-in-plain-sight/
by Dan Goodin
Ars Technica
Jan 15, 2014

On December 18, 2013, KrebsOnSecurity's Brian Krebs uncovered "memory-scraping" malware on a public site and reported on it here: http://krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/. It is apparently the same software that was able to steal data from point-of-sale terminals at Target during previous weeks. The software cleverly scans memory for sensitive data and copies it before the terminal's software encrypts it for transmission to servers.

-----------------------------------------------------------------------------
Some Obama spy changes hampered by complications
http://www.sltrib.com/sltrib/world/57422905-68/government-nsa-records-obama.html.csp
By Stephen Braun
Associated Press in The Salt Lake Tribune
Jan 20, 2014

Plans to add additional review of Foreign Intelligence Surveillance Courts might be opposed by the Judiciary as being an illegal form of interference between branches of the US government.

====================================================================
Conference and Workshop Announcements
====================================================================

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Cipher calendar entries are announced on Twitter; follow ciphernews

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

 1/20/14: IFIP-SEC, 29th IFIP TC-11 SEC 2014 International Conference ICT Systems Security and Privacy Protection, Marrakech, Morocco;
          http://www.ensa.ac.ma/sec2014/ ; Submissions are due
 1/25/14: Elsevier Information Science, Special Issue on Security, Privacy and Trust in network-based Big Data;
          http://www.journals.elsevier.com/information-sciences/call-for-papers/security-privacy-and-trust-in-network-based-big-data/
          Submissions are due
 2/ 3/14: CSF, 27th IEEE Computer Security Foundations Symposium, Vienna University of Technology, Vienna, Austria;
          http://csf2014.di.univr.it/ ; Submissions are due
 2/ 8/14: DIMVA, 11th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment, Royal Holloway London, Egham, UK;
          http://www.dimva.org/dimva2014 Submissions are due
 2/10/14: PETS, 14th Privacy Enhancing Technologies Symposium, Amsterdam, Netherlands;
          http://petsymposium.org/ Submissions are due
 2/10/14: IWCC, International Workshop on Cyber Crime, Held in conjunction with the IEEE CS Security & Privacy Workshops (SPW 2014), Fairmont Hotel, San Jose, CA, USA;
          http://stegano.net/IWCC2014/ Submissions are due
 2/10/14: DASec, 1st International Workshop on Big Data
          Analytics for Security, Held in conjunction with ICDCS 2014, Madrid, Spain;
          http://www.dis.uniroma1.it/~dasec/ Submissions are due
 2/13/14: SACMAT, 19th ACM Symposium on Access Control Models and Technologies, London, Ontario, Canada;
          http://www.sacmat.org; Submissions are due
 2/15/14: IEEE Internet of Things Journal, Special Issue on Security for IoT: the State of the Art;
          http://iot-journal.weebly.com/uploads/1/8/8/0/18809834/ieee_iot_journal_si_iot_security_cfp.pdf; Submissions are due
 2/23/14- 2/26/14: NDSS, 21st Annual Network and Distributed System Security Symposium, San Diego, California, USA;
          http://www.internetsociety.org/events/ndss-symposium-2014
 2/26/14- 2/28/14: ESSOS, 6th International Symposium on Engineering Secure Software and Systems, Munich, Germany;
          http://distrinet.cs.kuleuven.be/events/essos/2014/
 2/28/14: WEIS, 13th Annual Workshop on the Economics of Information Security, Pennsylvania State University, PA, USA;
          http://weis2014.econinfosec.org/ Submissions are due
 2/28/14: SOUPS, Symposium On Usable Privacy and Security, In-cooperation with USENIX, Menlo Park, CA, USA;
          http://cups.cs.cmu.edu/soups/ Submissions are due
 3/ 1/14: Journal of Cyber Security and Mobility, Special issue on Next Generation Mobility Network Security;
          http://www.ee.columbia.edu/~roger/call.pdf; Submissions are due
 3/ 1/14: IEEE Pervasive Computing, Special issue on Pervasive Privacy and Security;
          http://www.computer.org/portal/web/computingnow/pccfp1; Submissions are due
 3/ 1/14: RFIDSec, 10th Workshop on RFID Security, Co-located with ACM WiSec 2014, Oxford, United Kingdom;
          http://rfidsec2014.cis.uab.edu/ Submissions are due
 3/ 3/14: WiSec, 7th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Oxford, United Kingdom;
          http://www.sigsac.org/wisec/WiSec2014/ Submissions are due
 3/ 3/14: MOST, Mobile Security Technologies Workshop, An event of the IEEE Computer Society's Security and Privacy Workshops (SPW 2014), Co-located with the 34th IEEE
          Symposium on Security and Privacy (IEEE S&P 2014), San Jose, CA, USA;
          http://mostconf.org/2014/cfp.html Submissions are due
 3/ 7/14: WISTP, 8th Workshop in Information Security Theory and Practice, Heraklion, Greece;
          http://www.wistp.org/ Submissions are due
 3/ 7/14: CNS, 2nd IEEE Conference on Communications and Network Security, San Francisco, CA, USA;
          http://ieee-cns.org; Submissions are due
 3/15/14: IEEE Security & Privacy, Special issue on Key Trends in Cryptography;
          http://www.computer.org/portal/web/computingnow/spcfp1 Abstract Submissions are due
 3/24/14: SESOC, 6th International Workshop on Security and Social Networking, Held in conjunction with PerCom 2014, Budapest, Hungary;
          http://www.sesoc.org
 3/24/14- 3/28/14: SAC-SEC, 29th ACM Symposium on Applied Computing, Computer Security track, Gyeongju, Korea;
          http://www.dmi.unict.it/~giamp/sac/cfp2014.php
 4/ 7/14- 4/11/14: POST, 3rd Conference on Principles of Security and Trust, Grenoble, France;
          http://www.etaps.org/2014/post-2014
 4/ 8/14- 4/ 9/14: HotSoS, Symposium and Bootcamp on the Science of Security, Raleigh, North Carolina, USA;
          http://www.csc2.ncsu.edu/conferences/hotsos
 4/14/14- 4/15/14: COSADE, 5th International Workshop on Constructive Side-Channel Analysis and Secure Design, Paris, France;
          http://www.cosade.org
 5/ 1/14: IEEE Security & Privacy, Special issue on Key Trends in Cryptography;
          http://www.computer.org/portal/web/computingnow/spcfp1; Submissions are due
 5/ 2/14: TGC, 9th Symposium on Trustworthy Global Computing, Co-located with Concur 2014, Rome, Italy;
          http://www.cs.le.ac.uk/events/tgc2014/ Submissions are due
 5/17/14- 5/18/14: IWCC, International Workshop on Cyber Crime, Held in conjunction with the IEEE CS Security & Privacy Workshops (SPW 2014), Fairmont Hotel, San Jose, CA, USA;
          http://stegano.net/IWCC2014/
 5/17/14: MOST, Mobile Security Technologies Workshop, An event of the IEEE Computer Society's Security and Privacy Workshops (SPW 2014), Co-located with the 34th IEEE
          Symposium on Security and Privacy (IEEE S&P 2014), San Jose, CA, USA;
          http://mostconf.org/2014/cfp.html
 5/18/14- 5/21/14: SP, 35th IEEE Symposium on Security and Privacy, San Jose, CA, USA;
          http://www.ieee-security.org/TC/SP2014/cfp.html
 6/ 2/14- 6/ 4/14: IFIP-SEC, 29th IFIP TC-11 SEC 2014 International Conference ICT Systems Security and Privacy Protection, Marrakech, Morocco;
          http://www.ensa.ac.ma/sec2014/
 6/23/14- 6/24/14: WEIS, 13th Annual Workshop on the Economics of Information Security, Pennsylvania State University, PA, USA;
          http://weis2014.econinfosec.org/
 6/23/14- 6/25/14: WISTP, 8th Workshop in Information Security Theory and Practice, Heraklion, Greece;
          http://www.wistp.org/
 6/25/14- 6/27/14: SACMAT, 19th ACM Symposium on Access Control Models and Technologies, London, Ontario, Canada;
          http://www.sacmat.org
 6/30/14- 7/ 3/14: DASec, 1st International Workshop on Big Data Analytics for Security, Held in conjunction with ICDCS 2014, Madrid, Spain;
          http://www.dis.uniroma1.it/~dasec/
 7/ 9/14- 7/11/14: SOUPS, Symposium On Usable Privacy and Security, In-cooperation with USENIX, Menlo Park, CA, USA;
          http://cups.cs.cmu.edu/soups/
 7/10/14- 7/11/14: DIMVA, 11th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment, Royal Holloway London, Egham, UK;
          http://www.dimva.org/dimva2014
 7/16/14- 7/18/14: PETS, 14th Privacy Enhancing Technologies Symposium, Amsterdam, Netherlands;
          http://petsymposium.org/
 7/19/14- 7/22/14: CSF, 27th IEEE Computer Security Foundations Symposium, Vienna University of Technology, Vienna, Austria;
          http://csf2014.di.univr.it/
 7/21/14- 7/23/14: RFIDSec, 10th Workshop on RFID Security, Co-located with ACM WiSec 2014, Oxford, United Kingdom;
          http://rfidsec2014.cis.uab.edu/
 7/21/14- 7/25/14: WiSec, 7th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Oxford, United Kingdom;
          http://www.sigsac.org/wisec/WiSec2014/
 9/ 6/14- 9/ 6/14: TGC, 9th Symposium on Trustworthy Global Computing,
          Co-located with Concur 2014, Rome, Italy;
          http://www.cs.le.ac.uk/events/tgc2014/
10/29/14-10/31/14: CNS, 2nd IEEE Conference on Communications and Network Security, San Francisco, CA, USA;
          http://ieee-cns.org

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers (new since Cipher E117)
____________________________________________________________________

IFIP-SEC 2014 29th IFIP TC-11 SEC 2014 International Conference ICT Systems Security and Privacy Protection, Marrakech, Morocco, June 2-4, 2014. (Submission Due 20 January 2014)
http://www.ensa.ac.ma/sec2014/

This conference is the flagship event of the International Federation for Information Processing (IFIP) Technical Committee 11 on Security and Privacy Protection in Information Processing Systems (TC-11, www.ifiptc11.org). We seek submissions from academia, industry, and government presenting novel research on all theoretical and practical aspects of security and privacy protection in ICT Systems.
Topics of interest include, but are not limited to:
 - Access control and authentication
 - Applied cryptography
 - Cloud and big data security
 - Critical Infrastructure Protection
 - Data and Applications Security
 - Digital Forensics
 - Human Aspects of Information Security and Assurance
 - Identity Management
 - Information Security Education
 - Information Security Management
 - Information Technology Mis-Use and the Law
 - Managing information security functions
 - Mobile security
 - Multilateral Security
 - Network & Distributed Systems Security
 - Pervasive Systems Security
 - Privacy protection
 - Trust Management
 - Audit and risk analysis

-------------------------------------------------------------------------
Elsevier Information Science, Special Issue on Security, Privacy and trust in network-based Big Data, December 2014, (Submission Due 25 January 2014)
http://www.journals.elsevier.com/information-sciences/call-for-papers/security-privacy-and-trust-in-network-based-big-data/

Editor: Xiaohong Jiang (Future University Hakodate, Japan), Hua Wang (University of Southern Queensland, Australia), and Georgios Kambourakis (University of the Aegean, Greece)

The aim of the special issue is to present leading edge work concerning privacy protection issues and security challenges in the rapidly emerging field of network-based Big Data. Research that addresses organisational and enterprise solutions for privacy protection and information security in Big Data environments will also be presented. Both papers dealing with fundamental theory, techniques, applications, and practical experiences concerning secure Big Data will be considered.
The scope of the special issue includes (but is not limited to):
 - Security modeling and threat in Big Data
 - Auditing in network-based Big Data
 - Access control mechanisms for Big Data systems
 - Secure Big Data resource virtualisation mechanisms
 - Secure Big Data management outsourcing (e.g., database as a service)
 - Practical privacy and integrity mechanisms for outsourcing
 - Foundations of cloud-centric threat models for Big Data
 - Trust and policy management
 - Secure identity management mechanisms
 - New Big Data web service security paradigms and mechanisms
 - Business and security risk models and clouds
 - Cost and usability models and their interaction with security in Big Data systems
 - Remote data integrity protection
 - Data-centric security and data classification
 - Secure Big Data in wireless environment
 - Risk analysis and risk management

-------------------------------------------------------------------------
CSF 2014 27th IEEE Computer Security Foundations Symposium, Vienna University of Technology, Vienna, Austria, July 19 - 22, 2014. (Submission Due 3 February 2014)
http://csf2014.di.univr.it/

The Computer Security Foundations Symposium is an annual conference for researchers in computer security. CSF seeks papers on foundational aspects of computer security, e.g., formal security models, relationships between security properties and defenses, principled techniques and tools for design and analysis of security mechanisms, as well as their application to practice. While CSF welcomes submissions beyond the topics listed below, the main focus of CSF is foundational security: submissions that lack foundational aspects risk rejection. New results in computer security are welcome.
Possible topics include, but are not limited to: access control, accountability, anonymity, authentication, critical infrastructure security, cryptography, data and system integrity, database security, decidability and complexity, distributed systems, electronic voting, executable content, formal methods and verification, game theory and decision theory, hardware-based security, humans and computer security, information flow, intrusion detection, language-based security, network security, novel insights on attacks, privacy, provenance, resource usage control, security for mobile computing, security models, security protocols, software security, socio-technical security, trust management, usable security, web security.

-------------------------------------------------------------------------
DIMVA 2014 11th International Conference on Detection of Intrusions and Malware & Vulnerability Assessment, Royal Holloway London, Egham, UK, July 10-11, 2014. (Submission Due 8 February 2014)
http://www.dimva.org/dimva2014

The annual DIMVA conference serves as a premier forum for advancing the state of the art in intrusion detection, malware detection, and vulnerability assessment. Each year, DIMVA brings together international experts from academia, industry, and government to present and discuss novel research in these areas. DIMVA is organized by the special interest group "Security - Intrusion Detection and Response" (SIDAR) of the German Informatics Society (GI). The conference proceedings will appear as a volume in the Springer Lecture Notes in Computer Science (LNCS) series (approval pending).
DIMVA encourages submissions from the following broad areas:

Intrusion Detection
- Novel approaches and domains
- Insider detection
- Prevention and response
- Data leakage and exfiltration
- Result correlation and cooperation
- Evasion and other attacks
- Potentials and limitations
- Operational experiences

Malware Detection
- Automated analyses
- Behavioral models
- Prevention and containment
- Infiltration
- Acquisition and monitoring
- Forensics and recovery
- Underground economy

Vulnerability Assessment
- Vulnerability detection
- Vulnerability prevention
- Fuzzing techniques
- Classification and evaluation
- Situational awareness

-------------------------------------------------------------------------
PETS 2014 14th Privacy Enhancing Technologies Symposium, Amsterdam, Netherlands, July 16-18, 2014. (Submission Due 10 February 2014)
http://petsymposium.org/

The Privacy Enhancing Technologies Symposium (PETS) aims to advance the state of the art and foster a world-wide community of researchers and practitioners to discuss innovation and new perspectives.
Suggested topics include but are not restricted to:
- Behavioral targeting
- Building and deploying privacy-enhancing systems
- Crowdsourcing for privacy
- Cryptographic tools for privacy
- Data protection technologies
- Differential privacy
- Economics of privacy and game-theoretical approaches to privacy
- Forensics and privacy
- Information leakage, data correlation and generic attacks to privacy
- Interdisciplinary research connecting privacy to economics, law, ethnography, psychology, medicine, biotechnology
- Location and mobility privacy
- Measuring and quantifying privacy
- Obfuscation-based privacy
- Policy languages and tools for privacy
- Privacy and human rights
- Privacy in ubiquitous computing and mobile devices
- Privacy in cloud and big-data applications
- Privacy in social networks and micro-blogging systems
- Privacy-enhanced access control, authentication, and identity management
- Profiling and data mining
- Reliability, robustness, and abuse prevention in privacy systems
- Surveillance
- Systems for anonymous communications and censorship resistance
- Traffic analysis
- Transparency enhancing tools
- Usability and user-centered design for PETs

-------------------------------------------------------------------------
IWCC 2014 International Workshop on Cyber Crime, Held in conjunction with the IEEE CS Security & Privacy Workshops (SPW 2014), Fairmont Hotel, San Jose, CA, USA, May 17-18, 2014. (Submission Due 10 February 2014)
http://stegano.net/IWCC2014/

Today's world's societies are becoming more and more dependent on open networks such as the Internet - where commercial activities, business transactions and government services are realized. This has led to the fast development of new cyber threats and numerous information security issues which are exploited by cyber criminals.
The inability to provide trusted secure services in contemporary computer network technologies has a tremendous socio-economic impact on global enterprises as well as individuals. Moreover, the frequently occurring international frauds impose the necessity to conduct the investigation of facts spanning across multiple international borders. Such examination is often subject to different jurisdictions and legal systems. A good illustration of the above is the Internet, which has made it easier to perpetrate traditional crimes. It has acted as an alternate avenue for the criminals to conduct their activities, and launch attacks with relative anonymity. The increased complexity of the communications and the networking infrastructure is making investigation of the crimes difficult. Traces of illegal digital activities are often buried in large volumes of data, which are hard to inspect with the aim of detecting offences and collecting evidence. Nowadays, the digital crime scene functions like any other network, with dedicated administrators functioning as the first responders. This poses new challenges for law enforcement policies and forces the computer societies to utilize digital forensics to combat the increasing number of cybercrimes. Forensic professionals must be fully prepared in order to be able to provide court admissible evidence. To make these goals achievable, forensic techniques should keep pace with new technologies. The aim of this workshop is to bring together the research accomplishments provided by the researchers from academia and the industry. The other goal is to show the latest research results in the field of digital forensics and to present the development of tools and techniques which assist the investigation process of potentially illegal cyber activity. We encourage prospective authors to submit related distinguished research papers on the subject of both: theoretical approaches and practical case reviews.
The workshop will be accessible to both non-experts interested in learning about this area and experts interested in hearing about new research and approaches.

Topics of interest include, but are not limited to:
- Cyber crimes: evolution, new trends and detection
- Cyber crime related investigations
- Computer and network forensics
- Digital forensics tools and applications
- Digital forensics case studies and best practices
- Privacy issues in digital forensics
- Network traffic analysis, traceback and attribution
- Incident response, investigation and evidence handling
- Integrity of digital evidence and live investigations
- Identification, authentication and collection of digital evidence
- Anti-forensic techniques and methods
- Watermarking and intellectual property theft
- Social networking forensics
- Steganography/steganalysis and covert/subliminal channels
- Network anomalies detection
- Novel applications of information hiding in networks
- Political and business issues related to digital forensics and anti-forensic techniques

-------------------------------------------------------------------------
DASec 2014 1st International Workshop on Big Data Analytics for Security, Held in conjunction with ICDCS 2014, Madrid, Spain, June 30 - July 3, 2014. (Submission Due 10 February 2014)
http://www.dis.uniroma1.it/~dasec/

In the last 10 years we have witnessed a strong integration of several human activities with computers and digital networks. This has led to an interconnected economy, where interactions occur through the mediation of networked devices. The openness of this scenario was instrumental in creating new business opportunities. However, it has also paved the way to new forms of criminal activities that, while happening in the cyber domain, have strong implications in the real world. The current trend towards an Internet of Things will possibly worsen this scenario.
In this context, private companies and public bodies struggle to defend their businesses against a deluge of attacks spanning from complex online frauds to malicious scanning activities of their IT infrastructures. As attacks continue to grow in complexity, classic "border-control" approaches to system security quickly prove to be ineffective, calling for an investigation into new methodologies and solutions. At the same time, ongoing research efforts on "Big Data" systems are devising new and innovative methodologies to manage and analyze large amounts of data with the aim of recognizing specific patterns and behaviors. The First International Workshop on Big Data Analytics for Security aims to bring together people from both academia and industry to present their most recent work related to trust, security and privacy issues in big data analytics, together with application of big data technologies in the field of security. The purpose is to establish if and how large-scale data analytics technologies can help in creating new security solutions for today's complex IT infrastructures.

-------------------------------------------------------------------------
SACMAT 2014 19th ACM Symposium on Access Control Models and Technologies, London, Ontario, Canada, June 25-27, 2014. (Submission Due 13 February 2014)
http://www.sacmat.org

Papers offering novel research contributions in all aspects of access control are solicited for submission to the 19th ACM Symposium on Access Control Models and Technologies (SACMAT 2014). We have expanded the scope to include several new topics that have relevance to access control. These include cyber-physical systems, applications, systems, hardware, cloud computing, and usability. The Program Committee for this year reflects this expanded scope.
- Administration
- Applications
- Attribute-based systems
- Authentication
- Biometrics
- Cryptographic approaches
- Cyber-physical systems
- Design methodology
- Distributed, cloud, and mobile systems
- Economic models and game theory
- Enforcement
- Hardware enhanced
- Identity management
- Mechanisms, systems, and tools
- Models and extensions
- Obligations
- Policy engineering and analysis
- Requirements
- Risk
- Safety analysis
- Standards
- Theoretical foundations
- Trust management
- Usability

-------------------------------------------------------------------------
IEEE Internet of Things Journal, Special Issue on Security for IoT: the State of the Art, October 2014, (Submission Due 15 February 2014)
http://iot-journal.weebly.com/uploads/1/8/8/0/18809834/ieee_iot_journal_si_iot_security_cfp.pdf
Editor: Kui Ren (University at Buffalo, USA), Pierangela Samarati (University of Milan, Italy), Peng Ning (NCSU, Raleigh & Samsung Mobile, USA), Marco Gruteser (Rutgers University, USA), and Yunhao Liu (Tsinghua University, China)

The Internet is becoming more and more ubiquitous. One central element of this trend is the existence of a massive network of interconnected wired/wireless physical objects/things/sensors/devices, which can interact in a rich set of manners through a worldwide communication and information infrastructure and provide value added services. The vision of such an Internet of Things (IoT) system, supported by industrial companies and governments globally, has the potential to mark an evolution that will surely have a great impact on our environments and our lives. Yet, the realization of a ubiquitous IoT also poses a number of challenges where security is among the top concerns. The globally interconnected physical objects inevitably result in a potentially enormous attack surface that can be easily exploited if left without adequate protection.
To enable strong security foundations for the ubiquitous IoT, plenty of factors need to be taken into account. Examples are data security, privacy, access control, information assurance, trust management, secure services interoperability, seamless integration, system heterogeneity, scalability, and mobility. This special issue solicits high-quality original research results about IoT that pertain to state-of-the-art security and privacy issues in various pervasive and ubiquitous scenarios. We encourage submissions on theoretical, practical, as well as experimental studies, from both academia and industry, related to all aspects of security for IoT.

Topics of interest include (but are not limited to) the following categories:
- Secure IoT architecture
- IoT access control and key management
- Identification and privacy for IoT
- Smart phone enabled secure smart systems
- New cryptographic primitives for IoT
- Manage trust for IoT service interoperability
- Security on heterogeneous ecosystems
- Context-aware security design
- Data security and privacy in the IoT
- Intrusion detection and defense for IoT
- Joint security & privacy aware protocol design
- Failure detection, prediction, and recovery
- Secure data management within IoT
- Trusted computing technology and IoT
- Availability, recovery and auditing
- IoT related web services security
- Secure cyber-physical system
- Biometrics for the IoT

-------------------------------------------------------------------------
WEIS 2014 13th Annual Workshop on the Economics of Information Security, Pennsylvania State University, PA, USA, June 23-24, 2014. (Submission Due 28 February 2014)
http://weis2014.econinfosec.org/

The Workshop on the Economics of Information Security (WEIS) is the leading forum for interdisciplinary scholarship on information security and privacy, combining expertise from the fields of economics, social science, business, law, policy, and computer science.
Prior workshops have explored the role of incentives between attackers and defenders of information systems, identified market failures surrounding Internet security, quantified risks of personal data disclosure, and assessed investments in cyber-defense. The 2014 workshop will build on past efforts using empirical and analytic tools not only to understand threats, but also to strengthen security and privacy through novel evaluations of available solutions. We encourage economists, computer scientists, legal scholars, business school researchers, security and privacy specialists, as well as industry experts to submit their research and participate by attending the workshop.

Suggested topics include (but are not limited to) empirical and theoretical studies of:
- Optimal investment in information security
- Models and analysis of online crime (including botnets, phishing, and spam)
- Risk management and cyber-insurance
- Security standards and regulation
- Cyber-security and privacy policy
- Security and privacy models and metrics
- Economics of privacy and anonymity
- Behavioral security and privacy
- Vulnerability discovery, disclosure, and patching
- Cyber-defense strategy and game theory
- Incentives for information sharing and cooperation

-------------------------------------------------------------------------
SOUPS 2014 Symposium On Usable Privacy and Security, In-cooperation with USENIX, Menlo Park, CA, USA, July 9-11, 2014. (Submission Due 28 February 2014)
http://cups.cs.cmu.edu/soups/

The 2014 Symposium on Usable Privacy and Security (SOUPS) will bring together an interdisciplinary group of researchers and practitioners in human computer interaction, security, and privacy. The program will feature technical papers, a poster session, panels and invited talks, lightning talks and demos, and workshops and tutorials. This year SOUPS will be held at Facebook in Menlo Park, CA.
We invite authors to submit original papers describing research or experience in all areas of usable privacy and security. Topics include, but are not limited to:
- innovative security or privacy functionality and design,
- new applications of existing models or technology,
- field studies of security or privacy technology,
- usability evaluations of new or existing security or privacy features,
- security testing of new or existing usability features,
- longitudinal studies of deployed security or privacy features,
- the impact of organizational policy or procurement decisions, and
- lessons learned from the deployment and use of usable privacy and security features,
- reports of replicating previously published studies and experiments,
- reports of failed usable security studies or experiments, with the focus on the lessons learned from such experience.

-------------------------------------------------------------------------
Journal of Cyber Security and Mobility, Special issue on Next generation mobility network security, July 2014, (Submission Due 1 March 2014)
http://www.ee.columbia.edu/~roger/call.pdf
Editor: Roger Piqueras Jover (AT&T Security Research Center)

The Long Term Evolution (LTE) is the newly adopted standard technology to offer enhanced capacity and coverage for mobility networks, providing advanced multimedia services beyond traditional voice and short messaging traffic for billions of users. This new cellular communication system introduces a substantial redesign of the network architecture resulting in the new eUTRAN (Enhanced Universal Terrestrial Radio Access Network) and the EPC (Enhanced Packet Core). In this context, the LTE Radio Access Network (RAN) is built upon a redesigned physical layer and based on an Orthogonal Frequency Division Multiple Access (OFDMA) modulation, features robust performance in challenging multipath environments and substantially improves capacity.
Moreover, a new all-IP core architecture is designed to be more flexible and flatter. In parallel, the cyber-security landscape has changed drastically over the last few years. It is now characterized by large scale security threats such as massive Distributed Denial of Service Attacks (DDoS), the advent of the Advanced Persistent Threat (APT) and the surge of mobile malware and fraud. These new threats illustrate the importance of strengthening the resiliency of mobility networks against security attacks, ensuring this way full mobility network availability. In this context, however, the scale of the threat is not the key element anymore and traditionally overlooked low range threats, such as radio jamming, should also be included in security studies. This special issue of the Journal of Cyber Security and Mobility addresses research advances in mobility threats and new security applications/architectures for next generation mobility networks.

The main topics of interest of this issue include, but are not limited to, the following:
- LTE RAN security
- OFDM/OFDMA radio jamming
- Secure wireless communications under malicious interference/jamming
- Mobility security threats based on interoperability with legacy networks
- LTE EPC security
- Mobile malware/botnet impact on RAN/EPC
- Femtocell security threats
- Detection of attacks against mobility networks
- Self Organizing Network (SON) security applications
- WiFi-cellular interoperability threats and security
- Mobile device baseband security

-------------------------------------------------------------------------
IEEE Pervasive Computing, Special issue on Pervasive Privacy and Security, January-March 2015, (Submission Due 1 March 2014)
http://www.computer.org/portal/web/computingnow/pccfp1
Editor: Sunny Consolvo (Google, USA), Jason Hong (Carnegie Mellon University, USA), and Marc Langheinrich (University of Lugano, Switzerland)

Society is increasingly relying on pervasive computing technologies in all
domains. However, with the growing adoption of these technologies, we are also seeing more and more issues related to privacy and security. The aim of this special issue is to explore technologies related to all aspects of privacy and security in pervasive computing.

Relevant topics for this special issue include, but are not limited to, the following:
- Privacy and security for pervasive computing domains, such as smart homes, smart cars, healthcare, urban computing, and more
- Privacy and security for pervasive computing technologies, such as smartphones, wireless sensors, wearable computers, RFIDs, cameras, and more
- New methods, techniques, or architectures for collecting, processing, managing, and sharing sensed data in a way that balances privacy, security, and utility
- New approaches for managing privacy and security in pervasive computing domains, both for end-users and for organizations offering services
- User interfaces for conveying to users what data is being sensed and gathered
- User studies probing people's attitudes and behaviors towards privacy and security in pervasive computing domains and/or involving pervasive computing technologies
- Tools, platforms, and user models to help developers improve privacy and security in ubicomp systems
- Experiences with privacy and security for deployed ubicomp systems
- More streamlined ways of authenticating to pervasive computing environments, or using pervasive computing technologies to improve authentication in general
- Security on low-power computing devices
- Establishing trust in pervasive hardware
- Combining privacy with accuracy in location sensing
- Coping with physical threats to pervasive hardware
- Pervasive surveillance and privacy - technology and policy issues
- New business processes and models involving ubicomp privacy and security
- Incorporating privacy and security into the design and development process of pervasive applications (aka "privacy-by-design")
-------------------------------------------------------------------------
RFIDSec 2014 10th Workshop on RFID Security, Co-located with ACM WiSec 2014, Oxford, United Kingdom, July 21-23, 2014. (Submission Due 1 March 2013)
http://rfidsec2014.cis.uab.edu/

RFIDsec is the premier workshop devoted to security and privacy in Radio Frequency Identification (RFID) with participants throughout the world. RFIDsec brings together researchers from academia and industry for topics of importance to improving the security and privacy of RFID, NFC, contactless technologies, and the Internet of Things. RFIDsec bridges the gap between cryptographic researchers and RFID developers through invited talks and contributed presentations.

Topics of interest include:
- New applications for secure RFID, NFC and other constrained systems
- Resource-efficient implementations of cryptography
- Attacks on RFID systems (e.g. side-channel attacks, fault attacks, hardware tampering)
- Data protection and privacy-enhancing techniques
- Cryptographic protocols (e.g. authentication, key distribution, scalability issues)
- Integration of secure RFID systems (e.g. infrastructures, middleware and security)
- Data mining and other systemic approaches to RFID security
- RFID hardware security (e.g. Physical Unclonable Functions (PUFs), RFID Trojans)
- Case studies

-------------------------------------------------------------------------
WiSec 2014 7th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Oxford, United Kingdom, July 21-25, 2014. (Submission Due 3 March 2013)
http://www.sigsac.org/wisec/WiSec2014/

ACM WiSec has been broadening its scope and seeks to present high quality research papers exploring security and privacy aspects of wireless communications, mobile networks, and their applications.
In addition to the traditional ACM WiSec topics of physical, link, and network layer security, we welcome papers focusing on the security and privacy of mobile software platforms, usable security and privacy, biometrics and the increasingly diverse range of mobile or wireless applications. The conference welcomes both theoretical as well as systems contributions.

Topics of interest include, but are not limited to:
- Mobile malware and platform security
- Security & Privacy for Smart Devices (e.g., Smartphones)
- Wireless and mobile privacy and anonymity
- Secure localization and location privacy
- Cellular network fraud and security
- Jamming attacks and defenses
- Key extraction, agreement, or distribution
- Theoretical foundations, cryptographic primitives, and formal methods
- NFC and smart payment applications
- Security and privacy for mobile sensing systems
- Wireless or mobile security and privacy in health, automotive, avionics, or smart grid applications
- Self-tracking/Quantified Self Security and Privacy
- Physical Tracking Security and Privacy
- Usable Mobile Security and Privacy
- Economics of Mobile Security and Privacy
- Bring Your Own Device (BYOD) Security

-------------------------------------------------------------------------
MOST 2014 Mobile Security Technologies Workshop, An event of the IEEE Computer Society's Security and Privacy Workshops (SPW 2014), Co-located with the 34th IEEE Symposium on Security and Privacy (IEEE S&P 2014), San Jose, CA, USA, May 17, 2014. (Submission Due 3 March 2014)
http://mostconf.org/2014/cfp.html

Mobile Security Technologies (MoST) brings together researchers, practitioners, policy makers, and hardware and software developers of mobile systems to explore the latest understanding and advances in the security and privacy for mobile devices, applications, and systems. We are seeking both short position papers (2-4 pages) and longer papers (a maximum of 10 pages).
The scope of MoST 2014 includes, but is not limited to, security and privacy specifically for mobile devices and services related to:
- Device hardware
- Operating systems
- Middleware
- Mobile web
- Secure and efficient communication
- Secure application development tools and practices
- Privacy
- Vulnerabilities and remediation techniques
- Usable security
- Identity and access control
- Risks in putting trust in the device vs. in the network/cloud
- Special applications, such as medical monitoring and records
- Mobile advertisement
- Secure applications and application markets
- Economic impact of security and privacy technologies

-------------------------------------------------------------------------
CNS 2014 2nd IEEE Conference on Communications and Network Security, San Francisco, CA, USA, October 29-31, 2014. (Submission Due 7 March 2014)
http://ieee-cns.org

IEEE Conference on Communications and Network Security (CNS) is a new conference series in IEEE Communications Society (ComSoc) core conference portfolio and the only ComSoc conference focusing solely on cyber security. IEEE CNS is a spin-off of IEEE INFOCOM, the premier ComSoc conference on networking. The goal of CNS is to provide an outstanding forum for cyber security researchers, practitioners, policy makers, and users to exchange ideas, techniques and tools, raise awareness, and share experience related to all practical and theoretical aspects of communications and network security. Building on the success of last year's inaugural conference, IEEE CNS 2014 seeks original high-quality technical papers from academia, government, and industry. Topics of interest encompass all practical and theoretical aspects of communications and network security, all the way from the physical layer to the various network layers to the variety of applications reliant on a secure communication substrate.
Submissions with main contribution in other areas, such as information security, software security, system security, or applied cryptography, will also be considered if a clear connection to secure communications/networking is demonstrated.

-------------------------------------------------------------------------
WISTP 2014 8th Workshop in Information Security Theory and Practice, Heraklion, Greece, June 23-25, 2014. (Submission Due 7 March 2014)
http://www.wistp.org/

Future ICT technologies, such as the concepts of Ambient Intelligence, Cyber-physical Systems and Internet of Things provide a vision of the Information Society in which: a) people and physical systems are surrounded with intelligent interactive interfaces and objects, and b) environments are capable of recognising and reacting to the presence of different individuals or events in a seamless, unobtrusive and invisible manner. The success of future ICT technologies will depend on how secure these systems may be, to what extent they will protect the privacy of individuals and how individuals will come to trust them. WISTP 2014 aims to address security and privacy issues of smart devices, networks, architectures, protocols, policies, systems, and applications related to Internet of Things, along with evaluating their impact on business, individuals, and the society. The workshop seeks original submissions from academia and industry presenting novel research on all theoretical and practical aspects of security and privacy of Internet of Things, as well as experimental studies of fielded systems, the application of security technology, the implementation of systems, and lessons learned. We encourage submissions from other communities such as law, business, and policy that present these communities' perspectives on technological issues.
Topics of interest include, but are not limited to:

Security and Privacy in Smart Devices
- Biometrics, National ID cards
- Embedded Systems Security and TPMs
- Interplay of TPMs and Smart Cards
- Mobile Codes Security
- Mobile Devices Security
- Mobile Malware
- Mobile OSes Security Analysis
- New Applications for Secure RFID Systems
- RFID Systems
- Smart Card
- Smart Devices Applications
- Wireless Sensor Node

Security and Privacy in Networks
- Ad Hoc Networks
- Delay-Tolerant Network
- Domestic Network
- GSM/GPRS/UMTS Systems
- Peer-to-Peer Networks
- Security Issues in Mobile and Ubiquitous Networks
- Sensor Networks: Campus Area, Body Area, Sensor and Metropolitan Area Networks
- Vehicular Network
- Wireless Communication: Bluetooth, NFC, WiFi, WiMAX, others

Security and Privacy in Architectures, Protocols, Policies, Systems and Applications
- BYOD Contexts
- Cloud-enhanced Mobile Security
- Critical Infrastructure (e.g. for Medical or Military Applications)
- Cyber-Physical Systems
- Digital Rights Management (DRM)
- Distributed Systems and Grid Computing
- Information Assurance and Trust Management
- Intrusion Detection and Information Filtering
- Lightweight cryptography
- Localization Systems (Tracking of People and Goods)
- M2M (Machine to Machine), H2M (Human to Machine) and M2H (Machine to Human)
- Mobile Commerce
- Multimedia Applications
- Public Administration and Governmental Services
- Pervasive Systems
- Privacy Enhancing Technologies
- Secure self-organization and self-configuration
- Security Models, Architecture and Protocol: for Identification and Authentication, Access Control, Data Protection
- Security Policies (Human-Computer Interaction and Human Behavior Impact)
- Security Measurements
- Smart Cities
- Systems Controlling Industrial Processes

-------------------------------------------------------------------------
IEEE Security & Privacy, Special issue on Key Trends in Cryptography, January/February 2015, (Abstract Due 15 March 2014,
and Final Submission Due 1 May 2014)
http://www.computer.org/portal/web/computingnow/spcfp1
Editor: Hilarie Orman (purplestreak.com, USA) and Charles Pfleeger (pfleeger.com, USA)

Cryptography has advanced from an arcane craft to a mathematical discipline with established principles, widely-accepted standards, and daily use in Internet and many other computer applications. Yet its actual utility and future are clouded topics that hit at two widely separated poles: the limits of computation and the role of government. Articles for this special issue of IEEE Security & Privacy magazine will cover recent research trends in cryptology and their implications for emerging computing techniques (such as cloud computing), collaboration between researchers and governments in defining cryptographic standards, how physics and mathematics shape and limit cryptology, and how cryptology implements privacy and security in an interconnected world.

Potential articles for this issue might address:
- Is cryptology an ongoing research area? What are the remaining challenges that have not been solved by public key systems and the AES cipher?
- What new cryptographic methods are on the horizon? How could techniques such as homomorphic encryption affect computers and applications? What synergies do new methods have with emerging technologies such as cloud computing, digital commerce, tablets and cellphones, personal health and safety systems, etc.?
- What are the known or potential failures of cryptology? Are mathematical advances eroding the fundamental "hard problems" such as discrete logarithms or factoring? How can one be sure that a system employing cryptographic techniques is implemented securely? Is it better to use specialized hardware instead of software? Should cryptographic software be open source? How will advances in computing hardware, such as graphics processors, affect the use of cryptography?
- Is quantum key distribution a realistic method for day-to-day applications?
  Is quantum computing a serious threat to the strength of
  cryptography? Do quantum principles have wider application to
  cryptology? When are these technologies likely to move from research
  to proof-of-concept to widespread use?
- As more and more small devices contain general purpose computers and
  wireless communication, should they also employ cryptography? What
  physical constraints such as size, power demand, ruggedness or heat
  dissipation affect the ability to integrate cryptography in all
  devices? If device-based cryptography is readily available, will it be
  used? Will it be used appropriately?
- Is there such a thing as "user-friendly cryptography"? How much of the
  arcane side of cryptography can be shielded from the user without
  weakening its impact? Do users care whether they employ cryptography
  or at what strength? Do users worry about traffic interception by
  criminals, businesses, or governments?
- How and why does the U.S. government develop standards for
  cryptography? What standards are being developed now? How have the
  Snowden disclosures affected that process? Are there non-governmental
  approaches to developing these standards?
- What are the scientific and political limits to actual secrecy and
  privacy? Malware, man-in-the-middle attacks, hardware Trojans,
  collusion by businesses and governments - in this environment, what
  protection is available to end users?

-------------------------------------------------------------------------
TGC 2014 9th Symposium on Trustworthy Global Computing,
Co-located with Concur 2014, Rome, Italy, September 5-6, 2014.
(Submission Due 2 May 2014)
http://www.cs.le.ac.uk/events/tgc2014/

The Symposium on Trustworthy Global Computing is an international annual
venue dedicated to secure and reliable computation in the so-called
global computers, i.e., those computational abstractions emerging in
large-scale infrastructures such as service-oriented architectures,
autonomic systems, and cloud computing.
The TGC series focuses on providing frameworks, tools, algorithms, and
protocols for rigorously designing, verifying, and implementing
open-ended, large-scaled applications. The related models of computation
incorporate code and data mobility over distributed networks that
connect heterogeneous devices and have dynamically changing topologies.
We solicit papers in all areas of global computing, including (but not
limited to):
- languages, semantic models, and abstractions
- security, trust, and reliability
- privacy and information flow policies
- algorithms and protocols
- resource management
- model checking, theorem proving, and static analysis
- tool support

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================
____________________________________________________________________

Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:
  1. To receive the full ascii CIPHER issues as e-mail, send e-mail
     to cipher-admin@ieee-security.org (which is NOT automated) with
     subject line "subscribe". OR send a note to
     cipher-request@mailman.xmission.com with the subject line
     "subscribe" (this IS automated - thereafter you can manage your
     subscription options, including unsubscribing, yourself)
  2. To receive a short e-mail note announcing when a new issue of
     CIPHER is available for Web browsing send e-mail to
     cipher-admin@ieee-security.org (which is NOT automated) with
     subject line "subscribe postcard".
     OR send a note to cipher-postcard-request@mailman.xmission.com
     with the subject line "subscribe" (this IS automated - thereafter
     you can manage your subscription options, including unsubscribing,
     yourself)

To remove yourself from the subscription list, send e-mail to
cipher-admin@ieee-security.org with subject line "unsubscribe" or
"unsubscribe postcard" or, if you have subscribed directly to the
xmission.com mailing list, use your password (sent monthly) to
unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that
way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a
NEWSletter, not a bulletin board or forum. It has a fixed set of
departments, defined by the Table of Contents. Please indicate in the
subject line for which department your contribution is intended.
Calendar and Calls-for-Papers entries should be sent to
cipher-cfp @ ieee-security.org and they will be automatically included
in both departments. To facilitate the semi-automated handling, please
send either a text version of the CFP or a URL from which a text version
can be easily obtained. For Calendar entries, please include a URL
and/or e-mail address for the point-of-contact. For Calls for Papers,
please submit a one paragraph summary. See this and past issues for
examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS
APPLY. All reuses of Cipher material should respect stated copyright
notices, and should cite the sources explicitly; as a courtesy,
publications using Cipher material should obtain permission from the
contributors.
____________________________________________________________________

Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________

How to become a member of the
IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy by completing
the on-line form at IEEE at
https://www.ieee.org/membership-catalog/productdetail/showProductDetailPage.html?product=CMYSP728

______________________________________________________________________

TC Publications for Sale
______________________________________________________________________

The proceedings of previous conferences are available from the
Computer Society's Digital Library.

IEEE Security and Privacy Symposium
IEEE CS Press

____________________________________________________________________________

TC Officers and SP Steering Committee
____________________________________________________________________________

Chair:                               Security and Privacy Symposium Chair Emeritus:
Patrick McDaniel                     Robin Sommer
Computer Science and Engineering     http://www.icir.org/robin
Pennsylvania State University
360 A IST Building
University Park, PA 16802
(814) 863-3599
mcdaniel@cse.psu.edu

Vice Chair:                          Treasurer:
Ulf Lindqvist                        Yong Guan
SRI International                    3219 Coover Hall
Menlo Park, CA                       Department of Electrical and Computer
ulf.lindqvist@sri.com                Engineering
                                     Iowa State University, Ames, IA 50011
                                     (515) 294-8378
                                     yguan (at) iastate.edu

Newsletter Editor and                Security and Privacy Symposium, 2014 Chair:
TC Awards Chair:                     Greg Shannon
Hilarie Orman                        CERT
Purple Streak, Inc.                  oakland14-chair@ieee-security.org
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

________________________________________________________________________

BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year