============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 127                                        August 2, 2015

Hilarie Orman, Editor                 Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org     cipher-assoc-editor @ ieee-security.org

Richard Austin                        Yong Guan
Book Review Editor                    Calendar Editor
cipher-bookrev @ ieee-security.org    cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year

Contents:

 * Letter from the Editor
 * Commentary and Opinion and News
    o Richard Austin's review of "Privacy in the Modern Age: The Search for Solutions" by Marc Rotenberg, Julia Horwitz and Jeramie Scott
    o Items from the News
       - Warrantless surveillance for suspected malware crossing US border
       - Office of Personnel Management Was Warned of Poor Security While Being Hacked
       - Samsung Galaxy Phones Vulnerable via Keyboard Prediction Software Updates
       - Mac OS Keychains: Not So Secure
       - Exceptional Access, Exceptional Objection
       - The Muddled Legal State of Bulk Metadata Collection
       - The Car Hack Hits the Streets and Prompts a Recall
       - How Experts Protect Their Own Accounts
    o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website
 * List of Computer Security Academic Positions, by Cynthia Irvine
 * Conference and Workshop Announcements
    o Upcoming calls-for-papers and events
 * Staying in Touch
    o Information for subscribers and contributors
    o Recent address changes
 * Links for the IEEE Computer Society TC on Security and Privacy
    o Becoming a member of the TC
    o TC Officers
    o TC publications for sale
====================================================================
Letter from the Editor
====================================================================

Dear Readers:

The US government is roiling with the recent discovery of the disclosure of a large amount of sensitive data about people who have applied for security clearances. This follows on the heels of many cases of data theft from health care providers. It seems that online databases have security procedures that are little more than window dressing --- sunscreens instead of firewalls.

Our book review this month is about privacy in a world of increasing surveillance. One wonders how much the surveillors are being surveilled, and by whom!

For several months the NSA has been speaking about the benefits of being able to access all encrypted communication and data without the necessity of notifying the person who did the encryption, and without obtaining a warrant. This is a challenge to privacy, certainly. It is also, in some sense, a technology challenge --- what kind of cryptologic methods can be used to implement this securely? Many people believe that it is impossible and dangerous. The debate is on, not just in the US but in Great Britain and other countries.

The many research conferences that we list in our calendar and CFP sections follow a seasonal cycle. Many events to be held in the fall have their deadline for papers set for early summer. This year we noticed a surge in announcements and in extensions, and re-extensions, of deadlines. We also note that conferences are having a difficult time spreading themselves out evenly in time and space. It is something to think about as we continue to forge boldly into the mysteries of security research.

Well regulated encryption, being necessary to the security of a free state?,

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html

Hunting for Hackers, N.S.A. Secretly Expands Internet Spying at U.S. Border
http://www.nytimes.com/2015/06/05/us/hunting-for-hackers-nsa-secretly-expands-internet-spying-at-us-border.html
New York Times
By Charlie Savage, Julia Angwin, Jeff Larson and Henrik Moltke, June 4, 2015

Summary: According to revelations from Edward Snowden, in 2012 the US government approved warrantless surveillance of Internet traffic crossing the US border. The purpose of the surveillance is to detect cyberattacks originating from foreign governments, and the NSA uses patterns to detect malware and access to "suspicious" websites. The agency also sought permission to monitor related activities by US citizens on US soil, but the recent revelations do not include information about the outcome of that request.

------------------------------

New York Times
http://www.nytimes.com/2015/06/06/us/chinese-hackers-may-be-behind-anthem-premera-attacks.html?_r=0
U.S. Agency Was Warned of System Open to Cyberattacks
By David E. Sanger, Julie Hirschfeld Davis and Nicole Perlroth
June 5, 2015

Summary: The US Office of Personnel Management was the target of two phases of an apparently successful attack in 2015 to retrieve sensitive information from its databases. The Office's inspector general had issued a report in November of 2014 damning the poor security and even recommending shutting down some systems because they were so vulnerable. The intrusion into the Office's databases was attributed to non-governmental Chinese hackers who might be sharing information with the Chinese government.
The attack might have been orchestrated by the same group that infiltrated health care providers.

Ed.: one might wonder why the cross-border surveillance program did not detect this intrusion.

------------------------------

600 million Samsung Galaxy phones exposed to hackers
http://money.cnn.com/2015/06/17/technology/samsung-galaxy-hack/index.html
CNN Money
By Jose Pagliery
Jun. 17, 2015

Summary: A partnership between Samsung and Swiftkey was meant to keep Galaxy phones up-to-date with the latest word prediction software. But researchers at NowSecure found that the update procedure can be compromised, potentially giving hackers access to core internals of the operating system. The hack can be carried out over wifi networks and perhaps over cellular networks.

------------------------------

Exceptional Access, Exceptional Objections
Security Experts Oppose Government Access to Encrypted Communication
http://www.nytimes.com/2015/07/08/technology/code-specialists-oppose-us-and-british-government-access-to-encrypted-communication.html?_r=0
The New York Times
Nicole Perlroth
July 7, 2015

Summary: Governments are touchy about the use of encryption by their citizens, today more so than ever. The NSA believes that it is possible to have encryption that is perfectly secure but also allows the government, under careful judicial control, to read the encrypted data without contacting the person who did the encrypting. The descriptive phrase for this is "exceptional access". It has raised a firestorm of debate. A group of 14 security experts have published a paper opposing the idea. "The government's proposals for exceptional access are wrong in principle and unworkable in practice," said Ross Anderson.

"Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications"
http://dspace.mit.edu/bitstream/handle/1721.1/97690/MIT-CSAIL-TR-2015-026.pdf?sequence=1

------------------------------

Major Mac flaw spills your passwords
http://money.cnn.com/2015/06/18/technology/apple-keychain-passwords/index.html
CNN Money
By Jose Pagliery
Jun. 18, 2015

Summary: The Mac OS operating system from Apple has an application that is a manager for all the cryptographic keys used to protect data on the system. The "keychain" app is an important part of Apple's security for Mac computers. Researchers found significant flaws in the app and showed how to exploit them to gain access to a user's personal data, wherever it was stored --- locally or in iCloud. Frustrated by Apple's slow pace in addressing the problem, the researchers went public with their discovery, spurring Apple to work with them on a daily basis to get the holes closed.

------------------------------

http://www.nytimes.com/2015/07/15/us/politics/aclu-sues-to-stop-part-of-nsas-bulk-phone-data-collection.html
A.C.L.U. Asks Court to Stop Part of N.S.A.'s Bulk Phone Data Collection
The New York Times
By Charlie Savage
July 14, 2015

Summary: A US Federal Court has been asked to nullify an NSA program for bulk collection of calling information for US phones. The program was revealed by Edward Snowden, and it has been the subject of recent legislation and court challenges. Apparently the program is still in effect. The ACLU has petitioned the court to issue an injunction stopping the program. Also in question are the previously collected phone records.

------------------------------

Chryslers can be hacked over the Internet
http://money.cnn.com/2015/07/21/technology/chrysler-hack/index.html
CNN Money
By Jose Pagliery
Jul 21, 2015

Summary: Many recently manufactured Chrysler vehicles come with software that connects them to the Internet.
This wonderful capability is provided by a wireless service Uconnect that connects these cars to the Sprint cellphone network. Unfortunately, researchers have demonstrated that it is possible for unauthorized users (i.e., hackers) to take control of the car from the Internet. They can, for example, stop and start the engine. All such cars are the subject of a large recall: http://www.wired.com/2015/07/jeep-hack-chrysler-recalls-1-4m-vehicles-bug-fix/

------------------------------

How security experts protect themselves online
https://www.washingtonpost.com/blogs/the-switch/wp/2015/07/24/how-security-experts-protect-themselves-online/?tid=hpModule_88854bf0-8691-11e2-9d71-f0feafdd1394&hpid=z10
The Washington Post
By Andrea Peterson
July 24, 2015

Summary: Have you installed the latest versions of all your software? Do you use a different password for every one of your accounts? Do you use two-factor authentication? Then you might be a security expert. On the other hand, if you rely on anti-virus software and change your passwords frequently, you might not be an expert. These observations were presented at the recent SOUPS conference (https://cups.cs.cmu.edu/soups/2015/program.php), based on a survey carried out by researchers at Google.

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Richard Austin
7/22/2015
____________________________________________________________________

Privacy in the Modern Age: The Search for Solutions
by Marc Rotenberg, Julia Horwitz and Jeramie Scott

The New Press 2015.
ISBN 978-1-62097-107-9

"Privacy" is a hotly disputed issue with significant policy implications. We are assured that "privacy" and "security" are a zero-sum game and that one must be given up in the interest of the other. We are also told that "Privacy is dead. Get over it" and that, somehow, when the Internet came to dominate modern life, privacy was tossed out the window as a practical impossibility. And we are also assured that if effective encryption is widely deployed, the only beneficiaries are terrorists, drug dealers, pedophiles ..., when the Internet goes "dark".

The editors take the view that the debate over privacy is much more nuanced than its simplistic, zero-sum portrayals in the media and have assembled an all-star cast of contributors to explore the dimensions of "privacy" and how it can be preserved. Though each of the contributions is excellent, I will focus on the chapters by Ross Anderson, Anna Lysyanskaya and Bruce Schneier to provide a sampling.

"What goes around comes around" (Ross Anderson). What will be the legacy of the US? There are many contributions but "the architecture of the Internet and the moral norms embedded in it, will be a huge part of America's legacy" (p. 27). As the technological world embraces common standards, the costs of pervasive surveillance decrease. Anderson notes that in the past, things like phone systems were very different between countries and required significant investments to maintain surveillance capability in each of them. However, with the convergence on standardized technologies such as VoIP, emplacing a wiretap becomes relatively trivial. Also of note is the rise of advertiser-paid services in the form of "free" applications, "convenience" features such as tailored recommendations based on your geolocation, etc. Though developed and funded by business interests, the possibilities for use as surveillance tools are disturbing.
The governance processes the US develops for its own uses (and abuses) of these capabilities will form a large part of its enduring legacy.

"Cryptography is the future" (Anna Lysyanskaya). What if, instead of interfering with the capabilities of intelligence agencies and law enforcement, cryptographic technology could make their jobs easier while protecting individual privacy at the same time? That sounds too good to be true but Lysyanskaya, a cryptographer, describes currently available technologies (some the result of research funded by US intelligence agencies) that could make this possible. For example, it has been asserted that intelligence agencies must collect all phone records so that they can query them (after obtaining legal approval) to avoid the phone company's discovering which of their customers is of interest. Lysyanskaya identifies this situation as an example of the "secure two-party computation problem" (p. 113) and notes that protocols are well known that would allow the intelligence agency to obtain the information it needs without the records custodian (the service provider) being able to determine which of its customers was of interest. She then asks a critical question with wide applicability beyond cryptography: "If solutions are available, why aren't they being used?" with the answer "Perhaps cryptographers and policy makers are not speaking the same language." (p. 115). This is a significant challenge to a profession that often can't communicate even with its own management but as our professional responsibilities increasingly affect the society in which we live, it is a challenge we must acknowledge and solve.

"Fear and convenience" (Bruce Schneier). Schneier asserts that we have been debating the privacy/security problem as if it were a technology problem rather than a people problem. By and large, we enable pervasive surveillance out of fear or for convenience.
We fear terrorist attacks so we allow our government to conduct pervasive surveillance to protect us. We like "free" and convenient services that allow us to keep in touch, receive personalized advertising and other services. We seldom stop to think about the wealth of information we give up in order to enable those "free and convenient" services. Schneier's main point is that we need to move the discussion beyond technology (how who can surveil whom) and more to a reasoned discussion about how much surveillance we're willing to accept in return for which benefits. Without this type of reasoned, public debate, "the trajectory of technology is resulting in a level of surveillance that will change society in ways we can just begin to imagine." (p. 203).

This is a timely book that explores the complex issues at the intersection of "privacy" and "security" in clear, understandable language. Do read this book and share it with friends, book discussion groups and even elected officials. The evolving complex relationship between "security" and "privacy" affects us all and a public, intelligent discourse will assure that our voices are heard.

-------

It has been said "Be careful, for writing books is endless, and much study wears you out" so Richard Austin (http://cse.spsu.edu/raustin2) fearlessly samples the wares of the publishing houses and opines as to which might most profitably occupy your scarce reading time. He welcomes your thoughts and comments via raustin at ieee dot org

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

New since Cipher 126:

Posted July 2015
Department of Computer Science, TU Darmstadt
Darmstadt, Germany
Two PostDoc Positions in Software Security:
- Concurrent Program Security
- Information-Flow Security by Design
The positions are available from September 1st 2015, but a later start is also possible.
We will consider applications until the positions are filled.
http://www.mais.informatik.tu-darmstadt.de/Positions.html

http://cisr.nps.edu/jobscipher.html

--------------

This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Conference and Workshop Announcements
====================================================================

The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Cipher calendar entries are announced on Twitter; follow ciphernews

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

8/ 6/15: EuroSP, 1st IEEE European Symposium on Security and Privacy, Congress Center Saar, Saarbrucken, Germany; http://www.ieee-security.org/TC/EuroSP2016/; Submissions are due
8/10/15: ICISS, 11th International Conference on Information Systems Security, Kolkata, India; http://www.iciss.org.in; Submissions are due
8/12/15- 8/14/15: USENIX-Security, 24th USENIX Security Symposium, Washington, D.C., USA; https://www.usenix.org/conference/usenixsecurity15
8/13/15: WPES, Workshop on Privacy-Preserving Information Retrieval, Held in conjunction with the ACM SIGIR conference, Santiago de Chile; http://privacypreservingir.org
8/14/15: NDSS, Network and Distributed System Security Symposium, San Diego, California, USA; http://www.internetsociety.org/events/ndss-symposium-2016; Submissions are due
8/16/15- 8/21/15: 10th IFIP Summer School on Privacy and Identity
Management - Time for a Revolution?, Edinburgh, Scotland; http://www.ifip-summerschool.org/
8/20/15- 8/22/15: WISA, 16th International Workshop on Information Security Applications, Jeju Island, Korea; http://www.wisa.or.kr
8/24/15- 8/25/15: WISTP, 9th WISTP International Conference on Information Security Theory and Practice, Crete, Greece; http://www.wistp.org
8/24/15- 8/28/15: ECTCM, 3rd International Workshop on Emerging Cyberthreats and Countermeasures, Held in conjunction with the 10th International Conference on Availability, Reliability and Security (ARES 2015), Toulouse, France; http://www.ares-conference.eu/conference/workshops/wsdf-2015/
8/24/15- 8/28/15: RT2ND, International Workshop on Risk and Trust in New Network Developments, Held in conjunction with the 10th International Conference on Availability, Reliability and Security (ARES 2015), Toulouse, France; http://www.ares-conference.eu/conference/workshops/rt2nd-2015/
8/24/15- 8/28/15: WSDF, 8th International Workshop on Digital Forensics, Held in conjunction with the 10th International Conference on Availability, Reliability and Security (ARES 2015), Toulouse, France; http://www.ares-conference.eu/conference/workshops/wsdf-2015/
8/31/15: IEEE Transactions on Services Computing, Special Issue on Security and Dependability of Cloud Systems and Services; http://www.journals.elsevier.com/journal-of-computer-and-system-sciences/call-for-papers/cyber-security-in-the-critical-infrastructure-advances-and-f/; Submissions are due
8/31/15- 9/ 4/15: EUSIPCO, 23rd European Signal Processing Conference, Information Forensics and Security Track, Nice, Cote d' Azur, France; http://www.eusipco2015.org
9/ 1/15: Elsevier Future Generation Computer Systems, Special issue on Security, Privacy and Trust of the User-centric Solutions; http://www.journals.elsevier.com/future-generation-computer-systems/call-for-papers/special-issue-on-security-privacy-and-trust-of-the-user-cent/; Submissions are due
9/ 1/15: SPW, Security
and Privacy Workshops, Held in conjunction with the 37th IEEE Symposium on Security and Privacy (SP 2016), San Jose, CA, USA; http://www.ieee-security.org/TC/SP2016/cfworkshops.html; Workshop proposals are due
9/ 1/15- 9/ 2/15: TrustBus, 12th International Conference on Trust, Privacy, and Security in Digital Business, Valencia, Spain; http://www.ds.unipi.gr/trustbus15/
9/ 4/15: IFIP119-DF, 12th IFIP WG 11.9 International Conference on Digital Forensics, New Delhi, India; http://www.ifip119.org; Submissions are due
9/ 8/15: ICISSP, 2nd International Conference on Information Systems Security and Privacy, Rome, Italy; http://www.icissp.org/; Submissions are due
9/10/15: IEICE Transactions on Information and Systems, Special Issue on Information and Communication System Security; http://www.journals.elsevier.com/computers-and-electrical-engineering/call-for-papers/challenges-and-solutions-in-mobile-systems-security/; Submissions are due
9/14/15: IET Information Security, Special Issue on Lightweight and Energy-Efficient Security Solutions for Mobile Computing Devices; http://digital-library.theiet.org/files/IET_IFS_SI_CFP.pdf; Submissions are due
9/14/15: CODASPY, 6TH ACM Conference on Data and Application Security and Privacy, New Orleans, LA, USA; http://www.codaspy.org; Submissions are due
9/21/15: ICSS, Industrial Control System Security Workshop, Held in conjunction with 31st Annual Computer Security Applications Conference (ACSAC), Los Angeles, California, USA; http://acsac.org/2015/workshops/icss/; Submissions are due
9/21/15- 9/22/15: DPM, 10th International Workshop on Data Privacy Management, Co-located with ESORICS 2015, Vienna, Austria; http://deic.uab.cat/conferences/dpm/dpm2015/
9/23/15- 9/25/15: ESORICS, 20th European Symposium on Research in Computer Security, Vienna, Austria; http://www.esorics2015.sba-research.org
9/25/15: ESSoS, International Symposium on Engineering Secure Software and Systems, University of London, London, UK;
https://distrinet.cs.kuleuven.be/events/essos/2016/calls-papers.html; Submissions are due
9/28/15- 9/30/15: CNS, 3rd IEEE Conference on Communications and Network Security, Florence, Italy; http://cns2015.ieee-cns.org/
9/30/15: Pervasive and Mobile Computing, Special Issue on Mobile Security, Privacy and Forensics; http://www.journals.elsevier.com/pervasive-and-mobile-computing/call-for-papers/special-issue-on-mobile-security-privacy-and-forensics/; Submissions are due
9/30/15: SPC, 1st Workshop on Security and Privacy in the Cloud, Held in conjunction with the IEEE Conference on Communications and Network Security (CNS 2015), Florence, Italy; http://www.zurich.ibm.com/spc2015/
9/30/15: SPiCy, 1st Workshop on Security and Privacy in Cybermatics, Held in conjunction with IEEE Conference on Communications and Networks Security (IEEE-CNS 2015), Florence, Italy; http://spicy2015.di.unimi.it
10/ 3/15: INTRICATE-SEC, 4th International Workshop on Security Intricacies in Cyber-Physical Systems and Services, Held in conjunction with the 30th International Conference on Advanced Information Networking and Applications (AINA-2016), Crans-Montana, Switzerland; http://infosec.cs.uct.ac.za/INTRICATE-SEC/; Submissions are due
10/ 5/15-10/ 7/15: CRITIS, 10th International Conference on Critical Information Infrastructures Security, Berlin, Germany; http://www.critis2015.org
10/ 7/15: PQCrypto, 7th International Conference on Post-Quantum Cryptography, Fukuoka, Japan; https://pqcrypto2016.jp/; Submissions are due
10/ 7/15-10/10/15: IWDW, 14th International Workshop on Digital Forensics and Watermarking, Tokyo, Japan; http://iwdw2015.tokyo/
10/12/15: WISCS, 2nd Workshop on Information Sharing and Collaborative Security, Held in conjunction with the 22nd ACM Conference on Computer and Communications Security (ACM CCS 2015), Denver, Colorado, USA; https://sites.google.com/site/wiscs2015/
10/12/15: WPES, Workshop on Privacy in the Electronic Society, Held in conjunction with the 22nd
ACM Conference on Computer and Communications Security (ACM CCS 2015), Denver, Colorado, USA; https://wpes15.cs.umn.edu/
10/12/15: SafeConfig, 8th Workshop on Automated Decision Making for Active Cyber Defense, Held in conjunction with the 22nd ACM Conference on Computer and Communications Security (ACM CCS 2015), Denver, Colorado, USA; http://ccsw.ics.uci.edu/15/
10/12/15-10/16/15: ACM-CCS, 22nd ACM Conference on Computer and Communications Security, Denver, Colorado, USA; http://www.sigsac.org/ccs/CCS2015
10/15/15: Elsevier Computer Networks, Special issue on Recent Advances in Physical-Layer Security; http://www.journals.elsevier.com/computer-networks/call-for-papers/special-issue-on-recent-advances-in-physical-layer-security/; Submissions are due
10/16/15: CCSW, ACM Cloud Computing Security Workshop, Held in conjunction with the 22nd ACM Conference on Computer and Communications Security (ACM CCS 2015), Denver, Colorado, USA; http://ccsw.ics.uci.edu/15/
10/16/15: CPS-SPC, 1st ACM Cyber-Physical Systems Security and PrivaCy Workshop, Held in conjunction with the 22nd ACM Conference on Computer and Communications Security (ACM CCS 2015), Denver, Colorado, USA; https://sites.google.com/site/2015cpsspc/
10/20/15: Wiley Security and Communication Networks journal, Special Issue on Cyber Crime; http://onlinelibrary.wiley.com/journal/10.1002/%28ISSN%291939-0122; Submissions are due
10/26/15-10/28/15: FPS, 8th International Symposium on Foundations & Practice of Security, Clermont-Ferrand, France; http://confiance-numerique.clermont-universite.fr/fps2015/
10/26/15-10/28/15: C&TC, 5th International Symposium on Cloud Computing, Trusted Computing and Secure Virtual Infrastructures - Cloud and Trusted Computing, Rhodes, Greece; http://www.onthemove-conferences.org/index.php/cloud-trust-15
11/ 1/15: IEEE Communication Magazine, Feature Topic on Bio-inspired Cyber Security for Communications and Networking; http://www.comsoc.org/commag/cfp/bio-inspired-cyber-security-communications-and-networking; Submissions are due
11/ 3/15-11/ 5/15: NSS, 9th International Conference on Network and System Security, New York City, NY, USA; http://anss.org.au/nss2015/index.htm
11/13/15: SP, 37th IEEE Symposium on Security and Privacy, San Jose, CA, USA; http://www.ieee-security.org/TC/SP2016/; Submissions are due
11/20/15: ASIACCS, 11th ACM Asia Conference on Computer and Communications Security, Xi'an, China; http://meeting.xidian.edu.cn/conference/AsiaCCS2016/home.html; Submissions are due
11/30/15: ACM Transactions on Internet Technology, Special Issue on Internet of Things (IoT): Secure Service Delivery; http://toit.acm.org/CfP/ACM-ToIT-CfP-IoT-Security.pdf; Submissions are due
12/ 6/15-12/10/15: Globecom-CISS, IEEE Globecom 2015, Communication & Information System Security Symposium, San Diego, CA, USA; http://globecom2015.ieee-globecom.org/sites/globecom2015.ieee-globecom.org/files/u42/GC15_TPC_CFP_CISS_-_Communication_&_Information_System_Security.pdf
12/ 7/15-12/11/15: ICSS, Industrial Control System Security Workshop, Held in conjunction with 31st Annual Computer Security Applications Conference (ACSAC), Los Angeles, California, USA; http://acsac.org/2015/workshops/icss/
12/ 8/15-12/12/15: CANS, 14th International Conference on Cryptology and Network Security, Morocco, Marrakesh; http://www.cans2015.org/
12/16/15-12/20/15: ICISS, 11th International Conference on Information Systems Security, Kolkata, India; http://www.iciss.org.in
12/24/15: IFIP SEC, 31th IFIP TC-11 SEC 2016 International Information Security and Privacy Conference, Ghent, Belgium; http://ifipsec.org/2016/; Submissions are due
1/ 4/16- 1/ 6/16: IFIP119-DF, 12th IFIP WG 11.9 International Conference on Digital Forensics, New Delhi, India; http://www.ifip119.org
2/19/16- 2/21/15: ICISSP, 2nd International Conference on Information Systems Security and Privacy, Rome, Italy; http://www.icissp.org/
2/21/16- 2/24/16: NDSS, Network and Distributed
System Security Symposium, San Diego, California, USA; http://www.internetsociety.org/events/ndss-symposium-2016
2/24/16- 2/26/16: PQCrypto, 7th International Conference on Post-Quantum Cryptography, Fukuoka, Japan; https://pqcrypto2016.jp/
3/ 9/16- 3/11/16: CODASPY, 6TH ACM Conference on Data and Application Security and Privacy, New Orleans, LA, USA; http://www.codaspy.org
3/21/16- 3/24/16: EuroSP, 1st IEEE European Symposium on Security and Privacy, Congress Center Saar, Saarbrucken, Germany; http://www.ieee-security.org/TC/EuroSP2016/
3/23/16- 3/25/16: INTRICATE-SEC, 4th International Workshop on Security Intricacies in Cyber-Physical Systems and Services, Held in conjunction with the 30th International Conference on Advanced Information Networking and Applications (AINA-2016), Crans-Montana, Switzerland; http://infosec.cs.uct.ac.za/INTRICATE-SEC/
4/ 6/16- 4/ 8/16: ESSoS, International Symposium on Engineering Secure Software and Systems, University of London, London, UK; https://distrinet.cs.kuleuven.be/events/essos/2016/calls-papers.html
5/23/16- 5/25/16: SP, 37th IEEE Symposium on Security and Privacy, San Jose, CA, USA; http://www.ieee-security.org/TC/SP2016/
5/26/16: SPW, Security and Privacy Workshops, Held in conjunction with the 37th IEEE Symposium on Security and Privacy (SP 2016), San Jose, CA, USA; http://www.ieee-security.org/TC/SP2016/cfworkshops.html
5/30/16- 6/ 1/16: IFIP SEC, 31th IFIP TC-11 SEC 2016 International Information Security and Privacy Conference, Ghent, Belgium; http://ifipsec.org/2016/
5/31/16- 6/ 3/16: ASIACCS, 11th ACM Asia Conference on Computer and Communications Security, Xi'an, China; http://meeting.xidian.edu.cn/conference/AsiaCCS2016/home.html

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers (new since Cipher E126)
___________________________________________________________________

EuroSP 2016 1st IEEE European Symposium on Security and Privacy, Congress
Center Saar, Saarbrücken, Germany, March 21-24, 2016. (Submissions Due 6 August 2015)
http://www.ieee-security.org/TC/EuroSP2016/

The IEEE European Symposium on Security and Privacy (EuroS&P) has been founded as the European sister conference of the established IEEE S&P symposium, and thus as a premier forum for computer security research, presenting the latest developments and bringing together researchers and practitioners. We solicit previously unpublished papers offering novel research contributions in any aspect of security or privacy. Papers may present advances in the theory, design, implementation, analysis, verification, or empirical evaluation and measurement of secure systems. Topics of interest include:
- Access control
- Accountability
- Anonymity
- Application security
- Attacks and defenses
- Authentication
- Censorship and censorship-resistance
- Cloud security
- Distributed systems security
- Embedded systems security
- Forensics
- Formal methods for security
- Hardware security
- Intrusion detection
- Malware
- Metrics
- Mobile security and privacy
- Language-based security
- Network security
- Privacy-preserving systems
- Protocol security
- Secure information flow
- Security and privacy policies
- Security architectures
- System security
- Usable security and privacy
- Web security and privacy

-------------------------------------------------------------------------

ICISS 2015 11th International Conference on Information Systems Security, Kolkata, India, December 16-20, 2015. (Submissions Due 10 August 2015)
http://www.iciss.org.in

The conference series ICISS (International Conference on Information Systems Security), held annually, provides a forum for disseminating latest research results in information and systems security. ICISS 2015, the eleventh conference in this series, will be held under the aegis of the Society for Research in Information Security and Privacy (SRISP).
Submissions are encouraged from academia, industry and government, addressing theoretical and practical problems in information and systems security and related areas.

Topics of interest include but are not limited to:
- Access and Usage Control
- Application Security
- Authentication and Audit
- Biometric Security
- Cloud Security
- Cryptographic Protocols
- Cyber-physical Systems Security
- Data Security and Privacy
- Digital Forensics
- Digital Rights Management
- Distributed Systems Security
- Formal Models in Security
- Identity Management
- Intrusion Detection and Prevention
- Intrusion Tolerance and Recovery
- Key Management
- Language-based Security
- Malware Analysis and Mitigation
- Network Security
- Operating Systems Security
- Privacy and Anonymity
- Secure Data Streams
- Security and Usability
- Security Testing
- Sensor and Ad Hoc Network Security
- Smartphone Security
- Software Security
- Usable Security
- Vulnerability Detection and Mitigation
- Web Security

-------------------------------------------------------------------------
NDSS 2016 Network and Distributed System Security Symposium, San Diego, California, USA, February 21-24, 2016.
(Submissions Due 14 August 2015)
http://www.internetsociety.org/events/ndss-symposium-2016

ISOC NDSS fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies. Technical papers and panel proposals are solicited. All submissions will be reviewed by the Program Committee and accepted submissions will be published by the Internet Society in the Proceedings of NDSS 2016. The Proceedings will be made freely accessible from the Internet Society webpages.
Furthermore, permission to freely reproduce all or parts of papers for noncommercial purposes is granted provided that copies bear the Internet Society notice included in the first page of the paper. The authors are therefore free to post the camera-ready versions of their papers on their personal pages and within their institutional repositories. Reproduction for commercial purposes is strictly prohibited and requires prior consent.

Topics include:
- Anti-malware techniques: detection, analysis, and prevention
- Combating cyber-crime: anti-phishing, anti-spam, anti-fraud techniques
- Security for future Internet architectures and designs (e.g., Software-Defined Networking)
- High-availability wired and wireless networks
- Implementation, deployment and management of network security policies
- Integrating security in Internet protocols: routing, naming, network management
- Intellectual property protection: protocols, implementations, metering, watermarking, digital rights management
- Intrusion prevention, detection, and response
- Privacy and anonymity technologies
- Security and privacy for distributed cryptocurrencies
- Security and privacy in Social Networks
- Public key infrastructures, key management, certification, and revocation
- Special problems and case studies: e.g., tradeoffs between security and efficiency, usability, reliability and cost
- Security for collaborative applications: teleconferencing and video-conferencing
- Security for cloud computing
- Security for emerging technologies: sensor/wireless/mobile/personal networks and systems
- Security for future home networks, Internet of Things, body-area networks
- Security for large-scale systems and critical infrastructures (e.g., electronic voting, smart grid)
- Security for peer-to-peer and overlay network systems
- Security for Vehicular Ad-hoc Networks (VANETs)
- Security of Web-based applications and services
- Trustworthy Computing mechanisms to secure network protocols and distributed
systems
- Usable security and privacy

-------------------------------------------------------------------------
Journal of Computer and System Sciences, Special Issue on Cyber Security in the Critical Infrastructure: Advances and Future Directions.
(Submissions Due 31 August 2015)
http://www.journals.elsevier.com/journal-of-computer-and-system-sciences/call-for-papers/cyber-security-in-the-critical-infrastructure-advances-and-f/
Editors: Jemal Abawajy (Deakin University, Australia), Kim-Kwang Raymond Choo (University of South Australia, Australia), and Rafiqul Islam (Charles Sturt University, Australia).

This special issue invites original research papers that report on state-of-the-art and recent advancements in securing our critical infrastructure and cyberspace, with a particular emphasis on novel techniques to build resilient critical information infrastructure.

Topics of interest include but are not limited to:
- Cyber security mitigation techniques for critical infrastructures such as banking and finance, communications, emergency services, energy, food chain, health, mass gatherings, transport and water
- Cyber threat modelling and analysis
- Cyber forensics
- Visual analytics and risk management techniques for cyber security
- Cyber security test beds, tools, and methodologies

-------------------------------------------------------------------------
Elsevier Future Generation Computer Systems, Special issue on Security, Privacy and Trust of the User-centric Solutions.
(Submissions Due 1 September 2015)
http://www.journals.elsevier.com/future-generation-computer-systems/call-for-papers/special-issue-on-security-privacy-and-trust-of-the-user-cent/
Editors: Raja Naeem Akram (University of London, United Kingdom), Hsiao-Hwa Chen (National Cheng Kung University, Taiwan), Javier Lopez (University of Malaga, Spain), Damien Sauveron (University of Limoges, France), and Laurence T. Yang (St. Francis Xavier University, Canada).

In future computing environments, due to the ongoing development of pervasive and smart technologies, movement towards user-centric solutions must be paramount. The frameworks for everyday personal computing devices, including smartphones, smart cards and sensors, are becoming user-centric instead of issuer-centric. User-centric solutions can target a wide range of applications, ranging from individual devices communicating with other connected devices, through to data-sharing in cloud computing and open grids on very powerful computing systems. User-centric solutions address the devices themselves and the ways in which they communicate, i.e., the networks and the end-user applications. The key factor in the success of user-centric solutions is the peace of mind of users. To achieve this the security, privacy and trust in the user-centric ecosystem for any device must be ensured. This special issue aims to further scientific research within the field of security, privacy and trust for user-centric solutions. It will accept original research papers that report the latest results and advances in this area. It also invites review articles that focus on the state of the art in security, privacy and trust solutions for user-centric devices, network and applications, highlighting trends and challenges. The papers will be peer reviewed and will be selected on the basis of their quality and relevance to the topic of this special issue. 
Topics include (but are not limited to):
- Security, Privacy and Trust of User-centric Devices (Smartphones, PDA, RFID, Sensors, Smart Cards, Smart Cameras, Smart Objects), User-centric Networks (Mobile Ad hoc Networks, M2M Networks, Urban Networks, Wireless Sensor Networks), and User-centric Applications (Cloud Computing, Data Provenance, Smart Grids
- Technologies used to enhance Security, Privacy and Trust in User-centric solutions (NFC, IPv6, TPM)
- Societal issues related to Security, Privacy and Trust in User-centric solutions (HCI, User interactions)

-------------------------------------------------------------------------
SPW 2016 Security and Privacy Workshops, Held in conjunction with the 37th IEEE Symposium on Security and Privacy (SP 2016), San Jose, CA, USA, May 26, 2016.
(Submissions Due 1 September 2015)
http://www.ieee-security.org/TC/SP2016/cfworkshops.html

Since 1980, the IEEE Symposium on Security and Privacy (SP) has been the premier forum for the presentation of developments in computer security and electronic privacy, and for bringing together researchers and practitioners in the field. To expand opportunities for scientific exchanges, the IEEE CS Technical Committee on Security and Privacy created the Security and Privacy Workshops (SPW). The typical purpose of such a workshop is to cover a specific aspect of security and privacy in more detail, making it easy for the participants to attend IEEE SP and a specialized workshop at SPW with just one trip. Furthermore, the co-location offers synergies for the organizers. The number of workshops and attendees has grown steadily during recent years. Workshops can be annual events, one time events, or aperiodic. The Security and Privacy Workshops in 2016 will be held on Thursday, May 26. All workshops will occur on that day. Up to six workshops will be hosted by SPW.

-------------------------------------------------------------------------
IFIP119-DF 2016 12th IFIP WG 11.9 International Conference on Digital Forensics, New Delhi, India, January 4-6, 2016.
(Submissions Due 4 September 2015)
http://www.ifip119.org

The IFIP Working Group 11.9 on Digital Forensics (www.ifip119.org) is an active international community of scientists, engineers and practitioners dedicated to advancing the state of the art of research and practice in digital forensics. The Twelfth Annual IFIP WG 11.9 International Conference on Digital Forensics will provide a forum for presenting original, unpublished research results and innovative ideas related to the extraction, analysis and preservation of all forms of electronic evidence. Papers and panel proposals are solicited. All submissions will be refereed by a program committee comprising members of the Working Group. Papers and panel submissions will be selected based on their technical merit and relevance to IFIP WG 11.9. The conference will be limited to approximately 100 participants to facilitate interactions between researchers and intense discussions of critical research issues. Keynote presentations, revised papers and details of panel discussions will be published as an edited volume - the twelfth volume in the well-known Advances in Digital Forensics book series (Springer, Heidelberg, Germany) during the summer of 2016. Technical papers and posters are solicited in all areas related to the theory and practice of digital forensics.
Areas of special interest include, but are not limited to:
- Theories, techniques and tools for extracting, analyzing and preserving digital evidence
- Network and cloud forensics
- Embedded device forensics
- Digital forensic processes and workflow models
- Digital forensic case studies
- Legal, ethical and policy issues related to digital forensics

-------------------------------------------------------------------------
ICISSP 2016 2nd International Conference on Information Systems Security and Privacy, Rome, Italy, February 19-21, 2016.
(Submissions Due 8 September 2015)
http://www.icissp.org/

The International Conference on Information Systems Security and Privacy aims at creating a meeting point for researchers and practitioners that address security and privacy challenges that concern information systems, especially in organizations, including not only technological issues but also social issues. The conference welcomes papers of either practical or theoretical nature, presenting research or applications addressing all aspects of security and privacy that concern organizations and individuals, thus creating new research opportunities.

Topics include:
- Security Frameworks, Architectures and Protocols
- Cryptographic Algorithms
- Information Hiding and Anonymity
- Vulnerability Analysis and Countermeasures
- Database Security
- Content Protection and Digital Rights Management
- Software Security Assurance
- Security Architecture and Design Analysis
- Security Testing
- Risk and Reputation Management
- Phishing
- Security and Trust in Pervasive Information Systems
- Legal and Regulatory Issues
- Security Professionalism and Practice
- Trust in Social Networks
- Identity and Trust Management
- Intrusion Detection and Response
- Smartcard Technology
- Privacy-Enhancing Models and Technologies
- Privacy In Cloud and Pervasive Computing
- Authentication, Privacy and Security Models
- Social Media Privacy
- E-Voting and Privacy
- Privacy Metrics and Control
- Malware Detection
- Vehicular Systems and Networks
- Threat Awareness
- Identification and Access Control
- Mobile Systems Security
- Biometric Technologies and Applications
- Security Awareness and Education
- Data and Software Security
- Data Mining and Knowledge Discovery
- Web Applications and Services

-------------------------------------------------------------------------
IEICE Transactions on Information and Systems, Special Issue on Information and Communication System Security.
(Submissions Due 10 September 2015)
http://www.journals.elsevier.com/computers-and-electrical-engineering/call-for-papers/challenges-and-solutions-in-mobile-systems-security/
Editors: Abhishek Parakh (University of Nebraska, Omaha, USA) and Zhiwei Wang (Nanjing University of Posts and Telecommunications, P.R. China).

Mobile devices, such as smart tags, smart pads, tablets, PDAs, smart phones and wireless sensors, have become pervasive and attract significant interest from academia, industry, and standard organizations. With the latest cloud computing technology, those mobile devices will play a more and more important role in computing and communication.
When those devices become pervasive, security becomes a critical component for the acceptance of applications built on those devices. Moreover, several favorable characteristics of mobile devices, including portability, mobility and sensitivity, further increase the challenges of security in these systems. However, due to rapid development and applications, security in mobile systems involves different challenges. This special issue aims to bring together works of technologists and researchers who share an interest in the area of security in mobile systems, and to explore new venues of collaboration. Its main purpose is to promote discussions about research and relevant activities in the models and designs of secure, privacy-preserving, trusted architectures, security protocols, cryptographic algorithms, services and applications, as well as to analyse cyber threats in mobile systems. It also aims at increasing the synergy between academic and industry professionals working in this area. We seek papers that address theoretical, experimental research, and works-in-progress for security-related issues in the context of mobile systems.

Suitable topics include the following in relation to security:
- Cryptography for mobile systems
- Mobile local area networks
- Mobile mesh networks
- Mobile ad-hoc networks
- Vehicular networks
- Mobile social networks
- Mobile smart grid
- Mobile RFID-based systems
- Mobile cloud
- Mobile cyber-physical systems
- Internet of things
- Location-based service systems
- Mobile healthcare systems
- Big data for mobile computing

-------------------------------------------------------------------------
IET Information Security, Special Issue on Lightweight and Energy-Efficient Security Solutions for Mobile Computing Devices.
(Submissions Due 14 September 2015)
http://digital-library.theiet.org/files/IET_IFS_SI_CFP.pdf
Editors: Nele Mentens (KU Leuven, Belgium), Damien Sauveron (University of Limoges, France), Jose Maria Sierra Camara (Universidad Carlos III Madrid, Spain), Shiuh-Jeng Wang (Central Police University, Taiwan, R.O.C.), and Isaac Woungang (Ryerson University, Canada).

In modern life, computing devices are becoming more and more mobile and embedded, meaning that they are vulnerable to power limitation and low resources. In this context, the need for lightweight and energy-efficient security solutions to secure communication as well as applications in which they are involved is inescapable. The targeted mobile devices are small and low computational ones such as RFID, Contactless Smart Card, Wireless Sensors Nodes, to name a few. The aim of this Special Issue is to publish state-of-the-art research results in recent advances in Lightweight and Energy-Efficient Security Solutions for Mobile and Pervasive Computing Devices.

-------------------------------------------------------------------------
CODASPY 2016 6TH ACM Conference on Data and Application Security and Privacy, New Orleans, LA, USA, March 9-11, 2016.
(Submissions Due 14 September 2015)
http://www.codaspy.org

Data and applications security and privacy has rapidly expanded as a research field with many important challenges to be addressed. The goal of the ACM Conference on Data and Applications Security (CODASPY) is to discuss novel, exciting research topics in data and application security and privacy and to lay out directions for further research and development in this area. The conference seeks submissions from diverse communities, including corporate and academic researchers, open-source projects, standardization bodies, governments, system and security administrators, software engineers and application domain experts.

Topics of interest include, but are not limited to:
- Application-layer security policies
- Access control for applications
- Access control for databases
- Data-dissemination controls
- Data forensics
- Enforcement-layer security policies
- Privacy-preserving techniques
- Private information retrieval
- Search on protected/encrypted data
- Secure auditing
- Secure collaboration
- Secure data provenance
- Secure electronic commerce
- Secure information sharing
- Secure knowledge management
- Secure multiparty computations
- Secure software development
- Securing data/apps on untrusted platforms
- Securing the semantic web
- Security and privacy in GIS/spatial data
- Security and privacy in healthcare
- Security policies for databases
- Social computing security and privacy
- Social networking security and privacy
- Trust metrics for applications, data, and users
- Usable security and privacy
- Usage Control
- Web application security

-------------------------------------------------------------------------
ICSS 2015 Industrial Control System Security Workshop, Held in conjunction with 31st Annual Computer Security Applications Conference (ACSAC), Los Angeles, California, USA, December 7-11, 2015.
(Submissions Due 21 September 2015)
http://acsac.org/2015/workshops/icss/

Supervisory control and data acquisition (SCADA) and industrial control systems monitor and control a wide range of industrial and infrastructure processes such as water treatment, power generation and transmission, oil and gas refining and steel manufacturing. Such systems are usually built using a variety of commodity computer and networking components, and are becoming increasingly interconnected with corporate and other Internet-visible networks. As a result, they face significant threats from internal and external actors. For example, the Stuxnet malware, which was specifically written to attack SCADA systems, alone caused multi-million dollar damages in 2010.
The critical requirement for high availability in SCADA and industrial control systems, along with the use of resource constrained computing devices, legacy operating systems and proprietary software applications limits the applicability of traditional information security solutions. The goal of this workshop is to explore new security techniques that are applicable in the control systems context.

Papers of interest including (but not limited to) the following subject categories are solicited:
- Intrusion detection and prevention
- Malware
- Vulnerability analysis of control systems protocols
- Digital forensics
- Virtualization
- Application security
- Performance impact of security methods and tools in control systems

-------------------------------------------------------------------------
ESSoS 2016 International Symposium on Engineering Secure Software and Systems, University of London, London, UK, April 6 - 8, 2016.
(Submissions Due 25 September 2015)
https://distrinet.cs.kuleuven.be/events/essos/2016/calls-papers.html

Trustworthy, secure software is a core ingredient of the modern world. So is the Internet. Hostile, networked environments, like the Internet, can allow vulnerabilities in software to be exploited from anywhere. High-quality security building blocks (e.g., cryptographic components) are necessary but insufficient to address these concerns. Indeed, the construction of secure software is challenging because of the complexity of modern applications, the growing sophistication of security requirements, the multitude of available software technologies and the progress of attack vectors. Clearly, a strong need exists for engineering techniques that scale well and that demonstrably improve the software's security properties. The goal of this symposium, which will be the eighth in the series, is to bring together researchers and practitioners to advance the states of the art and practice in secure software engineering.
Being one of the few conference-level events dedicated to this topic, it explicitly aims to bridge the software engineering and security engineering communities, and promote cross-fertilization. The symposium will feature two days of technical program including two keynote presentations. In addition to academic papers, the symposium encourages submission of high-quality, informative industrial experience papers about successes and failures in security software engineering and the lessons learned. Furthermore, the symposium also accepts short idea papers that crisply describe a promising direction, approach, or insight.

The Symposium seeks submissions on subjects related to its goals. This includes a diversity of topics including (but not limited to):
- Cloud security, virtualization for security
- Mobile devices security
- Automated techniques for vulnerability discovery and analysis
- Model checking for security
- Binary code analysis, reverse-engineering
- Programming paradigms, models, and domain-specific languages for security
- Operating system security
- Verification techniques for security properties
- Malware: detection, analysis, mitigation
- Security in critical infrastructures
- Security by design
- Static and dynamic code analysis for security
- Web applications security
- Program rewriting techniques for security
- Security measurements
- Empirical secure software engineering
- Security-oriented software reconfiguration and evolution
- Computer forensics
- Processes for the development of secure software and systems
- Security testing
- Embedded software security

-------------------------------------------------------------------------
Pervasive and Mobile Computing, Special Issue on Mobile Security, Privacy and Forensics.
(Submissions Due 30 September 2015)
http://www.journals.elsevier.com/pervasive-and-mobile-computing/call-for-papers/special-issue-on-mobile-security-privacy-and-forensics/
Editors: Kim-Kwang Raymond Choo (University of South Australia, Australia), Lior Rokach (Ben-Gurion University of the Negev Beer-Sheva, Israel), and Claudio Bettini (University of Milan, Italy).

This special issue will focus on cutting edge research from both academia and industry on the topic of mobile security, privacy and forensics, with a particular emphasis on novel techniques to secure user data and/or obtain evidential data from mobile devices in crimes that make use of sophisticated and secure technologies.

Topics of interest include:
- Advanced mobile security features
- Anti-anti mobile forensics
- Data visualization in mobile forensics
- Economics of mobile user security and privacy
- Information security awareness of mobile users
- Mobile app security
- Mobile cloud security
- Mobile device security
- Mobile app forensic and anti-forensic techniques
- Mobile device forensic and anti-forensic techniques
- Mobile evidence preservation and examination
- Mobile information leakage detection and prevention
- Mobile malware
- Mobile network security
- Mobile threat identification, detection and prevention
- Mobile user anonymity
- Privacy in geo-social networks
- Privacy in mobile context-aware services
- Privacy for mobile smart objects
- Trust models for mobile devices and services
- Usability of mobile privacy and security technologies

-------------------------------------------------------------------------
INTRICATE-SEC 2016 4th International Workshop on Security Intricacies in Cyber-Physical Systems and Services, Held in conjunction with the 30th International Conference on Advanced Information Networking and Applications (AINA-2016), Crans-Montana, Switzerland, March 23-25, 2016.
(Submissions Due 3 October 2015)
http://infosec.cs.uct.ac.za/INTRICATE-SEC/

For INTRICATE-SEC 2016 we are expanding our scope from a focus on security intricacies in designing/modelling service oriented architectures to the broader field of secure cyber physical systems (CPS) and services. Of particular interest are ideas and solutions on provisioning secure CPS and services over resource constrained and low power lossy networks.

In addition to invited talks, we welcome papers with novel theoretical and application-centered contributions focused on (but not restricted to) the following topics:
- Security and Privacy for CPS, including: Anonymity and Pseudonymity, Authentication and Authorization, Trust & Identity Management, Privacy, and Malware.
- Secure Service Platforms for CPS, including: Smart Grids, Demand Management, Scheduling, Energy Management Models, and Mobile Web Services and Middleware.
- Secure Architectures for CPS, including: Data Modeling, Home Energy Management, Scalability, Reliability, and Safety, Resource Constrained and Low Power Lossy Networks, and Unconventional/Biologically Inspired Models

-------------------------------------------------------------------------
PQCrypto 2016 7th International Conference on Post-Quantum Cryptography, Fukuoka, Japan, February 24-26, 2016.
(Submissions Due 7 October 2015)
https://pqcrypto2016.jp/

The aim of PQCrypto is to serve as a forum for researchers to present results and exchange ideas on the topic of cryptography in an era with large-scale quantum computers. The conference will be preceded by a winter school on February 22-23, 2016. Original research papers on all technical aspects of cryptographic research related to post-quantum cryptography are solicited.
The topics include (but are not restricted to):
- Cryptosystems that have the potential to be safe against quantum computers such as: hash-based signature schemes, lattice-based cryptosystems, code-based cryptosystems, multivariate cryptosystems and quantum cryptographic schemes;
- Classical and quantum attacks including side-channel attacks on post-quantum cryptosystems;
- Security models for the post-quantum era.

-------------------------------------------------------------------------
Elsevier Computer Networks, Special issue on Recent Advances in Physical-Layer Security.
(Submissions Due 15 October 2015)
http://www.journals.elsevier.com/computer-networks/call-for-papers/special-issue-on-recent-advances-in-physical-layer-security/
Editors: Gerhard Hancke (City University of Hong Kong, Hong Kong), Aikaterini Mitrokotsa (Chalmers University of Technology, Sweden), Reihaneh Safavi-Naini (University of Calgary, Canada), and Damien Sauveron (University of Limoges, France).

Physical-layer security is emerging as a promising approach for supporting new and existing security services. Aspects of the physical layer have the potential to provide security services that challenge the capabilities of conventional cryptographic mechanisms, such as relay attacks, ad-hoc key establishment and key-less secure communication. This special issue aims to further scientific research into both theoretical and practical approaches to physical-layer security. It will accept original research papers that report latest results and advances in this area, and will also invite review articles that focus on the state-of-the-art, highlighting trends and challenges. The papers will be peer reviewed and will be selected on the basis of their quality and relevance to the topic of this special issue. We would particularly like to encourage submissions that present strong experimental and/or practical implementation results.

Topics include (but are not limited to):
- Determining physical proximity of devices (distance-bounding protocols, location limited channels, etc.)
- Device fingerprinting based on communication features (frequency/data clock skew/transients, etc.)
- Noisy channels ('friendly' jamming) approaches for security
- Jamming ('unfriendly') resistance
- Secret-key generation and agreement over wireless channels
- Cross-layer security mechanisms incorporating cryptography and physical layer aspects for low-resource devices like RFID (efficient schemes, simplified signal processing requirements, etc.)
- Experimental results on practical implementations of physical layer security techniques

-------------------------------------------------------------------------
Wiley Security and Communication Networks journal, Special Issue on Cyber Crime.
(Submissions Due 20 October 2015)
http://onlinelibrary.wiley.com/journal/10.1002/%28ISSN%291939-0122
Editors: Wojciech Mazurczyk (Warsaw University of Technology, Poland), Krzysztof Szczypiorski (Warsaw University of Technology, Poland), Zoran Duric (George Mason University, USA), and Dengpan Ye (Wuhan University, China).

Today's societies are becoming more and more dependent on open networks such as the Internet - where commercial activities, business transactions and government services are realized. This has led to the fast development of new cyber threats and numerous information security issues which are exploited by cyber criminals. The inability to provide trusted secure services in contemporary computer network technologies has a tremendous socio-economic impact on global enterprises as well as individuals. Moreover, the frequently occurring international frauds impose the necessity to conduct the investigation of facts spanning across multiple international borders. Such examination is often subject to different jurisdictions and legal systems.
A good illustration of the above is the Internet, which has made it easier to perpetrate traditional crimes. It has acted as an alternate avenue for the criminals to conduct their activities, and launch attacks with relative anonymity. The increased complexity of the communications and the networking infrastructure is making investigation of the crimes difficult. Traces of illegal digital activities are often buried in large volumes of data, which are hard to inspect with the aim of detecting offences and collecting evidence. Nowadays, the digital crime scene functions like any other network, with dedicated administrators functioning as the first responders. This poses new challenges for law enforcement policies and forces the computer societies to utilize digital forensics to combat the increasing number of cybercrimes. Forensic professionals must be fully prepared in order to be able to provide court admissible evidence. To make these goals achievable, forensic techniques should keep pace with new technologies.

The aim of this special issue is to bring together the research accomplishments provided by the researchers from academia and the industry. The other goal is to show the latest research results in the field of digital forensics and to present the development of tools and techniques which assist the investigation process of potentially illegal cyber activity. We encourage prospective authors to submit related distinguished research papers on the subject of both: theoretical approaches and practical case reviews. This special issue presents some of the most relevant ongoing research in cyber crime.

Topics include, but are not limited to the following:
- Cyber crimes: evolution, new trends and detection/prevention
- Cyber crime related investigations
- Network forensics: tools and applications, case studies and best practices
- Privacy issues in network forensics
- Social networking forensics
- Network traffic analysis, traceback and attribution
- Network incidents response, investigation and evidence handling
- Identification, authentication and collection of digital evidence in networking environment
- Anti-forensic techniques and methods
- Stealthiness improving techniques: information hiding, steganography/steganalysis and covert/subliminal channels
- Watermarking and intellectual property theft
- Network anomalies detection

-------------------------------------------------------------------------
IEEE Communication Magazine, Feature Topic on Bio-inspired Cyber Security for Communications and Networking.
(Submissions Due 1 November 2015)
http://www.comsoc.org/commag/cfp/bio-inspired-cyber-security-communications-and-networking
Editors: Wojciech Mazurczyk (Warsaw University of Technology, Poland), Sean Moore (Centripetal Networks, USA), Errin W. Fulp (Wake Forest University, USA), Hiroshi Wada (Unitrends, Australia), Kenji Leibnitz (National Institute of Information and Communications Technology, Japan).

Nature is Earth's most amazing invention machine for solving problems and adapting to significant environmental changes. Its ability to address complex, large-scale problems with robust, adaptable, and efficient solutions results from many years of selection, genetic drift and mutations. Thus, it is not surprising that inventors and researchers often look to natural systems for inspiration and methods for solving problems in human-created artificial environments.
This has resulted in the development of evolutionary algorithms including genetic algorithms and swarm algorithms, and of classifier and pattern-detection algorithms, such as neural networks, for solving hard computational problems. A natural evolutionary driver is to survive long enough to create a next generation of descendants and ensure their survival. One factor in survival is an organism's ability to defend against attackers, both predators and parasites, and against rapid changes in environmental conditions. Analogously, networks and communications systems use cyber security to defend their assets against cyber criminals, hostile organizations, hackers, activists, and sudden changes in the network environment (e.g., DDoS attacks). Many of the defense methods used by natural organisms may be mapped to cyber space to implement effective cyber security. Some examples include immune systems, invader detection, friend vs. foe, camouflage, mimicry, evasion, etc. Many cyber security technologies and systems in common use today have their roots in bio-inspired methods, including anti-virus, intrusion detection, threat behavior analysis, attribution, honeypots, counterattack, and the like. As the threats evolve to evade current cyber security technologies, similarly the bio-inspired security and defense technologies evolve to counter the threat.

The goal of this feature topic is twofold: (1) to survey the current academic and industry research in bio-inspired cyber security for communications and networking, so that the ComSoc community can understand the current evolutionary state of cyber threats, defenses, and intelligence, and can plan for future transitions of the research into practical implementations; and (2) to survey current academic and industry system projects, prototypes, and deployed products and services (including threat intelligence services) that implement the next generation of bio-inspired methods.
Please note that we recognize that in some cases, details may be limited or obscured for security reasons.

Topics of interest include, but are not limited to:
- Bio-inspired anomaly & intrusion detection
- Adaptation algorithms for cyber security & networking
- Biometrics related to cyber security & networking
- Bio-inspired security and networking algorithms & technologies
- Biomimetics related to cyber security & networking
- Bio-inspired cyber threat intelligence methods and systems
- Moving-target techniques
- Network Artificial Immune Systems
- Adaptive and Evolvable Systems
- Neural networks, evolutionary algorithms, and genetic algorithms for cyber security & networking
- Prediction techniques for cyber security & networking
- Information hiding solutions (steganography, watermarking) and detection for network traffic
- Cooperative defense systems
- Bio-inspired algorithms for dependable networks

-------------------------------------------------------------------------
SP 2016 37th IEEE Symposium on Security and Privacy, San Jose, CA, USA, May 23-25, 2016.
(Submissions Due 13 November 2015)
http://www.ieee-security.org/TC/SP2016/

Since 1980 in Oakland, the IEEE Symposium on Security and Privacy has been the premier forum for computer security research, presenting the latest developments and bringing together researchers and practitioners. We solicit previously unpublished papers offering novel research contributions in any aspect of security or privacy. Papers may present advances in the theory, design, implementation, analysis, verification, or empirical evaluation and measurement of secure systems.
Topics of interest include:
- Access control and authorization
- Accountability
- Anonymity
- Application security
- Attacks and defenses
- Authentication
- Censorship resistance
- Cloud security
- Distributed systems security
- Economics of security and privacy
- Embedded systems security
- Forensics
- Hardware security
- Intrusion detection
- Malware and unwanted software
- Mobile and Web security and privacy
- Language-based security
- Network and systems security
- Privacy technologies and mechanisms
- Protocol security
- Secure information flow
- Security and privacy for the Internet of Things
- Security and privacy metrics
- Security and privacy policies
- Security architectures
- System security
- Usable security and privacy

-------------------------------------------------------------------------
ASIACCS 2016 11th ACM Asia Conference on Computer and Communications Security, Xi'an, China, May 31 - June 3, 2016.
(Submissions Due 20 November 2015)
http://meeting.xidian.edu.cn/conference/AsiaCCS2016/home.html

Building on the success of ACM Conference on Computer and Communications Security (CCS) and ACM Transactions on Information and System Security (TISSEC), the ACM Special Interest Group on Security, Audit, and Control (SIGSAC) formally established the annual ACM Symposium on InformAtion, Computer and Communications Security (ASIACCS). The inaugural ASIACCS was held in Taipei (2006). Since then ASIACCS has been held in Singapore (2007), Tokyo (2008), Sydney (2009), Beijing (2010), Hong Kong (2011), Seoul (2012), Hangzhou (2013), Kyoto (2014), and Singapore (2015). Considering that this series of meetings has moved beyond a symposium and is now widely regarded as the Asia version of CCS, the full name of AsiaCCS is officially changed to ACM Asia Conference on Computer and Communications Security starting in June 2015. The 11th ACM Asia Conference on Computer and Communications Security (ASIACCS 2016) will be held 31 May - 3 June, 2016 in Xi'an, China.
We invite submissions from academia, government, and industry presenting novel research on all theoretical and practical aspects of computer and network security.

Areas of interest for ASIACCS 2016 include, but are not limited to:
- Access control
- Accounting and audit
- Applied cryptography
- Authentication
- Cloud computing security
- Cyber-physical security
- Data and application security
- Digital forensics
- Embedded systems security
- Formal methods for security
- Hardware-based security
- Intrusion detection
- Key management
- Malware and botnets
- Mobile computing security
- Network security
- Operating system security
- Privacy-enhancing technology
- Security architectures
- Security metrics
- Software security
- Smart grid security
- Threat modeling
- Trusted computing
- Usable security and privacy
- Web security
- Wireless security

-------------------------------------------------------------------------
ACM Transactions on Internet Technology, Special Issue on Internet of Things (IoT): Secure Service Delivery.
(Submissions Due 30 November 2015)
http://toit.acm.org/CfP/ACM-ToIT-CfP-IoT-Security.pdf
Editors: Elisa Bertino (Purdue University, USA), Kim-Kwang Raymond Choo (University of South Australia, Australia), Dimitrios Georgakopoulos (RMIT University, Australia), and Surya Nepal (CSIRO, Australia).

The aim of this special section is to bring together cutting-edge research with particular emphasis on novel and innovative techniques to ensure the security and privacy of IoT services and users. We solicit research contributions and potential solutions for IoT-based secure service delivery anywhere and at any time. This special section emphasizes service-level considerations.
Topics of interest include, but are not limited to:
- Security of IoT
- IoT Service Architectures and Platforms
- Real-Time IoT Service Security Analytics and Forensics
- Organizational Privacy and Security Policies
- Governance for IoT Services
- Social Aspects of IoT Security
- Security and Privacy Threats to IoT Services and Users
- Accountability and Trust Management
- Legal Considerations and Regulations
- Case Studies and Applications

-------------------------------------------------------------------------
IFIP SEC 2016 31st IFIP TC-11 SEC 2016 International Information Security and Privacy Conference, Ghent, Belgium, May 30 - June 1, 2016.
(Submissions Due 24 December 2015)
http://ifipsec.org/2016/

The IFIP SEC conference is the flagship event of the International Federation for Information Processing (IFIP) Technical Committee 11 on Security and Privacy Protection in Information Processing Systems (TC-11, www.ifiptc11.org). We seek submissions from academia, industry, and government presenting novel research on all theoretical and practical aspects of security and privacy protection in ICT Systems.
Topics of interest:
- Access control and authentication
- Applied cryptography
- Audit and risk analysis
- Big data security and privacy
- Cloud security and privacy
- Critical infrastructure protection
- Cyber-physical systems security
- Data and applications security
- Digital forensics
- Human aspects of security and privacy
- Identity management
- Information security education
- Information security management
- Information technology misuse and the law
- Managing information security functions
- Mobile security
- Multilateral security
- Network & distributed systems security
- Pervasive systems security
- Privacy protection and Privacy-by-design
- Privacy enhancing technologies
- Surveillance and counter-surveillance
- Trust management

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================
____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe".
   OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".
   OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy by completing the on-line form at IEEE at
https://www.ieee.org/membership-catalog/productdetail/showProductDetailPage.html?product=CMYSP728

______________________________________________________________________
TC Publications for Sale
______________________________________________________________________

The proceedings of previous conferences are available from the Computer Society's Digital Library.

IEEE Security and Privacy Symposium
IEEE CS Press

____________________________________________________________________________
TC Officers and SP Steering Committee
____________________________________________________________________________

Chair:
Patrick McDaniel
Computer Science and Engineering
Pennsylvania State University
360 A IST Building
University Park, PA 16802
(814) 863-3599
mcdaniel@cse.psu.edu

Security and Privacy Symposium Chair Emeritus:
Sean Peisert
UC Davis and Lawrence Berkeley National Laboratory
oakland15-chair@ieee-security.org

Vice Chair:
Ulf Lindqvist
SRI International
Menlo Park, CA
ulf.lindqvist@sri.com

Treasurer:
Yong Guan
3219 Coover Hall
Department of Electrical and Computer Engineering
Iowa State University, Ames, IA 50011
(515) 294-8378
yguan (at) iastate.edu

Newsletter Editor and TC Awards Chair:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

Security and Privacy Symposium, 2016 Chair:
Michael Locasto
University of Calgary
oakland16-chair@ieee-security.org

____________________________________________________________________________
BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year