                                  Cipher
============================================================================
   Newsletter of the IEEE Computer Society's TC on Security and Privacy
                   Electronic Issue 133          July 18, 2016

Hilarie Orman, Editor                       Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org           cipher-assoc-editor @ ieee-security.org

Richard Austin                              Yong Guan
Book Review Editor                          Calendar Editor
cipher-bookrev @ ieee-security.org          cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year

Contents:

  * Letter from the Editor
  * Commentary and Opinion and News
      o Richard Austin's review of "Phishing Dark Waters: The Offensive
        and Defensive Use of Malicious E-mails" by Christopher Hadnagy
        and Michele Fincher
      o News Items
          - Don't Even Ask About Your Biometrics
          - All Your MySpace Are Belong to Us
          - Cyber Security Hall of Fame
          - Cybercurrency Hacked, and There Is No Good Solution (2 items)
          - Russian Government Hackers Go After the DNC
          - Cybersecurity Pioneer Mourned
          - Pokemon Go Insanity Overrides Rational Security
          - Facebook to Aggregator: Get Outta Here!
      o Book reviews, Conference Reports and Commentary and News items
        from past Cipher issues are available at the Cipher website
  * List of Computer Security Academic Positions, by Cynthia Irvine
  * Conference and Workshop Announcements
      o Upcoming calls-for-papers and events
  * Staying in Touch
      o Information for subscribers and contributors
      o Recent address changes
  * Links for the IEEE Computer Society TC on Security and Privacy
      o Becoming a member of the TC
      o TC Officers
      o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

Gene Spafford reminds us that the deadline for nominations for the
Computer Security Hall of Fame is only two days away (July 20). Consider
speaking up for a luminary who has inspired your work or smoothed the
path.

While looking forward to the Hall of Fame winners for 2016, we note with
sadness the passing of a pioneer of computer security, Stephen T. Walker,
first winner of the National Computer System Security Award.

Richard Austin, our constant security reader, brings us a review of a
book on email phishing. This is a remarkably effective, almost timeless,
way of delivering malware or stealing credentials. Vigilance is the price
of email freedom.
Nietzsche's computer: What doesn't crash me makes me stronger,

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/BookReviews.html, and conference
reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Richard Austin
July 15, 2016
____________________________________________________________________

"Phishing Dark Waters: The Offensive and Defensive Use of Malicious
E-mails" by Christopher Hadnagy and Michele Fincher
Wiley, 2016, ISBN 978-1-118-95847-6
Table of Contents:
http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118958470.html

Hadnagy (joined by Fincher in this case) is one of those inconvenient
people who keep reminding us that despite all the shiny equipment,
whiz-bang software and expensive consultants, it's the human factor that
will often allow our adversaries to penetrate our defenses. He first
raised this unpleasant allegation back in 2011 with his book "Social
Engineering: The Art of Human Hacking" (reviewed in the June issue of
that year) and has returned to vex us with a detailed look at a technique
much in the news: phishing.

The book opens with an overview of the modern world of phishing, which
serves as a stark reminder that the phishers' craft has advanced far
beyond yesteryear's plain-text, poorly worded deceptions. The modern
phish is skillfully designed to look real and bait the recipient into
carrying out the phisher's intent. The next two chapters delve into why
phishes work, with insights from neuropsychology and other social
sciences. This material provides good background for understanding the
"buttons" the phishers try to push in tricking us into carrying out their
wishes.

After a solid introduction to the tactics of the phishers, Chapter 4,
"Lessons in Protection", provides guidance on how to foil those tactics.
Of particular value is the catalog of bad ideas which far too often make
it onto the list of suggested defensive measures.

Self-phishing, or applying the tactics of the professional phisher to
your own organization, is the subject of Chapter 5. Done correctly, this
is an excellent way to assess the efficacy of your defenses and identify
those who need additional awareness training. However, as the authors
point out, this type of thing must be well-planned and aptly executed in
order to achieve the objective. Doing it right requires substantial
planning, but following the guidance in this chapter will make it much
more likely that you succeed in improving your organization's posture.

Studying policies and their implementations is about as exciting as
watching grass grow or paint dry - installing a new messaging gateway or
endpoint protection project is much more interesting to the technical
security professional. However, as Chapter 6, "The Good, the Bad, and
the Ugly: Policies and More", so aptly points out, policy and awareness
are critical to defending your organization against human-based attacks.

An enabler of the growth in phishing attacks is the quality tools that
are available, and Chapter 7, "The Professional Phisher's Tackle Bag",
provides a whirlwind tour of the tools and how they are used to mount a
campaign. The quality of the tools underlines how far phishing has come
since the days of plain-text, badly written promises of quick wealth.

The final chapter, "Phish Like a Boss", is a gem, as the authors avoid
the temptation to rehash the preceding material. Instead, they identify
the most important factors that a successful anti-phishing program must
include. I recommend particularly their advice on setting reasonable
goals for your organization given your particular circumstances,
resources and culture.

I hope you will buy and read this book but, most importantly, I hope you
will apply its guidance. The authors are experts in their field and have
an engaging writing style that holds your interest while exploring this
dark territory. Their exposition is well illustrated and firmly grounded
in the reality of having engaged the professional phishers and foiled
their activities.

--------------

It has been said "Be careful, for writing books is endless, and much
study wears you out", so Richard Austin fearlessly samples the latest
offerings of the publishing houses and opines as to which might most
profitably occupy your scarce reading time. He welcomes your thoughts and
comments via raustin at ieee dot org

====================================================================
News Briefs
====================================================================

Don't Even Ask About Your Biometrics

FBI wants to exempt its huge fingerprint and photo database from privacy
protections
https://www.washingtonpost.com/world/national-security/fbi-wants-to-exempt-its-huge-fingerprint-and-photo-database-from-privacy-protections/2016/05/31/6c1cda04-244b-11e6-8690-f14ca9de2972_story.html
The Washington Post
By Ellen Nakashima
June 1, 2016

Summary: The FBI has a database of 100 million fingerprints and 45
million facial photos. The fingerprints are exempt from the Privacy Act,
and under rules recently proposed by the agency, the facial photos and
all biometric data would also be exempt. A coalition that includes the
ACLU opposes the exemption. Unlike most public records, the photos would
not be available for examination by the subjects, so they would not be
able to ask that errors be corrected. The FBI argues that letting someone
know that information about them is in the database would compromise
investigations. The public comment period ended on July 6.
-------------------------------------------------------------------------

All Your MySpace Are Belong to Us

Why you should delete the online accounts you don't use anymore - right now
https://www.washingtonpost.com/news/the-switch/wp/2016/05/31/why-you-should-delete-the-online-accounts-you-dont-use-anymore-right-now/
The Washington Post
Brian Fung
May 31, 2016

Summary: Sometime before June 2013, hackers stole over 350 million
MySpace account credentials. They were recently put up for sale. Even if
you forgot you had a MySpace account, this could be a problem for you,
especially if you still have the same email address and used the same
password for both services. This kind of data breach is not uncommon, and
it illustrates the fragility of passwords. Although the title of the
article emphasizes deleting old accounts, more to the point is the
importance of not re-using passwords.

-------------------------------------------------------------------------

Cyber Security Hall of Fame

Gene Spafford notes that the nomination cycle for the 2016 induction into
the Cyber Security Hall of Fame is now open. Details on the nomination
procedure are available at
http://www.cybersecurityhalloffame.com/content/nomination/Cyber-Security-Hall-Of-Fame-Nomination%20Process
Nominations are due by July 20.

-------------------------------------------------------------------------

Cybercurrency Hacked, and There Is No Good Solution (2 items)

Hacker May Have Taken $50 Million From Cybercurrency Project
http://www.nytimes.com/2016/06/18/business/dealbook/hacker-may-have-removed-more-than-50-million-from-experimental-cybercurrency-project.html
The New York Times
Nathaniel Popper
June 17, 2016

Summary: A new blockchain-based currency, intended for an investment
fund, lost at least a third of its value as hackers exploited a software
flaw. The developers have been left with a dilemma: fork the code and
lose the integrity of the blockchain (and the confidence of the
community) or withdraw all funds and close down.

---------------------------------------

Ethereum Developers Launch White Hat Counter-Attack on The DAO
http://www.coindesk.com/ethereum-developers-draining-dao/
CoinDesk
Stan Higgins
June 21, 2016

Summary: More funds have been siphoned from the DAO, and the lead
designer announced that the developers were removing their funds.

--------------------------------------------------

Russian Government Hackers Go After the DNC

Cyber researchers confirm Russian government hack of Democratic National
Committee
https://www.washingtonpost.com/world/national-security/cyber-researchers-confirm-russian-government-hack-of-democratic-national-committee/2016/06/20/e7375bc0-3719-11e6-9ccd-d6005beac8b3_story.html
The Washington Post
Ellen Nakashima
June 20, 2016

Summary: The DNC website is managed by a company called MIS Department,
and by registering a similar domain name, hackers may have used a
phishing attack to gain access to confidential documents compiled by the
Democratic National Committee. At least two security firms attribute the
forensic evidence to known hacker groups within the Russian government.

--------------------------------------------------

Cybersecurity Pioneer Mourned

Obituary for Stephen T. Walker
The Baltimore Sun
July 9, 2016
http://www.legacy.com/obituaries/baltimoresun/obituary.aspx?pid=180600554

--------------------------------------------------

Pokemon Go Insanity Overrides Rational Security

Pokemon Go maker: Coding error gave company access to your emails
http://money.cnn.com/2016/07/11/technology/pokemon-go-coding-error-emails/index.html?iid=SF_LN
CNN Money
Jose Pagliery
Jul. 11, 2016

Summary: The Pokemon Go phenomenon has a cybersecurity sidelight that is
truly disturbing. Downloaded apps are supposed to run with the minimal
privileges needed for their operation, but not all developers have the
same notion of "minimal". In the "all or nothing" model of app
privileges, the user either grants what the app demands or doesn't load
the software. In the case of this game, iPhone users are asked to grant
the app full access to their Google accounts. That gives the Pokemon
distributor the ability to access the users' email. Granting that
privilege to this "insanely" popular game is ... insane.

----------------------------------------------------------------------

Facebook to Aggregator: Get Outta Here!

9th Circuit: It's a federal crime to visit a website after being told not
to visit it
https://www.washingtonpost.com/news/volokh-conspiracy/wp/2016/07/12/9th-circuit-its-a-federal-crime-to-visit-a-website-after-being-told-not-to-visit-it/
The Washington Post
Orin Kerr
Jul 12, 2016

Summary: The Computer Fraud and Abuse Act was written long before
Facebook was dreamed of, but it has been applied to a use of Facebook
messaging that most people would probably consider perfectly legal. In
this case, a new messaging service allowed users to aggregate the use of
their own social media accounts through a third-party interface. That
interface used the users' credentials to log in to their accounts and
send messages to other users. Facebook sent a cease-and-desist order to
the third party, but the service continued to operate. The Ninth Circuit
Court held this to be a violation of the CFAA and other laws. This
article criticizes the decision, which is likely to be appealed.
-----------------------------------------------------------------------

News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html

====================================================================
Listing of academic positions available by
Cynthia Irvine
http://cisr.nps.edu/jobscipher.html
====================================================================

Posted Jul 2016
Lancaster University, UK (Security Research Centre)
Lancaster, UK
Lecturer (Assistant Professor in North American System) in Cyber Security
Application deadline: 30 September 2016
https://hr-jobs.lancs.ac.uk/Vacancy.aspx?ref=A1599

Posted Jul 2016
Lancaster University, UK (Security Research Centre)
Lancaster, UK
Senior Research Associate/Research Associate - Human Aspects of Security
in the Internet of Things
Application deadline: 21 August 2016
https://hr-jobs.lancs.ac.uk/Vacancy.aspx?ref=A1462R

Posted Jul 2016
Lancaster University, UK (Security Research Centre)
Lancaster, UK
Senior Research Associate/Research Associate - Dynamically Adaptive
Security Policies
Application deadline: 21 August 2016
https://hr-jobs.lancs.ac.uk/Vacancy.aspx?ref=A1371S

Posted Jun 2016
University of Twente
Enschede, The Netherlands
Assistant Professor in Systems Security
Application deadline: 5 August 2016
https://www.utwente.nl/en/organization/careers/vacancies/!/vacature/662159

--------------

This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like to
have it included on this page, send the following information:
Institution, City, State, Position title, date position announcement
closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Conference and Workshop Announcements
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Cipher calendar entries are announced on Twitter; follow ciphernews

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Calendar of Security and Privacy Related Events
maintained by Hilarie Orman

Date (Month/Day/Year), Event, Locations, web page for more info.
 7/18/16: EuroUSEC, 1st European Workshop on Usable Security, Affiliated with PETS 2016, Darmstadt, Germany; https://eurousec.secuso.org/2016/
 7/18/16- 7/20/16: WiSec, 9th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Darmstadt, Germany; http://www.sigsac.org/wisec/WiSec2016/
 7/18/16- 7/21/16: DBSec, 30th Annual IFIP WG 11.3 Working Conference on Data and Applications Security and Privacy, Trento, Italy; http://dbsec2016.fbk.eu
 7/18/16- 7/22/16: SHPCS, 11th International Workshop on Security and High Performance Computing Systems, Held in conjunction with the 2016 International Conference on High Performance Computing & Simulation (HPCS 2016), Innsbruck, Austria; http://hpcs2016.cisedu.info/2-conference/workshops---hpcs2016/workshop09-shpcs
 7/19/16- 7/21/16: HAISA, International Symposium on Human Aspects of Information Security & Assurance, Frankfurt, Germany; http://haisa.org/
 7/19/16- 7/22/16: PETS, 16th Privacy Enhancing Technologies Symposium, Darmstadt, Germany; http://petsymposium.org/
 7/20/16- 7/22/16: SIN, 9th International Conference on Security of Information and Networks, Rutgers University, New Jersey, NJ, USA; http://www.sinconf.org
 7/22/16: WISCS, 3rd ACM Workshop on Information Sharing and Collaborative Security, Held in conjunction with 23rd ACM Conference on Computer and Communications Security (CCS 2016), Hofburg Palace, Vienna, Austria; https://sites.google.com/site/wiscs2016/; Submissions are due
 7/23/16- 7/26/16: TrustCom, 15th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, Tianjin, China; http://adnet.tju.edu.cn/TrustCom2016/
 7/24/16: WIFS, 8th IEEE International Workshop on Information Forensics and Security, Abu Dhabi, UAE; http://www.wifs2016.org; Submissions are due
 7/26/16- 7/28/16: SECRYPT, 13th International Conference on Security and Cryptography, Lisbon, Portugal; http://www.secrypt.icete.org
 7/27/16: TrustED, 6th International Workshop on Trustworthy Embedded Devices, Held in conjunction with 23rd ACM Conference on Computer and Communications Security (CCS 2016), Hofburg Palace, Vienna, Austria; http://www.trusted-workshop.de; Submissions are due
 7/27/16: CCSW, 8th ACM Cloud Computing Security Workshop, Held in conjunction with 23rd ACM Conference on Computer and Communications Security (CCS 2016), Hofburg Palace, Vienna, Austria; https://www.zurich.ibm.com/ccsw16/index.html; Submissions are due
 7/27/16: CPS-SPC 2016, 2nd ACM Workshop on Cyber-Physical Systems Security & Privacy, Held in conjunction with 23rd ACM Conference on Computer and Communications Security (CCS 2016), Hofburg Palace, Vienna, Austria; http://eecs.oregonstate.edu/cps-spc/index.html; Submissions are due
 7/29/16: ICISS, 12th International Conference on Information Systems Security, Jaipur, India; http://www.iciss.org.in; Submissions are due
 8/ 1/16- 8/ 4/16: NSAA, Workshop on Network Security Analytics and Automation, Held in conjunction with the 25th International Conference on Computer Communication and Networks (ICCCN 2016), Waikoloa, Hawaii, USA; http://icccn.org/icccn16/
 8/ 4/16: IEEE EuroSP, 2nd IEEE European Symposium on Security and Privacy, Paris, France; http://www.ieee-security.org/TC/EuroSP2017/cfp.php; Submissions are due
 8/12/16: NDSS, Network and Distributed System Security Symposium, San Diego, California, USA; https://www.internetsociety.org/events/ndss-symposium/ndss-symposium-2017/ndss-2017-call-papers; Submissions are due
 8/20/16: PROOFS, 5th International Workshop on Security Proofs for Embedded Systems, Santa Barbara, California, USA; http://www.proofs-workshop.org/
 8/22/16: GenoPri, 3rd International Workshop on Genome Privacy and Security, Held in conjunction with the AMIA 2016 Annual Symposium, Chicago, IL, USA; http://www.genopri.org/; Submissions are due
 8/25/16: IEICE Transactions on Information and Systems, Special Section on Information and Communication System Security; http://www.ieice.org/~icss/CFP/ICSS-Ieice-2017e.pdf; Submissions are due
 8/29/16- 8/30/16: TRUST, 9th International Conference on Trust & Trustworthy Computing, Vienna, Austria; http://trust2016.sba-research.org/
 8/29/16- 9/ 2/16: IWCC, 5th International Workshop on Cyber Crime, Co-located with the 11th International Conference on Availability, Reliability and Security (ARES 2016), Salzburg, Austria; http://stegano.net/IWCC2016/
 9/ 7/16- 9/ 9/16: ISC, 19th Information Security Conference, Honolulu, Hawaii, USA; http://manoa.hawaii.edu/isc2016
 9/12/16- 9/14/16: IWSEC, 11th International Workshop on Security, Tokyo, Japan; http://www.iwsec.org/2016/
 9/16/16: IFIP 119 DF, 13th Annual IFIP WG 11.9 International Conference on Digital Forensics, Orlando, Florida, USA; http://www.ifip119.org/; Submissions are due
 9/17/16- 9/19/16: IWDW, 15th International Workshop on Digital-forensics and Watermarking, Beijing, China; http://www.iwdw.net/
 9/19/16- 9/21/16: RAID, 19th International Symposium on Research in Attacks, Intrusions and Defenses, Paris, France; http://www.raid2016.org/
 9/20/16- 9/22/16: SADFE, 11th International Conference on Systematic Approaches to Digital Forensics Engineering, Kyoto, Japan; http://sadfe.org
 9/26/16- 9/27/16: WISTP, 10th WISTP International Conference on Information Security Theory and Practice, Heraklion, Crete, Greece; http://www.wistp.org/
 9/26/16- 9/30/16: ESORICS, 21st European Symposium on Research in Computer Security, Heraklion, Crete; http://www.ics.forth.gr/esorics2016/
10/ 1/16: IEEE Communications Magazine, Feature Topic on Traffic Measurements for Cyber Security; http://www.comsoc.org/commag/cfp/traffic-measurements-cyber-security; Submissions are due
10/ 1/16: INTRICATE-SEC, 5th International Workshop on Security Intricacies in Cyber-Physical Systems and Services, Taipei, Taiwan; https://goo.gl/562zhD; Submissions are due
10/10/16-10/12/16: SecureComm, 12th EAI International Conference on Security and Privacy in Communication Networks, Guangzhou, China; http://securecomm.org
10/17/16-10/19/16: CNS, 4th IEEE Conference on Communications and Network Security, Philadelphia, PA, USA; http://cns2016.ieee-cns.org/
10/24/16-10/28/16: ACM CCS, 23rd ACM Conference on Computer and Communications Security, Vienna, Austria; http://www.sigsac.org/ccs/CCS2016/call-for-papers/
10/24/16: WISCS, 3rd ACM Workshop on Information Sharing and Collaborative Security, Held in conjunction with 23rd ACM Conference on Computer and Communications Security (CCS 2016), Hofburg Palace, Vienna, Austria; https://sites.google.com/site/wiscs2016/
10/28/16: TrustED, 6th International Workshop on Trustworthy Embedded Devices, Held in conjunction with 23rd ACM Conference on Computer and Communications Security (CCS 2016), Hofburg Palace, Vienna, Austria; http://www.trusted-workshop.de
10/28/16: CCSW, 8th ACM Cloud Computing Security Workshop, Held in conjunction with 23rd ACM Conference on Computer and Communications Security (CCS 2016), Hofburg Palace, Vienna, Austria; https://www.zurich.ibm.com/ccsw16/index.html
10/28/16: CPS-SPC 2016, 2nd ACM Workshop on Cyber-Physical Systems Security & Privacy, Held in conjunction with 23rd ACM Conference on Computer and Communications Security (CCS 2016), Hofburg Palace, Vienna, Austria; http://eecs.oregonstate.edu/cps-spc/index.html
11/ 2/16-11/ 4/16: NordSec, 21st Nordic Conference on Secure IT Systems, Oulu, Finland; http://nordsec.oulu.fi
11/12/16: GenoPri, 3rd International Workshop on Genome Privacy and Security, Held in conjunction with the AMIA 2016 Annual Symposium, Chicago, IL, USA; http://www.genopri.org/
11/23/16-11/25/16: FNSS, 2nd International Conference on Future Networks Systems and Security, Paris, France; http://fnss.org
12/ 1/16-12/ 2/16: Mycrypt, 2nd International Conference on Cryptology & Malicious Security, Kuala Lumpur, Malaysia; https://foe.mmu.edu.my/mycrypt2016
12/ 4/16-12/ 7/16: WIFS, 8th IEEE International Workshop on Information Forensics and Security, Abu Dhabi, UAE; http://www.wifs2016.org
12/ 5/16-12/ 6/16: SSR, 3rd International Conference on Security Standardization Research, Gaithersburg, MD, USA; http://csrc.nist.gov/groups/ST/ssr2016/
12/14/16-12/16/16: BigTrust, 1st International Workshop on Trust, Security and Privacy for Big Data, Granada, Spain; http://csee.hnu.edu.cn/hbs/
12/16/16-12/18/16: SPACE, 6th International Conference on Security, Privacy and Applied Cryptography Engineering, Hyderabad, India; http://www.math.umn.edu/~math-sa-sara0050/space16/
12/16/16-12/20/16: ICISS, 12th International Conference on Information Systems Security, Jaipur, India; http://www.iciss.org.in
 1/30/17- 2/ 1/17: IFIP 119 DF, 13th Annual IFIP WG 11.9 International Conference on Digital Forensics, Orlando, Florida, USA; http://www.ifip119.org/
 2/26/17- 3/ 1/17: NDSS, Network and Distributed System Security Symposium, San Diego, California, USA; https://www.internetsociety.org/events/ndss-symposium/ndss-symposium-2017/ndss-2017-call-papers
 3/27/17- 3/29/17: INTRICATE-SEC, 5th International Workshop on Security Intricacies in Cyber-Physical Systems and Services, Taipei, Taiwan; https://goo.gl/562zhD
 4/26/17- 4/28/17: IEEE EuroSP, 2nd IEEE European Symposium on Security and Privacy, Paris, France; http://www.ieee-security.org/TC/EuroSP2017/cfp.php

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers (new since Cipher E132)
____________________________________________________________________

WISCS 2016
3rd ACM Workshop on Information Sharing and Collaborative Security,
Held in conjunction with 23rd ACM Conference on Computer and
Communications Security (CCS 2016), Hofburg Palace, Vienna, Austria,
October 24, 2016. (Submission Due 22 July 2016)
https://sites.google.com/site/wiscs2016/

Sharing of cyber-security related information is believed to greatly
enhance the ability of organizations to defend themselves against
sophisticated attacks. If one organization detects a breach, sharing the
associated security indicators (such as attacker IP addresses, domain
names, file hashes etc.) provides valuable, actionable information to
other organizations. The analysis of shared security data promises novel
insights into emerging attacks. Sharing higher-level intelligence about
threat actors, the tools they use and mitigations provides defenders with
much-needed context for better preparing for and responding to attacks.
In the US and the EU, major efforts are underway to strengthen
information sharing. Yet there are a number of technical and policy
challenges to realizing this vision. Which information exactly should be
shared? How can privacy and confidentiality be protected? How can we
create high-fidelity intelligence from shared data without getting
overwhelmed by false positives? The 3rd Workshop on Information Sharing
and Collaborative Security (WISCS 2016) aims to bring together experts
and practitioners from academia, industry and government to present
innovative research, case studies, and legal and policy issues. The
workshop solicits original research papers in these areas, both full and
short papers.

-------------------------------------------------------------------------

WIFS 2016
8th IEEE International Workshop on Information Forensics and Security,
Abu Dhabi, UAE, December 4-7, 2016. (Submission Due 24 July 2016)
http://www.wifs2016.org

WIFS is the flagship workshop on information forensics and security
organised by the IEEE Signal Processing Society. Its major objective is
to bring together researchers from relevant disciplines to exchange the
latest results and to discuss emerging challenges in different areas of
information security.
Topics of interest include, but are not limited to: - Forensics - Information and system security - Biometrics - Multimedia content security - Steganography and covert communications - Hardware security - Network traffic analysis - Surveillance - Sousvelliance and anti-surveillance - Privacy in data analytics - Privacy in the Internet of everything ------------------------------------------------------------------------- TrustED 2016 6th International Workshop on Trustworthy Embedded Devices, Held in conjunction with 23rd ACM Conference on Computer and Communications Security (CCS 2016), Hofburg Palace, Vienna, Austria, October 28, 2016. (Submission Due 27 July 2016) http://www.trusted-workshop.de TrustED considers selected security and privacy (S&P) aspects of cyber physical systems and their environments, which influence trust and trust establishment in such environments. A major theme of TrustED 2016 will be security and privacy aspects of the Internet of Things Paradigm. The IoTs promises to make reality Mark Weisser's vision of ubiquitous computation set out in his 1991 influential paper. Yet to make such vision successful, it is widely acknowledged that security of super large distributed systems has to be guaranteed and the privacy of the collected data protected. Submissions exploring new paradigms to assure security and privacy in the IoTs are thus strongly encouraged. 
The workshop topics include but are not limited to: - Trustworthy and secure embedded systems - Novel constructions, implementations and applications with physical security primitives (e.g., PUFs, PhySec) - Hardware entangled cryptography - Novel security architectures for the IoTs - Frameworks and tools to design, validate and test trustworthy embedded systems - Secure execution environments (e.g., TrustZone, TPMs) on mobile devices - Remote attestation and integrity validation - Privacy aspects of embedded systems (e.g., medical devices, electronic IDs) - Physical and logical convergence (e.g., secure and privacy-preserving facility management) - Novel paradigms to established trust in large distributed environments ------------------------------------------------------------------------- CCSW 2016 8th ACM Cloud Computing Security Workshop, Held in conjunction with 23rd ACM Conference on Computer and Communications Security (CCS 2016), Hofburg Palace, Vienna, Austria, October 28, 2016. (Submission Due 27 July 2016) https://www.zurich.ibm.com/ccsw16/index.html Cloud computing is a dominant trend in computing for the foreseeable future; e.g., major cloud operators are now estimated to house over a million machines each and to host substantial (and growing) fractions of our IT and web infrastructure. CCSW is a forum for bringing together researchers and practitioners to discuss the implications of this trend to the security of cloud operators, tenants, and the larger Internet community. We invite submissions on new threats, countermeasures, and opportunities brought about by the move to cloud computing, with a preference for unconventional approaches, as well as measurement studies and case studies that shed light on the security implications of clouds. 
------------------------------------------------------------------------- CPS-SPC 2016 2nd ACM Workshop on Cyber-Physical Systems Security & Privacy, Held in conjunction with 23rd ACM Conference on Computer and Communications Security (CCS 2016), Hofburg Palace, Vienna, Austria, October 28, 2016. (Submission Due 27 July 2016) http://eecs.oregonstate.edu/cps-spc/index.html Cyber-Physical Systems (CPS) integrate computing and communication capabilities with monitoring and control of entities in the physical world. These systems are usually composed of a set of networked agents, including sensors, actuators, control processing units, and communication devices. While some forms of CPS are already in use, the widespread growth of wireless embedded sensors and actuators is creating several new applications in areas such as medical devices, autonomous vehicles, and smart infrastructure, and is increasing the role that the information infrastructure plays in existing control systems such as in the process control industry or the power grid. Many CPS applications are safety-critical: their failure can cause irreparable harm to the physical system under control, and to the people who depend, use or operate it. In particular, critical cyber-physical infrastructures such as the electric power generation, transmission and distribution grids, oil and natural gas systems, water and waste-water treatment plants, and transportation networks play a fundamental and large-scale role in our society and their disruption can have a significant impact to individuals, and nations at large. Securing these CPS infrastructures is therefore vitally important. Similarly because many CPS systems collect sensor data non-intrusively, users of these systems are often unaware of their exposure. Therefore in addition to security, CPS systems must be designed with privacy considerations. 
To address some of these issues, we invite original research papers on the security and/or privacy of Cyber-Physical Systems. We seek submissions from multiple interdisciplinary backgrounds tackling security and privacy issues in CPS.

-------------------------------------------------------------------------
ICISS 2016
12th International Conference on Information Systems Security,
Jaipur, India, December 16-20, 2016.
(Submission Due 29 July 2016)
http://www.iciss.org.in

The ICISS Conference, held annually, provides a forum for disseminating the latest research results in information and systems security. As in previous years, proceedings of the conference will be published as part of the Springer Verlag series of Lecture Notes in Computer Science. Submissions are encouraged from academia, industry and government, addressing theoretical and practical problems in information and systems security and related areas. Topics of interest include but are not limited to:
- Access and Usage Control
- Authentication and Audit
- Cloud Security
- Cyber-physical Systems Security
- Digital Forensics
- Distributed Systems Security
- Identity Management
- Intrusion Tolerance and Recovery
- Language-based Security
- Network Security
- Privacy and Anonymity
- Security and Usability
- Sensor and Ad Hoc Network Security
- Software Security
- Vulnerability Detection and Mitigation
- Application Security
- Biometric Security
- Cryptographic Protocols
- Data Security and Privacy
- Digital Rights Management
- Formal Models in Security
- Intrusion Detection and Prevention
- Key Management
- Malware Analysis and Mitigation
- Operating Systems Security
- Secure Data Streams
- Security Testing
- Smartphone Security
- Usable Security
- Web Security

-------------------------------------------------------------------------
IEEE EuroSP 2017
2nd IEEE European Symposium on Security and Privacy,
Paris, France, April 26-28, 2017.
(Submission Due 4 August 2016)
http://www.ieee-security.org/TC/EuroSP2017/cfp.php

The IEEE European Symposium on Security and Privacy (EuroS&P) is the European sister conference of the established IEEE S&P symposium. It is a premier forum for computer security research, presenting the latest developments and bringing together researchers and practitioners. We solicit previously unpublished papers offering novel research contributions in any aspect of security or privacy. Papers may present advances in the theory, design, implementation, analysis, verification, or empirical evaluation and measurement of secure systems. Papers that shed new light on past results by means of sound theory or thorough experimentation are also welcome. Topics of interest include:
- Access control
- Accountability
- Anonymity
- Application security
- Cryptography with applied relevance to security and privacy
- Attacks and defenses
- Authentication
- Censorship and censorship-resistance
- Cloud security
- Distributed systems security
- Embedded systems security
- Forensics
- Formal methods for security
- Hardware security
- Human aspects of security and privacy
- Intrusion detection
- Malware
- Metrics
- Mobile security and privacy
- Language-based security
- Network security
- Privacy-preserving systems
- Protocol security
- Secure information flow
- Security and privacy policies
- Security architectures
- System security
- Web security and privacy

-------------------------------------------------------------------------
NDSS 2017
Network and Distributed System Security Symposium,
San Diego, California, USA, February 26 - March 1, 2017.
(Submission Due 12 August 2016)
https://www.internetsociety.org/events/ndss-symposium/ndss-symposium-2017/ndss-2017-call-papers

The Network and Distributed System Security Symposium fosters information exchange among researchers and practitioners of network and distributed system security.
The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies. Technical papers and panel proposals are solicited. All submissions will be reviewed by the Program Committee and accepted submissions will be published by the Internet Society in the Proceedings of NDSS 2017. The Proceedings will be made freely accessible from the Internet Society webpages. Furthermore, permission to freely reproduce all or parts of papers for noncommercial purposes is granted provided that copies bear the Internet Society notice included in the first page of the paper. The authors are therefore free to post the camera-ready versions of their papers on their personal pages and within their institutional repositories. Reproduction for commercial purposes is strictly prohibited and requires prior consent. 
Submissions are solicited in, but not limited to, the following areas:
- Anti-malware techniques: detection, analysis, and prevention
- Combating cyber-crime: anti-phishing, anti-spam, anti-fraud techniques
- Security for future Internet architectures and designs (e.g., Software-Defined Networking)
- High-availability wired and wireless networks
- Implementation, deployment and management of network security policies
- Integrating security in Internet protocols: routing, naming, network management
- Intellectual property protection: protocols, implementations, metering, watermarking, digital rights management
- Intrusion prevention, detection, and response
- Privacy and anonymity technologies
- Security and privacy for distributed cryptocurrencies
- Security and privacy in social networks
- Public key infrastructures, key management, certification, and revocation
- Special problems and case studies: e.g., tradeoffs between security and efficiency, usability, reliability and cost
- Security for collaborative applications: teleconferencing and video-conferencing
- Security for cloud computing
- Security for emerging technologies: sensor/wireless/mobile/personal networks and systems
- Security for future home networks, Internet of Things, body-area networks
- Security for large-scale systems and critical infrastructures (e.g., electronic voting, smart grid)
- Security for peer-to-peer and overlay network systems
- Security for Vehicular Ad-hoc Networks (VANETs)
- Security of Web-based applications and services
- Trustworthy Computing mechanisms to secure network protocols and distributed systems
- Usable security and privacy

-------------------------------------------------------------------------
GenoPri 2016
3rd International Workshop on Genome Privacy and Security,
Held in conjunction with the AMIA 2016 Annual Symposium,
Chicago, IL, USA, November 12, 2016.
(Submission Due 22 August 2016)
http://www.genopri.org/

Over the past several decades, genome sequencing technologies have evolved from slow and expensive systems that were limited in access to a select few scientists and forensics investigators to high-throughput, relatively low-cost tools that are available to consumers. A consequence of such technical progress is that genomics has become one of the next major challenges for privacy and security because (1) genetic diseases can be unveiled, (2) the propensity to develop specific diseases (such as Alzheimer's) can be revealed, (3) a volunteer who agrees to have his genomic code made public can leak substantial information about his ethnic heritage and the genomic data of his relatives (possibly against their will), and (4) complex privacy issues can arise if DNA analysis is used for criminal investigations and medical purposes. As genomics is increasingly integrated into healthcare and "recreational" services (e.g., ancestry testing), the risk of DNA data leakage is serious for both individuals and their relatives. Failure to adequately protect such information could lead to a serious backlash, impeding genomic research, that could affect the well-being of our society as a whole. This prompts the need for research and innovation in all aspects of genome privacy and security, as suggested by the non-exhaustive list of topics on the workshop website.
-------------------------------------------------------------------------
IEICE Transactions on Information and Systems,
Special Section on Information and Communication System Security,
(Submission Due 25 August 2016)
http://www.ieice.org/~icss/CFP/ICSS-Ieice-2017e.pdf
Guest Editors: Yasunori Ishihara (Osaka University, Japan), Atsushi Kanai (Hosei University, Japan), Kazuomi Oishi (Shizuoka Institute of Science and Technology, Japan), and Yoshiaki Shiraishi (Kobe University, Japan)

The IEICE Transactions on Information and Systems, which is included in SCIE (Science Citation Index Expanded), announces that it will publish a special section entitled "Special Section on Information and Communication System Security" in August, 2017. The major topics include, but are not limited to:
- Security Technologies on Ad Hoc Network, P2P, Sensor Network, RFID, Wireless Network, Mobile Network, Home Network, Cloud, Database System, SNS
- Access Control, Content Security, DRM, CDN, Privacy Protection, E-Commerce, PKI, Security Architecture, Security Protocol, Security Implementation Technology, Secure OS, Security Evaluation/Authentication

-------------------------------------------------------------------------
IFIP 119 DF 2017
13th Annual IFIP WG 11.9 International Conference on Digital Forensics,
Orlando, Florida, USA, January 30-February 1, 2017.
(Submission Due 16 September 2016)
http://www.ifip119.org/

The IFIP Working Group 11.9 on Digital Forensics (www.ifip119.org) is an active international community of scientists, engineers and practitioners dedicated to advancing the state of the art of research and practice in digital forensics. The Thirteenth Annual IFIP WG 11.9 International Conference on Digital Forensics will provide a forum for presenting original, unpublished research results and innovative ideas related to the extraction, analysis and preservation of all forms of electronic evidence. Papers and panel proposals are solicited.
All submissions will be refereed by a program committee comprising members of the Working Group. Papers and panel submissions will be selected based on their technical merit and relevance to IFIP WG 11.9. The conference will be limited to approximately sixty participants to facilitate interactions between researchers and intense discussions of critical research issues. Keynote presentations, revised papers and details of panel discussions will be published as an edited volume - the eleventh volume in the well-known Research Advances in Digital Forensics book series (Springer, Heidelberg, Germany) - during the summer of 2017. Technical papers are solicited in all areas related to the theory and practice of digital forensics. Areas of special interest include, but are not limited to:
- Theories, techniques and tools for extracting, analyzing and preserving digital evidence
- Network and cloud forensics
- Embedded device forensics
- Digital forensic processes and workflow models
- Digital forensic case studies
- Legal, ethical and policy issues related to digital forensics

-------------------------------------------------------------------------
IEEE Communications Magazine,
Feature Topic on Traffic Measurements for Cyber Security,
(Submission Due 1 October 2016)
http://www.comsoc.org/commag/cfp/traffic-measurements-cyber-security
Guest Editors: Wojciech Mazurczyk (Warsaw University of Technology, Poland), Koji Nakao (KDDI / NICT, Japan), Maciej Korczyński (Delft University of Technology, The Netherlands), Engin Kirda (Northeastern University, USA), Cristian Hesselman (SIDN Labs, The Netherlands), and Katsunari Yoshioka (Yokohama National University, Japan)

In today's world, societies are becoming more and more dependent on open networks such as the Internet - where commercial activities, business transactions and government services are realized.
This has led to the fast development of new cyber threats and numerous information security issues which cyber criminals exploit. The inability to provide trusted secure services in contemporary computer network technologies has a tremendous unfavorable socio-economic impact on global enterprises as well as individuals. Current communication networks are increasingly becoming pervasive, complex, and ever-evolving due to factors like enormous growth in the number of network users, continuous appearance of network applications, increasing amount of data transferred, and diversity of user behaviors. Understanding and measuring traffic in such networks is not only a difficult but also a vital task for network management, and recently also for cyber security purposes. Network traffic measuring and monitoring can enable the analysis of the spreading of malicious software and its capabilities, or can help us understand the nature of various network threats, including those that exploit users' behavior and other sensitive user information. On the other hand, network traffic investigation can also help us assess the effectiveness of the existing countermeasures or contribute to building new, better ones. Recently, traffic measurements have been utilized in the area of economics of cyber security, e.g., to assess ISP "badness" or to estimate the revenue of cyber criminals. The aim of this feature topic is to bring together the research accomplishments of academic and industry researchers. The other goal is to show the latest research results in the field of cyber security and to understand how traffic measurements can influence it. We encourage prospective authors to submit related distinguished research papers on the subject of both theoretical approaches and practical case reviews. This special issue presents some of the most relevant ongoing research in cyber security seen from the traffic measurements perspective.
Topics include, but are not limited to, the following:
- Measurements for network incident response, investigation and evidence handling
- Measurements for network anomaly detection
- Measurements for economics of cyber security
- Network traffic analysis to discover the nature and evolution of cyber security threats
- Measurements for assessing the effectiveness of threat detection/prevention methods and countermeasures
- Novel passive, active and hybrid measurement techniques for cyber security purposes
- Traffic classification and topology discovery tools for monitoring the evolving status of the network from the cyber security perspective
- Correlation of measurements across multiple layers, protocols or networks for cyber security purposes
- Novel visualization approaches to detect network attacks and other threats
- Analysis of network traffic to provide new insights about network structure and behavior from the security perspective
- Measurements of network protocol and application behavior and its impact on cyber security and users' privacy
- Measurements related to network security and privacy

-------------------------------------------------------------------------
INTRICATE-SEC 2017
5th International Workshop on Security Intricacies in Cyber-Physical Systems and Services,
Taipei, Taiwan, March 27-29, 2017.
(Submission Due 1 October 2016)
https://goo.gl/562zhD

Cyber-physical systems (CPS) are ubiquitous in critical infrastructures such as electrical power generation, transmission, and distribution networks, water management, and transportation, but also in both industrial and home automation. For flexibility, convenience, and efficiency, CPS are increasingly supported by commodity hardware and software components that are deliberately interconnected using open standard general purpose information and communication technology (ICT).
The long life-cycles of CPS and increasingly incremental changes to these systems require novel approaches to the composition and inter-operability of the services provided. The paradigm of service-oriented architectures (SoA) has successfully been used in similar long-lived and heterogeneous software systems. However, adapting the SoA paradigm to the CPS domain requires maintaining the security, reliability and privacy properties not only of the individual components but also of complex interactions and service orchestrations that may not even exist during the initial design and deployment of an architecture. An important consideration therefore is the design and analysis of security mechanisms and architectures able to handle cross-domain inter-operability over multiple domains involving components with highly heterogeneous capabilities. The INTRICATE-SEC workshop aims to provide a platform for academics, industry, and government professionals to communicate and exchange ideas on provisioning secure CPS and Services.

-------------------------------------------------------------------------

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each available in two ways:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe".
   OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".
   OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.

____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy (or other TCs) by completing the on-line form at IEEE at http://www.computer.org/portal/web/tandc/tclist

______________________________________________________________________
TC Publications for Sale
______________________________________________________________________

The proceedings of previous conferences are available from the Computer Society's Digital Library.
IEEE Security and Privacy Symposium
IEEE Computer Security Foundations
IEEE CS Press

____________________________________________________________________________
TC Officers and SP Steering Committee
____________________________________________________________________________

Chair:
Ulf Lindqvist
SRI International
Menlo Park, CA
ulf.lindqvist@sri.com

Security and Privacy Symposium Chair Emeritus:
Michael Locasto
SRI International
oakland16-chair@ieee-security.org

Chair:
Sean Peisert
UC Davis and Lawrence Berkeley National Laboratory
speisert@ucdavis.edu

Treasurer:
Yong Guan
3219 Coover Hall
Department of Electrical and Computer Engineering
Iowa State University, Ames, IA 50011
(515) 294-8378
yguan (at) iastate.edu

Newsletter Editor and TC Awards Chair:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

Security and Privacy Symposium, 2017 Chair:
Kevin Butler
Department of Computer and Information Science and Engineering
University of Florida
butler at ufl.edu

____________________________________________________________________________
BACK ISSUES:
Cipher is archived at: http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year