============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 144                                          June 4, 2018

Hilarie Orman, Editor                  Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org      cipher-assoc-editor @ ieee-security.org

Sven Dietrich                          Yong Guan
Book Review Editor                     Calendar Editor
cipher-bookrev @ ieee-security.org     cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year

Contents:

 * Letter from the Editor
 * Commentary and Opinion and News
    o Sven Dietrich's review of SCION: A Secure Internet Architecture by Adrian Perrig, Pawel Szalachowski, Raphael M. Reischuk, and Laurent Chuat
    o News
      - There's a Russian in my router
      - PGP Mime, decryption through invisible html
      - Did he or didn't he? Only Tor knows ...
      - Your Location Data, Free to the World
    o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website
 * List of Computer Security Academic Positions, by Cynthia Irvine
 * Conference and Workshop Announcements
    o Upcoming calls-for-papers and events
 * Staying in Touch
    o Information for subscribers and contributors
    o Recent address changes
 * Links for the IEEE Computer Society TC on Security and Privacy
    o Becoming a member of the TC
    o TC Officers

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

The IEEE Security and Privacy Symposium was held recently, and it was a time to reflect on the growth of the security research field.
The symposium had 66 papers packed into 3 days, a poster session, and a full day of workshops. There were nearly 600 registrations for the main symposium. There are now 3 separate conferences under the same sponsorship: the European Security and Privacy Symposium, the SecDev conference, and the Computer Security Foundations symposium. The program committees are generally disposed towards increasing the number of papers, and this means that the format of Security and Privacy will have to change. At the business meeting there was strong support for dual track, and next year there may be some experimentation to help settle on a stable format for outyears.

The program had a greater breadth of topics than in previous years. Some, perhaps most, of the non-traditional topics had interesting presentations, and many of the traditional topics elicited little perceptible interest from the audience. This phenomenon was a bit jarring, especially when juxtaposed against the rumblings of complaints about the review process. The review committee does a huge amount of work in considering the deluge of submissions, but perhaps not all papers get consideration from appropriate experts. The all-important acceptance rate may increase, but that in itself does not guarantee that the conference's paper quality goals are met.

The conference had, for the first time, a published code of conduct, based on the IEEE code of conduct. The conference organizers seemed committed to making the venue a comfortable society for all attendees. One of the five minute talks took direct aim at the lack of gender and racial diversity of the symposium, something that has changed little over its history.

Next year will be the 40th meeting of the symposium (NB: this is not the same as the 40th anniversary). Some commemoration of the milestone may occur.

My eyes are fully open to my awful situation -
I shall go at once to Microsoft and make them an oration.
I shall tell them I've deleted my corrupted hard drive data,
And I don't care twobits-half-a-byte for any damaged SATA.
Now I do not want to perish by the word or by the sector,
But a martyr may indulge in a little pardonable lecture,
And a word or two of complement my ECC would tatter,
But my data dies tomorrow, so it really doesn't matter!

(so sorry G&S!)

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

---------------------------------------------------------------------
Book Review By Sven Dietrich
6/4/18

SCION: A Secure Internet Architecture
by Adrian Perrig, Pawel Szalachowski, Raphael M. Reischuk, and Laurent Chuat

Springer Verlag 2017.
ISBN 978-3-319-670079-9
432 pages

Some of us have witnessed the early days of the Internet, seen it grow from a military to an academic network, and then become an omnipresent network, something we find it difficult to live without. Recent attacks on this infrastructure have shown us how much indeed we have become dependent on this very Internet, an unbounded system that permeates our everyday lives via mobile, IoT, business, and home computing and networking. The Mirai botnet DDoS attacks, descendants of the early DDoS attacks from almost twenty years ago, remind us that the Internet has grown organically over the years. And perhaps it is time to rethink what the Internet is. This is where Adrian Perrig and his team come in.

There has been a fine selection of efforts for creating a next-generation Internet architecture, e.g. in the FIA and GENI research programs.
Here we have Adrian Perrig's project, the SCION architecture, with his proposal at the next generation of the Internet. It was originally named SCI-FI, but was renamed SCION for a better naming approach: Scalability, Control, and Isolation for Next-Generation Networks. Much of it is based on the seminal paper of the same name at the 2011 IEEE Security and Privacy conference. This book summarizes many years, almost a decade, of research and development on SCION. The reader is brought up to speed with the current state of the Internet, the threat landscape vs. the underlying networking and routing protocols that were designed when the threat landscape was much different. The book is divided into five parts spanning a total of seventeen chapters. After a foreword by Virgil Gligor, part one of the book presents an overview of the Internet today, the need for a next step, and the related, competing, and even compatible efforts out there. The second chapter describes the SCION architecture at a higher level, mentioning the data and control planes concepts, security aspects for the Internet, incentives for stakeholders to "fix" the Internet, deployment, and possible extensions for the architecture. Most importantly, chapter three covers the key concept of SCION: the isolation domain, the "I" in SCION. It covers the motivation for the isolation domains (ISDs), the ISD core, coordination among ISDs, name resolution, governance models, and last but not least, the nesting of ISDs. Part two of the book goes into much detail, delving deeply into the intricacies of SCION, such as the authentication infrastructure, ISD coordination, data and control plane specifics such as the SCION version of TCP/IP, yes, you guessed it: TCP/SCION. Also covered are name resolution and deployment of SCION, e.g. how to deploy or even just try it out. 
Part three talks about possible extensions of SCION, and part four does the necessary due diligence and provides an analysis and evaluation covering the security analysis of SCION, looking at the threat model, packet and route manipulation, and overall resilience given by the absence of a "kill switch" for the network. Part five finally goes into the specification of the SCION components, such as the various packet formats, configuration files, and the necessary cryptographic algorithms.

Overall, this is a great book for understanding where we are in today’s Internet, and what we need to consider for moving forward. I hope you will enjoy reading this book as much as I did. Adrian Perrig is a seasoned researcher and expert in his field, and shares his knowledge with the reader in an accessible, easily-readable manner. I had the pleasure of working with Adrian at Carnegie Mellon University’s CyLab many years ago.

-------------
Sven Dietrich reviews technology and security books for IEEE Cipher. He welcomes your thoughts at spock at ieee dot org

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

------------------------------------------------------------------------------
There's a Russian in my router

U.S., British governments warn businesses worldwide of Russian campaign to hack routers
The Washington Post
https://www.washingtonpost.com/world/national-security/us-british-governments-say-russia-has-hacked-routers-used-by-businesses-globally/2018/04/16/90e8d34c-4181-11e8-8569-26fda6b404c7_story.html
By Ellen Nakashima
April 16, 2018

Summary:
The US and British governments jointly issued a warning about malware in computer routers and firewalls.
The White House has said that there is "high confidence" that the malware is orchestrated by Russia and is part of a long-term campaign to infiltrate the Internet infrastructure for espionage purposes.

-----------------
U.S.-U.K. Warning on Cyberattacks Includes Private Homes
The New York Times
https://www.nytimes.com/2018/04/16/world/europe/us-uk-russia-cybersecurity-threat.html
By David D. Kirkpatrick and Ron Nixon
Apr 16, 2018

Summary:
A former director of the British electronic spying agency GCHQ said that the joint warning of the US and British governments about router malware was meant to serve as a warning to the Russians with the message "We know where you are pre-positioned and if something happens, we will know it is you."

According to officials, the Russian efforts have been going on for at least 20 years, so the immediate urgency of responding to the malware is unclear. It may be a sort of civilian cyber emergency drill. We wonder if officials will check to see how many people actually reboot or factory reset their routers in response to the warning.

-----------------
Official Warning re Network Infrastructure Devices

Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices
US-CERT, United States Computer Emergency Readiness Team
https://www.us-cert.gov/ncas/alerts/TA18-106A
April 20, 2018

Summary:
The alert concerns vulnerabilities present in many router devices, including inexpensive ones that would be used in homes or small businesses, that are being exploited by malware. The malware seems to have come from Russia, and it is widespread. It depends on a website (reportedly shutdown prior to this alert), and the advice includes this statement: "... administrators should inspect the presence of protocol 47 traffic flowing to or from unexpected addresses, or unexplained presence of GRE tunnel creation, modification, or destruction in log files."
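
One way to act on the quoted advice, as an added example that is not part of the alert or of this newsletter: a Python triage pass over flow records and device logs. The record formats, host names, addresses and the approved-change list are all constructed assumptions.

```python
"""Added example: flag protocol 47 (GRE) flows to or from unexpected
addresses and tunnel create/modify/delete log events with no matching
approved change. All formats and sample data are constructed."""
import ipaddress
import re
from typing import NamedTuple

GRE = 47  # IP protocol number of Generic Routing Encapsulation


class Flow(NamedTuple):
    ts: str
    src: str
    dst: str
    proto: int


def parse_flow(line):
    """Parse an assumed 'ts src dst proto bytes' flow export line."""
    ts, src, dst, proto, _nbytes = line.split()
    return Flow(ts, src, dst, int(proto))


def unexpected_gre(flow_lines, expected_endpoints):
    """Return GRE flows where either end is not a documented tunnel endpoint."""
    nets = [ipaddress.ip_network(e) for e in expected_endpoints]

    def known(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in nets)

    flagged = []
    for line in flow_lines:
        flow = parse_flow(line)
        if flow.proto == GRE and not (known(flow.src) and known(flow.dst)):
            flagged.append(flow)
    return flagged


# Assumed log layout: "<ts> <host> CONFIG: interface TunnelN <action> (mode gre..."
TUNNEL_EVENT = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) CONFIG: interface (?P<ifname>Tunnel\d+) "
    r"(?P<action>created|modified|deleted) \(mode gre\b")


def unexplained_tunnel_events(log_lines, approved):
    """Return GRE tunnel events whose (host, interface) has no approved change."""
    events = []
    for line in log_lines:
        m = TUNNEL_EVENT.match(line)
        if m and (m["host"], m["ifname"]) not in approved:
            events.append((m["ts"], m["host"], m["ifname"], m["action"]))
    return events


# Constructed sample data (documentation address ranges only).
EXPECTED_ENDPOINTS = ["198.51.100.1/32", "192.0.2.20/32"]
FLOWS = [
    "2018-04-18T02:14:09Z 198.51.100.1 203.0.113.77 47 1480",
    "2018-04-18T02:14:10Z 198.51.100.1 192.0.2.20 47 900",
    "2018-04-18T02:14:11Z 198.51.100.1 192.0.2.53 17 120",
    "2018-04-18T02:14:12Z 203.0.113.77 198.51.100.1 47 640",
    "2018-04-18T02:14:13Z 198.51.100.9 192.0.2.80 6 5200",
]
APPROVED_CHANGES = {("edge-rtr2", "Tunnel1")}
LOGS = [
    "2018-04-18T02:14:07Z edge-rtr1 CONFIG: interface Tunnel7 created (mode gre, destination 203.0.113.77) by admin",
    "2018-04-18T02:15:30Z edge-rtr1 CONFIG: interface Tunnel7 modified (mode gre, destination 203.0.113.77) by admin",
    "2018-04-18T09:00:12Z edge-rtr2 CONFIG: interface Tunnel1 created (mode gre, destination 192.0.2.20) by netops",
    "2018-04-18T09:05:00Z edge-rtr2 CONFIG: interface GigabitEthernet0/1 modified by netops",
    "2018-04-19T03:40:55Z edge-rtr1 CONFIG: interface Tunnel7 deleted (mode gre) by admin",
]

if __name__ == "__main__":
    for flow in unexpected_gre(FLOWS, EXPECTED_ENDPOINTS):
        print("unexpected GRE flow:", flow)
    for event in unexplained_tunnel_events(LOGS, APPROVED_CHANGES):
        print("unexplained tunnel event:", event)
```
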
------------------------------------------------------------------------------
PGP Mime, decryption through invisible html

Decade-old Efail attack can decrypt previously obtained encrypted emails
Ars Technica
https://arstechnica.com/information-technology/2018/05/decade-old-efail-attack-can-decrypt-previously-obtained-encrypted-e-mails/
By Dan Goodin
May 14, 2018

Summary:
We think that this hack should win an award for cleverness. It shows that cryptography is not worth much without being used with a well-defined security architecture. Read the article yourself to understand the exploit in depth; what follows here is a summary and opinion on what is missing in the use of cryptography in user applications.

The basic idea of the exploit is to construct a multi-part MIME message with encrypted parts that are cobbled together from ordinary html and ciphertext that had been previously received by the victim. After all the processing is completed, the parts together form an html document. When that is presented to a browser, it may fetch data from links in the html document. The attacker has constructed the document so that those url links name a website controlled by the attacker, and the remainder of the url is the decryption of the old ciphertext. By examining the server logs, the attacker can read the decrypted text.

This problem arises because there is no clear definition of a security policy for encrypted email. In a formally specified system, encrypted data would be marked as sensitive, and it would not be used as part of unprotected communication to an untrusted website. But by blindly following the details of low-level crypto processing without considering the fact that the crypto was meant to provide confidentiality, the software engineers allowed an attacker to turn crypto capability against the user.

------------------------------------------------------------------------------
Did he or didn't he? Only Tor knows ...

U.S. identifies suspect in major leak of CIA hacking tools
The Washington Post
By Shane Harris
May 15, 2018
https://www.washingtonpost.com/world/national-security/us-identifies-suspect-in-major-leak-of-cia-hacking-tools/2018/05/15/5d5ef3f8-5865-11e8-8836-a4a123c359ab_story.html

Summary:
Joshua Adam Schulte worked for the CIA group that produced hacking tools. Those tools showed up in WikiLeaks in March 2017. Did Schulte use Tor to distribute the CIA tools to WikiLeaks? The US government has his computers, but has not formally charged him for the leak. Did Schulte, in an unrelated act, load child pornography onto a server? He sits in jail on that charge. Schulte claims innocence. He was critical of CIA management, and he was one of more than 50 people with access to the server; those facts, he says, have led the government to mistakenly suspect and charge him.

------------------------------------------------------------------------------
Your Location Data, Free to the World

Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers Without Consent in Real Time Via Its Web Site
Krebs On Security
May 17, 2018
https://krebsonsecurity.com/2018/05/tracking-firm-locationsmart-leaked-location-data-for-customers-of-all-major-u-s-mobile-carriers-in-real-time-via-its-web-site/

Summary:
Unbeknownst to most people, the location of most mobile telephones in the US was available with little in the way of secure authentication through the website of a company called LocationSmart. LocationSmart seemed to have been security dumb, despite statements saying that it took privacy and security seriously. A freely available demo on its website allowed anyone to request location data for any phone (apparently the user of the phone had to give permission via a text message for each access). LocationData is used by third parties: law enforcement, companies that give mobile phones to their employees, etc.
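
For the Efail item earlier in these news briefs, an added example (not code from the article or from any mail client) of the kind of explicit policy the commentary says is missing: a Python check of where the encrypted entity sits in the MIME tree before anything is decrypted or rendered. The two messages are constructed, and the policy fields (`auto_decrypt`, `block_remote_content`) are this example's assumptions.

```python
"""Added example: treat decrypted mail as sensitive by policy.

An encrypted entity that is the root of the message is decrypted, with
remote content blocked. An encrypted entity embedded beside other parts
(the shape described in the Efail summary) is never merged with them."""
import email


def is_encrypted(part):
    """True for PGP/MIME and S/MIME enveloped entities."""
    ctype = part.get_content_type()
    if ctype == "multipart/encrypted":
        return True
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        return part.get_param("smime-type", "enveloped-data") != "signed-data"
    return False


def find_encrypted(part, ancestors=()):
    """Yield (encrypted_part, ancestors) without descending into ciphertext."""
    if is_encrypted(part):
        yield part, ancestors
        return
    if part.is_multipart():
        for child in part.get_payload():
            yield from find_encrypted(child, ancestors + (part,))


def assess(raw):
    """Return the handling decision for one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    hits = list(find_encrypted(msg))
    if not hits:
        return {"verdict": "no-encrypted-part", "siblings": [],
                "auto_decrypt": False, "block_remote_content": False}
    siblings = []
    for part, ancestors in hits:
        if ancestors:  # encrypted entity is not the root
            parent = ancestors[-1]
            siblings += [c.get_content_type() for c in parent.get_payload()
                         if c is not part]
    embedded = any(ancestors for _, ancestors in hits)
    return {"verdict": "encrypted-embedded" if embedded else "encrypted-root",
            "siblings": siblings,
            "auto_decrypt": not embedded,
            # Anything derived from ciphertext must not feed outbound requests.
            "block_remote_content": True}


ENCRYPTED_BODY = """\
--B2
Content-Type: application/pgp-encrypted

Version: 1
--B2
Content-Type: application/octet-stream

(ciphertext placeholder, constructed)
--B2--
"""

# Constructed: ordinary PGP/MIME message, encrypted entity at the root.
CLEAN = """\
From: sender@example.org
To: reader@example.org
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="B2"

""" + ENCRYPTED_BODY

# Constructed: encrypted entity placed between html parts under multipart/mixed.
EMBEDDED = """\
From: sender@example.org
To: reader@example.org
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html

<p>leading html part (constructed)</p>
--B1
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="B2"

""" + ENCRYPTED_BODY + """\
--B1
Content-Type: text/html

<p>trailing html part (constructed)</p>
--B1--
"""

if __name__ == "__main__":
    for name, raw in (("clean", CLEAN), ("embedded", EMBEDDED)):
        print(name, assess(raw))
```
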
====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

New since Cipher E143:

Temple University
Philadelphia, Pennsylvania. USA
Chair, Department of Computer and Information Sciences
For information contact: zoran.obradovic@temple.edu with "Chair position" as the subject.
Applications may be submitted electronically at: https://academicjobsonline.org/ajo/jobs/10070

http://cisr.nps.edu/jobscipher.html
--------------
This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Conference and Workshop Announcements
====================================================================

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Cipher calendar entries are announced on Twitter; follow ciphernews

Requests for inclusion in the list should be sent per instructions: http://www.ieee-security.org/Calendar/submitting.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

6/ 1/18: SP, 40th IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2019/ Submissions are due
6/ 4/18- 6/ 7/18: WIIoTS, Workshop on
Industrial Internet of Things Security, Bilbao, Spain; http://globaliotsummit.org 6/ 4/18- 6/ 8/18: ASIACCS, ACM Symposium on Information, Computer and Communications Security, Sungdo, Incheon, Korea; http://asiaccs2018.org/ 6/8/18: ICICS, 20th International Conference on Information and Communications Security, Lille, France; http://conference.imt-lille-douai.fr/icics2018/ Submissions are due 6/15/18: ACSAC, 2018 Annual Computer Security Applications Conference, San Juan, Puerto Rico, USA; https://www.acsac.org Submissions are due 6/16/18: STM, 14th International Workshop on Security and Trust Management, Co-located with the 23rd European Symposium On Research in Computer Security (ESORICS 2018), Barcelona, Spain; https://www.nics.uma.es/pub/stm18 Submissions are due 6/22/18: SSR, 4th Conference on Security Standards Research, Darmstadt, Germany; https://ssr2018.net/ Submissions are due 6/26/18- 6/27/18: ESSoS, International Symposium on Engineering Secure Software and Systems, Campus Paris-Saclay, France; https://distrinet.cs.kuleuven.be/events/essos/2018/index.html 7/ 1/18: SP, 40th IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2019/ Submissions are due 7/ 2/18-7/ 4/18: IVSW, 3rd International Verification and Security Workshop, Costa Brava, Spain; http://tima.imag.fr/conferences/ivsw/ivsw18/ 7/ 6/18: CRiSIS, 13th International Conference on Risks and Security of Internet and Systems, Arcachon, France; http://crisis2018.labri.fr Submissions are due 7/ 8/18: GRAMSEC, 5th International Workshop on Graphical Models for Security, Co-located with CSF 2018, Oxford, UK; http://gramsec.uni.lu 7/ 8/18-7/13/18: WCCI-Blockchain, Blockchain Research and Applications Session, Held in conjunction with the 2018 World Congress on Computational Intelligence (WCCI 2018), Rio de Janeiro, Brasil; http://www.ieee-cifer.org 7/15/18-7/18/18: DFRWS, 18th Annual DFRWS USA 2018 Conference, Providence, Rhode Island, USA; 
http://dfrws.org/conferences/dfrws-usa-2018 7/16/18-7/18/18: DBSec, 32nd Annual IFIP WG 11.3 Working Conference on Data and Applications Security and Privacy, Bergamo, Italy; http://dbsec18.unibg.it 7/24/18-7/27/18: PETS, 18th Privacy Enhancing Technologies Symposium, Barcelona, Spain; https://petsymposium.org/ 7/20/18: ISDDC, International Conference on Intelligent, Secure and Dependable Systems in Distributed and Cloud Environments, Vancouver, BC, Canada; http://www.isddc.org/2018/ Submissions are due 8/ 1/18: SP, 40th IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2019/ Submissions are due 8/10/18: NordSec, 23rd Nordic Conference on Secure IT Systems, Oslo, Norway,; https://securitylab.no/nordsec18/ Submissions are due 8/12/18-8/14/18: SOUPS, 14th Symposium on Usable Privacy and Security, Baltimore, MD, USA; https://www.usenix.org/conference/soups2018 8/12/18-8/14/18: SciSec, 1st International Conference on Science of Cyber Security, Beijing, China; http://www.sci-cs.net/ 8/12/18-8/15/18: DASC, 16th IEEE International Conference on Dependable, Autonomic and Secure Computing, Athens, Greece; http://cyber-science.org/2018/dasc/ 8/15/18-8/17/18: USENIX Security, 27th USENIX Security Symposium, Baltimore, MD, USA; https://www.ieee-security.org/TC/SP2018/cfpapers.html 8/19/18-8/23/18: Crypto, 38th International Cryptology Conference, Santa Barbara, CA, USA; https://crypto.iacr.org/2018/ 8/27/18-8/30/18: ARES, 13th International Conference on Availability, Reliability and Security, Hamburg, Germany; http://www.ares-conference.eu 8/27/18-8/30/18: FARES, 13th International Workshop on Frontiers in Availability, Reliability and Security, Hamburg, Germany; https://www.ares-conference.eu/workshops/fares-2018/ 8/27/18-8/30/18: WCTI, International Workshop on Cyber Threat Intelligence, Held in conjunction with the 13th International Conference on Availability, Reliability and Security (ARES 2018), Hamburg, Germany; 
https://www.ares-conference.eu/workshops/wcti-2018/ 8/31/18: NSPW, New Security Paradigms Workshop, Cumberland Lodge, Windsor, UK; http://nspw.org/2018/cfp 9/ 1/18: SP, 40th IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2019/ Submissions are due 9/ 3/18- 9/ 5/18: WSEC, 13th International Workshop on Security, Sendai, Japan; http://www.iwsec.org/2018/ 9/ 6/18- 9/ 7/18: STM, 14th International Workshop on Security and Trust Management, Co-located with the 23rd European Symposium On Research in Computer Security (ESORICS 2018), Barcelona, Spain; https://www.nics.uma.es/pub/stm18 9/10/18- 9/12/18: ICDF2C, 10th EAI International Conference on Digital Forensics & Cyber Crime, New Orleans, LA, USA; http://d-forensics.org/ 9/17/18: IFIP 11.9 DF, 15th Annual IFIP WG 11.9 International Conference on Digital Forensics, Orlando, Florida, USA; http://www.ifip119.org Submissions are due 9/17/18- 9/19/18: PLLS, 2nd Workshop on the Protection of Long-Lived Systems, Parnu, Estonia; http://plls2018.ttu.ee 9/18/18: STRIVE, 1st Workshop on Safety, securiTy, and pRivacy In automotiVe systEms, Co-located with SAFECOMP 2018, Vasteras, Sweden; http://www.iit.cnr.it/strive2018 9/18/18- 9/20/18: NISK, 11th Norwegian Information Security Conference, Longyearbyen, Svalbard, Norway; https://easychair.org/cfp/NISK2018 9/30/18-10/ 2/18: SecDev, IEEE Security Development Conference, Cambridge, MA, USA; https://secdev.ieee.org/2018/papers/ 9/30/18-10/ 3/18: CANS, 17th International Conference on Cryptology and Network Security, Naples, Italy; http://cans2018.na.icar.cnr.it/ 10/ 1/18: Springer International Journal of Information Security, Special Issue on IoT Security and Privacy; https://link.springer.com/journal/10207 Submissions are due 10/ 1/18: SP, 40th IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2019/ Submissions are due 10/15/18-10/19/18: ACM-CCS, 25th ACM Conference on Computer and 
Communications Security, Toronto, Canada; https://www.sigsac.org/ccs/CCS2018/papers.html 10/16/18-10/18/18: CRiSIS, 13th International Conference on Risks and Security of Internet and Systems, Arcachon, France; http://crisis2018.labri.fr 10/29/18-10/31/18: ICICS, 20th International Conference on Information and Communications Security, Lille, France; http://conference.imt-lille-douai.fr/icics2018/ 11/ 1/18: SP, 40th IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2019/ Submissions are due 11/26/18-11/27/18: SSR, 4th Conference on Security Standards Research, Darmstadt, Germany; https://ssr2018.net/ 11/28/18-11/30/18: ISDDC, International Conference on Intelligent, Secure and Dependable Systems in Distributed and Cloud Environments, Vancouver, BC, Canada; http://www.isddc.org/2018/ 11/28/18-11/30/18: NordSec, 23rd Nordic Conference on Secure IT Systems, Oslo, Norway,; https://securitylab.no/nordsec18/ 12/ 1/18: SP, 40th IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2019/ Submissions are due 12/ 3/18-12/7/18: ACSAC, 2018 Annual Computer Security Applications Conference, San Juan, Puerto Rico, USA; https://www.acsac.org 1/28/19- 1/30/19: IFIP 11.9 DF, 15th Annual IFIP WG 11.9 International Conference on Digital Forensics, Orlando, Florida, USA; http://www.ifip119.org 5/20/19- 5/22/19: SP, 40th IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2019/ ____________________________________________________________________ Journal, Conference and Workshop Calls-for-Papers (new since Cipher E143) ___________________________________________________________________ SP 2019 40th IEEE Symposium on Security and Privacy, San Francisco, CA, USA, May 20-22, 2019. 
(Submissions due first day of each month)
https://www.ieee-security.org/TC/SP2019/

Since 1980 in Oakland, the IEEE Symposium on Security and Privacy has been the premier forum for computer security research, presenting the latest developments and bringing together researchers and practitioners. We solicit previously unpublished papers offering novel research contributions in any aspect of security or privacy. Papers may present advances in the theory, design, implementation, analysis, verification, or empirical evaluation and measurement of secure systems. Topics of interest include:
- Access control and authorization
- Accountability
- Anonymity
- Application security
- Attacks and defenses
- Authentication
- Censorship resistance
- Cloud security
- Distributed systems security
- Economics of security and privacy
- Embedded systems security
- Forensics
- Hardware security
- Intrusion detection and prevention
- Malware and unwanted software
- Mobile and Web security and privacy
- Language-based security
- Network and systems security
- Privacy technologies and mechanisms
- Protocol security
- Secure information flow
- Security and privacy for the Internet of Things
- Security and privacy metrics
- Security and privacy policies
- Security architectures
- Usable security and privacy

This topic list is not meant to be exhaustive; S&P is interested in all aspects of computer security and privacy. Papers without a clear application to security or privacy, however, will be considered out of scope and may be rejected without full review.

Systematization of Knowledge Papers

As in past years, we solicit systematization of knowledge (SoK) papers that evaluate, systematize, and contextualize existing knowledge, as such papers can provide a high value to our community.
Suitable papers are those that provide an important new viewpoint on an established, major research area, support or challenge long-held beliefs in such an area with compelling evidence, or present a convincing, comprehensive new taxonomy of such an area. Survey papers without such insights are not appropriate. Submissions will be distinguished by the prefix "SoK:" in the title and a checkbox on the submission form. They will be reviewed by the full PC and held to the same standards as traditional research papers, but they will be accepted based on their treatment of existing work and value to the community, and not based on any new research results they may contain. Accepted papers will be presented at the symposium and included in the proceedings. Workshops The Symposium is also soliciting submissions for co-located workshops. Further details on submissions can be found at https://www.ieee-security.org/TC/SP2019/workshops.html. Ongoing Submissions To enhance the quality and timeliness of the scientific results presented as part of the Symposium, and to improve the quality of our reviewing process, IEEE S&P now accepts paper submissions 12 times a year, on the first of each month. The detailed process can be found at the conference call-for-papers page. ------------------------------------------------------------------------- ICICS 2018 20th International Conference on Information and Communications Security, Lille, France, October 29-31, 2018. (Submissions due 8 June 2018) http://conference.imt-lille-douai.fr/icics2018/ The conference started in 1997 and aims at bringing together leading researchers and practitioners from both academia and industry to discuss and exchange their experiences, lessons learned, and insights related to computer and communications security. Original papers offering novel research contributions on all aspects of information and communications security are solicited for submission to ICICS 2018. 
Topics of interest include, but are not limited to: - Access control - Anonymity - Applied cryptography - Authentication and authorization - Biometrics security - Blockchain and digital currency security - Cloud security - Computer and digital forensics - Cyber-Physical Systems security - Data and system integrity - Database security - Distributed systems security - E-Commerce security and trust issues - Embedded systems security - Engineering issues of cryptographic protocols and security systems - Fraud and cyber-crime - Hardware security - Identity access management - Industrial Control Systems security - Information hiding and watermarking - Insider threat detection - Intellectual property protection - Intrusion detection - IoT security and privacy - Key management and key recovery - Language-based security - Malware and Anti-malware - Mobile computing security and privacy - Network security - Network Functions Virtualization security - Operating systems security - Post-snowden cryptography - Privacy protection - Privacy-preserving data mining - Risk assessment - Social networks security, privacy and trust - Software Defined Networking security - Security management - Security models, metrics, and policies - Security and privacy of Big Data - Security of Critical Infrastructures - Trust and reputation systems - Trusted computing and trustworthy computing technologies - Usable security and privacy - Underground economy - Verification of security protocols - Web security - Wireless security ------------------------------------------------------------------------- STM 2018 14th International Workshop on Security and Trust Management, Co-located with the 23rd European Symposium On Research in Computer Security (ESORICS 2018), Barcelona, Spain, September 6-7, 2018. (Submissions due 16 June 2018) https://www.nics.uma.es/pub/stm18 STM (Security and Trust Management) is a working group of ERCIM (European Research Consortium in Informatics and Mathematics). 
STM 2018 is the fourteenth workshop in this series and will be held in Barcelona, Spain, in conjunction with the 23rd European Symposium On Research in Computer Security (ESORICS 2018). The workshop seeks submissions from academia, industry, and government presenting novel research on all theoretical and practical aspects of security and trust in ICTs.

-------------------------------------------------------------------------
SSR 2018 4th Conference on Security Standards Research, Darmstadt, Germany, November 26-27, 2018. (Submissions due 22 June 2018)
https://ssr2018.net/

The purpose of this conference is to discuss the many research problems deriving from studies of existing standards, the development of revisions to existing standards, and the exploration of completely new areas of standardisation. Indeed, many security standards bodies are only beginning to address the issue of transparency, so that the process of selecting security techniques for standardisation can be seen to be as scientific and unbiased as possible. This year, we hope to tap into the current trend, which has seen more standardisation efforts being open to interaction with academics. This follows in the footsteps of IETF's design approach for TLS 1.3, which has seen substantial academic input. Similarly, several post-quantum efforts have seen interaction between academia and industry. This conference is intended to cover the full spectrum of research on security standardisation, including, but not restricted to, work on cryptographic techniques (including ANSI, IEEE, IETF, ISO/IEC JTC 1/SC 27, ITU-T and NIST), security management, security evaluation criteria, network security, privacy and identity management, smart cards and RFID tags, biometrics, security modules, and industry-specific security standards (e.g. those produced by the payments, telecommunications and computing industries for such things as payment protocols, mobile telephony and trusted computing).
-------------------------------------------------------------------------
CRiSIS 2018 13th International Conference on Risks and Security of Internet and Systems, Arcachon, France, October 16-18, 2018.
(Submissions due 6 July 2018)
http://crisis2018.labri.fr

The International Conference on Risks and Security of Internet and Systems 2018 will be the 13th in a series dedicated to security issues in Internet-related applications, networks and systems. The Internet has become essential for the exchange of information between user groups and organizations from different backgrounds and with different needs and objectives. These users are exposed to increasing risks regarding security and privacy, due to the development of more and more sophisticated online attacks, the growth of Cyber Crime, etc. Attackers nowadays do not lack motivation and they are more and more experienced. To make matters worse, tools for performing attacks have become easily accessible. Moreover, the increasing complexity as well as the immaturity of new technologies such as pervasive, mobile and wireless devices and networks, raise new security challenges. In this context, new security mechanisms and techniques should be deployed to achieve an assurance level acceptable for critical domains such as energy, transportation, health, defence, banking, critical infrastructures, embedded systems and networks, avionics systems, etc.

The CRiSIS conference offers a remarkable forum for computer and network security actors from industry, academia and government to meet, exchange ideas and present recent advances on Internet-related security threats and vulnerabilities, and on the solutions that are needed to counter them. The topics addressed by CRiSIS range from the analysis of risks, attacks to networks and system survivability, to security models, security mechanisms and privacy enhancing technologies. The authors are invited to submit research results as well as practical experiment or deployment reports.
Industrial papers about applications or case studies are also welcomed in different domains (e.g., telemedicine, banking, e-government, e-learning, e-commerce, critical infrastructures, mobile networks, embedded applications, etc.).

-------------------------------------------------------------------------
ISDDC 2018 International Conference on Intelligent, Secure and Dependable Systems in Distributed and Cloud Environments, Vancouver, BC, Canada, November 28-30, 2018.
(Submissions due 20 July 2018)
http://www.isddc.org/2018/

This conference solicits papers addressing issues related to the design, analysis, and implementation of dependable and secure infrastructures, systems, architectures, algorithms, and protocols that deal with network computing, mobile/ubiquitous systems, cloud systems, and IoT systems.

-------------------------------------------------------------------------
NordSec 2018 23rd Nordic Conference on Secure IT Systems, Oslo, Norway, November 28-30, 2018.
(Submissions due 10 August 2018)
https://securitylab.no/nordsec18/

NordSec addresses a broad range of topics within IT security with the aim of bringing together computer security researchers and encouraging interaction between academia and industry. In addition to regular research paper submissions, we invite participants to present their ideas in poster sessions during lunches and coffee breaks.
NordSec 2018 welcomes contributions within, but not limited to, the following areas:
- Access control and security models
- Applied cryptography
- Blockchains
- Cloud security
- Commercial security policies and enforcement
- Cryptanalysis
- Cryptographic protocols
- Cyber crime, warfare, and forensics
- Economic, legal, and social aspects of security
- Enterprise security
- Hardware and smart card security
- Mobile and embedded security
- Internet of Things and M2M security
- Internet, communication, and network security
- Intrusion detection
- Language-based techniques for security
- New ideas and paradigms in security
- Operating system security
- Privacy and anonymity
- Public-key cryptography
- Security and machine learning
- Security education and training
- Security evaluation and measurement
- Security management and audit
- Security protocols
- Security usability
- Social engineering and phishing
- Software security and malware
- Symmetric cryptography
- Trust and identity management
- Trusted computing
- Vulnerability testing
- Web application security

-------------------------------------------------------------------------
IFIP 11.9 DF 2019 15th Annual IFIP WG 11.9 International Conference on Digital Forensics, Orlando, Florida, USA, January 28-30, 2019.
(Submissions due 17 September 2018)
http://www.ifip119.org

The IFIP Working Group 11.9 on Digital Forensics (www.ifip119.org) is an active international community of scientists, engineers and practitioners dedicated to advancing the state of the art of research and practice in digital forensics. The Fifteenth Annual IFIP WG 11.9 International Conference on Digital Forensics will provide a forum for presenting original, unpublished research results and innovative ideas related to the extraction, analysis and preservation of all forms of electronic evidence. Papers and panel proposals are solicited. All submissions will be refereed by a program committee comprising members of the Working Group.
Papers and panel submissions will be selected based on their technical merit and relevance to IFIP WG 11.9. The conference will be limited to approximately sixty participants to facilitate interactions between researchers and intense discussions of critical research issues. Keynote presentations, revised papers and details of panel discussions will be published as an edited volume - the fifteenth volume in the well-known Research Advances in Digital Forensics book series (Springer, Heidelberg, Germany) during the summer of 2019. Technical papers are solicited in all areas related to the theory and practice of digital forensics. Areas of special interest include, but are not limited to:
- Theories, techniques and tools for extracting, analyzing and preserving digital evidence
- Enterprise and cloud forensics
- Embedded device forensics
- Internet of Things forensics
- Digital forensic processes and workflow models
- Digital forensic case studies
- Legal, ethical and policy issues related to digital forensics

-------------------------------------------------------------------------
Springer International Journal of Information Security, Special Issue on IoT Security and Privacy,
(Submissions due 1 October 2018)
https://link.springer.com/journal/10207

Guest Editors: Takeshi Takahashi (National Institute of Information and Communications Technology, Japan), Rodrigo Roman Castro (Universidad de Malaga, Spain), Ryan Ko (University of Waikato, New Zealand), Bilhanan Silverajan (Tampere University of Technology, Finland), and Said Tabet (Dell EMC, USA).

The Internet is gradually transforming from a communication platform for conventional IT appliances into the Internet of Things (IoT), increasingly interconnecting many assorted devices and sensors. These devices are generally referred to as IoT devices, and many of them are inexpensive and can be constrained in terms of energy, bandwidth and memory.
The establishment of IoT ecosystems in various domains is bringing multiple benefits to human users and companies alike. Examples of such domains include Smart Homes, Smart Cities, the Industrial Internet and even Intelligent Transportation Systems. However, the IoT as a whole - including related paradigms such as Machine-to-Machine (M2M) and Cyber-Physical Systems (CPS) - is susceptible to a multitude of threats. In fact, many IoT devices currently are insecure and have many security vulnerabilities. For example, many vulnerable IoT devices which have been infected with malware have subsequently become part of large botnets, resulting in devastating DDoS attacks. Consequently, ensuring the security of such IoT ecosystems - before, during, and after an attack takes place - is a crucial issue for our society at this moment.

This special issue aims to collect contributions by leading-edge researchers from academia and industry, show the latest research results in the field of IoT security and privacy, and provide valuable information to researchers as well as practitioners, standards developers and policymakers. Its aim is to focus on the research challenges and issues in IoT security. Manuscripts regarding novel algorithms, architectures, implementations, and experiences are welcome.
Topics include but are not limited to:
- Secure protocols for IoT devices
- Privacy solutions and privacy helpers for IoT environments
- Trust frameworks and secure/private collaboration mechanisms for IoT environments
- Secure management and self-healing for IoT environments
- Operating systems security for IoT devices
- Security diagnosis tools for IoT devices
- Threat and vulnerability detection in IoT environments
- Anomaly detection and prevention mechanisms in IoT networks
- Case studies of malware analysis in IoT environments
- IoT forensics and digital evidence
- Testbeds and experimental facilities for IoT security analysis and research
- Standardization activities for IoT security
- Security and privacy solutions tailored to specific IoT domains and ecosystems

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================
____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe". OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".
OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy (or other TCs) by completing the on-line form at IEEE at https://www.computer.org/web/tandc/technical-committees

______________________________________________________________________
TC Conference Publications Online
______________________________________________________________________

The proceedings of previous conferences are available from the Computer Society's Digital Library.

IEEE Security and Privacy Symposium
IEEE Computer Security Foundations
IEEE European Security and Privacy Symposium

From 2012 onward, these are available without charge from the digital library 12 months after the conference.

____________________________________________________________________________
TC Officers and SP Steering Committee
____________________________________________________________________________

Chair:
Sean Peisert
UC Davis and Lawrence Berkeley National Laboratory
speisert@ucdavis.edu

Security and Privacy Symposium Chair Emeritus:
Kevin R. B. Butler
University of Florida
oakland17-chair@ieee-security.org

Vice Chair:
Ulfar Erlingsson
Manager, Security Research
Google
tcchair at ieee-security.org

Treasurer:
Yong Guan
3219 Coover Hall
Department of Electrical and Computer Engineering
Iowa State University, Ames, IA 50011
(515) 294-8378
yguan (at) iastate.edu

Newsletter Editor and TC Awards Chair:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Woodland Hills, UT 84653
cipher-editor@ieee-security.org

Security and Privacy Symposium, 2018 Chair:
Jason Li
Intelligent Automation
oakland18-chair@ieee-security.org

____________________________________________________________________________

BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year