Electronic CIPHER, Issue 146, November 20, 2018 _/_/_/_/ _/_/_/ _/_/_/_/ _/ _/ _/_/_/_/ _/_/_/_/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/_/_/_/ _/_/_/_/ _/_/ _/_/_/_/ _/ _/ _/ _/ _/ _/ _/ _/ _/_/_/_/ _/_/_/ _/ _/ _/ _/_/_/_/ _/ _/ ============================================================================ Newsletter of the IEEE Computer Society's TC on Security and Privacy Electronic Issue 146 November 20, 2018 Hilarie Orman, Editor Sven Dietrich, Assoc. Editor cipher-editor @ ieee-security.org cipher-assoc-editor @ ieee-security.org Sven Dietrich Yong Guan Book Review Editor Calendar Editor cipher-bookrev @ ieee-security.org cipher-cfp @ ieee-security.org ============================================================================ The newsletter is also at http://www.ieee-security.org/cipher.html Cipher is published 6 times per year Contents: * Letter from the Editor * Commentary and Opinion and News o Sven Dietrich's review of "Cryptography" by William J. Buchanan OBE o News items - 2-Factor is no panacea - Hal the Hacker - Facebook holds Messenger calls private - Giving up the kingdom to get rid of ads - 3 errors put 50 million at risk (oh, only 30 million) - NZ says 'welcome, password holder' - The stealth chip is finally here, or is it? - Google had a secret bug o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website * List of Computer Security Academic Positions, by Cynthia Irvine * Conference and Workshop Announcements * Staying in Touch o Information for subscribers and contributors o Recent address changes * Links for the IEEE Computer Society TC on Security and Privacy o Becoming a member of the TC o TC Officers o TC publications for sale ==================================================================== Letter from the Editor ==================================================================== Dear Readers: This is our first issue since last July. 
Wildfires in Utah disrupted the editor's life enough to force cancellation of the newsletter, but ultimately there was no damage (unlike the horrific California fires), and now we are back with all your computer security news.

By now, all the potential papers for the 2019 Security and Privacy and also Euro S&P have been submitted, and the committees are hard at work evaluating them. Make plans to attend a conference next year, and start preparing papers for 2020. The GREPSEC workshop for diversity in computer security research will be held in 2019 just prior to S&P. The application instructions will be posted at http://ieee-security.org/grepsec in January.

There is a small effort within the Computer Society to take some organizational steps towards helping to increase diversity across all the Technical Committees. If you have ideas for this or want to participate, please contact Jean-Luc Gaudiot (the Board of Governors sponsor for this ad hoc effort) at gaudiot@uci.edu .

The Quantum Algorithm Not Executed

Two roads diverged in a yellow wood,
And sorry I could not travel both
And be one traveler, ...
Wait, I thought, let me and my entangled self,
Take both roads, and later meet,
And in doing so, collapse our experiences.
This I did, but when the time arrived
To resolve myselves to one,
I simply traveled on, uncaring of that other road,
More traveled by, and its consequential differences.
(With apologies to Robert Frost and Erwin Schroedinger) Hilarie Orman cipher-editor @ ieee-security.org ==================================================================== Commentary and Opinion ==================================================================== Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html ____________________________________________________________________ Book Review By Sven Dietrich Nov 18, 2018 ____________________________________________________________________ Cryptography by William J. Buchanan OBE River Publishers 2017. ISBN 978-87-93379-10-7 Cryptography, the art of secret writing, is at the center of most computer security curricula. The topic has edged into more public awareness with ransomware encrypting our files, with cryptocurrencies allowing us to exchange money in a peer-to-peer fashion, with smart contracts opening new business opportunities, with confidential conversations using Signal, with whistleblowers communicating securely with journalists, and many more. The book is written as a textbook, divided into twelve chapters, with introductory material, the theory, practical explorations for some topics including code samples and labs/tutorials, and academic paper references for deeper study at the end of each chapter. A lot of the supporting material is on a companion website, whether it be a demo, examples that the reader can work out, or errata in the book. The book takes a very pragmatic and hands-on approach, pointing to tools commonly found in modern operating systems. 
The chapter titles, in order, are Cipher and Fundamentals, Secret Key Encryption, Hashing, Public Key, Key Exchange, Authentication and Digital Certificates, Tunneling, Crypto Cracking, Light-weight Cryptography and Other Methods, Blockchain and Crypto-currency, Zero-knowledge Proof (ZKP) and Privacy Preserving, and Wireless Cryptography and Stream Ciphers.

The first two chapters provide the basics for a proper understanding of ciphers, looking at basic cryptosystems and their attacks such as brute-force and frequency analysis, the mathematical background in number theory, as well as coding techniques. The third chapter, on hashing, addresses the issues encountered with hash functions over the last few years, leading up to the standardization of SHA-3. The practice of password hashing is mentioned in this context, as well as the related password cracking.

The next two chapters talk about Public Key techniques, such as the RSA, Elliptic Curve Cryptography, ElGamal, Cramer-Shoup and Paillier cryptosystems, as well as Knapsack problems and Identity-based Encryption, and about Key Exchange, covering the Diffie-Hellman and Elliptic Curve variants. In the Authentication and Digital Certificates chapter, we see Public Key Infrastructure (PKI) and Trust, email encryption, the mythical Kerberos, and other methods of authentication. Following that chapter, in Tunnels we segue into the SSL/TLS protocols, Virtual Private Networks (VPNs), and examining Tor traffic. The Crypto Cracking chapter covers Key Escrow, seven attacks on RSA, three on AES, and cracking Digital Certificates. Color diagrams illustrate how the attacks work, with sample runs for a better understanding.

The next chapter, Light-weight Cryptography and Other Methods, brings a timely topic into the limelight: light-weight cryptography for resource-constrained devices, a topic that NIST has given guidance about in recent times, especially with the tremendous growth of Internet-of-Things (IoT) devices.
Also of greater concern is the advent of quantum computers, hence the chapter includes a discussion of post-quantum cryptography to overcome the so-called cryptoapocalypse, which is to happen when Shor's algorithm and related techniques become practical.

The chapter on Blockchain and Crypto-currency discusses the cryptocurrency Bitcoin, blockchain, mining techniques, as well as Ethereum for smart contracts. As always, the web companion has related code and examples. As a next step, the author discusses Zero-Knowledge Proofs and Privacy Preserving techniques. Here we learn about Feige-Fiat-Shamir, Oblivious Transfers, Scrambled Circuits, the Millionaire's Problem, RAPPOR, and Secure Function Evaluation. Finally, the Wireless Cryptography and Stream Ciphers chapter rounds off the collection with a treatise on the stream ciphers and wireless standards in use (as well as some attacks on WPA2 PSK), even those used for mobile phone communications such as GSM. More recent attacks on the wireless standards such as KRACK are not covered in this 2017 edition, as expected.

William Buchanan has written a nice textbook to be used for an undergraduate applied cryptography course, a supplement for a computer security course, or a self-learning guide, covering most of the relevant topics that one would want to see treated. The topics feel a bit of a hodge-podge to me at times, but it keeps the reader alert and sharpens their ability to combine topics across traditional boundaries. It was a fun book to read.

--------------------------
Sven Dietrich reviews technology and security books for IEEE Cipher.
He welcomes your thoughts at spock at ieee dot org

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================
http://cisr.nps.edu/jobscipher.html

Posted November 2018

University of Nebraska-Lincoln
Lincoln, Nebraska, USA
Assistant Professor of Computer Science and Engineering (Cybersecurity)
Closes November 15, 2018, but open until filled
URL of position description: https://cse.unl.edu/facultysearch#13299

--------------
This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
News Briefs
====================================================================
News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

---------------------
2-Factor is no panacea
Reddit user data compromised in sophisticated hack
The Guardian
Aug 6, 2018
By Samuel Gibbs
https://www.theguardian.com/technology/2018/aug/02/reddit-user-information-usernames-passwords-email-addresses-hack
Summary: By targeting the accounts of privileged Reddit employees, hackers got access to two stores of user data and were not detected for a few days. The cellphone accounts of the employees had been compromised so that the SMS messages for Reddit's two-factor authentication were intercepted. Users of Reddit should consider changing their passwords.
------------------
Hal the Hacker
New genre of artificial intelligence programs take computer hacking to another level
Reuters
Aug 8, 2018
By Joseph Menn
https://www.reuters.com/article/us-cyber-conference-ai/new-genre-of-artificial-intelligence-programs-take-computer-hacking-to-another-level-idUSKBN1KT120
Summary: Ahead of the Black Hat conference, a team of researchers at IBM talked about their use of machine learning to develop defense-evading malware. Industry experts interviewed for the story claimed that AI-designed hacking tools would become a real threat in the next few years. One claimed that "Whoever you personally consider evil is already working on this." [Editor's Note: The top rank of the Cipher Editor's personal evil list does not include any cybersecurity experts.]

------------------
Facebook holds Messenger calls private
Exclusive: In test case, U.S. fails to force Facebook to wiretap Messenger calls - sources
Reuters
Sep 28, 2018
By Joseph Menn, Dan Levine
https://www.reuters.com/article/us-facebook-encryption-exclusive/exclusive-in-test-case-u-s-fails-to-force-facebook-to-wiretap-messenger-calls-sources-idUSKCN1M82K1
Summary: In a sealed decision in U.S. District Court in Fresno, a federal and state task force was rebuffed in its effort to compel Facebook to wiretap calls made with the Messenger app. In monitoring the MS-13 gang, the task force had been able to tap all ordinary phone calls, but not Messenger. At issue were 3 Messenger calls made by indicted gang members.

------------------
Giving up the kingdom to get rid of ads
Popular Mac App Adware Doctor Actually Acts Like Spyware
WIRED
Sep 28, 2018
By Lily Hay Newman
https://www.wired.com/story/adware-doctor-mac-app-store-spyware/
Summary: Despite Apple's attempts to keep its App Store clean, a very popular app called Adware Doctor appeared to be a double agent.
In addition to its main function of blocking unwanted ads, the app also collected information about what other apps the user ran and sent that information regularly to a server in China. Researchers complained that Apple did not respond forcefully to their concerns, and that the app is, in fact, a reincarnation of an app that was previously banned.

------------------
Facebook - 3 errors make one hot mess
Facebook says big breach exposed 50 million accounts to full takeover
Reuters
Sep 29, 2018
By Munsif Vengattil, Arjun Panchadar, Paresh Dave
https://www.reuters.com/article/us-facebook-cyber/facebook-says-big-breach-exposed-50-million-accounts-to-full-takeover-idUSKCN1M82BK
Summary: Facebook noticed a large surge in use of the "view as" feature that lets a user see his page as though he were an ordinary user, not the owner of the page. After some deep diving into the code, Facebook engineers found that three logic errors combined to open a gaping security hole that let hackers steal the private data of some tens of millions of users. It was a "complex" bug with huge implications.

---
Facebook data breach, don't worry, it's only 30 million
Hackers accessed personal information of 30 million Facebook users
CNN
Oct 12, 2018
By Donie O'Sullivan
https://www.cnn.com/2018/10/12/tech/facebook-hack-personal-information-accessed/index.html
Summary: On further examination, Facebook came up with the cheerful news that only 30 million accounts had been impacted by the "complex" bug, and of those, only 14 million were subjected to examination of personal user data. [Editor's note: Facebook recently purged a billion "fake" accounts. Perhaps some of them were in the "hacked" category.]
------------------
NZ says 'welcome, password holder'
New Zealand's 'digital strip searches': Give border agents your passwords or risk a $5,000 fine
The Washington Post
Oct 2, 2018
By Isaac Stanley-Becker
https://www.washingtonpost.com/news/morning-mix/wp/2018/10/02/new-zealands-digital-strip-searches-give-border-agents-your-device-passwords-or-risk-a-5000-fine/
Summary: New Zealand has new legislation affecting incoming travelers that "balances the protection of New Zealand with individual rights" by allowing customs agents to demand all passwords necessary to examine a traveler's digital devices. Failure to comply would risk seizure of the items and subjecting them to forensic analysis. Not to worry, this can only be done if the customs officers have reason to suspect wrongdoing.

------------------
The stealth chip is finally here, or is it?
The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies
Bloomberg
Oct 4, 2018
By Jordan Robertson and Michael Riley
https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies
Summary: The possibility of adding secret functionality to computer chips, in order to allow the operation of malware, is a problem that has been bothering security experts for a long time. This Bloomberg story says that that day has arrived, and it shows pictures of a tiny bump of metal on a computer board that may have been shipped to many US companies through a trustworthy third party. The board originated in China, and the chip, it is said, compromised the boot process and allowed malware to exfiltrate data to some remote site. There is a great deal of argument about whether or not any US companies used the compromised boards. They may have only used them during an evaluation period, or the boards might not exist at all.
In the weeks after the story was published, all the named companies denied it, and the FBI announced that it had no open investigation and knew nothing about the boards.

------------------
Google had a secret bug
Google for months kept secret a bug that imperiled the personal data of Google+ users
The Washington Post
Oct 8, 2018
By Craig Timberg, Renae Merle and Cat Zakrzewski
https://www.washingtonpost.com/technology/2018/10/08/google-overhauls-privacy-rules-after-discovering-exposure-user-data/
Summary: Google found a serious privacy bug in its Google+ service, but it did not inform government regulators or users for several months. At that time, it announced that it would be winding down the Google+ service, it would impose new privacy limits on developers of Android apps, and it would limit the sharing of information about Gmail users. Google said it could not notify users about the bug when it was first discovered because it was not sure which users were affected.
====================================================================
Upcoming Calls-For-Papers and Events
====================================================================
The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

Cipher calendar entries are announced on Twitter; follow ciphernews

Requests for inclusion in the list should be sent per instructions: http://www.ieee-security.org/Calendar/submitting.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________
11/13/18: EuroSP, 4th IEEE European Symposium on Security and Privacy, Stockholm, Sweden; https://www.ieee-security.org/TC/EuroSP2019/cfp.php Submissions are due
11/26/18-11/27/18: SSR, 4th Conference on Security Standards Research, Darmstadt, Germany; https://ssr2018.net/
11/28/18-11/30/18: ISDDC, International Conference on Intelligent, Secure and Dependable Systems in Distributed and Cloud Environments, Vancouver, BC, Canada; http://www.isddc.org/2018/
11/28/18-11/30/18: NordSec, 23rd Nordic Conference on Secure IT Systems, Oslo, Norway; https://securitylab.no/nordsec18/
11/30/18: MDPI Informatics, Special Issue Human Factors in Security and Privacy in IoT (HFSP-IoT); https://www.mdpi.com/journal/informatics/special_issues/HFSP-IoT Submissions are due
11/30/18: PET, 19th Privacy Enhancing Technologies Symposium, Stockholm, Sweden; https://petsymposium.org/cfp19.php Submissions are due
12/ 1/18: SP, 40th IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2019/ Submissions are due
12/ 3/18-12/ 7/18: ACSAC, 2018 Annual Computer Security Applications Conference, San Juan, Puerto Rico, USA; https://www.acsac.org
12/ 4/18: IEEE Internet Computing Magazine, Special Issue on the Meaning of Identity on the Internet; https://publications.computer.org/internet-computing/2018/05/31/meaning-identity-internet-call-papers/ Submissions are due
12/ 6/18: Elsevier Pervasive and Mobile Computing, Special issue on Blockchain Technology and Applications; https://www.journals.elsevier.com/pervasive-and-mobile-computing/call-for-papers/special-issue-on-blockchain-technology-and-applications Submissions are due
12/15/18: IWSPA, 5th International Workshop on Security and Privacy Analytics, Co-located with ACM CODASPY 2019, Dallas, TX, USA; https://sites.google.com/view/iwspa-2019/home Submissions are due
12/21/18: CNS, IEEE Conference on Communications and Network Security, Washington, D.C., USA; http://cns2019.ieee-cns.org/ Submissions are due
12/31/18: Springer Human-centric Computing and Information Sciences, Thematic Issue on Security, trust and privacy for Human-centric Internet of Things; https://hcis-journal.springeropen.com/securityhciot Submissions are due
12/31/18: Journal of Parallel and Distributed Computing, Special Issue on Security & Privacy in Social Big Data; https://www.journals.elsevier.com/journal-of-parallel-and-distributed-computing/call-for-papers/security-privacy-in-social-big-data Submissions are due
 1/ 1/19: SP, 40th IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2019/ Submissions are due
 1/25/19: ACM WiSec, 12th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Miami Beach, FL, USA; https://wisec19.fiu.edu/ Submissions are due
 1/28/19- 1/30/19: IFIP 11.9 DF, 15th Annual IFIP WG 11.9 International Conference on Digital Forensics, Orlando, Florida, USA; http://www.ifip119.org
 1/31/19: ACM-CCS, 26th ACM Conference on Computer and Communications Security, London, United Kingdom; http://www.sigsac.org/ccs/CCS2019/ Submissions are due
 2/10/19: SACMAT, 24th ACM Symposium on Access Control Models and Technologies, Toronto, Canada; http://www.sacmat.org/ Submissions are due
 2/15/19: USENIX-Security, 28th USENIX Security Symposium, Santa Clara, CA, USA; https://www.usenix.org/conference/usenixsecurity19 Submissions are due
 2/24/19- 2/27/19: NDSS, 26th Annual Network and Distributed System Security Symposium, San Diego, California, USA; https://www.ndss-symposium.org/ndss2019/ndss-2019-call-for-papers/
 2/28/19: PET, 19th Privacy Enhancing Technologies Symposium, Stockholm, Sweden; https://petsymposium.org/cfp19.php Submissions are due
 3/ 1/19: Blockchain, IEEE International Conference on Blockchain, Atlanta, GA, USA; http://www.blockchain-ieee.org/ Submissions are due
 3/25/19- 3/27/19: CODASPY, 9th ACM Conference on Data and Application Security and Privacy, Dallas, TX, USA; http://www.codaspy.org
 3/27/19: IWSPA, 5th International Workshop on Security and Privacy Analytics, Co-located with ACM CODASPY 2019, Dallas, TX, USA; https://sites.google.com/view/iwspa-2019/home
 5/15/19- 5/17/19: ACM WiSec, 12th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Miami Beach, FL, USA; https://wisec19.fiu.edu/
 5/15/19: ACM-CCS, 26th ACM Conference on Computer and Communications Security, London, United Kingdom; http://www.sigsac.org/ccs/CCS2019/ Submissions are due
 5/20/19- 5/22/19: SP, 40th IEEE Symposium on Security and Privacy, San Francisco, CA, USA; https://www.ieee-security.org/TC/SP2019/
 6/ 4/19- 6/ 6/19: SACMAT, 24th ACM Symposium on Access Control Models and Technologies, Toronto, Canada; http://www.sacmat.org/
 6/10/19- 6/12/19: CNS, IEEE Conference on Communications and Network Security, Washington, D.C., USA; http://cns2019.ieee-cns.org/
 6/17/19- 6/19/19: EuroSP, 4th IEEE European Symposium on Security and Privacy, Stockholm, Sweden; https://www.ieee-security.org/TC/EuroSP2019/cfp.php
 7/14/19- 7/17/19: Blockchain, IEEE International Conference on Blockchain, Atlanta, GA, USA; http://www.blockchain-ieee.org/
 7/16/19- 7/20/19: PET, 19th Privacy Enhancing Technologies Symposium, Stockholm, Sweden; https://petsymposium.org/cfp19.php
 8/14/19- 8/16/19: USENIX-Security, 28th USENIX Security Symposium, Santa Clara, CA, USA; https://www.usenix.org/conference/usenixsecurity19
 9/ 1/19: ACM-CCS, 26th ACM Conference on Computer and Communications Security, London, United Kingdom; http://www.sigsac.org/ccs/CCS2019/ Submissions are due
11/11/19-11/15/19: ACM-CCS, 26th ACM Conference on Computer and Communications Security, London, United Kingdom; http://www.sigsac.org/ccs/CCS2019/

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers (new since Cipher E145)
___________________________________________________________________

SP 2019
40th IEEE Symposium on Security and Privacy, San Francisco, CA, USA, May 20-22, 2019. (Submissions Due first day of each month)
https://www.ieee-security.org/TC/SP2019/
NB: Submissions for the 2019 conference are closed; papers submitted now will be considered for the 2020 conference.

Since 1980 in Oakland, the IEEE Symposium on Security and Privacy has been the premier forum for computer security research, presenting the latest developments and bringing together researchers and practitioners. We solicit previously unpublished papers offering novel research contributions in any aspect of security or privacy. Papers may present advances in the theory, design, implementation, analysis, verification, or empirical evaluation and measurement of secure systems.
Topics of interest include:
- Access control and authorization
- Accountability
- Anonymity
- Application security
- Attacks and defenses
- Authentication
- Censorship resistance
- Cloud security
- Distributed systems security
- Economics of security and privacy
- Embedded systems security
- Forensics
- Hardware security
- Intrusion detection and prevention
- Malware and unwanted software
- Mobile and Web security and privacy
- Language-based security
- Network and systems security
- Privacy technologies and mechanisms
- Protocol security
- Secure information flow
- Security and privacy for the Internet of Things
- Security and privacy metrics
- Security and privacy policies
- Security architectures
- Usable security and privacy

This topic list is not meant to be exhaustive; S&P is interested in all aspects of computer security and privacy. Papers without a clear application to security or privacy, however, will be considered out of scope and may be rejected without full review.

Systematization of Knowledge Papers
As in past years, we solicit systematization of knowledge (SoK) papers that evaluate, systematize, and contextualize existing knowledge, as such papers can provide a high value to our community. Suitable papers are those that provide an important new viewpoint on an established, major research area, support or challenge long-held beliefs in such an area with compelling evidence, or present a convincing, comprehensive new taxonomy of such an area. Survey papers without such insights are not appropriate. Submissions will be distinguished by the prefix 'SoK:' in the title and a checkbox on the submission form. They will be reviewed by the full PC and held to the same standards as traditional research papers, but they will be accepted based on their treatment of existing work and value to the community, and not based on any new research results they may contain. Accepted papers will be presented at the symposium and included in the proceedings.
Workshops The Symposium is also soliciting submissions for co-located workshops. Further details on submissions can be found at https://www.ieee-security.org/TC/SP2019/workshops.html. Ongoing Submissions To enhance the quality and timeliness of the scientific results presented as part of the Symposium, and to improve the quality of our reviewing process, IEEE S&P now accepts paper submissions 12 times a year, on the first of each month. The detailed process can be found at the conference call-for-papers page. ------------------------------------------------------------------------- EuroSP 2019 4th IEEE European Symposium on Security and Privacy, Stockholm, Sweden, June 17-19, 2019. (Submissions Due 13 November 2018) https://www.ieee-security.org/TC/EuroSP2019/cfp.php The IEEE European Symposium on Security and Privacy (EuroS&P) is the European sister conference of the established IEEE S&P symposium. It is a premier forum for computer security research, presenting the latest developments and bringing together researchers and practitioners. We solicit previously unpublished papers offering novel research contributions in security or privacy. The emphasis is on building or attacking real systems, even better if actually deployed, rather than presenting purely theoretical results. Papers may present advances in the design, implementation, analysis, verification, or empirical evaluation and measurement of secure systems. Papers that shed new light on past results by means of sound theory or thorough experimentation are also welcome. 
Topics of interest include:
- Access control
- Accountability
- Anonymity
- Application security
- Attacks and defenses
- Authentication
- Blockchain
- Censorship and censorship-resistance
- Cloud security
- Cryptography with applied relevance to security and privacy
- Distributed systems security
- Embedded systems security
- Forensics
- Formal methods for security
- Hardware security
- Human aspects of security and privacy
- Intrusion detection
- IoT security and privacy
- Language-based security
- Malware
- Metrics
- Mobile security and privacy
- Network security
- Privacy-preserving systems
- Protocol security
- Secure information flow
- Security and privacy policies
- Security architectures
- Security usability
- System security
- Web security and privacy

-------------------------------------------------------------------------
MDPI Informatics, Special Issue Human Factors in Security and Privacy in IoT (HFSP-IoT), (Submissions Due 30 November 2018)
https://www.mdpi.com/journal/informatics/special_issues/HFSP-IoT
Guest Editors: Karen Renaud (Abertay University, UK) and Melanie Volkamer (Karlsruhe Institute of Technology, Germany).

This special issue of the Informatics journal welcomes submissions on the topic of security and privacy in the context of IoT while focusing on the human aspect. IoT covers the smart home, including devices such as digital assistants (e.g., Google Home and Alexa), and smart health, including devices such as fitness trackers.
Several aspects are of high interest for this special issue, including:
- Investigations into the deployment of these solutions, especially studies related to acceptability of these solutions
- Research into how humans are expected to interact with IoT devices to secure them, and how they can be compromised
- Research into how humans are expected to configure IoT devices to preserve their privacy, and perceptions of privacy-related IoT behaviours
- Studies that reveal new security vulnerabilities or privacy violations facilitated by the design of the "Human-IoT" interface
- Studies on users' awareness and perception of potential security and privacy threats and risks

-------------------------------------------------------------------------
PET 2019
19th Privacy Enhancing Technologies Symposium, Stockholm, Sweden, July 16-20, 2019. (Submissions Due 31 May 2018, 31 August 2018, 30 November 2018, 28 February 2019)
https://petsymposium.org/cfp19.php

The annual Privacy Enhancing Technologies Symposium (PETS) brings together privacy experts from around the world to present and discuss recent advances and new perspectives on research in privacy technologies. Papers undergo a journal-style reviewing process and accepted papers are published in the journal Proceedings on Privacy Enhancing Technologies (PoPETs). PoPETs, a scholarly, open access journal for timely research papers on privacy, has been established as a way to improve reviewing and publication quality while retaining the highly successful PETS community event. PoPETs is published by De Gruyter Open, the world's second largest publisher of open access academic content, and part of the De Gruyter group, which has over 260 years of publishing history. PoPETs does not have article processing charges (APCs) or article submission charges.
Papers submitted to PETS/PoPETs should present novel practical and/or theoretical research into the design, analysis, experimentation, or fielding of privacy-enhancing technologies. Authors can submit papers to PoPETs four times a year, every three months, and are notified of the decisions about two months after submission. In addition to accept and reject decisions, papers may receive "resubmit with major revisions" decisions, in which case authors are invited to revise and resubmit their article to one of the following two issues. We endeavor to assign the same reviewers to revised versions. Papers accepted for an issue in the PoPETs 2019 volume must be presented at the symposium PETS 2019.

-------------------------------------------------------------------------
IEEE Internet Computing Magazine, Special Issue on the Meaning of Identity on the Internet, (Submissions Due 4 December 2018)
https://publications.computer.org/internet-computing/2018/05/31/meaning-identity-internet-call-papers/
Guest Editors: Hilarie Orman (Purple Streak, Inc., USA) and Kent Seamons (Brigham Young University, USA).

An online identity used to be a simple login name for a time-sharing system, but today an online presence consists of a fabric of identities created through websites, apps, and constantly evolving social media. We constantly deal with people, things, and institutions that have attributes and history that are varied, subject to change, secured through questionable practices, and authenticated both formally and informally. How do we transfer the concept of "who" to an Internet environment? This special issue will explore new trends in identity granting, establishment, verification, management, use, and trust in an Internet computing environment. We would like to highlight methods that have the potential for easily enabling identities to be used for a variety of Internet purposes.
We envision an Internet with a secure identity ecosystem that meets the needs of the world's population of billions of individuals and objects while balancing privacy and accountability. The technologies of the future may include blockchain, smart identity contracts, artificial intelligence, functional encryption, expanded use of social media identities, identity aggregation techniques, new types of biometrics, etc. We are interested in articles that cover how they can contribute to the overall vision. Topics of interest include but aren't limited to the following: - Methods and architectures that enable decentralized identity granting - Bringing digital online identities to the digitally disadvantaged - Attributing trust to an Internet identity - Innovation in secure identity management - New methods of proving identity - Usability issues in managing multiple identities ------------------------------------------------------------------------- Elsevier Pervasive and Mobile Computing, Special issue on Blockchain Technology and Applications, (Submissions Due 6 December 2018) https://www.journals.elsevier.com/pervasive-and-mobile-computing/call-for-papers/special-issue-on-blockchain-technology-and-applications Guest Editors: Paolo Mori (Institute of Informatics and Telematics, National Research Council of Italy, Italy), Wolfgang Prinz (Fraunhofer Institute for Applied Information Technology, Germany), Laura Ricci (University of Pisa, Italy), and Edgar Weippl (SBA Research, Austria). In recent years, blockchain technology has gained ever-growing popularity, in particular for its application to cryptocurrencies. Bitcoin is currently the best-known application of blockchain technology, and a number of alternative cryptocurrencies have been defined and are currently in use, e.g., Litecoin or Monero. However, the application of blockchain is not limited to cryptocurrencies. 
The immutability of the transactions and the absence of trusted intermediaries make blockchain technology suitable for many research and business scenarios, and a number of blockchains are currently available on the market. For instance, permissioned blockchains are meant to address those business scenarios where transactions need to be private, and their processing must be executed within a predefined group of known participants. Moreover, some blockchains (such as Ethereum or Quorum) allow the execution of Smart Contracts, thus paving the way to a wide range of new and interesting applications of the technology in several fields, such as: Internet of Things, Cyber Physical Systems, Edge Computing, Supply Chain Management, Social Networks, and many others. The aim of this special issue is to gather the latest research results concerning blockchain technology and its application in relevant scenarios, such as the ones previously listed. Researchers, experts, and scholars from both industry and academia are encouraged to present their recent achievements and research directions in this area. ------------------------------------------------------------------------- IWSPA 2019 5th International Workshop on Security and Privacy Analytics, Co-located with ACM CODASPY 2019, Dallas, TX, USA, March 27, 2019. (Submissions Due 15 December 2018) https://sites.google.com/view/iwspa-2019/home Increasingly, sophisticated techniques from machine learning, data mining, statistics and natural language processing are being applied to challenges in the security and privacy fields. However, experts from these areas have no medium where they can meet and exchange ideas so that strong collaborations can emerge, and cross-fertilization of these areas can occur. Moreover, current courses and curricula in security do not sufficiently emphasize background in these areas, and students in security and privacy are not emerging with deep knowledge of these topics. 
Hence, we propose a workshop that will address the research and development efforts in which analytical techniques from machine learning, data mining, natural language processing and statistics are applied to solve security and privacy challenges ("security analytics"). Submissions of papers related to methodology, design, techniques and new directions for security and privacy that make significant use of machine learning, data mining, statistics or natural language processing are welcome. Furthermore, submissions on educational topics and systems in the field of security analytics are also highly encouraged. ------------------------------------------------------------------------- CNS 2019 IEEE Conference on Communications and Network Security, Washington, D.C., USA, June 10-12, 2019. (Submissions Due 21 December 2018) http://cns2019.ieee-cns.org/ The IEEE Conference on Communications and Network Security (CNS) is a premier forum for cyber security researchers, practitioners, policy makers, and users to exchange ideas, techniques and tools, raise awareness, and share experiences related to all practical and theoretical aspects of communications and network security. The conference seeks submissions from academia, government, and industry presenting novel research results in communications and network security. Particular topics of interest include, but are not limited to: - Anonymity and privacy technologies - Censorship countermeasures and privacy - Combating cyber-crime (anti-spam, anti-phishing, anti-fraud techniques, etc.) 
- Computer and network forensics - Cyber deterrence strategies - Game-theoretic security technologies - Implementation and evaluation of networked security systems - Information-theoretic security - Intrusion detection, prevention, and response - Key management, public key infrastructures, certification, revocation, and authentication - Malware detection and mitigation - Security metrics and models - Physical-layer and cross-layer security technologies - Security and privacy for big data - Security and privacy for data and network outsourcing services - Security and privacy for mobile and wearable devices - Security and privacy in cellular networks - Security and privacy in cloud and edge computing - Internet Security: protocols, standards, measurements - Security and privacy in crowdsourcing - Security and privacy in cyber-physical systems - Security and privacy in emerging wireless technologies and applications (dynamic spectrum sharing, cognitive radio networks, millimeter wave communications, MIMO systems, smart/connected vehicles, UAS, etc.) - Security and privacy in peer-to-peer and overlay networks - Security and privacy in WiFi, ad hoc, mesh, sensor, vehicular, body-area, disruption/delay tolerant, and social networks. - Security and privacy in smart cities, smart and connected health, IoT, and RFID systems - Security for critical infrastructures (smart grids, transportation systems, etc.) 
- Security for future Internet architectures and designs - Security for software-defined and data center networks - Security in machine learning - Social, economic, and policy issues of trust, security, and privacy - Traffic analysis - Usable security and privacy - Web, e-commerce, m-commerce, and e-mail security ------------------------------------------------------------------------- Springer Human-centric Computing and Information Sciences, Thematic Issue on Security, trust and privacy for Human-centric Internet of Things, (Submissions Due 31 December 2018) https://hcis-journal.springeropen.com/securityhciot Guest Editors: Yunsick Sung (Dongguk University, Korea), Isaac Woungang (Ryerson University, Canada), Javier López (University of Málaga, Spain), Sherali Zeadally (University of Kentucky, USA), and Damien Sauveron (XLIM (UMR CNRS 7252 / Université de Limoges), France). The aim of this thematic series is to publish articles that cover the various developments in theory and practice related to the latest methods, solutions, and case studies in security, trust, and privacy for human-centric internet of things (IoT). Submitted articles should present research contributions that help solve the challenges that arise in developing a secure and privacy-aware human-centric IoT. This can be achieved by proposing security policies, algorithms, protocols, frameworks, and solutions for human-centric IoT ecosystems. We also welcome high-quality review articles, which focus on the analysis and integration of diverse kinds of approaches such as artificial intelligence, cognitive computing, blockchain, big data mining, or soft computing in the area of human-centric IoT security. 
Topics of interest include but are not limited to: - Security and privacy issues in human-centric IoT - Trust management for human-centric IoT - Intrusion detection techniques for human-centric IoT - Artificial intelligence for secure human-centric IoT - Cognitive computing for secure human-centric IoT - Social, legal, and ethical considerations in human-centric IoT security - Blockchain for human-centric IoT security - Cyber-attack detection and prevention systems for human-centric IoT - Biometric security in human-centric IoT - Reverse engineering for human-centric IoT - Human-centric IoT security using digital forensics investigation - Big data mining for privacy-aware human-centric IoT - Innovative deep learning approaches for human-centric IoT security - Fuzzy fusion of information, data and sensors - Advanced persistent threats in human-centric IoT ------------------------------------------------------------------------- Journal of Parallel and Distributed Computing, Special Issue on Security & Privacy in Social Big Data, (Submissions Due 31 December 2018) https://www.journals.elsevier.com/journal-of-parallel-and-distributed-computing/call-for-papers/security-privacy-in-social-big-data Guest Editors: Qin Liu (Hunan University, China), Md Zakirul Alam Bhuiyan (Fordham University, USA), Jiankun Hu (University of New South Wales, Australia), and Jie Wu (Temple University, USA). The rapid development of social networks dramatically changes the way people think, work, and interact. As more and more individual users proactively generate, share, and exchange digital content through social media, social networks have become a key source of big data. However, with such vast interconnectivity, convergence of relationships, and shared user information come increased security and privacy concerns in social big data. On one hand, users who carelessly post their personal information on social media can easily have their privacy breached. 
On the other hand, malicious attackers may manipulate such information to make a profit. There are two important security and privacy issues in social networks. The first is how to effectively utilize social data while protecting user privacy. The second is how to guarantee the authenticity of social data for in-depth data analysis. Traditional security mechanisms and models tailored to small-scale or isomorphic data are inadequate for securing social big data, which exhibit enormous volume and diverse formats. Therefore, how to develop scalable cryptographic algorithms/protocols and lightweight data mining/organization/optimization models to solve the security and privacy challenges becomes crucial for the successful application of social big data. Any topic related to security and privacy aspects, e.g., access control, authorization, and anonymization, for big data and social networks, will be considered. All aspects of design, theory and realization are of interest. ------------------------------------------------------------------------- ACM WiSec 2019 12th ACM Conference on Security and Privacy in Wireless and Mobile Networks, Miami Beach, FL, USA, May 15-17, 2019. (Submissions Due 25 January 2019) https://wisec19.fiu.edu/ ACM WiSec is the leading ACM and SIGSAC conference dedicated to all aspects of security and privacy in wireless and mobile networks and their applications. In addition to the traditional ACM WiSec topics of physical, link, and network layer security, we welcome papers focusing on the increasingly diverse range of mobile or wireless applications such as Internet of Things and Cyber-Physical Systems, as well as the security and privacy of mobile software platforms, usable security and privacy, biometrics, and cryptography. The conference welcomes both theoretical as well as systems contributions. 
Topics of interest include, but are not limited to: - Security protocols for wireless networking - Security & privacy for smart devices (e.g., smartphones) - Security of mobile applications for smartphones and wearables - Wireless and mobile privacy and anonymity - Secure localization and location privacy - Cellular network fraud and security - Jamming attacks and defenses - Key management (agreement or distribution) for wireless or mobile systems - Theoretical and formal approaches for wireless and mobile security - Physical layer and information-theoretic security schemes for wireless systems - Cryptographic primitives for wireless and mobile security - NFC and smart payment applications - Security and privacy for mobile sensing systems - Wireless or mobile security for Cyber-Physical Systems (e.g., healthcare, smart grid, or IoT applications) - Vehicular networks security (e.g., drones, automotive, avionics, autonomous driving) - Physical tracking security and privacy - Usable mobile security and privacy - Economics of mobile security and privacy - Mobile malware and platform security - Security for cognitive radio and dynamic spectrum access systems ------------------------------------------------------------------------- ACM-CCS 2019 26th ACM Conference on Computer and Communications Security, London, United Kingdom, November 11-15, 2019. (Submissions Due 31 January 2019, 15 May 2019, 1 September 2019) http://www.sigsac.org/ccs/CCS2019/ The ACM Conference on Computer and Communications Security (CCS) is the flagship annual conference of the Special Interest Group on Security, Audit and Control (SIGSAC) of the Association for Computing Machinery (ACM). The conference brings together information security researchers, practitioners, developers, and users from all over the world to explore cutting-edge ideas and results. It provides an environment to conduct intellectual discussions. 
From its inception, CCS has established itself as a high standard research conference in its area. The Conference on Computer and Communications Security (CCS) seeks submissions presenting novel contributions related to all real-world aspects of computer security and privacy. Theoretical papers must make a convincing case for the relevance of their results to practice. Authors are encouraged to write the abstract and introduction of their paper in a way that makes the results accessible and compelling to a general computer-security researcher. In particular, authors should bear in mind that anyone on the program committee may be asked to give an opinion about any paper. IMPORTANT: CCS will have three review cycles in 2019: the first with a submission deadline of January 31, the second with a submission deadline of May 15, and the third with a tentative submission deadline of September 1. The third review cycle is only for papers invited for resubmission from the first two cycles; no new submissions will be considered. Papers rejected from the first review cycle may not be submitted again (even in revised form) to the second review cycle. ------------------------------------------------------------------------- SACMAT 2019 24th ACM Symposium on Access Control Models and Technologies, Toronto, Canada, June 4-6, 2019. (Submissions Due 10 February 2019) http://www.sacmat.org/ The organizing committee of the 24th ACM Symposium on Access Control Models and Technologies (SACMAT 2019) invites contributions in all aspects of access control. The symposium will provide participants the opportunity to present work at different levels of development, from early work on promising ideas to fully developed technical results as well as system demonstrations. Papers offering novel research contributions are solicited for submission. Accepted papers will be presented at the symposium and published by the ACM in the symposium proceedings. 
In addition to the regular research track, this year SACMAT will again host a special track -- "Blue Sky/Vision Track". Researchers are invited to submit papers describing promising new ideas and challenges of interest to the community as well as access control needs emerging from other fields. We are particularly looking for potentially disruptive and new ideas which can shape the research agenda for the next 10 years. We encourage submissions that present ideas that may have not been completely developed and experimentally evaluated. Submissions to the regular track covering any relevant area of access control are welcomed. Areas include, but are not limited to, the following: - Access control for edge computing - Applications - Applied machine learning for access management - Attribute-based systems - Authentication - Big data - Biometrics - Blockchain - Cloud computing and network access control management - Cryptographic approaches - Cyber attacks and network dynamics - Cyber-physical systems and Internet of Things (IoT) - Databases and data management - Data protection on untrusted infrastructure - Design methodology - Distributed and mobile systems - Economic models and game theory - Enforcement mechanisms - Hardware enhanced security - Identity management - Identification of and protection from data leakage - Mechanisms, systems, and tools - Models and extensions - Obligations - Privacy-aware access control - Policy engineering and analysis - Requirements - Risk and uncertainty - Safety analysis - Theoretical foundations - Trust management - Usability ------------------------------------------------------------------------- USENIX-Security 2019 28th USENIX Security Symposium, Santa Clara, CA, USA, August 14-16, 2019. 
(Submissions Due 15 November 2018, 15 February 2019) https://www.usenix.org/conference/usenixsecurity19 The USENIX Security Symposium brings together researchers, practitioners, system administrators, system programmers, and others interested in the latest advances in the security and privacy of computer systems and networks. The USENIX Security Symposium is moving to multiple submission deadlines for USENIX Security '19. This change includes changes to the review process and submission policies. Detailed information is available on the USENIX Security Publication Model Changes web page at www.usenix.org/conference/usenixsecurity19/publication-model-change. All researchers are encouraged to submit papers covering novel and scientifically significant practical works in computer security. There will be two quarterly submission deadlines for USENIX Security '19. The fall quarter submissions deadline is Thursday, November 15, 2018, 5:00 pm PST. The winter quarter submissions deadline is Friday, February 15, 2019, 5:00 pm PST. The Symposium will span three days with a technical program including refereed papers, invited talks, posters, panel discussions, and Birds-of-a-Feather sessions. Co-located events will precede the Symposium on August 12 and 13. ------------------------------------------------------------------------- Blockchain 2019 IEEE International Conference on Blockchain, Atlanta, GA, USA, July 14-17, 2019. (Submissions Due 1 March 2019) http://www.blockchain-ieee.org/ The emergence and popularity of blockchain techniques will significantly change the way digital and networked systems are operated and managed. In the meantime, the application of blockchain will exhibit a variety of complicated problems and new requirements, which brings more open issues and challenges for research communities. The goal of this conference is to promote community-wide discussion identifying the advanced applications, technologies and theories for blockchain. 
We seek submissions of papers that invent novel techniques, investigate new applications, introduce advanced methodologies, propose promising research directions and discuss approaches for unsolved issues. ==================================================================== Information on the Technical Committee on Security and Privacy ==================================================================== ____________________________________________________________________ Information for Subscribers and Contributors ____________________________________________________________________ SUBSCRIPTIONS: Two options, each with two options: 1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe". OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself) 2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard". OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself) To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard Those with access to hypertext browsers may prefer to read Cipher that way. 
It can be found at URL http://www.ieee-security.org/cipher.html CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors. 
____________________________________________________________________ Recent Address Changes ____________________________________________________________________ Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html _____________________________________________________________________ How to become a member of the IEEE Computer Society's TC on Security and Privacy _____________________________________________________________________ You may easily join the TC on Security & Privacy (or other TCs) by completing the on-line form at IEEE at https://www.computer.org/web/tandc/technical-committees ______________________________________________________________________ TC Conference Publications Online ______________________________________________________________________ The proceedings of previous conferences are available from the Computer Society's Digital Library: IEEE Security and Privacy Symposium, IEEE Computer Security Foundations, and IEEE European Security and Privacy Symposium. From 2012 onward, these are available without charge from the digital library 12 months after the conference. ____________________________________________________________________________ TC Officers and SP Steering Committee ____________________________________________________________________________
Chair: Sean Peisert, UC Davis and Lawrence Berkeley National Laboratory, speisert@ucdavis.edu
Security and Privacy Symposium Chair Emeritus: Jason Li, Intelligent Automation, oakland18-chair@ieee-security.org
Vice Chair: Ulfar Erlingsson, Manager, Security Research, Google, tcchair at ieee-security.org
Treasurer: Yong Guan, Department of Electrical and Computer Engineering, Iowa State University, 3219 Coover Hall, Ames, IA 50011, (515) 294-8378, yguan (at) iastate.edu
Newsletter Editor and TC Awards Chair: Hilarie Orman, Purple Streak, Inc., 500 S. Maple Dr., Woodland Hills, UT 84653, cipher-editor@ieee-security.org
Security and Privacy Symposium, 2019 Chair: Mark Gondree, Sonoma State University, oakland19-chair@ieee-security.org
____________________________________________________________________________ BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html Cipher is published 6 times per year