Subject: Electronic CIPHER, Issue 46, January 16, 2002

====================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 46                                  January 16, 2002

Jim Davis, Editor                        Hilarie Orman, Assoc. Editor
Bob Bruen, Book Review Editor         Mary Ellen Zurko, Assoc. Editor
Anish Mathuria, Reader's Guide
====================================================================
http://www.ieee-security.org/cipher.html

Contents:

* Letter from the Editor
* Conference and Workshop Announcements
  o Upcoming calls-for-papers and events
  o Information on the 2002 IEEE Symposium on Security and Privacy
    (May 12-15, 2002) can be found at
    www.ieee-security.org/TC/SP-Index.html
  o Information on the 15th IEEE Computer Security Foundations
    Workshop (June 24-26, 2002) can be found at
    www.csl.sri.com/programs/security/csfw/index.html. The call for
    papers is included in the News Bits section below.
* News Briefs:
  o Correspondence from TCSP Chair Mike Reiter
* Commentary and Opinion
  o Robert Bruen's review of "Computer Forensics. Incident Response
    Essentials" by Warren G. Kruse II and Jay G. Heiser
  o Robert Bruen's review of "Building Secure Software. How to Avoid
    Security Problems" by John Viega and Gary McGraw
  o Robert Bruen's review of "Strategic Warfare in Cyberspace" by
    Gregory Rattray
* Reader's guide to recent security and privacy literature, by Anish
  Mathuria
* List of Computer Security Academic Positions, by Cynthia Irvine
* Staying in Touch
  o Information for subscribers and contributors
  o Recent address changes
* Interesting Links and New reports available via FTP and WWW
* Links for the IEEE Computer Society TC on Security and Privacy
  o Becoming a member of the TC
  o TC Officers
  o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

We are pleased to bring you another issue of Cipher! In it you will
find three book reviews by Robert Bruen, links to new calls for
papers, and a note from TC chair Mike Reiter.

Welcome to our new TC officers! Tom Berson moves to Past Chair and
Mike Reiter is serving as Chair, Heather Hinton as Vice Chair and S&P
Symposium Chair, and Terry Hall is the new TC Treasurer. We are
fortunate to have their experience and leadership.

While we welcome our new TC officers, we need to say a "goodbye" of
sorts and a HUGE thank you to Mary Ellen Zurko. As you know, Mez has
been a faithful contributor and supporter of Cipher for many years,
but finds that her current assignments are consuming all spare time.
Mez, thanks for providing us with an interesting, timely, and
provocative column!

Many thanks to our colleagues who contributed to this issue!

Best regards,

Jim Davis
davis@iastate.edu
1/16/2002

====================================================================
Conference and Workshop Announcements
====================================================================

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at
www.ieee-security.org/cfp.html. The Cipher event Calendar is at
www.cs.utah.edu/flux/cipher/cipher-hypercalendar.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Calendar of Security and Privacy Related Events
maintained by Hilarie Orman

Date (Month/Day/Year), Event, Locations, e-mail for more info.
See also Cipher Calls for Papers file (www.ieee-security.org/cfp.html)
for details on many of these listings. Also worth a look are the ICL
calendar and the IACR site, and several others.
*  1/14/02- 1/15/02: CONTEMPCRYPT, UCLA, Los Angeles, CA
   www.ipam.ucla.edu/programs/cry2002/
*  1/20/02- 1/25/02: WITS '02, Portland, OR; Conf Web page
   www.dsi.unive.it/IFIPWG1_7/wits2002.html
*  1/20/02- 1/25/02: SecWmMMC, San Jose, CA
*  OpSecCDT, San Jose, CA
*  1/28/02: USENIX Sec Symp, San Francisco, CA
*  1/28/02: PKI Research, Gaithersburg, MD; submissions due
   www.cs.dartmouth.edu/~pki02/
*  1/28/02- 1/31/02: DSPCS '02, Sydney-Manly, Australia
   www.elec.uow.edu.au/people/staff/wysocki/dspcs/CFP_/2002a.html
*  1/29/02- 1/30/02: DRM 2002, Berlin, Germany
   digital-rights-management.de/
*  2/ 5/02: CSFW-15, submissions due
   www.csl.sri.com/programs/security/csfw/csfw15/csfw15.html
*  2/10/02: SAFECOMP 2002, Catania, Italy
   www.dcs.ed.ac.uk/home/safecomp/Download/safecomp2002/
*  2/11/02: CRYPTO 2002, submissions due
   www.iacr.org/conferences/crypto2002/
*  2/28/02: STEG '02, submissions due
   www.know.comp.kyutech.ac.jp/STEG02/
*  2/ 1/02: SIGCOMM '02, Pittsburgh, Pennsylvania; submissions due
   www.cs.utah.edu/flux/cipher/cfps/cfp-SIGCOMM02.html
*  1/29/02- 2/ 1/02: SCIS '02, Sirahama-machi, Japan
   www.sdl.hitachi.co.jp/scis/2002/English/
*  2/ 4/02- 2/ 6/02: FSE 2002, Leuven, Belgium; Conf Web page
   www.cs.utah.edu/flux/cipher/cfps/cfp-FSE2002.html
*  2/ 6/02- 2/ 8/02: NDSS '02, San Diego, California; Conf Web page
   www.cs.utah.edu/flux/cipher/cfps/cfp-NDSS02.html
*  2/12/02- 2/14/02: PKC '02, Paris, France
   www.novamedia.fr/conferences/conferences/confpkc.html
*  2/18/02- 2/22/02: RSA Crypto Track, San Jose, CA
   www.rsaconference.com/rsa2002/cryptotrack.html
*  3/ 1/02: JSAC Special Issue DnA-SecAsr, submissions due
   www.cs.utah.edu/flux/cipher/cfps/cfp-JSAC_SI-DnA-SecAsr.html
*  3/ 5/02- 3/ 8/02: WATERMARKING '02, Paris, France
   www.upperside.fr/watermarking/watermarkintro.htm
*  3/10/02- 3/14/02: SAppC '02, Madrid, Spain
   www.cs.fit.edu/~rmenezes/sac02/
*  3/11/02- 3/14/02: FC '02, Southampton, Bermuda
   fc02.ai/
*  3/17/02- 3/22/02: IETF, Minneapolis, MN
   www.ietf.org
*  4/ 5/02: NSPW 2002, Hampton, VA; Conf Web page; submissions due
   www.cs.utah.edu/flux/cipher/cfps/cfp-NSPW.html
*  4/14/02- 4/15/02: WPET '02, San Francisco, CA; Conf Web page
   www.cs.utah.edu/flux/cipher/cfps/cfp-WPET02.html
*  4/15/02: IASTED, Malaga, Spain; Conf Web page; submissions due
   www.cs.utah.edu/flux/cipher/cfps/cfp-IASTED.html
*  4/24/02- 4/25/02: PKI Res, Gaithersburg, MD
   www.cs.dartmouth.edu/~pki02/
*  4/28/02- 5/ 2/02: Eurocrypt 2002, Amsterdam, Netherlands
   www.ec2002.tue.nl/
*  5/ 3/02: SAC 2002, Newfoundland, Canada; submissions due to
   sac2002@engr.mun.ca
   www.cs.utah.edu/flux/cipher/cfps/cfp-SAC2002.html
*  5/ 5/02: 5th WOIH, Noordwijkerhout, The Netherlands; submissions due
   research.microsoft.com/ih2002/
*  5/ 5/02- 5/10/02: North America CACS '02, San Francisco, CA
   www.isaca.org/nacacscfp.htm
*  5/ 7/02- 5/11/02: WWW 2002, Honolulu, Hawaii; Conf Web page
   www.cs.utah.edu/flux/cipher/cfps/cfp-WWW2002.html
*  5/13/02- 5/15/02: IEEE S&P, Oakland, CA
   www.ieee-security.org/TC/SP02/sp02index.html
*  5/24/02: ASIACRYPT '2002, Queenstown, New Zealand; submissions due
   www.sis.uncc.edu/ac02/
*  6/24/02- 6/26/02: CSFW-15, Nova Scotia, Canada; Conf Web page
   www.cs.utah.edu/flux/cipher/cfps/cfp-CSFW15.html
*  7/ 3/02- 7/ 5/02: ACISP '02, Melbourne, Australia
   www.cm.deakin.edu.au/ACISP'02
*  7/11/02- 7/12/02: STEG '02, Kitakyushu, Japan
   www.know.comp.kyutech.ac.jp/STEG02/
*  7/14/02- 7/19/02: IETF, Yokohama, Japan
   www.ietf.org
*  8/ 5/02- 8/ 9/02: USENIX 11, San Francisco, CA
   www.usenix.org/events/sec02/
*  8/13/02- 8/15/02: CHES 2002, Redwood City, CA
   www.chesworkshop.org
*  8/15/02- 8/16/02: SAC 2002, Newfoundland, Canada
   www.cs.utah.edu/flux/cipher/cfps/cfp-SAC2002.html
*  8/18/02- 8/22/02: CRYPTO 2002, Santa Barbara, CA
*  8/19/02- 8/23/02: SIGCOMM '02, Pittsburgh, Pennsylvania
   www.cs.utah.edu/flux/cipher/cfps/cfp-SIGCOMM02.html
*  9/ 4/02- 9/ 5/02: Workshop on Trust and Privacy in Digital
   Business, Aix en Provence, France
   www.wi-inf.uni-essen.de/~dexa02ws/
*  9/ 5/02- 9/ 7/02: VII Spanish Meeting on Cryptology and
   Information Security, Asturias, Espana
   enol.etsiig.uniovi.es/viirecsi/
*  9/ 9/02- 9/12/02: IASTED, Malaga, Spain; Conf Web page
   www.cs.utah.edu/flux/cipher/cfps/cfp-IASTED.html
*  9/10/02- 9/13/02: SAFECOMP 2002, Catania, Italy
   www.dcs.ed.ac.uk/home/safecomp/Download/safecomp2002/
*  9/23/02- 9/25/02: ECC 2002, University of Essen, Germany
   www.cacr.math.uwaterloo.ca/conferences/2002/ecc2002/announcement.html
*  9/23/02- 9/26/02: NSPW 2002, Hampton, VA; Conf Web page
   www.cs.utah.edu/flux/cipher/cfps/cfp-NSPW.html
* 10/ 7/02-10/ 9/02: IH '02, Noordwijkerhout, The Netherlands
   research.microsoft.com/ih/2002/
* 11/ 4/02-11/ 8/02: QUANTUM, Berkeley, CA
   zeta.msri.org/calendar/workshops/WorkshopInfo/203/show_workshop
* 12/ 1/02-12/ 5/02: Asiacrypt 2002, Queenstown, New Zealand
   www.commerce.otago.ac.nz/infosci/asiacrypt/
* 12/ 9/02-12/12/02: ICICS '02, Singapore
   www.krdl.org.sg/General/conferences/icics/Homepage.html
* 12/15/02-12/18/02: Indocrypt 2002, Hyderabad, India

www.cs.utah.edu/flux/cipher/cipher-hypercalendar.html

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers
____________________________________________________________________

IEEE Journal on Selected Areas in Communications, Special issue on
Design and Analysis Techniques for Security Assurance. Publication:
1st quarter 2003. Editors: Li Gong (SUN Microsystems), Joshua Guttman
(The MITRE Corp), Peter Ryan (Carnegie Mellon University), and Steve
Schneider (University of London). Submission deadline is March 1,
2002.

Information security plays a dominant and increasingly critical role
in society. It is therefore essential that we have effective tools and
techniques to design and evaluate secure systems and demonstrate that
they meet their security requirements.
The application of rigorous methods to the specification, modeling,
analysis, and design of security-critical systems has made
considerable strides in recent years, and the field is rapidly
gaining in maturity. The scope of this issue will range over all
rigorous, mathematically well-founded approaches to all aspects of
security system development. This issue is intended to gather
together the leading-edge approaches in this area. Papers are
solicited in the following areas:

* Security protocol analysis
* Computer security models and policies
* Information flow
* Secure architectures
* Mobility
* Tools for security analysis
* Languages
* Logics
* Static/typechecking techniques
* Smartcards

Original, unpublished contributions and invited articles will be
considered for the issue. The paper should be no longer than 20
double-spaced pages, excluding illustrations and graphs, and follow
the IEEE J-SAC manuscript format described in the Information for
Authors. Authors wishing to submit papers should send an electronic
version (postscript or PDF files ONLY) to Steve Schneider at
S.Schneider@rhul.ac.uk by March 1, 2002.

--------

The 11th USENIX Security Symposium, San Francisco, CA, USA, August
5-9, 2002. (submissions due January 28, 2002)

The USENIX Security Symposium program committee seeks refereed paper
submissions in all areas relating to system and network security. If
you are working in any practical aspects of security or applications
of cryptography, we would like to urge you to submit a paper.
Suggested paper topics include, but are not limited to:

* Adaptive security and system management
* Analysis of malicious code
* Analysis of network and security protocols
* Applications of cryptographic techniques
* Attacks against networks and machines
* Automated tools for source code analysis
* Authentication and authorization of users, systems, and applications
* Denial-of-service attacks
* File and filesystem security
* Firewall technologies
* Intrusion detection
* Privacy preserving systems
* Public key infrastructure
* Rights management and copyright protection
* Security in heterogeneous environments
* Security of agents and mobile code
* Security of Internet voting systems
* Techniques for developing secure systems
* World Wide Web security

For more details on the submission process, authors are encouraged to
consult the detailed author guidelines at:
www.usenix.org/events/sec02/cfp/

--------

The 1st Annual PKI Research Workshop, NIST, Gaithersburg, MD, USA,
April 24-25, 2002. (submissions due January 28, 2002)

To a large extent, the hoped-for public key infrastructure has not
"happened yet." PKI for large, eclectic populations has not
materialized; PKI for smaller, less diverse "enterprise" populations
is beginning to emerge, but at a slower rate than many would like or
had expected. Why is this? This workshop among leading security
researchers will explore the issues relevant to this question, and
will seek to foster a long-term research agenda for authentication
and authorization in large populations via public key cryptography.
The workshop is intended to promote a vigorous and structured
discussion---a discussion well-informed by the problems and issues in
deployment today. Submitted works for panels, papers and reports
should address one or more critical areas of inquiry. Topics include
(but are not limited to):

* Cryptographic methods in support of security decisions
* The characterization and encoding of security decision data (e.g.,
  name spaces, x509, SDSI/SPKI, XKMS, PGP, SAML, Keynote,
  PolicyMaker, etc), policy mappings and languages, etc.
* The relative security of alternative methods for supporting
  security decisions
* Privacy protection and implications of different approaches
* Scalability of security systems (are there limits to growth?)
* Security of the rest of the components of a system
* User interface issues with naming, multiple private keys, selective
  disclosure
* Mobility solutions
* Approaches to attributes and delegation
* Discussion of how the "public key infrastructure" required may
  differ from the "PKI" traditionally defined

See the workshop web site at www.cs.dartmouth.edu/~pki02/index.shtml
for details.

--------

CSFW15 15th IEEE Computer Security Foundations Workshop, Keltic Lodge,
Cape Breton, Nova Scotia, Canada, June 24-26, 2002. (submissions due
February 5, 2002)

This workshop series brings together researchers in computer science
to examine foundational issues in computer security. For background
information about the workshop, and an html version of this Call for
Papers, see the CSFW home page www.csl.sri.com/csfw/index.html

We are interested both in new results in theories of computer
security and also in more exploratory presentations that examine open
questions and raise fundamental concerns about existing theories.
Both papers and panel proposals are welcome.
Possible topics include, but are not limited to:

* Access control
* Authentication
* Data and system integrity
* Database security
* Network security
* Distributed systems security
* Anonymity
* Intrusion detection
* Security for mobile computing
* Security protocols
* Security models
* Decidability issues
* Privacy
* Executable content
* Formal methods for security
* Information flow
* Language-based security

--------

3rd Annual IEEE Information Assurance Workshop, United States
Military Academy, West Point, NY, USA, June 17-19, 2002.
(submissions due February 18, 2002)

The workshop is designed to provide a forum for Information Assurance
researchers and practitioners to share their research and
experiences. Attendees hail from industry, government, and academia.
The focus of this workshop is on innovative, new technologies
designed to address important Information Assurance issues. Papers
will be divided into two broad categories. Approximately 2/3 of the
papers will focus on innovative new research in Information
Assurance. The remaining 1/3 of the papers will be recent experience
and lessons learned from Information Assurance practitioners. Areas
of particular interest at this workshop are:

* Innovative intrusion detection and response methodologies
* Information warfare
* Information Assurance education and professional development
* Secure software technologies
* Wireless security
* Computer forensics

More information can be found on the conference web page at
www.itoc.usma.edu/Workshop/2002.

--------

Trust and Privacy in Digital Business (in conjunction with DEXA
2002), Aix-en-Provence, France, September 2-6, 2002. (submissions due
February 21, 2002)

The Internet and the powerful WWW have created a tremendous
opportunity to conduct business electronically. However, the lack of
trust in electronic procedures as well as the diversity of threats to
users' privacy are the major inhibitors for a full deployment of
digital business. The purpose of this workshop is twofold: First, all
issues of digital business, focusing on trust and privacy problems,
will be discussed. Second, the workshop will be a forum for the
exchange of results and ongoing work performed in R&D projects.
Authors are invited to submit papers describing both theoretical and
practical work to: trustbus02@wi-inf.uni-essen.de or
trustbus02@lcc.uma.es. Papers accepted for presentation will be
published by IEEE Computer Society Press as proceedings of the
DEXA'02 workshops. More information can be found on the workshop web
site at www.wi-inf.uni-essen.de/~dexa02ws/

--------

CMS2002 The Seventh IFIP Communications and Multimedia Security
Conference, Portoroz, Slovenia, September 26-27, 2002. (submissions
due March 8, 2002)

CMS 2002 is the seventh working conference on Communications and
Multimedia Security since 1995. State-of-the-art issues as well as
practical experiences and new trends in the areas will be the topics
of interest again, as proven by preceding conferences. Topics of
interest include, but are not limited to:

* Applied cryptography
* Biometry
* Combined multimedia security
* Communications systems security
* Cryptography - steganography
* Digital signatures
* Digital watermarking
* Internet, intranet and extranet security
* Legal, social and ethical aspects of communication systems security
* Mobile communications security
* Multimedia systems security
* New generation networks (NGN) security
* Possible attacks on multimedia systems
* Secure electronic commerce

More information can be found on the conference web page at:
www.setcce.org/cms2002/, or contact: Prof. Borka Jerman-Blazic /
Institut Jozef Stefan / Jamova 39 / SI-1000 Ljubljana / Slovenia /
e-mail: cms02@setcce.org.

--------

ESORICS 2002 7th European Symposium on Research in Computer Security,
Zurich, Switzerland, October 14-16, 2002. (submissions due March 15,
2002)

ESORICS is the European research event in computer security with an
audience from both the academic and industrial communities. For
background information about the symposium, and an html version of
this Call for Papers, see the ESORICS 2002 home page
www.esorics2002.org. We are interested in papers that may present
theory, technique, applications, or practical experience on topics
related to information security, privacy and dependability. The
primary focus is on high-quality original unpublished research, case
studies and implementation experiences. We encourage submissions of
papers discussing industrial research and development.

--------

The Sixteenth Annual IFIP WG 11.3 Working Conference on Data and
Application Security, King's College, University of Cambridge, UK,
July 29-31, 2002. (submissions due March 22, 2002)

The conference provides a forum for presenting original unpublished
research results, practical experiences, and innovative ideas in data
and applications security. Papers and panel proposals are solicited.
The conference is limited to about forty participants so that ample
time for discussion and interaction may occur. Additional information
and a list of topics can be found at www.cis.utulsa.edu/ifip02. The
conference location can be explored at www.kings.cam.ac.uk/ and the
WG 11.3 home page is at sansone.crema.unimi.it/~ifip113.

--------

NSPW2002 New Security Paradigms Workshop, Hampton, Virginia, USA,
September 23-26, 2002. (submissions due March 28, 2002, April 8th if
submitting via email)

For ten years the New Security Paradigms Workshop has provided a
productive and highly interactive forum for innovative new approaches
to computer security. The workshop offers a constructive environment
for experienced researchers and practitioners as well as newer
participants in the field. The result is a unique opportunity to
exchange ideas.
NSPW 2002 will take place September 23 - 26, 2002 at the Chamberlain
Hotel, Fort Monroe, Hampton, Virginia, about 2.5 hours from
Washington, DC. The complete CFP is at www.nspw.org.

--------

Workshop on Economics and Information Security, University of
California, Berkeley, CA, USA, May 16-17, 2002. (submissions due
March 31, 2002)

Do we spend enough on keeping `hackers' out of our computer systems?
Do we not spend enough? Or do we spend too much? Many system security
failures occur not so much for technical reasons but because of
failures of organisation and motivation. For example, the person or
company best placed to protect a system may be insufficiently
motivated to do so, because the costs of system failure fall on
others. Such perverse incentives raise many issues best discussed
using economic concepts such as externalities, asymmetric
information, adverse selection and moral hazard. They are becoming
increasingly important now that information security mechanisms are
not merely used to protect against malicious attacks, but also to
protect monopolies, differentiate products and segment markets. There
are also interesting security issues raised by industry
monopolization and the accompanying reduction in product
heterogeneity. For these and other reasons, the confluence between
information security and economics is of growing importance.

We are organising the first workshop on the topic, to be held in the
School of Information Management and Systems at the University of
California, Berkeley, on the 16th and 17th May 2002. In order to keep
the event informal and interactive, attendance will be limited to
about 30-35 participants. If you would like to participate, please
send us a position paper (of 1-2 pages) by the 31st March 2002. We
welcome interest not just from economists and information security
professionals, but from people with relevant experience, such as in
the insurance industry, corporate risk management, or law enforcement
agencies. More information can be found on the workshop web page at
www.cl.cam.ac.uk/users/rja14/econws.html

--------

WTCP'2002 Workshop on Trusted Computing Paradigms (in conjunction
with ICPP-2002), Vancouver, British Columbia, Canada, August 18-21,
2002. (submissions due April 1, 2002)

The information technology revolution has changed the way business is
transacted, government operates, and national defense is conducted.
Those three functions now depend on an interdependent network of
critical information infrastructures. To build the secure and
reliable systems required for our increasingly mobile,
interconnected, information-technology-enabled society, research is
needed to develop the large-scale information systems of the future
such that they not only behave as expected, but, more importantly,
continue to produce expected behavior against security breaches and
hostile attacks. Moreover, we must ensure that any service
disruptions that occur are infrequent, of minimal duration,
manageable, and cause the least damage possible. The aim of this
workshop is to consolidate state-of-the-art research in this area.
Fundamental research articles and practical experience reports are
solicited. Topics of interest include, but are not limited to:

* Specification, Design, Development, and Composition of Trustworthy
  Components
* Modeling, Analyzing, and Predicting Trust Properties of Systems and
  Components
* Policies and Standards for Building and Operating Trusted Systems
  and Components
* Assessment of Tradeoffs in Trustworthy System Design
* Personal Information Management in a Trustworthy Environment
* Management of Heterogeneous Trusted Computing Technologies
* Cyber Attack Prediction and Detection
* Information Operations to include Mining, Recovery, Security, and
  Assurance
* Secure and Safe Access to Autonomous Services and Applications
* Trusted Computing in Agent-based Environments
* Trusted Computing in Mobile and Wireless Environments

More information can be found on the conference web site at
www.cs.odu.edu/~wadaa/ICPP02/WTCP/

--------

IASTED'2002 IASTED Conference on Communication Systems and Networks,
Malaga, Spain, September 9-12, 2002. (submissions due April 15, 2002)

This conference is an international forum for researchers and
practitioners interested in the advances in, and applications of,
networks and communication systems. This conference will be comprised
of the following four Symposia: Telecommunications Technology,
Optical Communication Systems, Wireless Networks, and Satellite
Communications and Antennas. More information on areas of interest
and complete instructions for submitting a paper or tutorial proposal
can be found at the conference web site at: www.iasted.org and
www.iasted.org/conferences/2002/spain/submit-371.htm

--------

ASIACRYPT 2002 Queenstown, New Zealand, December 1-5, 2002.
(submissions due May 24, 2002)

Original papers on all technical aspects of cryptology are solicited
for submission to Asiacrypt 2002. The conference is organized by the
International Association for Cryptologic Research (IACR).
Submissions must not substantially duplicate work that any of the
authors has published elsewhere or has submitted in parallel to any
other conference or workshop that has proceedings. More information
can be found on the conference web page at www.sis.uncc.edu/ac02.

--------

ICICS 2002 Fourth International Conference on Information and
Communications Security, Kent Ridge Digital Labs, Singapore, December
9-12, 2002. (submissions due July 1, 2002)

Original papers on all aspects of information and communications
security are solicited for submission to ICICS'02. Areas of interest
include but are not restricted to the following:

* Access Control
* Authentication and Authorization
* Biometric Security
* Cryptology
* Database Security
* Distributed System Security
* Electronic Commerce Security
* Fraud Control
* Information Hiding and Watermarking
* Intellectual Property Protection
* Internet and Intranet Security
* Intrusion Detection
* Key Management and Key Recovery
* Mobile System Security
* Network Security
* Operating System Security
* Protocols and Their Analysis
* Risk Evaluation and Security Certification
* Security Modeling and Architecture
* Virus and Worms

More information can be found on the conference web page at
www.krdl.org.sg/General/conferences/icics/Homepage.html.

====================================================================
Conferences and Workshops (the call for papers deadline has passed)
====================================================================

FAST 2002
  File and Storage Technologies Conference, Monterey, CA, USA,
  January 28-29, 2002.
  www.usenix.org/events/fast/cfp/

Cryptographer's Track at the RSA 2002 Conference
  San Jose, California, USA, February 18-22, 2002.
  www.rsaconference.com/rsa2002/cryptotrack.html

PKC'2002
  International Workshop on the Practice and Theory of Public Key
  Cryptography, Paris, France, February 12-14, 2002.
  www.novamedia.fr/conferences/conferences/confpkc.html
IPTPS'02
  The First International Workshop on Peer-to-Peer Systems,
  Cambridge, MA, USA, March 7-8, 2002.
  www.cs.rice.edu/Conferences/IPTPS02/

FC'2002
  Financial Cryptography, Southampton, Bermuda, March 11-14, 2002.
  www.crypto.com/papers/fc02cfp.html

PET2002
  Workshop on Privacy Enhancing Technologies, San Francisco, CA, USA,
  April 14-15, 2002.
  www.pet2002.org

WWW2002
  The Eleventh International World Wide Web Conference, Sheraton
  Waikiki Hotel, Honolulu, Hawaii, USA, May 7-11, 2002.
  www2002.org

NCISSE'2002
  The 6th National Colloquium for Information Systems Security
  Education, Redmond, Washington, USA, June 3-7, 2002.
  www.ncisse.org

POLICY2002
  IEEE Third International Workshop on Policies for Distributed
  Systems and Networks, June 5-7, 2002.
  www.policy-workshop.org/2002/

DSN2002
  The International Conference on Dependable Systems and Networks,
  Bethesda, Maryland, USA, June 23-26, 2002.
  www.dsn.org

FIRST
  The 14th Annual Computer Security Incident Handling Conference,
  Hilton Waikoloa Village, Hawaii, USA, June 24-28, 2002.
  www.first.org/

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at
www.ieee-security.org/Cipher/NewsBriefs.html

____________________________________________________________________
Correspondence from Mike Reiter, Chair of the TCSP
January 14, 2002
____________________________________________________________________

Dear Cipher readership,

The IEEE Technical Committee on Security and Privacy (TCSP) is the
volunteer organization that sponsors this newsletter, the IEEE
Symposium on Security and Privacy (S&P), and the IEEE Computer
Security Foundations Workshop (CSFW). As we enter 2002, I want to take
a moment to welcome two new members of the TCSP leadership team.

1) At 2001 S&P, Heather Hinton was elected Vice Chair of the TCSP, a
role that I officially handed off to her on Jan 1. Vice Chair is a
two-year position, after which Heather will become TCSP Chair for
another two years. Heather is also presently serving as the General
Chair for 2002 S&P, following her successful service as Registration
Chair at 2001 S&P. Heather works at IBM.

2) Terry Hall has stepped up to assume the role of S&P Treasurer
starting this year. Since S&P is the source of the vast majority of
TCSP income, Terry will effectively be serving as Treasurer for the
whole TCSP, as well. Terry works at Boeing. Terry will be replacing
Brian Loe, who capably served as S&P Treasurer for several years.
Thank you, Brian, for a job well done.

I also especially want to thank Tom Berson, TCSP Chair for the past
two years and a long-time contributor to our community. In fact, Tom
attended the very first S&P symposium in 1980 (!), and he still
attends today. Tom has been a great leader, a source of stability,
and our institutional memory within the TCSP. I realize that I have a
big task in front of me to continue in Tom's footsteps.

The TCSP accomplished much in 2001. The 2001 S&P symposium and CSFW
workshop were successes, as usual. S&P provided a forum for the
presentation of 19 high quality advances in computer security and for
numerous other hallway exchanges. Picking those 19 from the 107
submissions was a tough task, and many thanks go to Roger Needham,
Martin Abadi, and their program committee for doing a great job.
Thanks also go to Li Gong for serving as General Chair. The success
of CSFW this year is thanks to Iliano Cervesato and Steve Schneider,
the General Chair and Program Chair, respectively.

The TCSP also continued its tradition of publishing arguably the best
electronic newsletter around for computer security researchers,
namely the Cipher newsletter that you are reading right now. Jim
Davis at Iowa State, along with his editorial staff, deserves a
tremendous round of applause for this. Jim also maintains the
www.ieee-security.org web site, which I consider to be one of my
essential bookmarks.

Welcome to 2002. I am looking forward to seeing you at the S&P
symposium in May and the CSFW workshop in June.

Mike Reiter
Chair, TCSP

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at
www.ieee-security.org/Cipher/BookReviews.html, and conference reports
are archived at www.ieee-security.org/Cipher/ConfReports.html.

____________________________________________________________________
Book Review By Robert Bruen
____________________________________________________________________

Warren G. Kruse II and Jay G. Heiser. Computer Forensics. Incident
Response Essentials. Addison-Wesley 2002. Index, Annotated
Bibliography, 8 appendices. ISBN 0-201-70719-5. $39.99

The field of computer forensics is coming into its own these days. It
was always important to discover how someone broke into your machine,
but now there is a greater need to find who broke in and follow up
with legal action. The follow-up action requires evidence, which in
turn must meet much higher standards than most sysadmins were
familiar with. In the old days we looked at logs and changed files to
figure out what happened. Now we need to be very careful not to
contaminate the disk, or even cache (good luck), and preserve the
state of the disk. Moreover, once the disk has been designated as
compromised, there is something called the chain of custody that is
critical. If the disk is now evidence in a trial, there had better be
a log of everyone who touched the disk; they ought to have been
appropriate people and they should have done nothing to alter the
disk contents. A failure to do this could cause the case to be thrown
out of court. The chain of evidence is not the only new idea for
sysadmins.
There are other procedures that must be followed, as well as small bumps in the road that can cause major problems along the road. The new demands of forensics are somewhat foreign to most techies, but this book can help you step through them. In general, the good techie will want to take a close look at the disk to see what has happened. Fortunately, there is a set of tools available, with more coming, to help in this. Kruse and Heiser provide URLs to many of them, along with explaining how they work.

The authors are coming at this from the point of view of cops who have learned how computers work, as opposed to computer guys who learned about investigation. This is not a criticism, but rather just a note to explain their approach. It is a good introductory text for anyone who wants to learn about computer forensics. If you are comfortable with systems operations, the book is a quick read. If you have never looked at a disk drive in raw mode, you will have to go a little slower. The main topics addressed are those of using the net to track down an intruder, and disk and file analysis. They explain about Unix systems for the Windows folks, and they cover the criminal justice system. For anyone who expects to handle a break-in incident, this book is something that ought to have been read in advance.

The book is well organized with a good number of illustrations. The tools presented are both free and commercial, which is helpful for getting started. They explain in detail how to use the tools that protect the disk contents while being copied, pointing out the obvious: that one should work on a copy, not the evidence. This little mistake could easily ruin the whole process. I liked the book; although it is a bit elementary in the technical sense, it is helpful in its organization and the information on the legal aspects. One more book the security professional ought to read.
____________________________________________________________________
Book Review By Robert Bruen
____________________________________________________________________

Viega, John and Gary McGraw. Building Secure Software. How to Avoid Security Problems the Right Way. Addison-Wesley 2002. Index. Bibliography. 3 appendices. 493 pages. ISBN 0-201-72152-X. LoC QA76.76.D47 V857 2001. $54.99

If you are tired of hearing about buffer overflows and other consequences of software designed or written without much thought to security issues, give a copy of this book to your favorite software vendor. No one really expects perfect, bug-free software, but we should expect that the trivial things are fixed at the outset of software design. Perhaps it may be a little worn out as an analogy, but constructing buildings still offers some useful lessons for software builders. For example, we all know that foundations are really important. We also know not to use sand as the primary material, just as we know that earthquakes affect buildings, so we take some care to account for this in the building's design. By now everyone knows that buffer overflows are a mostly preventable problem, just as we know that storing usernames and passwords in ASCII files which are accessible to the world is a problem. It is hard to believe that buffer overflows are still being discovered, so the question has to be whether the authors did not know how to handle this while writing or whether they just did not pay attention. In any case, Viega and McGraw have spelled out quite clearly why one should care and how one should do it. They have also gone beyond the buffer overflow problem, providing good coverage of secure software. There are only a few books published in this area and a bit more on the net, so this is a welcome addition to the security library. One can only hope that this will grow into a serious branch of software development.
These problems have been around for a while; for example, Aleph1 released a paper in 1996 (Smashing the Stack for Fun and Profit), almost six years ago, a long time in the technology world. Some things have moved along very quickly, but writing secure code has not been one of them. Attacking code, on the other hand, has caught on like the plague. The time has arrived for a response from software vendors that does more than complain about people finding security holes in their software.

This book has detailed information on system library code that should be avoided, with the replacement code identified. It is in clear wording: you should not use system call X because of problem Y; use system call Z instead. There are examples of attack code with explanations of how and why it works, as well as methods for avoiding the problems. Of course, not everyone appreciates attack code being made public, especially with analysis, but it is helpful to see the details if you will be writing code that needs to prevent such an attack.

The authors have reminded us of another old problem that seems to have been forgotten, that of trust and input validation. In the early days of programming, especially for business, one always tried to make sure that if a number was expected as input, a number was what was allowed. And that number would be within a range. The extension today is for things like file locations in a URL and such, but it goes beyond that to programs calling other programs. If your program is secure, you cannot expect the program you call to be secure, which appears to happen a little too often.

Building Secure Software is a highly recommended book that does what it says it will do. If only it gets read.

____________________________________________________________________
Book Review By Robert Bruen
____________________________________________________________________

Rattray, Gregory. Strategic Warfare in Cyberspace. MIT Press 2001.
ISBN 0-262-18209-2. LoC U163.R29 2001. 517 pages. $49.95. Acronyms. Index. Annotated bibliography and extensive notes for each chapter.

Generally speaking, computer security professionals do not concern themselves with warfare between nation states. Their focus is probably on the next virus or network scan. However, now that the Internet is truly global and information technology is deeply embedded in almost all important infrastructures, computers are now both targets and weapons for governments. The military has used computer technology for all sorts of things for many years, but has only recently begun to take seriously the new role of technology in warfare. The computer as a weapon has a great number of interesting implications beyond just hacking a web site, some of them created by the fact that they are cheap, with a global reach. Unlike large military hardware costing tens of millions of dollars to buy and maintain, computers and network connections are cheap. All that someone needs is expertise, time and will. The military is used to waging war by superior firepower, by being the biggest, baddest guy on the block. The history of warfare is filled with examples of why this approach was not enough; things like disease and the weather have probably caused more casualties than the weapons themselves.

Rattray is a member of the Air Force, which sets the stage for his viewpoint on how cyber warfare ought to be studied and brought into the military mindset. He presents a detailed study of the development of US strategic airpower during the first part of the 20th century to provide the lessons for how the US might develop cyber warfare. There are two basic questions of how new ideas work their way into the military, or any organization for that matter. First, how does it happen? And second, how does it happen here? The first question is the generalized problem and the second is the general problem with modifications that are specific to the local organization.
The military may be the ultimate local problem, but they have demonstrated that they can evolve. Integrating strategic information warfare into the military by members of the military appears to be no easy task. This book is a scholarly tome which provides convincing arguments as to why and how it should happen. Information warfare as an idea has been around for over a decade, but we have yet to see much beyond isolated attacks on web sites. The status quo will be shifting relatively soon. A denial of service attack such as NATO experienced after the US bombed the Chinese embassy during attacks on parts of the former Yugoslavia a few years ago is not really a major event when compared to attacks which are possible. As the military begins to gear up for the future, it is in the interest of security professionals to have some insight into how the military works and will adapt to the new possibilities of war in cyberspace. This book is an excellent path to that insight.

It is always of interest to observe how different disciplines implement ideas that are familiar to you in unfamiliar ways. Since international warfare has been with us since civilization began, there is little hope it will be eliminated in the age of information. It will be simply transformed. This is a highly recommended book that will expand how you think about computer and network security.
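The two pieces of advice the Building Secure Software review singles out (replace an unbounded library call with a bounded one, and accept a number only when it is a whole number inside an expected range) as an added C example; this is not code from the book or from the reviewer, and the buffer size, function names and sample inputs are constructed for illustration:

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define NAME_CAP 32   /* size of the fixed buffer both copy routines fill */

/* The pattern the book warns against: strcpy() stops only at the NUL,
 * so any src longer than NAME_CAP-1 bytes overruns dst. Shown for
 * contrast only; nothing in this file calls it. */
void unsafe_copy_name(char dst[NAME_CAP], const char *src)
{
    strcpy(dst, src);                 /* unbounded copy */
}

/* Bounded replacement: copy at most cap-1 bytes, always NUL-terminate,
 * and report truncation instead of overrunning. Returns 1 when the whole
 * string fit, 0 on truncation or bad arguments. */
int safe_copy_name(char *dst, size_t cap, const char *src)
{
    if (dst == NULL || src == NULL || cap == 0)
        return 0;
    size_t n = strlen(src);
    if (n >= cap) {
        memcpy(dst, src, cap - 1);
        dst[cap - 1] = '\0';
        return 0;
    }
    memcpy(dst, src, n + 1);          /* includes the terminator */
    return 1;
}

/* Input validation in the old business-programming sense: the string must
 * be a complete decimal integer and lie in [lo, hi]. strtol() tolerates
 * leading blanks and a sign; anything else is rejected. Returns 1 and
 * stores the value in *out, or 0. */
int parse_int_in_range(const char *s, long lo, long hi, long *out)
{
    if (s == NULL || *s == '\0' || out == NULL)
        return 0;
    char *end = NULL;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno == ERANGE)              /* does not fit in a long */
        return 0;
    if (end == s || *end != '\0')     /* no digits, or trailing garbage */
        return 0;
    if (v < lo || v > hi)
        return 0;
    *out = v;
    return 1;
}

/* Constructed cases; returns 1 if every routine behaves as intended. */
int self_check(void)
{
    char buf[NAME_CAP], longname[2 * NAME_CAP];
    long v = 0;
    int ok = 1;
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    ok &= safe_copy_name(buf, sizeof buf, "alice") == 1 && strcmp(buf, "alice") == 0;
    ok &= safe_copy_name(buf, sizeof buf, longname) == 0;    /* truncated, not overrun */
    ok &= strlen(buf) == NAME_CAP - 1;
    ok &= parse_int_in_range("42", 0, 100, &v) == 1 && v == 42;
    ok &= parse_int_in_range("101", 0, 100, &v) == 0;        /* out of range */
    ok &= parse_int_in_range("42abc", 0, 100, &v) == 0;      /* trailing junk */
    ok &= parse_int_in_range("99999999999999999999", 0, 100, &v) == 0; /* overflow */
    return ok;
}
```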
====================================================================
Reader's Guide to Current Technical Literature in Security and Privacy, by Anish Mathuria
====================================================================

The Reader's Guide from past issues of Cipher is archived at www.ieee-security.org/Cipher/ReadersGuide.html

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

http://cisr.nps.navy.mil/pages/employment/cipher_employ.htm

Department of Computing
Imperial College of Science, Technology and Medicine, London, UK
Up to 5 Lecturer (Assistant Professor) appointments
Closing date: 7 January 2002
www.doc.ic.ac.uk/situation.html#job8

Cornell University
Ithaca, NY
Post-Doctoral Position
Position closes 12/31/2001
www.cs.cornell.edu/cdlrg/prism/postdoc.htm

Department of Computer Science
James Madison University, Harrisonburg, VA
Tenure-Faculty position
The James Madison University Department of Computer Science is seeking applications from faculty who specialize in Information Security or closely related areas.
www.cs.jmu.edu/faculty_openings.htm

Vrije Universiteit
Amsterdam, The Netherlands
Postdoc/Assistant Professor
Internet security. Position is available immediately.
www.cs.vu.nl/~ast/jobs

Department of Information and Software Engineering
George Mason University, Fairfax, VA
1 Tenure-track, 1 visiting position
Positions are in security. Areas of particular interest: Computer security, networking, data mining and software engineering. Search will continue until positions are filled.
ise.gmu.edu/hire/

Department of Computer Science
Purdue University, West Lafayette, IN
Emphasis on Assistant Professor Positions, but more senior applicants will be considered.
Areas of particular interest: Computer security, and INFOSEC. Positions beginning August 2000.
www.cs.purdue.edu/announce/faculty2001.html

Department of Computer Science
Rensselaer Polytechnic Institute, Troy, NY
Tenure Track, Teaching, and Visiting Positions
Areas of particular interest: Computer security, networking, parallel and distributed computing and theory. Positions beginning Fall 2000.
www.cs.rpi.edu/faculty-opening.html

Swiss Federal Institute of Technology Lausanne (EPFL), Switzerland/Eurecom/Telecom Paris
General Director
Areas of particular interest: Education and research in telecommunications. Applications begin immediately.
admwww.epfl.ch/pres/dir_eurecom.html

Department of Computer Science
Florida State University, Tallahassee, FL
Tenure-track positions at all ranks, several positions available. Available (1/00)
Areas of particular interest: Trusted Systems, security, cryptography, software engineering, provability and verification, real-time and safety-critical systems, system software, databases, fault tolerance, and computational/simulation-based design.
www.cs.fsu.edu/positions/

--------------
This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Interesting Links and Reports Available via FTP and WWW
====================================================================

"Reports Available" links from previous issues of Cipher are archived at www.ieee-security.org/Cipher/NewReports.html and www.ieee-security.org/Cipher/InterestingLinks.html

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to (which is NOT automated) with subject line "subscribe".

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing, send e-mail to (which is NOT automated) with subject line "subscribe postcard".

To remove yourself from the subscription list, send e-mail to cipher@issl.iastate.edu with subject line "unsubscribe".

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher@issl.iastate.edu are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact.
For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.

____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at www.ieee-security.org/Cipher/AddressChanges.html

______________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
________________________________________________________________________

You do NOT have to join either IEEE or the IEEE Computer Society to join the TC, and there is no cost to join the TC. All you need to do is fill out an application form and mail or fax it to the IEEE Computer Society. A copy of the form is included below (to simplify things, only the TC on Security and Privacy is included, and is marked for you). Members of the IEEE Computer Society may join the TC via an https link. The full and complete form is available on the IEEE Computer Society's Web Server by following the application form hyperlink at the URL: computer.org/tcsignup/

IF YOU USE THE FORM BELOW, PLEASE NOTE THAT IT IS TO BE RETURNED (BY MAIL OR FAX) TO THE IEEE COMPUTER SOCIETY, >>NOT<< TO CIPHER.

---------
IEEE Computer Society Technical Committee Membership Application
-----------------------------------------------------------
Please print clearly or type.
-----------------------------------------------------------
Last Name                    First Name               Middle Initial
___________________________________________________________
Company/Organization
___________________________________________________________
Office Street Address (Please use street addresses over P.O.)
___________________________________________________________
City                                              State
___________________________________________________________
Country                                           Postal Code
___________________________________________________________
Office Phone                                      Fax
___________________________________________________________
Email Address (Internet accessible)
___________________________________________________________
Home Address (optional)
___________________________________________________________
Home Phone
___________________________________________________________

[ ] I am a member of the Computer Society
    IMPORTANT: IEEE Member/Affiliate/Computer Society Number: ____________________
[ ] I am not a member of the Computer Society*

Please Note: In some TCs only current Computer Society members are eligible to receive Technical Committee newsletters.

Please select up to four Technical Committees/Technical Councils of interest.

TECHNICAL COMMITTEES
[ X ] T27 Security and Privacy

Please Return Form To:
IEEE Computer Society
1730 Massachusetts Ave, NW
Washington, DC 20036-1992
Phone: (202) 371-0101
FAX: (202) 728-9614

_____________________________________________________________
TC Publications for Sale
_____________________________________________________________

We are currently updating this section - stay tuned!

________________________________________________________________________
TC Officer Roster
________________________________________________________________________

Chair:
Mike Reiter
Carnegie Mellon University
ECE Department
Hamerschlag Hall, Room D208
Pittsburgh, PA 15213 USA
(412) 268-1318 (voice)
reiter@cmu.edu

Past Chair:
Thomas A. Berson
Anagram Laboratories
P.O. Box 791
Palo Alto, CA 94301
(650) 324-0100 (voice)
berson@anagram.com

Vice Chair and S&P 2002 chair:
Heather Hinton
IBM Software Group - Tivoli
11400 Burnett Road
Austin, TX 78758
(512) 436 1538 (voice)
hhinton@us.ibm.com

Chair, Subcommittee on Academic Affairs:
Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department
Code CS/IC
Monterey CA 93943-5118
(408) 656-2461 (voice)
irvine@cs.nps.navy.mil

Chair, Subcommittee on Standards:
David Aucsmith
Intel Corporation
EL233 JF2-74
2111 N.E. 25th Ave
Hillsboro OR 97124
(503) 264-5562 (voice)
(503) 264-6225 (fax)
awk@ibeam.intel.com

Chair, Subcomm. on Security Conferences:
Jonathan Millen
SRI International
Computer Science Laboratory
333 Ravenswood Ave.
Menlo Park, CA 94025
(650) 859-2358 (voice)
(650) 859-2844 (fax)
millen@csl.sri.com

Newsletter Editor:
Jim Davis
Department of Electrical and Computer Engineering
2413 Coover Hall
Iowa State University
Ames, Iowa 50011
(515) 294-0659 (voice)
davis@iastate.edu

BACK ISSUES: Cipher is archived at: www.ieee-security.org/cipher.html

========end of Electronic Cipher Issue #46, January 16, 2002===========