Subject: Electronic CIPHER, Issue 48, May 20, 2002
====================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 48 May 20, 2002
Jim Davis, Editor
Hilarie Orman, Assoc. Editor
Bob Bruen, Book Review Editor
Anish Mathuria, Reader's Guide
====================================================================
http://www.ieee-security.org/cipher.html
Contents:
* Letter from the Editor
* Conference and Workshop Announcements
o Upcoming calls-for-papers and events
5 new calls added since Cipher E47: SACT, HICSS-36, SCN'02,
LawTech2002, InfoSecu02
o Information and Program for the 15th IEEE Computer Security
Foundations Workshop (Cape Breton, Nova Scotia, Canada,
June 24-26, 2002)
o Information and Program for the International Workshop on Trust
and Privacy in Digital Business (Aix-en-Provence, France,
September 3-5, 2002)
* Commentary and Opinion
o Robert Bruen's review of "Designing Security Architecture Solutions"
by Jay Ramachandran
o Vernon Stagg's review of the Australian Institute of Professional
Intelligence Officers workshop (AIPIO, November 2001), and the
2nd Australian IW and CS Conference (IW, November 2001)
o NewsBits: Announcements and correspondence from readers
o Book reviews from past Cipher issues
o Conference Reports and Commentary from past Cipher issues
o News items from past Cipher issues
* Reader's guide to recent security and privacy literature,
by Anish Mathuria (new entries March 15, 2002)
* List of Computer Security Academic Positions, by Cynthia Irvine
* Staying in Touch
o Information for subscribers and contributors
o Recent address changes
* Interesting Links and New reports available via FTP and WWW
* Links for the IEEE Computer Society TC on Security and Privacy
o Becoming a member of the TC
o TC Officers
o TC publications for sale
====================================================================
Letter from the Editor
====================================================================
Dear Readers:
We are pleased to bring you another issue of Cipher! In it you
will find a book review by Robert Bruen, links to upcoming conferences,
and reviews of the Australian AIPIO and IW conferences by Vernon Stagg.
Many thanks to our colleagues who contributed to this issue!
Best regards,
Jim Davis
Cipher Editor
davis@iastate.edu
====================================================================
Conference and Workshop Announcements
====================================================================
15th IEEE Computer Security Foundations Workshop
June 24-26, 2002
Keltic Lodge
Cape Breton, Nova Scotia, Canada
www.csl.sri.com/programs/security/csfw/csfw15/
Registration information is at: www.csl.sri.com/programs/security/csfw/csfw15/
Program:
SUNDAY June 23, 2002
6:30 - 7:30 Reception and Registration
MONDAY June 24, 2002
8:45 - 9:00 Welcome
Iliano Cervesato (Naval Research Laboratory), General Chair
Steve Schneider (Royal Holloway, University of London),
Program Chair
9:00 - 10:30 Information Flow I
"Approximate Non-Interference", Alessandra Di Pierro
(University of Pisa), Chris Hankin (Imperial College),
and Herbert Wiklicky (Imperial College)
"Quantifying Information Flow", Gavin Lowe (Oxford)
"Secrecy in Multiagent Systems", Joseph Halpern and Kevin O'Neill
(Cornell)
10:30 - 11:00 Break
11:00 - 12:00 Intrusion
"Two Formal Analyses of Attack Graphs", Somesh Jha (University of
Wisconsin), Oleg Sheyner (CMU), and Jeannette Wing (CMU)
"Formal Specification of Intrusion Signatures and Detection Rules",
Jean-Philippe Pouzol and Mireille Ducassé (IRISA)
12:00 - 2:00 Lunch
2:00 - 3:30 Protocols I
"Types and Effects for Asymmetric Cryptographic Protocols",
Andrew D. Gordon (Microsoft Research) and Alan Jeffrey
(DePaul University)
"Security Protocol Design via Authentication Tests",
Joshua D. Guttman (MITRE)
"Strand Spaces and Rank Functions: More Than Distant Cousins",
James Heather (University of Surrey)
3:30 - 4:00 Break
4:00 - 5:00 Applications of model-checking
"Probabilistic Analysis of Anonymity", Vitaly Shmatikov (SRI)
"Analysis of SPKI/SDSI Certificates Using Model Checking",
Somesh Jha and Thomas Reps (University of Wisconsin)
TUESDAY June 25, 2002
9:00 - 10:30 Protocols II
"Capturing Parallel Attacks within the Data Independence
Framework", Philippa J. Broadfoot and Bill Roscoe (Oxford)
"Polynomial Fairness and Liveness", Michael Backes (Saarland
University), Birgit Pfitzmann (IBM Zurich), Michael Steiner
(Saarland University), and Michael Waidner (IBM Zurich)
"A Formal Analysis of some Properties of Kerberos 5 using MSR",
Frederick Butler (University of Pennsylvania),
Iliano Cervesato (ITT Industries), Aaron D. Jaggard
(University of Pennsylvania) and Andre Scedrov
(University of Pennsylvania)
10:30 - 11:00 Break
11:00 - 12:00 Games
"A Formal Analysis of Syverson's Rational Exchange Protocol",
Levente Buttyan, Jean-Pierre Hubaux and Srdjan Capkun (EPFL)
"Game Analysis of Abuse-free Contract Signing", Steve Kremer and
Jean-François Raskin (Université Libre de Bruxelles)
12:00 - 2:00 Lunch
2:00 - 3:30 Language-based security
"Fine-grained Information Flow Analysis for a Lambda-Calculus
with Sum Types" Vincent Simonet (INRIA)
"Cryptographic Types", Dominic Duggan (Stevens Institute)
"Secure Information Flow and Pointer Confinement in a Java-like
Language", Anindya Banerjee (Kansas State University) and
David A. Naumann (Stevens Institute)
3:30 - 4:00 Break
4:00 - 5:00 Business meeting
WEDNESDAY June 26, 2002
9:00 - 10:30 Distributed Rights, Access Control, and Watermarking
"A Privacy Policy Model for Enterprises", Guenter Karjoth and
Matthias Schunter (IBM Zurich)
"A Logic for Reasoning about Digital Rights", Riccardo Pucella
and Vicky Weissman (Cornell)
"Hiding Functions and Computational Security of Image
Watermarking Systems", Nicholas Tran (Santa Clara)
10:30 - 11:00 Break
11:00 - 12:00 Information flow II
"Information Flow Security in Dynamic Contexts", Riccardo Focardi
and Sabina Rossi (University of Venice)
"A Simple View of Type-Secure Information Flow in the pi-Calculus",
François Pottier (INRIA)
12:00 - 12:15 Closing remarks. Presentation of Croquet Awards
Lunch
____________________________________________________________________
Trust and Privacy in Digital Business
Aix-en-Provence, France, September 2-6, 2002
www.dexa.org
List of accepted papers
"Electronic Payment in Mobile Environment", Huang Zheng, Chen Ke-Fei
ShangHai JiaoTong University, China
"Simplifying PKI usage through a Client-Server Architecture and dynamic
propagation of constructed certificate paths and repository addresses",
Brian Hunter, Fraunhofer, Germany
"Efficient identification of traitors in fingerprinted multimedia contents"
Marcel Fernandez, Miguel Soriano, Universidad Politécnica de Cataluña, Spain
"Ubiquitous Internet access control: the PAPI system", Diego R. Lopez,
Rodrigo Castro, RedIris, Spain
"Evaluation of Certificate Revocation Policies: OCSP vs.Overissued CRL",
J. L. Muñoz, J. Forné, J. C. Castro, Universidad Politécnica de Cataluña, Spain
"STREAMOBILE: Pay-per-View Video Streaming to Mobile Devices Over the
Internet", Antoni Martinez-Balleste, Josep Domingo-Ferrer, Universidad Rovira
i Virgili, Spain
"A Decentralized Authorization Mechanism for E-Business Applications",
Zoltan Miklos, Technical University of Vienna, Austria
"Privacy-enabled Services for Enterprises", Guenter Karjoth,
Matthias Schunter, Michael Waidner, IBM Research - Zurich Research Laboratory,
Switzerland
"Private Auctions with Multiple Rounds and Multiple Items", Ahmad-Reza Sadeghi,
Matthias Schunter, Sandra Steinbrecher, University of Saarbruecken, Germany
"Notes on Program-Orientated Access Control", Adrian Spalka, Hanno Langweg,
University of Bonn, Germany
"Data Privacy, US Common Practices", Ashrafi Noushin, Jean-Pierre Kuilboer,
University of Massachusetts Boston, USA
"Using a formal technique for protocol idealization: A cautionary note",
Anish Mathuria, University of Massachusetts Dartmouth, USA
"An Access Control System in the Flexible Organization Management",
Masahiro Mambo, Eiji Okamoto, Yasushi Sengoku, Takashi Tanaka, Tohoku
University, Japan
"Role based specification and security analysis of cryptographic protocols
using asynchronous product automata", Sigrid Gürgens, Peter Ochsenschläger and
Carsten Rudolph, Fraunhofer, Germany
"An Electronic Payment Scheme Allowing Special Rates for Anonymous Regular
Customers", Chunfu Tan, Jianying Zhou, Labs for Information Technology,
Singapore
"Privacy in mobile environment", Silke Holtmanns, Ericsson Eurolab Deutschland
GmbH, Germany
"Privacy of Trust in Similarity Estimation through Secure Computations",
Javier Carbo, J.M. Molina, Jorge Davila, Universidad Carlos III de Madrid,
Spain
"Models of Trust In Business-To-Consumer Electronic Commerce: A Review",
Vivienne Farrell, Rens Scheepers, Philip Joyce, Swinburne University of
Technology, Australia
====================================================================
Upcoming Calls-For-Papers and Events
====================================================================
The complete Cipher Calls-for-Papers is located at
www.ieee-security.org/cfp.html. The Cipher event Calendar is at
www.cs.utah.edu/flux/cipher/cipher-hypercalendar.html
____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________
Calendar of Security and Privacy Related Events
maintained by Hilarie Orman
Date (Month/Day/Year), Event, Locations, e-mail for more info.
See also Cipher Calls for Papers file (www.ieee-security.org/cfp.html)
for details on many of these listings. Also worth a look are the
ICL calendar and the IACR site, and several others.
* 5/24/02: ASIACRYPT '2002, Queenstown, New Zealand; submissions due
www.sis.uncc.edu/ac02/
* 5/30/02: WMN, Hsinchu, Taiwan; submissions due
www.ee.nthu.edu.tw/~PCM2002/
* 5/31/02: InfraSec 2002, Bristol, UK; submissions are due
www.infrasec-conf.org
* 5/31/02: ICCC 2002, Mumbai, India; submissions are due
iccc2002.ernet.in/
* 6/1/02: 18th ACSAC, Las Vegas, NV; submissions due
www.acsac.org
* 6/1/02: WSNA 2002, Atlanta, GA; submissions are due
wsna02.cs.uga.edu
* 6/15/02: SCN '02, Amalfi, Italy; submissions due
www.dia.unisa.it/SCN02/
* 6/17/02- 6/19/02: NetSec 2002, San Francisco, CA
www.gocsi.com/netsec/02/
* 6/24/02- 6/26/02: CSFW-15, Nova Scotia, Canada
www.csl.sri.com/csfw/csfw15/
* 6/24/02: DIREN, New York, NY; comet.columbia.edu/diren
* 6/24/02- 6/27/02: ICWN '02, Las Vegas
www.ece.queensu.ca/hpages/faculty/yeh/icwn02.html
* 6/24/02- 6/27/02: IMCS 2002, Las Vegas, Nevada;
www.ashland.edu/~iajwa/conferences
* 6/24/02- 6/28/02: 14th FIRST, Hilton Waikoloa Village, Hawaii
www.first.org/conference/2002/
* 6/24/02- 6/26/02: CSFW-15, Nova Scotia, Canada
www.cs.utah.edu/flux/cipher/cfps/cfp-CSFW15.html
* 6/24/02: CARDIS '02, San Jose, CA; submissions are due
www.usenix.org/events/cardis02/
* 6/30/02: Special session for SCI 2002, Orlando, Florida
www.iiis.org/sci2002/
* 7/ 1/02: HotNets-I, Princeton, NJ; submissions due,
www.acm.org/sigcomm/HotNets-I
* 7/ 3/02- 7/ 5/02, ACISP '02, Melbourne, Australia
www.cm.deakin.edu.au/ACISP'02
* 7/ 3/02- 7/ 5/02: ASWN, Paris, France
www.professional-communities.com
* 7/11/02- 7/12/02: STEG '02, Kitakyushu, Japan
www.know.comp.kyutech.ac.jp/STEG02/
* 7/14/02- 7/18/02: Special session for SCI 2002, Orlando, Florida
www.iiis.org/sci2002/
* 7/14/02- 7/19/02: IETF, Yokohama, Japan
www.ietf.org
* 7/23/02: AMS 2002, Edinburgh, UK; www.lasr.cs.ucla.edu/AMS_2002
* 7/26/02: LFM '02, Copenhagen, Denmark; www.cs.cmu.edu/~lfm02/
* 8/ 5/02- 8/ 9/02: 11th USENIX Security Symposium, San Francisco, CA
www.usenix.org/events/sec02/
* 8/11/02- 8/14/02: ICCC 2002, Mumbai, India; iccc2002.ernet.in/
* 8/13/02-8/15/02: CHES 2002, Redwood City, CA
www.chesworkshop.org
* 8/14/02- 8/16/02: 7th WCW, Boulder, Colorado; 2002.iwcw.org/
* 8/15/02- 8/16/02: SAC 2002, Newfoundland, Canada
www.cs.utah.edu/flux/cipher/cfps/cfp-SAC2002.html
* 8/18/02- 8/22/02: CRYPTO 2002, Santa Barbara, CA
* 8/19/02- 8/23/02: SIGCOMM '02, Pittsburgh, Pennsylvania
www.cs.utah.edu/flux/cipher/cfps/cfp-SIGCOMM02.html
* 8/27/02- 8/30/02: ICON 2002, Singapore, icon2002.calendarone.com
* 9/ 2/02- 9/6/02: Trustbus '02, Aix-en-Provence, France
www.wi-inf.uni-essen.de/~dexa02ws/
* 9/ 4/02- 9/ 5/02: Workshop on Trust and Privacy in Digital Business,
Aix en Provence, France www.wi-inf.uni-essen.de/~dexa02ws/
* 9/ 5/02- 9/ 7/02: VII Spanish Meeting on Cryptology and Information
Security, Asturias, Espana enol.etsiig.uniovi.es/viirecsi/
* 9/ 9/02- 9/12/02: IASTED, Malaga, Spain;
www.cs.utah.edu/flux/cipher/cfps/cfp-IASTED.html
* 9/10/02- 9/13/02: SAFECOMP 2002, Catania, Italy
www.dcs.ed.ac.uk/home/safecomp/Download/safecomp2002/
* 9/12/02- 9/13/02: SCN '02, Amalfi, Italy, www.dia.unisa.it/SCN02/
* 9/19/02- 9/21/02: SECI 2002, Tunis, Tunisia; www.epita.fr/~seci02/
* 9/23/02- 9/25/02: ECC 2002, University of Essen, Germany
www.cacr.math.uwaterloo.ca/conferences/2002/ecc2002/announcement.html
* 9/23/02- 9/26/02: NSPW 2002, Virginia Beach, VA www.nspw.org
* 9/23/02- 9/26/02: MobiCom 2002, Atlanta, Georgia;
www.acm.org/sigmobile/mobicom/2002/
* 9/26/02- 9/27/02: CMS 2002, Portoroz, Slovenia; www.setcce.org/cms2002/
* 9/28/02: WSNA 2002, Atlanta, GA; wsna02.cs.uga.edu
* 10/ 1/02-10/ 3/02: InfraSec 2002, Bristol, UK; www.infrasec-conf.org
* 10/ 7/02- 10/ 9/02: IH '02, Noordwijkerhout, The Netherlands
research.microsoft.com/ih/2002/
* 10/14/02-10/16/02: ESORICS 2002, Zurich, Switzerland; www.esorics2002.org/
* 10/15/02-10/16/02: SREIS 2002, Raleigh, NC; www.sreis.org
* 10/22/02-10/24/02: FOUNDATIONS '02, Laurel, MD;
www.cs.clemson.edu/~steve/ivandv/ResearchCallv2.pdf
* 10/23/02-10/25/02: NGC 2002, Boston, Massachusetts;
signl.cs.umass.edu/ngc2002
* 10/28/02-10/29/02: HotNets-I, Princeton, NJ;
www.acm.org/sigcomm/HotNets-I
* 11/ 4/02-11/ 8/02: QUANTUM, Berkeley, CA
zeta.msri.org/calendar/workshops/WorkshopInfo/203/show_workshop
* 11/ 6/02-11/ 8/02: CW 2002, Tokyo, Japan
wwwcis.k.hosei.ac.jp/CW2002/call_for_pagers.jsp
* 11/12/02-11/15/02: ISSRE 2002, Annapolis, MD; www.issre2002.org
* 11/17/02-11/21/02: HSN '2002, Taipei, Taiwan;
opnear.utdallas.edu/hsnhome.htm
* 11/20/02-11/22/02: CARDIS '02, San Jose, CA;
www.usenix.org/events/cardis02/
* 12/ 1/02-12/ 5/02: Asiacrypt 2002, Queenstown, New Zealand
www.commerce.otago.ac.nz/infosci/asiacrypt/
* 12/ 1/02-12/ 6/02: ACM-MM 2002, Juan Les Pins, France;
www.acm.org/sigmm/MM2002/index.html
* 12/ 9/02-12/11/02: OSDI '02, Boston, Massachusetts,
www.usenix.org/events/osdi02/cfp/
* 12/ 9/02-12/12/02: ICICS '02, Singapore.
www.krdl.org.sg/General/conferences/icics/Homepage.html
* 12/ 9/02-12/13/02: 18th ACSAC, Las Vegas, Nevada; www.acsac.org
* 12/15/02-12/18/02: Indocrypt 2002, Hyderabad, India
www.cs.utah.edu/flux/cipher/cipher-hypercalendar.html
* 12/16/02-12/18/02: WMN, Hsinchu, Taiwan
www.ee.nthu.edu.tw/~PCM2002/
____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers
____________________________________________________________________
ACSAC2002 18th Annual Computer Security Applications Conference,
Las Vegas, Nevada, USA, December 9-13, 2002. (submissions due June 1, 2002).
This internationally recognized conference provides a forum for experts in
information system security to exchange practical ideas about solving these
critical problems. See the conference web page at www.acsac.org for
details on submitting papers and tutorial proposals.
SACT First ACM Workshop on Scientific Aspects of Cyber Terrorism
(in conjunction with the ACM Conference on Computer and Communication
Security), Washington, DC, USA, November 21, 2002.
(submissions due June 1, 2002).
The goal of this workshop is to address scientific contributions to
understand cyber terrorism and to fight cyber terrorism. Examples of
possible topics of interest include: methods to identify the most critical
infrastructures, methods to detect cyber terrorist attacks, methods to
protect against cyber terrorism (including survivability, quorum systems,
PKI). More information can be found on the conference web page at
http://www.sait.fsu.edu/sactworkshop/sact.html
HICSS-36 Secure and Survivable Software Systems (Part of the Software
Technology Track), Big Island, Hawaii, USA, January 6-9, 2003.
(optional abstracts due March 31, 2002; full papers due June 1, 2002)
The focus of this minitrack is security and survivability in large,
non-trivial, software systems, with an emphasis on the last phases of the
four stage survivability model consisting of Resistance, Recognition,
Recovery, and Adaptation. Papers on Resistance and Recognition that address
the need or capacity for safety critical software systems to "fail-safe"
and "fail-secure" are also desired. More information can be found on
the HICSS-36 conference web site at www.hicss.hawaii.edu/ and on the
minitrack web site at www.cs.uidaho.edu/~krings/HICSS36/HICSS36-cfp.htm
SCN'02 The Third Workshop on Security in Communication Networks,
Amalfi, Italy, September 12-13, 2002. (submissions due June 15, 2002)
SCN '02 aims at bringing together researchers in the field of security in
communication networks to foster cooperation and exchange of ideas.
More information can be found on the workshop web page at
www.dia.unisa.it/SCN02/.
WISA2002 The 3rd International Workshop on Information Security
Applications, Jeju Island, Korea, August 28-30, 2002. (submissions due
June 28, 2002)
Please see the conference web page at icns.ewha.ac.kr/wisa2002 for
details on submitting papers.
ICICS 2002 Fourth International Conference on Information and Communications
Security, Kent Ridge Digital Labs, Singapore, December 9-12, 2002.
(submissions due July 1, 2002)
Original papers on all aspects of information and communications security
are solicited for submission to ICICS'02. More information can be found
on the conference web page at
www.krdl.org.sg/General/conferences/icics/Homepage.html.
LawTech2002 ISLAT International Conference on Law and Technology,
Cambridge, Massachusetts, USA, November 6-8, 2002. (submissions due
July 1, 2002)
This conference is an international forum for lawyers and engineers
interested in understanding the latest developments and implications of
technology in the field of law. The conference will address both the
legal ramifications of new technology and how technology advances the
field of law. The full call for papers and an extensive list of topics,
including issues related to security and privacy, can be found on the
workshop web page at www.islat.org.
SAINT2003 2003 Symposium on Applications and the Internet, Orlando, Florida,
USA, January 27-31, 2003. (submissions due July 1, 2002)
THEME: The Evolving Internet. The Symposium on Applications and the
Internet focuses on emerging and future Internet applications and their
enabling technologies. The symposium provides a forum for researchers and
practitioners from the academic, industrial, and public sectors, to share
their latest innovations on Internet technologies and applications.
Information for prospective authors, including paper format and submission
instructions can be found in the symposium web page at www.saint2003.org.
NORDSEC2002 7th Nordic Workshop on Secure IT Systems, Karlstad University,
Sweden, November 7-8, 2002. (submissions due August 1, 2002)
The NordSec workshops were started in 1996 with the aim of bringing together
researchers and practitioners within computer security in the Nordic countries.
The theme of the workshops has been applied security, i.e., all kinds of
security issues that could encourage interchange and cooperation between the
research community and the industrial/consumer community. A main theme of
NordSec 2002, to which a special track within the workshop will be devoted,
is Privacy Enhancing Technologies. NordSec 2002 will also specifically address
the areas of Software Engineering and Quality of Service in relation to IT
security. More information can be found on the conference web page at
www.cs.kau.se/nordsec2002.
====================================================================
Conferences and Workshops
(the call for papers deadline has passed)
====================================================================
NCISSE'2002 www.ncisse.org
The 6th National Colloquium for Information Systems Security Education,
Redmond, Washington, USA, June 3-7, 2002.
POLICY2002 www.policy-workshop.org/2002/
IEEE Third International Workshop on Policies for Distributed
Systems and Networks, June 5-7, 2002.
Workshop on Statistical and Machine Learning Techniques in Computer
Intrusion Detection, The Johns Hopkins University, Baltimore, MD, USA,
June 11-13, 2002.
IAW www.itoc.usma.edu/Workshop/2002
3rd Annual IEEE Information Assurance Workshop, United States Military
Academy, West Point, NY, USA, June 17-19, 2002.
DSN2002 www.dsn.org
The International Conference on Dependable Systems and Networks,
Bethesda, Maryland, USA, June 23-26, 2002.
FIRST www.first.org/
The 14th Annual Computer Security Incident Handling Conference, Hilton
Waikoloa Village, Hawaii, USA, June 24-28, 2002.
InfoSecu02 www.cintec.cuhk.edu.hk/~infosecu02
The International Conference on Information Security 2002, Si Nan Story,
Shanghai Science Hall, Shanghai, China, July 10-13, 2002.
VERIFY'02 www.ags.uni-sb.de/verification-ws/verify02.html
Verification Workshop, in connection with CADE at FLoC 2002, Copenhagen,
Denmark, July 25-26, 2002.
FCS'02 floc02.diku.dk/FCS/
LICS Satellite Workshop on Foundations of Computer Security,
Copenhagen, Denmark, July 26, 2002.
IFIP WG 11.3 sansone.crema.unimi.it/~ifip113
The Sixteenth Annual IFIP WG 11.3 Working Conference on Data and
Application Security, King's College, University of Cambridge, UK,
July 29-31, 2002.
CSFW15 www.csl.sri.com/programs/security/csfw/csfw15/
15th IEEE Computer Security Foundations Workshop, Keltic Lodge,
Cape Breton, Nova Scotia, Canada, June 24-26, 2002.
USENIX www.usenix.org/events/sec02/cfp/
The 11th USENIX Security Symposium, San Francisco, CA, USA, August 5-9, 2002.
WTCP'2002 www.cs.odu.edu/~wadaa/ICPP02/WTCP/
Workshop on Trusted Computing Paradigms (in conjunction with ICPP-2002),
Vancouver, British Columbia, Canada, August 18-21, 2002.
CRYPTO 2002 www.iacr.org/conferences/crypto2002/
The Twenty-Second Annual IACR Crypto Conference, Santa Barbara, CA, USA,
August 18-22, 2002.
TrustBus'02 www.wi-inf.uni-essen.de/~dexa02ws/
Trust and Privacy in Digital Business (in conjunction with DEXA 2002),
Aix-en-Provence, France, September 2-6, 2002.
IASTED'2002
www.iasted.org and www.iasted.org/conferences/2002/spain/submit-371.htm
IASTED Conference on Communication Systems and Networks, Malaga, Spain,
September 9-12, 2002.
ECC2002 www.exp-math.uni-essen.de/~weng/ecc2002.html
The 6th Workshop on Elliptic Curve Cryptography, University of Essen,
Essen, Germany, September 23-25, 2002.
NSPW2002 www.nspw.org.
New Security Paradigms Workshop, Virginia Beach, Virginia, USA,
September 23-26, 2002.
CMS2002 www.setcce.org/cms2002/
The Seventh IFIP Communications and Multimedia Security Conference,
Portoroz, Slovenia, September 26-27, 2002.
CNS'02 cs.anu.edu.au/~Chuan.Wu/conference/cns02_cfp.html
2002 International Workshop on Cryptology and Network Security,
San Francisco, CA, USA, September 26-28, 2002.
ESORICS 2002 www.esorics2002.org/
7th European Symposium on Research in Computer Security,
Zurich, Switzerland, October 14-16, 2002.
SREIS2002 www.sreis.org/
Second Symposium on Requirements Engineering for Information Security,
Raleigh, North Carolina, USA, October 15-16, 2002.
RAID'2002 www.raid-symposium.org/raid2002/.
Fifth International Symposium on Recent Advances in Intrusion Detection,
Zurich, Switzerland, October 16-18, 2002 (Held in conjunction with
Esorics 2002).
CCS 2002 www.acm.org/sigsac/ccs
9th ACM Conference on Computer and Communication Security,
Washington DC, USA, November 17-21, 2002.
ASIACRYPT 2002 www.sis.uncc.edu/ac02
Queenstown, New Zealand, December 1-5, 2002.
IICIS 2002 www.db.cs.ucdavis.edu/IICIS2002/
Fifth IFIP TC-11 WG 11.5 Working Conference on Integrity and Internal
Control in Information Systems - New Perspectives from Academia and
Industry, Bonn, Germany, November 11-12, 2002.
====================================================================
News Briefs
====================================================================
News briefs from past issues of Cipher are archived at
www.ieee-security.org/Cipher/NewsBriefs.html
====================================================================
Commentary and Opinion
====================================================================
Book reviews from past issues of Cipher are archived at
www.ieee-security.org/Cipher/BookReviews.html, and conference reports
are archived at www.ieee-security.org/Cipher/ConfReports.html.
____________________________________________________________________
Book Review By Robert Bruen
____________________________________________________________________
Designing Security Architecture Solutions by Jay Ramachandran
Wiley 2002. Index, Bibliography, Glossary of Acronyms. 452 pages.
ISBN 0-471-20602-4. $49.99
There are still not enough books that cover writing secure code and
designing secure systems. Fortunately, the few that are out there are
generally good quality books. The range of topics for this set of books
is still limited, leaving the door wide open for new, useful titles.
Ramachandran has made a real contribution with this title.
Anyone who reads Bugtraq regularly is painfully aware of the almost
daily barrage of security issues with software. Many of the issues have
been caused by poor coding practices. Naturally, some of the holes are
obscure and the discovery has been clever, but more often than not,
someone was just not paying attention. If you have read "Building Secure
Software" by Viega and McGraw and Anderson's "Security Engineering",
this book would be a good addition to help round out the overall approach.
Code writers need to make sure that they use good practices for the code,
but just as important is the architecture of whatever is being built.
It is well established that security needs to be built in from the
beginning, because retrofitting usually is hard and not very successful.
One is never sure whether a poor product of any kind turned out that way
as a result of simply doing a lousy job or because they did not know how
to do a good job. Ramachandran has significantly reduced the excuse pool
for the latter. This is not a cookbook by any means, but it is thorough
in its approach to security architecture. He has included the required
chapter on cryptography, but fortunately, does not dwell on it. He shows
how cryptography fits into the security architecture without restating
the obvious, as many other books have done.
The author covers both Windows and Unix issues. The scope includes
databases, web applications, CORBA and IPSEC, among other things, always
with a clear introduction to each topic. Unlike many security books, he
has an in-depth business case with analysis. He also has a sense of humor.
While the book is not intended to be a security book, there are plenty of
security concepts presented. The concepts contain enough detail that, in
spite of the intention, the reader will learn something about security.
The author's approach is one of the book's strengths. Each section is well
organized, with appropriate definitions, along with the relationship to
the planning and design of a secure application. One generally thinks of
architecture as a high level endeavor, but in order to do it right, one
must scrutinize the details. Ramachandran has done it right.
____________________________________________________________________
Commentary on 10th Australian Institute of Professional Intelligence
Officers (AIPIO), November 2001, Queensland, Australia
by Vernon Stagg
vstagg@deakin.edu.au
March 17, 2002
____________________________________________________________________
The Australian Institute of Professional Intelligence Officers held its
tenth conference in November 2001 at the ANA Hotel on the Gold Coast,
Queensland. The theme of the conference was "e-intelligence: New
challenges and solutions". There was a common theme of cooperation,
integration, sharing, and awareness running throughout the presentations,
and the spectre of the September 11 attacks fresh on everyone's mind.
Ian Wing, President of AIPIO and Lieutenant Colonel in the Australian Army,
presided over the conference and presented the welcoming ceremony for
delegates. He discussed the role of AIPIO, its inception in 1990, and its
role in the promotion of intelligence professionals throughout Australia.
DAY ONE
Alfred Rolington, Group Managing Director of Jane's Information Group was
the keynote speaker for Day One. He spoke of the problems of information
overload, the difference between analysis and policy, and the growth of
technology and globalisation, particularly as transnational threats move
to a "network function". When producing information, we need to be aware
of customers' expectations, the differences between conspiracy and bias,
and secrecy versus open source. In dealing with open source, we need to
appreciate its many different forms: contextual, factual, opinion, and bias.
In closing, Alfred discussed the restructuring of Jane's services with a
focus on these issues, to produce an enhanced information product.
Grant Wardlaw, Director of the Australian Bureau of Criminal Intelligence,
led the first plenary session. He spoke of the importance of reporting
incidents, and the possession of unique technical knowledge within the
private sector. There is a growing need for cooperation and collaboration
between intelligence agencies and the private sector, as well as new
approaches to security and information-related product development. In this
new e-environment there are new concepts of jurisdiction, new/no boundaries,
and the end of the territorial state. He discussed the growing issue of
responsibility and the impact/effect a crime can have on a nation/state's
economy. To enable better cooperation he suggested starting off with a small
element (e.g. fraud), establishing a network, and then expanding from there.
Allan McDonald, Business Development Manager for the Distillery, spoke
next. His focus was an integrated approach to systems and information
gathering and analysis. Citing a Victorian Police case study, he discussed
the shift from early information collection/collation efforts to stand-alone
PC-based intelligent databases to state wide integrated investigation
systems. Some of the drivers and enablers for this change are: wider
acceptance and understanding of the benefits of intelligence; cross
training of investigators in intelligence; intelligence professionals
becoming technologically literate; use of data clustering to improve
information stored; the need to increase functionality in investigation
and intelligence systems.
Graeme Clark, Deputy Commandant of the Defence Intelligence Training Centre
(DintTC), discussed developments in defence intelligence training. He began
with a history of defence intelligence training and education: its
stove-piped approach, duplication of efforts, and general dissatisfaction
within the intelligence community. Following the Baker review of 1990 there
was a restructuring and development of core competencies, career development,
training, and education, which saw the establishment of the DintTC.
Competencies were clearly defined, training philosophies restructured, and
a focus on issues such as: general-to-specific, adult, continuing development,
principles, technology, and analysis. Validation of methods from reporting
to assessment stages has improved all source fusions, and increased
productivity and multiple skills.
Peter Ford, First Assistant Secretary of the Australian Attorney-General's
Department, looked at unique policy problems relating to intelligence.
Issues include determining whether a problem is security or privacy related,
regulation, and development of public policy. There is also the need to
consider the global nature of attacks and threats, differentiation of
threats, and who is responsible for protection/prevention. Looking at the
National and Critical Information Infrastructures, he remarked that the
strengths of these systems are their weaknesses. Citing a recent OECD
workshop, he pointed out the need for mechanisms for sharing information on
incidents, threats, and systems failure, the establishment of security
professional networks, and training. He finished with details of an
Australian government and business task force that has been set up to
develop measures to protect information systems, and the roles expected of
each other.
Alex Gibbs, Wing Commander RAAF, and Fiona Peacock, psychologist at the
Department of Defence, led a presentation on Information Operations (IO).
They looked at the gradual inclusion of information into military
doctrine/strategy, and its close links to intelligence. Referring to the
Knowledge Edge concept, they showed that IO is another targeting option, it
is critical if the information is critical, and the importance of the
National Information Infrastructure. They pointed out that eWarfare is a
means, not an enabler, that technology is the enabler and we are still
reliant on humans. eIntel is considered a tool, not a solution: it supports
overall system survivability, facilitates decision making, and without
security efforts we will remain reactive not proactive.
Glenn Phelps, Manager GSK Australia, discussed Competitive Intelligence (CI)
and its capabilities. He began by describing what CI is not: market research
or vice versa, nor a function of marketing. Everyone is considered a CI
practitioner in his or her own right, and tacit knowledge is an asset. He
discussed the need for reporting and delivery, and the design or war room
scenarios. A model of CI was presented consisting of inputs: media,
Internet, rumours; processes: analysis, inputs from internal databases; and
output: reports, summaries.
John Geurts, Group Security Head at the Commonwealth Bank, presented a talk
on security as a business enabler. He started with a look at the Bank for
International Settlements Basel Committee and how, in 1988, they made
operational risk part of the capital buffer related to credit risk.
Operational risk was seen as identifying important/strategic elements, such
as when a bank deals with the telecommunications sector to make sure that
these communication providers also have operational risk procedures
(elements such as fraud, armed robbery, kidnap, business continuity, etc.).
He indicated the main electronic threat faced is not from hackers, but from
credit card theft and identity theft. Strategies in place to deal with this
include open source information, shared intelligence, advanced rules-based
and neural network detection systems, environment scans, and risk
assessments with product developers.
Day One finished off with two workshops, one by Steven Longford, Director at
The Distillery, on the use of behavioural intelligence as an assessment
tool. The other workshop was by Terry-Anne O'Neill, Attorney-General's
Department, on developing professional pathways in intelligence.
DAY TWO
The keynote speaker for Day Two was Shane Carmody, Department of Defence. He
began by emphasising the need to utilise the e-environment or risk losing
the game. There is a need to derive intelligence from various sources using
a model of direction, collection, process, and analysis. The emergence of
user empowering technologies represents a new paradigm, not just a shift
from mainframe to PC, new WANs, high technology, etc. He indicated how
e-intelligence has improved processes, parallel actions, and decision
cycles, but cautioned to be aware of what information means and act
accordingly.
Richard Lloyd Jones, Principal of Lloyd Jones Consulting, spoke of the
impact of globalisation on intelligence activities. The organisational
impact was felt across numerous sectors including: commercial (global
markets), law enforcement (international crime), security (terrorism), and
the military (asymmetric warfare). Technological challenges include: system
flexibility - internationalisation, interoperability, and cooperation;
decision enhancement - collection and document volume reduction, pattern
recognition, and environmental understanding. He spoke of how new
technologies allow for standardisation of data (eg. XML), as well as new
means of attaining ends.
Graham Whyte, Australian Tax Office, presented a number of case studies in
e-intelligence. The first study related to the FSM Knowledge Exchange
website. It is available to various governments and deals with tax laws,
rules, etc. and focuses on tax avoidance. The second study dealt with
offshore tax promoters and open source issues. The third study looked at
high wealth individuals and the creation of a task force to deal with this
group. The last case study related to e-intelligence analytical tools used
to identify tax schemes through the use of the tax return database.
Lorraine Van der Weide, SAS Institute, discussed the benefits of the SAS
Intelligence Layer product. She highlighted the need for organisations to
consider their information architecture, understand customers through data
mining, and the importance of customer relationship management.
Geoff Rothfield, Senior Analyst Office of Strategic Crime Assessments,
looked at law enforcement implications of new technologies. There is an
expected slowdown in technology over the next five years with technology
consolidating in its existing form. There will be a shift in the Information
and Communications sector in business reengineering, reprioritising of
resources, enhanced mobile functionality, and increased data transmission
capacity. There will be the emergence of new technologies such as
biotechnology and nanotechnology. There will also be the integration of
technology to address risks and maximise benefits in law enforcement
agencies.
Jeff Penrose, Australian Federal Police, discussed the AFP's intelligence
processes. He highlighted the aspects of a new criminal environment and
their use of intelligence, global alliances, and new technologies. The AFP
is being intelligence led with four objectives: identify and develop high
value criminal targets; determine and formulate operational priorities and
strategies; support corporate policy and planning processes; and provide
assistance to Government and law enforcement partners.
Jonathan Mobbs, CEO Crimtrac Agency, presented an overview of his agency,
and the electronic law enforcement technologies in use there.
Steven James, CEO ITAC Security, gave an entertaining presentation on hacker
intelligence. He looked at the hacker culture and the rise through the ranks
of lamer to elite. Following a review of various hacker groups, people, and
exploits he presented a hack attack framework. This framework consisted of a
number of steps being 1: Select target. 2: Identify information, components,
and active ports. 3: Cross-reference and run exploits. 4: Compromise. 5:
Extend levels of access, leave backdoor/s, and manipulate audit trails. He
went on to point out that business needs must drive security agendas, and
that security should enable not hinder.
Steve Tregarthen, Senior Manager KPMG, discussed the issue of Corporate
Intelligence which he defined as "the collection and analysis of public
information that has strategic value". Corporations need to be aware of who
they are dealing with, and the associated risks and threats (not just in the
traditional way either, eg. is Company X harmful to the environment?). He
went on to list a number of open source channels available for finding
information about individuals, including global newspaper databases, credit
background checks, criminal records, personal assets, and company and
directorship information. He also detailed the necessity of understanding
the different ways and means for obtaining information in different
countries.
One of the workshops for Day Two was held by Jason Brown, Director General
of Safety, Compensation and People Development, and focused on a "Code of
Ethics" for the intelligence profession. Brett Peppler, Intelligent Futures,
held the other workshop, dealing with knowledge mapping.
____________________________________________________________________
Review of the 2nd Australian IW and CS Conference
November 29-30, 2001, Perth, Australia
by Vernon Stagg
vstagg@deakin.edu.au
March 17, 2002
____________________________________________________________________
Pre-Conference Seminar
Prior to the official conference, the Centre for Information Warfare held a
two-day hacking seminar (Hacking 101 and Hacking 102) hosted by Tim
Rosenberg of Whitewolf Consulting. Tim provided an entertaining two days,
with a mixture of technical and high-level information, along with a number
of hands-on exercises. He presented slides concerned with legal, managerial,
criminal, physical, national, and international issues. Some of the
exercises included sniffing the network, email bombing each other (a popular
event!), and capturing network traffic. All the tools used were publicly
available hacker tools, and showed many of the attendees the ease with which
many hack attacks can be carried out.
2nd Australian IW Conference
The 2nd Australian Information Warfare and Security Conference took
place in Perth, Western Australia at the Hotel Rendezvous Observation
during November 29-30, 2001. The theme for the conference was "Survival in
the e-conomy" and attracted a broad range of speakers, attendees, and
participants.
The 2nd AIW conference opened with an introduction by Bill Hutchinson,
followed by a keynote presentation from Paul Schapper, Director General of
the Department of Industry and Technology, WA. Paul discussed issues of
risk, poor security controls, and the high cost of cyber crime ($3 trillion
worldwide). He discussed a number of initiatives for dealing with these
issues, including the C4IW Centre, GovSecure services, and the role of
government in developing, strengthening, and maintaining security issues
within Western Australia.
DAY ONE
Winn Schwartau, well known IW proponent and maintainer of infowar.com, began
the next address by warning us to consider all unknown attacks. He pointed
out that governments think they know what IW is, base their doctrine on
Information Operations (IO), and assume a known and expected enemy along
with a fortress mentality. Winn then went on to raise a number of
important questions relating to IW, being: What factors determine IW;
Is an attack an attack; Where is IW on the conflict spectrum; What is
an appropriate response; Is IW escalatory; Global issues of borders,
international attacks and empowerment; Battle damage assessment issues;
Homeland defence; Rights of the private sector in active defence; and
Is Infowar War?
Following these addresses, a number of parallel sessions were held.
Summaries are provided where possible.
Ian Martinus, Edith Cowan University (ECU), presented "Small Business in the
New Battlefield: Government Attempts at Providing a Secure Environment".
Timo Vuori, Murdoch University, presented "Virus Infection: The People
Problem".
Greg Robins, ECU, presented "e-Government, Information Warfare and Risk
Management: An Australian Case Study". Greg outlined five objectives of the
WA Government's security management objectives: Authorisation, Availability,
Confidentiality, Integrity, and Non-repudiation. These are based on three
levels of control. Level 1 is basic in-house information security practices,
Level 2 is protection of information systems, and Level 3 is transmission
protection. A security controls matrix was developed to outline these
controls with appropriate descriptions and implementation methods. Greg then
followed on with a case study of the Department of Sport and Recreation's
security restructuring according to this matrix.
Mark Williams, ECU, presented "The Need for In-depth Cyber Defence
Programmes in Business Information Warfare Environments"
John Fawcett, University of Cambridge, presented "On Wireless Network
Security".
Nick Lethbridge, ECU, presented "Impact of Information Warfare on Business
Continuity Planning".
Tyrone Busuttil, Deakin University (DU), presented "Intelligent Agents and
Their Information Warfare Applications".
John Fawcett, presented "The Autonomous Locksmith".
Craig Valli, ECU, "Automaton Hackers - The New Breed". Craig's presentation
was based on a scenario to detect a company's network vulnerabilities and
the efforts required to reduce them or remove them. The first step was to
conduct a Target Identification diagram, which showed two primary systems
for attack. Following construction of an attack tree, a number of attacks
were developed using information and tools available from the Internet. Port
scanners and sniffer daemons were used to find open ports and various IP
addresses. From a series of attacks (internal and external) it was found
there was no POP3 or SMTP encryption, many passwords were common dictionary
words, and an administration password was obtained. Following this effort a
number of recommendations have been implemented to provide, or strengthen
existing, security measures.
Christopher Lueg, University of Technology, "Towards a Framework for
Analyzing Information-level Online Activities".
Shu Wenhui, Nanyang Technological University, "In-depth Analysis on Web
Server Behavior".
Dragan Velichkovich, ECU, "Using the Techniques of Internet Advertising for
a Perception Offensive in Information Warfare". Dragan proposed how the
Internet could be used as a medium for Offensive IW. He compared broadcast
(one-to-many) to narrowcast (one-to-one and interactive) and issues of
privacy and customer profiling. Discussing Perception Management (PM), he
compared the military's use of broadcast (radio, print, TV) to some methods
used by traditional advertising agencies. Dragan identified that PM as a
methodology in IW is not fully utilised or effectively instigated,
especially with new technologies emerging.
Lars Nicander, Director of the National Office of IO/CIP Studies at the
Swedish National Defence College, presented "Information Operations - A
Swedish View". Lars discussed the Swedish initiative for Critical
Infrastructure Protection. He discussed the taxonomy developed using a
top-down approach, and numerous issues faced including policy development,
organisational structure, protection, structure and responsibility. Also
addressed was the forthcoming implementation of issues raised in a 1999
Swedish Report and White Paper on defence.
Charles McCathieNevile, World Wide Web Consortium, "An Intelligent
Agent-based Security Management Architecture for Enterprise Networks".
Charles presented an agent-based approach to security and detection. He
looked at networks and their increased complexity and features. The need for
new solutions to deal with dynamic networks and systems and their evolving
security needs was identified. Required characteristics for such solutions
include distribution of activity, autonomy, and communication and
cooperation. This can be provided through the development of a multi-agent
system for security management with high-level policies to determine
actions and events.
Terence Love, ECU, "Designing Information Security in Small Businesses: A
Qualitative & Quantitative Case Study".
Peter Goldschmidt, University of Western Australia, "Dataveillance and
Compliance Verification. Knowledge Management of the True and False
Positives".
Wei-Chi Ku, Fu Jen Catholic University, "ID-Based Key Distribution Protocols
for Mail Systems". Wei-Chi began by reviewing existing key distribution
protocols and the dispatchment process of secret keys, either centralised or
distributed. An ID-based system does not require public key certificates and
may be interactive or non-interactive. Security issues with existing
protocols were outlined, and then it was shown how the proposed protocol
addressed these issues, through a construction whose compromise would be
equivalent to solving the discrete logarithm problem.
Lorraine O'Neill Cooper, ECU, "Weaving the Tangled Web - Deception on the
Internet, A Travellers Tale?" Lorraine's presentation focused on IW in the
travel industry. Based on a preliminary study she developed 3 classification
levels: Camouflage attack (perception management), Showing the False (false
information, photographs, dishonesty), and Suspect a Scam (online
criminals). She stressed the distinction between deception and perception
and also pointed out the lack of laws on copyright.
The closing session for this day was Winn Schwartau's discussion on Time
Based Security. Winn discussed the shift from unidirectional to
bidirectional security issues and the cold war mentality of security models
(fortress). Some of the modern needs for security include: simplicity, offer
utility, be methodological, quantitative, replicable, and
mathematical/provable.
DAY TWO
Kim Forrest of ISA Technologies opened the second day discussing the role of
ISA and its links with industry and academia. Kim described ISA's
development of the Communications Technology Centre in 1998 and the recent
Centre for Information Warfare in 2001.
Helen Armstrong, Curtin University, "Denial of Service and Protection of
Critical Infrastructure".
Vernon Stagg, DU, "A Business Information Infrastructure". My presentation
was based on a model of the National Information Infrastructure for
providing IW defense.
Shermin Voshmgir, Vienna University, "Hackers: Criminals or the Drivers of
Open-source?".
Craig Valli, ECU, "NIDH - Network Intrusion Detection Hierarchy - A Model
for Gathering". The NIDH is a defence mechanism to allow rapid exchange of
attack intelligence. It is able to gather attack intelligence from a variety
of dispersed hosts and the information stored in RAM as well as hard
storage. PKI is used to increase authenticity and the integrity of packets.
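The review says only that NIDH uses PKI for the authenticity and integrity of the packets it exchanges, without describing the format or algorithm. As an added illustration of that property (this is not NIDH's code, and the record layout, the use of Ed25519 signatures and the sample values are all assumptions of this example), each sensor host signs its attack-intelligence record, and the collecting tier refuses any record whose signature does not verify under the public key it holds for that host:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// IntelRecord is one attack-intelligence report from a sensor host.
// The field set is an assumption of this example; NIDH's real format is not described.
type IntelRecord struct {
	Sensor    string `json:"sensor"`
	Observed  int64  `json:"observed"`  // unix time of the observation
	SourceIP  string `json:"source_ip"` // address the activity was seen from
	Indicator string `json:"indicator"` // short label, e.g. "port scan"
}

// SignedRecord is the envelope sent upwards: the serialised record plus the
// sensor's signature over exactly those bytes.
type SignedRecord struct {
	Sensor    string `json:"sensor"`
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// Sensor holds the private key of one reporting host.
type Sensor struct {
	Name string
	priv ed25519.PrivateKey
}

// NewSensor generates a fresh keypair; the public half is what the collector enrols.
func NewSensor(name string) (*Sensor, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Sensor{Name: name, priv: priv}, pub, nil
}

// Report stamps the record with the sensor's name, serialises it and signs it.
func (s *Sensor) Report(rec IntelRecord) (SignedRecord, error) {
	rec.Sensor = s.Name
	payload, err := json.Marshal(rec)
	if err != nil {
		return SignedRecord{}, err
	}
	return SignedRecord{Sensor: s.Name, Payload: payload, Signature: ed25519.Sign(s.priv, payload)}, nil
}

// Collector is the upper tier; it trusts only sensors whose public keys it holds.
type Collector struct {
	trusted  map[string]ed25519.PublicKey
	Accepted []IntelRecord
}

func NewCollector() *Collector { return &Collector{trusted: map[string]ed25519.PublicKey{}} }

// Enrol registers a sensor's public key (out of band, e.g. at deployment).
func (c *Collector) Enrol(name string, pub ed25519.PublicKey) { c.trusted[name] = pub }

var (
	ErrUnknownSensor  = errors.New("unknown sensor")
	ErrBadSignature   = errors.New("signature verification failed")
	ErrSensorMismatch = errors.New("payload sensor differs from envelope")
)

// Ingest verifies the envelope before anything in it is trusted: unknown or
// forged senders and modified payloads are dropped, never stored.
func (c *Collector) Ingest(sr SignedRecord) error {
	pub, ok := c.trusted[sr.Sensor]
	if !ok {
		return ErrUnknownSensor
	}
	if !ed25519.Verify(pub, sr.Payload, sr.Signature) {
		return ErrBadSignature
	}
	var rec IntelRecord
	if err := json.Unmarshal(sr.Payload, &rec); err != nil {
		return err
	}
	if rec.Sensor != sr.Sensor {
		return ErrSensorMismatch
	}
	c.Accepted = append(c.Accepted, rec)
	return nil
}

func main() {
	sensor, pub, err := NewSensor("dmz-host-1")
	if err != nil {
		panic(err)
	}
	collector := NewCollector()
	collector.Enrol("dmz-host-1", pub)

	// Constructed sample observation (addresses from the documentation range).
	sr, _ := sensor.Report(IntelRecord{Observed: time.Now().Unix(), SourceIP: "192.0.2.10", Indicator: "port scan"})
	fmt.Println("genuine record:", collector.Ingest(sr))

	// Flip one payload byte in transit: the signature no longer matches.
	tampered := sr
	tampered.Payload = append([]byte(nil), sr.Payload...)
	tampered.Payload[0] ^= 0x01
	fmt.Println("tampered record:", collector.Ingest(tampered))
}
```

The signature is computed over the serialised bytes rather than the parsed struct, so the collector verifies exactly what it received; the name inside the payload is cross-checked against the envelope so a valid signature from one enrolled host cannot be re-labelled as another's.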
Jill Slay, University of South Australia, "Culture and Sensemaking in
Information Warfare".
Senthilkumar Krishnaswamy, Arizona State University, "Stateful Intrusion
Detection System".
Steve Fall, ECU, "The Role of Security Standards in Electronic Business".
Steve looked at the diversity of security products and the need to extend
security to all business areas as well as incorporating security awareness
into a company's policy and procedures. He compared the ISO17799 and Common
Criteria to the TOGAF (a methodology and supporting tools for defining open
IT architecture).
David Maguire, ECU, "Desktop Warfare in the Data Gridlocked Information
age". This discussion looked at the growth of available information, the
democratisation of data, and information overload. David pointed out how
this overload of information creates a strategic advantage for competitors
especially with reduced time for decision making. In the security sector
agencies are trying to cope with too much information, too many targets, and
technology that is too sophisticated.
During the lunchtime break Winn Schwartau regaled us with his "General
Abdication Rule". This looks at how control has been lost and the need to
determine who is in charge. In looking at solutions to this Winn proposes a
return to the '2 man rule' along with Time-based security.
Jack Davey, Assistant Director Defence Security Authority, presented an
afternoon keynote address on "IW: Another Asymmetric Threat". Jack began by
outlining the roles of a number of Australian Defence Departments. He then
looked at the ability to handle an incident when it occurs, the issue of
operational decisions, how to train IW defenders, and the issues of threat
assessments. He discussed problems with traditional measures, considered
current trends, and outlined points for required thinking.
Matt Warren, DU, presented on behalf of Steven Furnell, University of
Plymouth, "The Problem of Categorising Cybercrime and Cybercriminals". He
looked at the increasing problem of cybercrime and how the nature of this
activity has changed. By considering a variety of categories of computer
crime, Steven has developed a taxonomy to help define cybercrime and develop
a standardised set of names and definitions.
Colin Armstrong, ECU, "Security Culture as a Defence Against Information
Warfare"
Vernon Stagg and Tyrone Busuttil, DU, held a workshop "The Implication and
Impacts of Information Warfare in a Commercial Environment"
Matt Warren, DU, "A Duality Security Risk Analysis Method for E-commerce"
The final session of the conference was an entertaining workshop held by
Winn Schwartau based on his popular "Cyber Survivor Game".
____________________________________________________________________
NewsBits
Announcements and correspondence from readers
____________________________________________________________________
Correspondence from Dr. Annie Anton, Department of Computer Science,
North Carolina State University:
Researchers at ThePrivacyPlace.Org are conducting an online survey
about privacy values. The survey is supported by an NSF ITR grant
(National Science Foundation Information Technology Research) and
will help us establish an Internet privacy values baseline for
correlation with our privacy goal taxonomy to aid policy makers
as well as software developers.
The URL is: www.theprivacyplace.org/privacySurvey/surveyPage1.php
We would be most appreciative if you would consider helping us get the
word out about the survey which takes about 5 minutes to complete. The
results will be made available this summer via our project website
(http://theprivacyplace.org).
____________________________________________________________________
March 8, 2002
The National Security Agency (NSA) announces the designation of new
Centers of Academic Excellence in Information Assurance Education
The NSA designated the following universities as Centers of Academic
Excellence in Information Assurance Education for academic years 2002
through 2005. They join the list of twenty-three universities across
the country to be awarded this distinction:
Air Force Institute of Technology (OH)
George Washington University (DC)
Indiana University of Pennsylvania (PA)
New Mexico Tech (NM)
North Carolina State University (NC)
Northeastern University (MA)
Polytechnic University (NY)
State University of New York, Buffalo (NY)
State University of New York, Stony Brook (NY)
Towson University (MD)
University of Maryland, University College (MD)
University of Nebraska, Omaha (NE)
University of Texas, San Antonio (TX)
The program is intended to reduce vulnerabilities in the national
information infrastructure by promoting higher education in
information assurance and producing a growing number of professionals
with information assurance expertise in various disciplines. Additional
information about the program may be found at
www.nsa.gov/isso/programs/coeiae/index.htm
Formal presentations will be made to the universities by the
Information Assurance Director, National Security Agency on 4 June 2002,
during the annual conference of the National Colloquium for Information
Systems Security Education. The conference will be hosted by Microsoft
in Redmond, Washington. Additional information on the Colloquium and
the annual conference may be found at www.ncisse.org.
Universities designated as Centers are eligible to apply for
scholarships and grants through both the National Science Foundation
SFS program (www.ehr.nsf.gov/due/programs/sfs) and the Department of
Defense (www.C3i.osd.mil/iasp) Information Assurance Scholarship Programs.
Information assurance education plays a critical role in protecting
the national information infrastructure. The Centers are key to having
security solutions keep pace with evolving technology now and into the
future. The Centers also provide great geographic dispersion of
information assurance education across the country, building expertise
where the national information infrastructures reside.
____________________________________________________________________
Correspondence from Riccardo Focardi, Dipartimento di Informatica,
Universita Ca' Foscari di Venezia:
THIRD INTERNATIONAL SCHOOL ON FOUNDATIONS OF SECURITY ANALYSIS AND
DESIGN (FOSAD 2002)
www.cs.unibo.it/fosad
Application Deadline: June 20, 2002
23-27 September 2002, Bertinoro, Italy
Security in computer systems and networks is emerging as one of the most
challenging research areas for the future. The main aim of the school is
to offer a good spectrum of current research in foundations of security,
ranging from programming languages to analysis of protocols, that can be
of help for graduate students, young researchers from academia or
industry that intend to approach the field.
The school covers one week (from Monday 23 to Friday 27, September 2002)
and alternates monographic courses of about 4/6 hours and short courses of
2 hours.
The school offers six main courses, each composed of 2/3 seminars, each
seminar of 2 hours. In alphabetic order, the lecturers of the six main
courses are the following:
- Carlo Blundo and Stelvio Cimato (Univ. of Salerno)
Cryptographic Protocols for Internet Services
- Michele Bugliesi (Univ. of Venice) and Giuseppe Castagna (ENS, Paris)
Security by Typing in Systems of Mobile Agents
- Matthew Hennessy (University of Sussex)
Types for Resource Access Control and Information Flow
- Jonathan K. Millen (SRI International)
Constraint Solving for Security Protocol Analysis
- David Sands (Chalmers University)
Semantic Models of Secure Information flow in Programs
- Steve Schneider (Royal Holloway, University of London)
Verifying security protocols with rank functions
Further short courses will be given by:
- Alessandro Aldini (University of Bologna)
Non-interference Properties for Probabilistic Processes
- Vladimiro Sassone (University of Sussex)
Capacity-Bounded Computational Ambients
In order to be really effective, at most 45 participants will be
admitted to the lectures. Prospective participants should send an
application to the address below, together with a recommendation letter,
by June 20, 2002. Notification of accepted applicants will be posted
by July 5, 2002. Registration to the school is due by July 31, 2002.
More detailed information on courses will be soon available at URL
www.CS.UniBO.it/fosad/. Requests for information on the school and
applications should be addressed to fosad@dsi.unive.it, while information
on organisation (address, how to reach us, etc...) can be requested by
e-mail to cbert@sun1.spfo.unibo.it
____________________________________________________________________
Colleges make cybersecurity pledge
In a "Federal Computer Week" article by Megan Lisagor (April 19, 2002,
www.fcw.com/fcw/articles/2002/0415/web-cyber-04-19-02.asp), universities
are encouraged to help secure cyberspace.
"Colleges and universities have always played a major role in defending our
country and keeping our economy healthy," said Richard Clarke, President
Bush's cyberspace security adviser, speaking April 18 at a conference on
policy affecting information technology in higher education. "So it's not
just about protecting research going on at your [university]. It's about
protecting your country."
The framework the organizations endorsed will serve as a basis for
coordinating cybersecurity activities at the campus and national levels. It
calls for:
* Making IT security a higher and more visible priority in higher education.
* Doing a better job with existing security tools, including revising
institutional policies.
* Developing improved security for future research and education networks.
* Raising the level of security collaboration among higher education,
industry and government.
* Integrating higher education work on security into the broader national
effort to strengthen critical infrastructure.
Clarke further asked colleges and universities to develop their own
strategies to defend "their bit of cyberspace" as the Bush administration
works out a national plan. The framework provides a foundation for those
strategies.
The complete article is at
www.fcw.com/fcw/articles/2002/0415/web-cyber-04-19-02.asp
____________________________________________________________________
There has been a growing concern with some IEEE members about the
linkage between the IEEE copyright form and the Digital Millennium
Copyright Act (DMCA). IEEE no longer requires authors who write for
its journals to sign a form promising to abide by the DMCA. See the
story in the Chronicle of Higher Education (April 18, 2002) by
Dan Carnevale at chronicle.com/free/2002/04/2002041802t.htm.
____________________________________________________________________
News Bits contains correspondence, interesting links, non-commercial
announcements and other snippets of information the editor thought that Cipher
readers might find interesting.
====================================================================
Reader's Guide to Current Technical Literature in Security and
Privacy, by Anish Mathuria
====================================================================
The Reader's Guide from Past issues of Cipher is archived at
www.ieee-security.org/Cipher/ReadersGuide.html
====================================================================
Listing of academic positions available
by Cynthia Irvine
====================================================================
http://cisr.nps.navy.mil/pages/employment/cipher_employ.htm
CASE Center, Syracuse University, Syracuse, NY
Visiting SUPRA faculty position
www.ecs.syr.edu/dept/eecs/positions/supria.html
Max-Planck Institute for Computer Science, Saarbruecken, Germany
Postdoc/Research associate position
Areas of particular interest: static program analysis, verification,
security, cryptographic protocols, critical software. Applications
begin immediately. www.mpi-sb.mpg.de/units/nwg1/offers/positions.html
School of Information Sciences and Technology
PennState, University Park, PA
Full-Time Faculty Positions: Security and Privacy Perspectives
ist.psu.edu/jobposts/index2.cfm?pageID=30
Department of Computer Science
James Madison University, Harrisonburg, VA
Tenure-Faculty position
The James Madison University Department of Computer Science is seeking
applications of faculty that specialize in Information Security or
closely related areas.
www.cs.jmu.edu/faculty_openings.htm
Vrije Universiteit
Amsterdam, The Netherlands
Postdoc/Assistant Professor
Internet security. Position is available immediately.
www.cs.vu.nl/~ast/jobs
Department of Information and Software Engineering
George Mason University, Fairfax, VA
1 Tenure-track, 1 visiting position
Positions are in security. Areas of particular interest: Computer security,
networking, data mining and software engineering. Search will continue until
positions are filled.
ise.gmu.edu/hire/
Department of Computer Science
Purdue University, West Lafayette, IN
Emphasis on Assistant Professor Positions, but more senior applicants will be
considered. Areas of particular interest: Computer security, and INFOSEC.
Positions beginning August 2000.
www.cs.purdue.edu/announce/faculty2001.html
Department of Computer Science
Rensselaer Polytechnic Institute, Troy, NY
Tenure Track, Teaching, and Visiting Positions
Areas of particular interest: Computer security, networking, parallel and
distributed computing and theory.
Positions beginning Fall 2000.
www.cs.rpi.edu/faculty-opening.html
Swiss Federal Institute of Technology
Lausanne (EPFL), Switzerland/Eurecom/Telecom Paris
General Director
Areas of particular interest: Education and research in telecommunications.
Applications begin immediately.
admwww.epfl.ch/pres/dir_eurecom.html
Department of Computer Science
Florida State University, Tallahassee, FL
Tenure-track positions at all ranks, several positions available.
Available (1/00). Areas of particular interest: Trusted Systems, security,
cryptography, software engineering, provability and verification,
real-time and safety-critical systems, system software, databases,
fault tolerance, and computational/simulation-based design.
www.cs.fsu.edu/positions/
--------------
This job listing is maintained as a service to the academic community. If you
have an academic position in computer security and would like to have it
included on this page, send the following information:
Institution,
City, State,
Position title,
date position announcement closes, and
URL of position description
to: irvine@cs.nps.navy.mil
====================================================================
Interesting Links and Reports Available via FTP and WWW
====================================================================
"Reports Available" links from previous issues of
Cipher are archived at www.ieee-security.org/Cipher/NewReports.html
and www.ieee-security.org/Cipher/InterestingLinks.html
====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================
____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________
SUBSCRIPTIONS:
Two options:
1. To receive the full ascii CIPHER issues as e-mail, send e-mail to
cipher@issl.iastate.edu (which is NOT automated) with subject line
"subscribe".
2. To receive a short e-mail note announcing when a new issue of
CIPHER is available for Web browsing send e-mail to
cipher@issl.iastate.edu (which is NOT automated) with subject line
"subscribe postcard".
To remove yourself from the subscription list, send e-mail to
cipher@issl.iastate.edu with subject line "unsubscribe".
Those with access to hypertext browsers may prefer to read Cipher
that way. It can be found at URL www.ieee-security.org/cipher.html
CONTRIBUTIONS:
to cipher@issl.iastate.edu are invited. Cipher is a NEWSletter,
not a bulletin board or forum. It has a fixed set of departments,
defined by the Table of Contents. Please indicate in the
subject line for which department your contribution is intended. For
Calendar entries, please include a URL and/or e-mail address for the
point-of-contact. For Calls for Papers, please submit a one paragraph
summary. See this and past issues for examples. ALL CONTRIBUTIONS
CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses
of Cipher material should respect stated copyright notices, and should
cite the sources explicitly; as a courtesy, publications using Cipher
material should obtain permission from the contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________
Address changes from past issues of Cipher are archived at
www.ieee-security.org/Cipher/AddressChanges.html
______________________________________________________________________
How to become a member of the
IEEE Computer Society's TC on Security and Privacy
________________________________________________________________________
You do NOT have to join either IEEE or the IEEE Computer Society to
join the TC, and there is no cost to join the TC. All you need to
do is fill out an application form and mail or fax it to the
IEEE Computer Society. A copy of the form is included below (to
simplify things, only the TC on Security and Privacy is included, and
is marked for you). Members of the IEEE Computer Society may join the
TC via an https link. The full and complete form is available on the
IEEE Computer Society's Web Server by following the application form
hyperlink at the URL: computer.org/tcsignup/
IF YOU USE THE FORM BELOW, PLEASE NOTE THAT IT IS TO BE RETURNED
(BY MAIL OR FAX) TO THE IEEE COMPUTER SOCIETY, >>NOT<< TO CIPHER.
---------
IEEE Computer Society
Technical Committee Membership Application
-----------------------------------------------------------
Please print clearly or type.
-----------------------------------------------------------
Last Name First Name Middle Initial
___________________________________________________________
Company/Organization
___________________________________________________________
Office Street Address (Please use street addresses over P.O.)
___________________________________________________________
City State
___________________________________________________________
Country Postal Code
___________________________________________________________
Office Phone Fax
___________________________________________________________
Email Address (Internet accessible)
___________________________________________________________
Home Address (optional)
___________________________________________________________
Home Phone
___________________________________________________________
[ ] I am a member of the Computer Society
IMPORTANT: IEEE Member/Affiliate/Computer Society Number:
____________________
[ ] I am not a member of the Computer Society*
Please Note: In some TCs only current Computer Society members are
eligible to receive Technical Committee newsletters.
Please select up to four Technical Committees/Technical Councils of
interest.
TECHNICAL COMMITTEES
[ X ] T27 Security and Privacy
Please Return Form To:
IEEE Computer Society
1730 Massachusetts Ave, NW
Washington, DC 20036-1992
Phone: (202) 371-0101
FAX: (202) 728-9614
_____________________________________________________________
TC Publications for Sale
_____________________________________________________________
Proceedings of the IEEE CS Symposium on Security and Privacy
The Technical Committee on Security and Privacy has copies of its publications
available for sale directly to you. You may pay for Proceedings by credit
card or check.
Proceedings of the IEEE Symposium on Security and Privacy
Year(s) Format Price
2001 Hardcopy $25.00*
2000 Hardcopy $15.00*
1999 Hardcopy SOLD OUT
1998 Hardcopy $10.00*
2000-2001 CD-ROM $25.00*
* Plus shipping charges
Payment by Check:
Please specify the items and quantities that you wish to receive, your shipping
address, and the method of shipping (for overseas orders). Mail your order
request and a check, payable to the 2002 IEEE Symposium on Security and Privacy to:
Terry L. Hall
Treasurer, IEEE Security and Privacy
14522 Gravelle Lane
Florissant, Mo 63034
U S A
Please include the appropriate amount to cover shipping charges as noted in the
table below.
Domestic shipping: $4.00 per order for 3 volumes or fewer
Overseas surface mail: $6.00 per order for 3 volumes or fewer
Overseas air mail: $12 per volume
Credit Card Orders:
For a limited time, the TC on Security and Privacy can charge orders to your
credit card. Send your order by mail to the address above or send email to
terry.l.hall2@boeing.com specifying the items and quantities that you wish
to receive, your shipping address, method of shipping (surface or air for
overseas orders) along with
* the name of the cardholder,
* credit card number, and
* the expiration date.
Exact shipping charges will be charged to your credit card and included in
your receipt. Shipping charges may be approximated from the table above.
IEEE CS Press
You may also order some back issues from IEEE CS Press at www.computer.org/cspress/catalog/proc9.htm.
Proceedings of the IEEE CS Computer Security Foundations Workshop
The most recent Computer Security Foundations Workshop (CSFW14) took place
June 2001 in Cape Breton, Nova Scotia. Topics included formal specification
of security protocols, protocol engineering, distributed systems, information
flow, and security policies.
Copies of the proceedings are available from the publications chair for
$25 each. Copies of earlier proceedings starting with year 3 (1990) are
available at $10. Photocopy versions of year 1 are also $10.
Checks payable to Joshua Guttman for CSFW may be sent to:
Joshua Guttman, MS S119
The MITRE Corporation
202 Burlington Rd.
Bedford, MA 01730-1420 USA
guttman@mitre.org
________________________________________________________________________
TC Officer Roster
________________________________________________________________________
Chair:
Mike Reiter
Carnegie Mellon University
ECE Department
Hamerschlag Hall, Room D208
Pittsburgh, PA 15213 USA
(412) 268-1318 (voice)
reiter@cmu.edu
Past Chair:
Thomas A. Berson
Anagram Laboratories
P.O. Box 791
Palo Alto, CA 94301
(650) 324-0100 (voice)
berson@anagram.com
Vice Chair and S&P 2002 chair:
Heather Hinton
IBM Software Group - Tivoli
11400 Burnett Road
Austin, TX 78758
(512) 436-1538 (voice)
hhinton@us.ibm.com
Chair, Subcommittee on Academic Affairs:
Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department
Code CS/IC
Monterey CA 93943-5118
(408) 656-2461 (voice)
irvine@cs.nps.navy.mil
Chair, Subcommittee on Standards:
David Aucsmith
Intel Corporation
JF2-74
2111 N.E. 25th Ave
Hillsboro OR 97124
(503) 264-5562 (voice)
(503) 264-6225 (fax)
awk@ibeam.intel.com
Chair, Subcommittee on Security Conferences:
Jonathan Millen
SRI International EL233
Computer Science Laboratory
333 Ravenswood Ave.
Menlo Park, CA 94025
(650) 859-2358 (voice)
(650) 859-2844 (fax)
millen@csl.sri.com
Newsletter Editor:
Jim Davis
Department of Electrical and Computer Engineering
2413 Coover Hall
Iowa State University
Ames, Iowa 50011
(515) 294-0659 (voice)
davis@iastate.edu
BACK ISSUES:
Cipher is archived at: www.ieee-security.org/cipher.html
========end of Electronic Cipher Issue #48, May 20, 2002===========