Subject: Electronic CIPHER, Issue 48, May 20, 2002

====================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 48                                     May 20, 2002

Jim Davis, Editor                       Hilarie Orman, Assoc. Editor
Bob Bruen, Book Review Editor          Anish Mathuria, Reader's Guide
====================================================================
http://www.ieee-security.org/cipher.html

Contents:

* Letter from the Editor
* Conference and Workshop Announcements
  o Upcoming calls-for-papers and events
    5 new calls added since Cipher E47: SACT, HICSS-36, SCN'02,
    LawTech2002, InfoSecu02
  o Information and Program for the 15th IEEE Computer Security
    Foundations Workshop (Cape Breton, Nova Scotia, Canada,
    June 24-26, 2002)
  o Information and Program for the International Workshop on Trust
    and Privacy in Digital Business (Aix-en-Provence, France,
    September 3-5, 2002)
* Commentary and Opinion
  o Robert Bruen's review of "Designing Security Architecture
    Solutions" by Jay Ramachandran
  o Vernon Stagg's review of the Australian Institute of Professional
    Intelligence Officers workshop (AIPIO, November 2001), and the
    2nd Australian IW and CS Conference (IW, November 2001)
  o NewsBits: Announcements and correspondence from readers
  o Book reviews from past Cipher issues
  o Conference Reports and Commentary from past Cipher issues
  o News items from past Cipher issues
* Reader's guide to recent security and privacy literature, by Anish
  Mathuria (new entries March 15, 2002)
* List of Computer Security Academic Positions, by Cynthia Irvine
* Staying in Touch
  o Information for subscribers and contributors
  o Recent address changes
* Interesting Links and New reports available via FTP and WWW
* Links for the IEEE Computer Society TC on Security and Privacy
  o Becoming a
    member of the TC
  o TC Officers
  o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

We are pleased to bring you another issue of Cipher! In it you will
find a book review by Robert Bruen, links to upcoming conferences, and
reviews of the Australian AIPIO and IW conferences by Vernon Stagg.
Many thanks to our colleagues who contributed to this issue!

Best regards,
Jim Davis
Cipher Editor
davis@iastate.edu

====================================================================
Conference and Workshop Announcements
====================================================================

15th IEEE Computer Security Foundations Workshop
June 24-26, 2002
Keltic Lodge
Cape Breton, Nova Scotia, Canada
www.csl.sri.com/programs/security/csfw/csfw15/

Registration information is at:
www.csl.sri.com/programs/security/csfw/csfw15/

Program:

SUNDAY June 23, 2002

6:30 - 7:30   Reception and Registration

MONDAY June 24, 2002

8:45 - 9:00   Welcome
  Iliano Cervesato (Naval Research Laboratory), General Chair
  Steve Schneider (Royal Holloway, University of London), Program Chair

9:00 - 10:30  Information Flow I
  "Approximate Non-Interference", Alessandra Di Pierro (University of
    Pisa), Chris Hankin (Imperial College), and Herbert Wiklicky
    (Imperial College)
  "Quantifying Information Flow", Gavin Lowe (Oxford)
  "Secrecy in Multiagent Systems", Joseph Halpern and Kevin O'Neill
    (Cornell)

10:30 - 11:00 Break

11:00 - 12:00 Intrusion
  "Two Formal Analyses of Attack Graphs", Somesh Jha (University of
    Wisconsin), Oleg Sheyner (CMU), and Jeannette Wing (CMU)
  "Formal Specification of Intrusion Signatures and Detection Rules",
    Jean-Philippe Pouzol and Mireille Ducassé (IRISA)

12:00 - 2:00  Lunch

2:00 - 3:30   Protocols I
  "Types and Effects for Asymmetric Cryptographic Protocols", Andrew D.
    Gordon (Microsoft Research) and Alan Jeffrey (DePaul University)
  "Security Protocol Design via Authentication Tests", Joshua D.
    Guttman (MITRE)
  "Strand Spaces and Rank Functions: More Than Distant Cousins", James
    Heather (University of Surrey)

3:30 - 4:00   Break

4:00 - 5:00   Applications of model-checking
  "Probabilistic Analysis of Anonymity", Vitaly Shmatikov (SRI)
  "Analysis of SPKI/SDSI Certificates Using Model Checking", Somesh Jha
    and Thomas Reps (University of Wisconsin)

TUESDAY June 25, 2002

9:00 - 10:30  Protocols II
  "Capturing Parallel Attacks within the Data Independence Framework",
    Philippa J. Broadfoot and Bill Roscoe (Oxford)
  "Polynomial Fairness and Liveness", Michael Backes (Saarland
    University), Birgit Pfitzmann (IBM Zurich), Michael Steiner
    (Saarland University), and Michael Waidner (IBM Zurich)
  "A Formal Analysis of Some Properties of Kerberos 5 using MSR",
    Frederick Butler (University of Pennsylvania), Iliano Cervesato
    (ITT Industries), Aaron D. Jaggard (University of Pennsylvania)
    and Andre Scedrov (University of Pennsylvania)

10:30 - 11:00 Break

11:00 - 12:00 Games
  "A Formal Analysis of Syverson's Rational Exchange Protocol", Levente
    Buttyan, Jean-Pierre Hubaux and Srdjan Capkun (EPFL)
  "Game Analysis of Abuse-free Contract Signing", Steve Kremer and
    Jean-François Raskin (Université Libre de Bruxelles)

12:00 - 2:00  Lunch

2:00 - 3:30   Language-based security
  "Fine-grained Information Flow Analysis for a Lambda-Calculus with
    Sum Types", Vincent Simonet (INRIA)
  "Cryptographic Types", Dominic Duggan (Stevens Institute)
  "Secure Information Flow and Pointer Confinement in a Java-like
    Language", Anindya Banerjee (Kansas State University) and David A.
    Naumann (Stevens Institute)

3:30 - 4:00   Break

4:00 - 5:00   Business meeting

WEDNESDAY June 26, 2002

9:00 - 10:30  Distributed Rights, Access Control, and Watermarking
  "A Privacy Policy Model for Enterprises", Guenter Karjoth and
    Matthias Schunter (IBM Zurich)
  "A Logic for Reasoning about Digital Rights", Riccardo Pucella and
    Vicky Weissman (Cornell)
  "Hiding Functions and Computational Security of Image Watermarking
    Systems", Nicholas Tran (Santa Clara)

10:30 - 11:00 Break

11:00 - 12:00 Information flow II
  "Information Flow Security in Dynamic Contexts", Riccardo Focardi and
    Sabina Rossi (University of Venice)
  "A Simple View of Type-Secure Information Flow in the pi-Calculus",
    François Pottier (INRIA)

12:00 - 12:15 Closing remarks. Presentation of Croquet Awards

Lunch

____________________________________________________________________

Trust and Privacy in Digital Business
Aix-en-Provence, France, September 2-6, 2002
www.dexa.org

List of accepted papers

"Electronic Payment in Mobile Environment", Huang Zheng, Chen Ke-Fei,
  ShangHai JiaoTong University, China
"Simplifying PKI usage through a Client-Server Architecture and dynamic
  propagation of constructed certificate paths and repository
  addresses", Brian Hunter, Fraunhofer, Germany
"Efficient identification of traitors in fingerprinted multimedia
  contents", Marcel Fernandez, Miguel Soriano, Universidad Politécnica
  de Cataluña, Spain
"Ubiquitous Internet access control: the PAPI system", Diego R. Lopez,
  Rodrigo Castro, RedIris, Spain
"Evaluation of Certificate Revocation Policies: OCSP vs. Overissued
  CRL", J. L. Muñoz, J. Forné, J. C.
  Castro, Universidad Politécnica de Cataluña, Spain
"STREAMOBILE: Pay-per-View Video Streaming to Mobile Devices Over the
  Internet", Antoni Martinez-Balleste, Josep Domingo-Ferrer,
  Universidad Rovira i Virgili, Spain
"A Decentralized Authorization Mechanism for E-Business Applications",
  Zoltan Miklos, Technical University of Vienna, Austria
"Privacy-enabled Services for Enterprises", Guenter Karjoth, Matthias
  Schunter, Michael Waidner, IBM Research - Zurich Research Laboratory,
  Switzerland
"Private Auctions with Multiple Rounds and Multiple Items", Ahmad-Reza
  Sadeghi, Matthias Schunter, Sandra Steinbrecher, University of
  Saarbruecken, Germany
"Notes on Program-Orientated Access Control", Adrian Spalka, Hanno
  Langweg, University of Bonn, Germany
"Data Privacy, US Common Practices", Ashrafi Noushin, Jean-Pierre
  Kuilboer, University of Massachusetts Boston, USA
"Using a formal technique for protocol idealization: A cautionary
  note", Anish Mathuria, University of Massachusetts Dartmouth, USA
"An Access Control System in the Flexible Organization Management",
  Masahiro Mambo, Eiji Okamoto, Yasushi Sengoku, Takashi Tanaka, Tohoku
  University, Japan
"Role based specification and security analysis of cryptographic
  protocols using asynchronous product automata", Sigrid Gürgens, Peter
  Ochsenschläger and Carsten Rudolph, Fraunhofer, Germany
"An Electronic Payment Scheme Allowing Special Rates for Anonymous
  Regular Customers", Chunfu Tan, Jianying Zhou, Labs for Information
  Technology, Singapore
"Privacy in mobile environment", Silke Holtmanns, Ericsson Eurolab
  Deutschland GmbH, Germany
"Privacy of Trust in Similarity Estimation through Secure
  Computations", Javier Carbo, J.M.
  Molina, Jorge Davila, Universidad Carlos III de Madrid, Spain
"Models of Trust In Business-To-Consumer Electronic Commerce: A
  Review", Vivienne Farrell, Rens Scheepers, Philip Joyce, Swinburne
  University of Technology, Australia

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at
www.ieee-security.org/cfp.html.

The Cipher event Calendar is at
www.cs.utah.edu/flux/cipher/cipher-hypercalendar.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Calendar of Security and Privacy Related Events
maintained by Hilarie Orman

Date (Month/Day/Year), Event, Locations, e-mail for more info.

See also Cipher Calls for Papers file (www.ieee-security.org/cfp.html)
for details on many of these listings. Also worth a look are the ICL
calendar and the IACR site, and several others.
 * 5/24/02: ASIACRYPT '2002, Queenstown, New Zealand; submissions due
   www.sis.uncc.edu/ac02/
 * 5/30/02: WMN, Hsinchu, Taiwan; submissions due
   www.ee.nthu.edu.tw/~PCM2002/
 * 5/31/02: InfraSec 2002, Bristol, UK; submissions are due
   www.infrasec-conf.org
 * 5/31/02: ICCC 2002, Mumbai, India; submissions are due
   iccc2002.ernet.in/
 * 6/ 1/02: 18th ACSAC, Las Vegas, NV; submissions due www.acsac.org
 * 6/ 1/02: WSNA 2002, Atlanta, GA; submissions are due
   wsna02.cs.uga.edu
 * 6/15/02: SCN '02, Amalfi, Italy; submissions due
   www.dia.unisa.it/SCN02/
 * 6/17/02- 6/19/02: NetSec 2002, San Francisco, CA
   www.gocsi.com/netsec/02/
 * 6/24/02- 6/26/02: CSFW-15, Nova Scotia, Canada
   www.csl.sri.com/csfw/csfw15/
   www.cs.utah.edu/flux/cipher/cfps/cfp-CSFW15.html
 * 6/24/02: DIREN, New York, NY comet.columbia.edu/diren
 * 6/24/02- 6/27/02: ICWN '02, Las Vegas
   www.ece.queensu.ca/hpages/faculty/yeh/icwn02.html
 * 6/24/02- 6/27/02: IMCS 2002, Las Vegas, Nevada
   www.ashland.edu/~iajwa/conferences
 * 6/24/02- 6/28/02: 14th FIRST, Hilton Waikoloa Village, Hawaii
   www.first.org/conference/2002/
 * 6/24/02: CARDIS '02, San Jose, CA; submissions are due
   www.usenix.org/events/cardis02/
 * 6/30/02: Special session for SCI 2002, Orlando, Florida
   www.iiis.org/sci2002/
 * 7/ 1/02: HotNets-I, Princeton, NJ; submissions due
   www.acm.org/sigcomm/HotNets-I
 * 7/ 3/02- 7/ 5/02: ACISP '02, Melbourne, Australia
   www.cm.deakin.edu.au/ACISP'02
 * 7/ 3/02- 7/ 5/02: ASWN, Paris, France
   www.professional-communities.com
 * 7/11/02- 7/12/02: STEG '02, Kitakyushu, Japan
   www.know.comp.kyutech.ac.jp/STEG02/
 * 7/14/02- 7/18/02: Special session for SCI 2002, Orlando, Florida
   www.iiis.org/sci2002/
 * 7/14/02- 7/19/02: IETF, Yokohama, Japan www.ietf.org
 * 7/23/02: AMS 2002,
   Edinburgh, UK www.lasr.cs.ucla.edu/AMS_2002
 * 7/26/02: LFM '02, Copenhagen, Denmark; www.cs.cmu.edu/~lfm02/
 * 8/ 5/02- 8/ 9/02: USENIX 11, San Francisco, CA
   www.usenix.org/events/sec02/
 * 8/11/02- 8/14/02: ICCC 2002, Mumbai, India; iccc2002.ernet.in/
 * 8/13/02- 8/15/02: CHES 2002, Redwood City, CA www.chesworkshop.org
 * 8/14/02- 8/16/02: 7th WCW, Boulder, Colorado; 2002.iwcw.org/
 * 8/15/02- 8/16/02: SAC 2002, Newfoundland, Canada
   www.cs.utah.edu/flux/cipher/cfps/cfp-SAC2002.html
 * 8/18/02- 8/22/02: CRYPTO 2002, Santa Barbara, CA
 * 8/19/02- 8/23/02: SIGCOMM '02, Pittsburgh, Pennsylvania
   www.cs.utah.edu/flux/cipher/cfps/cfp-SIGCOMM02.html
 * 8/27/02- 8/30/02: ICON 2002, Singapore; icon2002.calendarone.com
 * 9/ 2/02- 9/ 6/02: Trustbus '02, Aix-en-Provence, France
   www.wi-inf.uni-essen.de/~dexa02ws/
 * 9/ 4/02- 9/ 5/02: Workshop on Trust and Privacy in Digital Business,
   Aix en Provence, France www.wi-inf.uni-essen.de/~dexa02ws/
 * 9/ 5/02- 9/ 7/02: VII Spanish Meeting on Cryptology and Information
   Security, Asturias, Espana enol.etsiig.uniovi.es/viirecsi/
 * 9/ 9/02- 9/12/02: IASTED, Malaga, Spain
   www.cs.utah.edu/flux/cipher/cfps/cfp-IASTED.html
 * 9/10/02- 9/13/02: SAFECOMP 2002, Catania, Italy
   www.dcs.ed.ac.uk/home/safecomp/Download/safecomp2002/
 * 9/12/02- 9/13/02: SCN '02, Amalfi, Italy; www.dia.unisa.it/SCN02/
 * 9/19/02- 9/21/02: SECI 2002, Tunis, Tunisia; www.epita.fr/~seci02/
 * 9/23/02- 9/25/02: ECC 2002, University of Essen, Germany
   www.cacr.math.uwaterloo.ca/conferences/2002/ecc2002/announcement.html
 * 9/23/02- 9/26/02: NSPW 2002, Virginia Beach, VA www.nspw.org
 * 9/23/02- 9/26/02: MobiCom 2002, Atlanta, Georgia
   www.acm.org/sigmobile/mobicom/2002/
 * 9/26/02- 9/27/02: CMS 2002, Portoroz, Slovenia; www.setcce.org/cms2002/
 * 9/28/02: WSNA 2002, Atlanta, GA; wsna02.cs.uga.edu
 * 10/ 1/02-10/ 3/02: InfraSec 2002, Bristol, UK; www.infrasec-conf.org
 * 10/ 7/02-10/ 9/02: IH '02, Noordwijkerhout, The Netherlands
   research.microsoft.com/ih/2002/
 *
   10/14/02-10/16/02: ESORICS 2002, Zurich, Switzerland; www.esorics2002.org/
 * 10/15/02-10/16/02: SREIS 2002, Raleigh, NC; www.sreis.org
 * 10/22/02-10/24/02: FOUNDATIONS '02, Laurel, MD
   www.cs.clemson.edu/~steve/ivandv/ResearchCallv2.pdf
 * 10/23/02-10/25/02: NGC 2002, Boston, Massachusetts
   signl.cs.umass.edu/ngc2002
 * 10/28/02-10/29/02: HotNets-I, Princeton, NJ; www.acm.org/sigcomm/HotNets-I
 * 11/ 4/02-11/ 8/02: QUANTUM, Berkeley, CA
   zeta.msri.org/calendar/workshops/WorkshopInfo/203/show_workshop
 * 11/ 6/02-11/ 8/02: CW 2002, Tokyo, Japan
   wwwcis.k.hosei.ac.jp/CW2002/call_for_pagers.jsp
 * 11/12/02-11/15/02: ISSRE 2002, Annapolis, MD; www.issre2002.org
 * 11/17/02-11/21/02: HSN '2002, Taipei, Taiwan; opnear.utdallas.edu/hsnhome.htm
 * 11/20/02-11/22/02: CARDIS '02, San Jose, CA; www.usenix.org/events/cardis02/
 * 12/ 1/02-12/ 5/02: Asiacrypt 2002, Queenstown, New Zealand
   www.commerce.otago.ac.nz/infosci/asiacrypt/
 * 12/ 1/02-12/ 6/02: ACM-MM 2002, Juan Les Pins, France
   www.acm.org/sigmm/MM2002/index.html
 * 12/ 9/02-12/11/02: OSDI '02, Boston, Massachusetts
   www.usenix.org/events/osdi02/cfp/
 * 12/ 9/02-12/12/02: ICICS '02, Singapore
   www.krdl.org.sg/General/conferences/icics/Homepage.html
 * 12/ 9/02-12/13/02: 18th ACSAC, Las Vegas, Nevada; www.acsac.org
 * 12/15/02-12/18/02: Indocrypt 2002, Hyderabad, India
   www.cs.utah.edu/flux/cipher/cipher-hypercalendar.html
 * 12/16/02-12/18/02: WMN, Hsinchu, Taiwan www.ee.nthu.edu.tw/~PCM2002/

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers
____________________________________________________________________

ACSAC2002
18th Annual Computer Security Applications Conference, Las Vegas,
Nevada, USA, December 9-13, 2002. (submissions due June 1, 2002).
This internationally recognized conference provides a forum for
experts in information system security to exchange practical ideas
about solving these critical problems.
See the conference web page at www.acsac.org for details on submitting
papers and tutorial proposals.

SACT
First ACM Workshop on Scientific Aspects of Cyber Terrorism (in
conjunction with the ACM Conference on Computer and Communication
Security), Washington, DC, USA, November 21, 2002. (submissions due
June 1, 2002). The goal of this workshop is to address scientific
contributions to understanding and fighting cyber terrorism. Examples
of possible topics of interest include: methods to identify the most
critical infrastructures, methods to detect cyber terrorist attacks,
and methods to protect against cyber terrorism (including
survivability, quorum systems, PKI). More information can be found on
the workshop web page at http://www.sait.fsu.edu/sactworkshop/sact.html

HICSS-36
Secure and Survivable Software Systems (Part of the Software Technology
Track), Big Island, Hawaii, USA, January 6-9, 2003. (optional abstracts
due March 31, 2002; full papers due June 1, 2002). The focus of this
minitrack is security and survivability in large, non-trivial software
systems, with an emphasis on the last phases of the four-stage
survivability model consisting of Resistance, Recognition, Recovery,
and Adaptation. Papers on Resistance and Recognition that address the
need or capacity for safety-critical software systems to "fail-safe"
and "fail-secure" are also desired. More information can be found on
the HICSS-36 conference web site at www.hicss.hawaii.edu/ and on the
minitrack web site at www.cs.uidaho.edu/~krings/HICSS36/HICSS36-cfp.htm

SCN'02
The Third Workshop on Security in Communication Networks, Amalfi,
Italy, September 12-13, 2002. (submissions due June 15, 2002). SCN '02
aims at bringing together researchers in the field of security in
communication networks to foster cooperation and exchange of ideas.
More information can be found on the workshop web page at
www.dia.unisa.it/SCN02/.
WISA2002
The 3rd International Workshop on Information Security Applications,
Jeju Island, Korea, August 28-30, 2002. (submissions due June 28,
2002). Please see the conference web page at icns.ewha.ac.kr/wisa2002
for details on submitting papers.

ICICS 2002
Fourth International Conference on Information and Communications
Security, Kent Ridge Digital Labs, Singapore, December 9-12, 2002.
(submissions due July 1, 2002). Original papers on all aspects of
information and communications security are solicited for submission
to ICICS'02. More information can be found on the conference web page
at www.krdl.org.sg/General/conferences/icics/Homepage.html.

LawTech2002
ISLAT International Conference on Law and Technology, Cambridge,
Massachusetts, USA, November 6-8, 2002. (submissions due July 1,
2002). This conference is an international forum for lawyers and
engineers interested in understanding the latest developments and
implications of technology in the field of law. The conference will
address both the legal ramifications of new technology and how
technology advances the field of law. The full call for papers and an
extensive list of topics, including issues related to security and
privacy, can be found on the conference web page at www.islat.org.

SAINT2003
2003 Symposium on Applications and the Internet, Orlando, Florida,
USA, January 27-31, 2003. (submissions due July 1, 2002). THEME: The
Evolving Internet. The Symposium on Applications and the Internet
focuses on emerging and future Internet applications and their
enabling technologies. The symposium provides a forum for researchers
and practitioners from the academic, industrial, and public sectors to
share their latest innovations on Internet technologies and
applications. Information for prospective authors, including paper
format and submission instructions, can be found on the symposium web
page at www.saint2003.org.
NORDSEC2002
7th Nordic Workshop on Secure IT Systems, Karlstad University, Sweden,
November 7-8, 2002. (submissions due August 1, 2002). The NordSec
workshops were started in 1996 with the aim of bringing together
researchers and practitioners within computer security in the Nordic
countries. The theme of the workshops has been applied security, i.e.,
all kinds of security issues that could encourage interchange and
cooperation between the research community and the industrial/consumer
community. A main theme of NordSec 2002, to which a special track
within the workshop will be devoted, is Privacy Enhancing
Technologies. NordSec 2002 will also specifically address the areas of
Software Engineering and Quality of Service in relation to IT
security. More information can be found on the conference web page at
www.cs.kau.se/nordsec2002.

====================================================================
Conferences and Workshops (the call for papers deadline has passed)
====================================================================

NCISSE'2002 www.ncisse.org
The 6th National Colloquium for Information Systems Security
Education, Redmond, Washington, USA, June 3-7, 2002.

POLICY2002 www.policy-workshop.org/2002/
IEEE Third International Workshop on Policies for Distributed Systems
and Networks, June 5-7, 2002.

Workshop on Statistical and Machine Learning Techniques in Computer
Intrusion Detection, The Johns Hopkins University, Baltimore, MD, USA,
June 11-13, 2002.

IAW www.itoc.usma.edu/Workshop/2002
3rd Annual IEEE Information Assurance Workshop, United States Military
Academy, West Point, NY, USA, June 17-19, 2002.

DSN2002 www.dsn.org
The International Conference on Dependable Systems and Networks,
Bethesda, Maryland, USA, June 23-26, 2002.

FIRST www.first.org/
The 14th Annual Computer Security Incident Handling Conference, Hilton
Waikoloa Village, Hawaii, USA, June 24-28, 2002.
InfoSecu02 www.cintec.cuhk.edu.hk/~infosecu02
The International Conference on Information Security 2002, Si Nan
Story, Shanghai Science Hall, Shanghai, China, July 10-13, 2002.

VERIFY'02 www.ags.uni-sb.de/verification-ws/verify02.html
Verification Workshop, in connection with CADE at FLoC 2002,
Copenhagen, Denmark, July 25-26, 2002.

FCS'02 floc02.diku.dk/FCS/
LICS Satellite Workshop on Foundations of Computer Security,
Copenhagen, Denmark, July 26, 2002.

sansone.crema.unimi.it/~ifip113
The Sixteenth Annual IFIP WG 11.3 Working Conference on Data and
Application Security, King's College, University of Cambridge, UK,
July 29-31, 2002.

CSFW15 www.csl.sri.com/programs/security/csfw/csfw15/
15th IEEE Computer Security Foundations Workshop, Keltic Lodge, Cape
Breton, Nova Scotia, Canada, June 24-26, 2002.

USENIX www.usenix.org/events/sec02/cfp/
The 11th USENIX Security Symposium, San Francisco, CA, USA, August
5-9, 2002.

WTCP'2002 www.cs.odu.edu/~wadaa/ICPP02/WTCP/
Workshop on Trusted Computing Paradigms (in conjunction with
ICPP-2002), Vancouver, British Columbia, Canada, August 18-21, 2002.

CRYPTO'2002 www.iacr.org/conferences/crypto2002/
The Twenty-Second Annual IACR Crypto Conference, Santa Barbara, CA,
USA, August 18-22, 2002.

www.wi-inf.uni-essen.de/~dexa02ws/
Trust and Privacy in Digital Business (in conjunction with DEXA 2002),
Aix-en-Provence, France, September 2-6, 2002.

IASTED'2002 www.iasted.org and
www.iasted.org/conferences/2002/spain/submit-371.htm
IASTED Conference on Communication Systems and Networks, Malaga, Spain,
September 9-12, 2002.

ECC2002 www.exp-math.uni-essen.de/~weng/ecc2002.html
The 6th Workshop on Elliptic Curve Cryptography, University of Essen,
Essen, Germany, September 23-25, 2002.

NSPW2002 www.nspw.org
New Security Paradigms Workshop, Virginia Beach, Virginia, USA,
September 23-26, 2002.
CMS2002 www.setcce.org/cms2002/
The Seventh IFIP Communications and Multimedia Security Conference,
Portoroz, Slovenia, September 26-27, 2002.

CNS'02 cs.anu.edu.au/~Chuan.Wu/conference/cns02_cfp.html
2002 International Workshop on Cryptology and Network Security, San
Francisco, CA, USA, September 26-28, 2002.

ESORICS 2002 www.esorics2002.org/
7th European Symposium on Research in Computer Security, Zurich,
Switzerland, October 14-16, 2002.

SREIS2002 www.sreis.org/
Second Symposium on Requirements Engineering for Information Security,
Raleigh, North Carolina, USA, October 15-16, 2002.

RAID'2002 www.raid-symposium.org/raid2002/
Fifth International Symposium on Recent Advances in Intrusion
Detection, Zurich, Switzerland, October 16-18, 2002 (held in
conjunction with ESORICS 2002).

SIGSAC 2002 www.acm.org/sigsac/ccs
9th ACM Conference on Computer and Communication Security, Washington
DC, USA, November 17-21, 2002.

ASIACRYPT 2002 www.sis.uncc.edu/ac02
Queenstown, New Zealand, December 1-5, 2002.

IICIS 2002 www.db.cs.ucdavis.edu/IICIS2002/
Fifth IFIP TC-11 WG 11.5 Working Conference on Integrity and Internal
Control in Information Systems - New Perspectives from Academia and
Industry, Bonn, Germany, November 11-12, 2002.

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at
www.ieee-security.org/Cipher/NewsBriefs.html

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at
www.ieee-security.org/Cipher/BookReviews.html, and conference reports
are archived at www.ieee-security.org/Cipher/ConfReports.html.
____________________________________________________________________
Book Review By Robert Bruen
____________________________________________________________________

Designing Security Architecture Solutions
by Jay Ramachandran
Wiley 2002. Index, Bibliography, Glossary of Acronyms. 452 pages.
ISBN 0-471-20602-4. $49.99

There are still not enough books that cover writing secure code and
designing secure systems. Fortunately, the few that are out there are
generally good quality books. The range of topics for this set of
books is still limited, leaving the door wide open for new, useful
titles. Ramachandran has made a real contribution with this title.

Anyone who reads Bugtraq regularly is painfully aware of the almost
daily barrage of security issues with software. Many of the issues
have been caused by poor coding practices. Naturally, some of the holes
are obscure and the discovery has been clever, but more often than
not, someone was just not paying attention. If you have read "Building
Secure Software" by Viega and McGraw and Anderson's "Security
Engineering", this book would be a good addition to help round out the
overall approach. Code writers need to make sure that they use good
practices for the code, but just as important is the architecture of
whatever it is being built. It is well established that security needs
to be built in from the beginning, because retrofitting usually is
hard and not very successful.

One is never sure whether a poor product of any kind turned out that
way as a result of simply doing a lousy job or because they did not
know how to do a good job. Ramachandran has significantly reduced the
excuse pool for the latter. This is not a cookbook by any means, but
it is thorough in its approach to security architecture. He has
included the required chapter on cryptography, but fortunately, does
not dwell on it. He shows how cryptography fits into the security
architecture without restating the obvious, as many other books have
done.
The author covers both Windows and Unix issues. The scope includes
databases, web applications, CORBA and IPSEC, among other things,
always with a clear introduction to each topic. Unlike many security
books, he has an in-depth business case with analysis. He also has a
sense of humor. While the book is not intended to be a security book,
there are plenty of security concepts presented. The concepts contain
enough detail that, in spite of the intention, the reader will learn
something about security.

The author's approach is one of the book's strengths. Each section is
well organized, with appropriate definitions, along with the
relationship to the planning and design of a secure application. One
generally thinks of architecture as a high level endeavor, but in
order to do it right, one must scrutinize the details. Ramachandran
has done it right.

____________________________________________________________________
Commentary on 10th Australian Institute of Professional Intelligence
Officers (AIPIO), November 2001, Queensland, Australia
by Vernon Stagg
vstagg@deakin.edu.au
March 17, 2002
____________________________________________________________________

The Australian Institute of Professional Intelligence Officers held its
tenth conference in November 2001 at the ANA Hotel on the Gold Coast,
Queensland. The theme of the conference was "e-intelligence: New
challenges and solutions". There was a common theme of cooperation,
integration, sharing, and awareness running throughout the
presentations, with the spectre of the September 11 attacks fresh on
everyone's mind.

Ian Wing, President of AIPIO and Lieutenant Colonel in the Australian
Army, presided over the conference and presented the welcoming
ceremony for delegates. He discussed the role of AIPIO, its inception
in 1990, and its role in the promotion of intelligence professionals
throughout Australia.

DAY ONE

Alfred Rolington, Group Managing Director of Jane's Information Group,
was the keynote speaker for Day One.
He spoke of the problems of information overload, the difference
between analysis and policy, and the growth of technology and
globalisation, particularly as transnational threats move to a
"network function". When producing information, we need to be aware of
customers' expectations, the differences between conspiracy and bias,
and secrecy versus open source. In dealing with open source, we need
to appreciate its many different forms: contextual, factual, opinion,
and bias. In closing, Alfred discussed the restructuring of Jane's
services with a focus on these issues, to produce an enhanced
information product.

Grant Wardlaw, Director of the Australian Bureau of Criminal
Intelligence, led the first plenary session. He spoke of the
importance of reporting incidents, and the possession of unique
technical knowledge within the private sector. There is a growing need
for cooperation and collaboration between intelligence agencies and
the private sector, as well as new approaches to security and
information-related product development. In this new e-environment
there are new concepts of jurisdiction, new/no boundaries, and the end
of the territorial state. He discussed the growing issue of
responsibility and the impact/effect a crime can have on a
nation/state's economy. To enable better cooperation he suggested
starting off with a small element (eg. fraud), establishing a network,
and then expanding from there.

Allan McDonald, Business Development Manager for the Distillery, spoke
next. His focus was an integrated approach to systems and information
gathering and analysis. Citing a Victorian Police case study, he
discussed the shift from early information collection/collation
efforts to stand-alone PC-based intelligent databases to state-wide
integrated investigation systems.
Some of the drivers and enablers for this change are: wider acceptance
and understanding of the benefits of intelligence; cross training of
investigators in intelligence; intelligence professionals becoming
technologically literate; use of data clustering to improve
information stored; the need to increase functionality in
investigation and intelligence systems.

Graeme Clark, Deputy Commandant of the Defence Intelligence Training
Centre (DintTC), discussed developments in defence intelligence
training. He began with a history of defence intelligence training and
education: its stove-piped approach, duplication of efforts, and
general dissatisfaction within the intelligence community. Following
the Baker review of 1990 there was a restructuring and development of
core competencies, career development, training, and education, which
saw the establishment of the DintTC. Competencies were clearly
defined, training philosophies restructured, and a focus on issues
such as: general-to-specific, adult, continuing development,
principles, technology, and analysis. Validation of methods from
reporting to assessment stages has improved all-source fusion, and
increased productivity and multiple skills.

Peter Ford, First Assistant Secretary of the Australian
Attorney-General's Department, looked at unique policy problems
relating to intelligence. Issues include determining whether a problem
is security or privacy related, regulation, and development of public
policy. There is also the need to consider the global nature of
attacks and threats, differentiation of threats, and who is
responsible for protection/prevention. Looking at the National and
Critical Information Infrastructures, he remarked that the strengths
of these systems are their weaknesses. Citing a recent OECD workshop,
he pointed out the need for mechanisms for sharing information on
incidents, threats, and systems failure, the establishment of security
professional networks, and training.
He finished with details of an Australian government and business task force that has been set up to develop measures to protect information systems, and the roles expected of each other.

Alex Gibbs, Wing Commander RAAF, and Fiona Peacock, psychologist at the Department of Defence, led a presentation on Information Operations (IO). They looked at the gradual inclusion of information into military doctrine/strategy, and its close links to intelligence. Referring to the Knowledge Edge concept, they showed that IO is another targeting option, that it is critical if the information is critical, and the importance of the National Information Infrastructure. They pointed out that eWarfare is a means, not an enabler; technology is the enabler and we are still reliant on humans. eIntel is considered a tool, not a solution: it supports overall system survivability, facilitates decision making, and without security efforts we will remain reactive not proactive.

Glenn Phelps, Manager GSK Australia, discussed Competitive Intelligence (CI) and its capabilities. He began by describing what CI is not: market research or vice versa, nor a function of marketing. Everyone is considered a CI practitioner in his or her own right, and tacit knowledge is an asset. He discussed the need for reporting and delivery, and the design of war room scenarios. A model of CI was presented consisting of inputs: media, Internet, rumours; processes: analysis, inputs from internal databases; and output: reports, summaries.

John Geurts, Group Security Head at the Commonwealth Bank, presented a talk on security as a business enabler. He started with a look at the Bank for International Settlements Basel Committee and how, in 1988, they made operational risk part of the capital buffer related to credit risk.
Operational risk was seen as identifying important/strategic elements, such as when a bank deals with the telecommunications sector, making sure that these communication providers also have operational risk procedures (covering elements such as fraud, armed robbery, kidnap, business continuity, etc.). He indicated the main electronic threat faced is not from hackers, but from credit card theft and identity theft. Strategies in place to deal with this include open source information, shared intelligence, advanced rules-based and neural network detection systems, environment scans, and risk assessments with product developers.

Day One finished off with two workshops, one by Steven Longford, Director at The Distillery, on the use of behavioural intelligence as an assessment tool. The other workshop was by Terry-Anne O'Neill, Attorney-General's Department, on developing professional pathways in intelligence.

DAY TWO

The keynote speaker for Day Two was Shane Carmody, Department of Defence. He began by emphasising the need to utilise the e-environment or risk losing the game. There is a need to derive intelligence from various sources using a model of direction, collection, process, and analysis. The emergence of user-empowering technologies represents a new paradigm, not just a shift from mainframe to PC, new WANs, high technology, etc. He indicated how e-intelligence has improved processes, parallel actions, and decision cycles, but cautioned to be aware of what information means and act accordingly.

Richard Lloyd Jones, Principal of Lloyd Jones Consulting, spoke of the impact of globalisation on intelligence activities. The organisational impact was felt across numerous sectors including: commercial (global markets), law enforcement (international crime), security (terrorism), and the military (asymmetric warfare).
Technological challenges include: system flexibility - internationalisation, interoperability, and cooperation; decision enhancement - collection and document volume reduction, pattern recognition, and environmental understanding. He spoke of how new technologies allow for standardisation of data (eg. XML), as well as new means of attaining ends.

Graham Whyte, Australian Tax Office, presented a number of case studies in e-intelligence. The first study related to the FSM Knowledge Exchange website. It is available to various governments and deals with tax laws, rules, etc. and focuses on tax avoidance. The second study dealt with offshore tax promoters and open source issues. The third study looked at high wealth individuals and the creation of a task force to deal with this group. The last case study related to e-intelligence analytical tools used to identify tax schemes through the use of the tax return database.

Lorraine Van der Weide, SAS Institute, discussed the benefits of the SAS Intelligence Layer product. She highlighted the need for organisations to consider their information architecture, understand customers through data mining, and the importance of customer relationship management.

Geoff Rothfield, Senior Analyst, Office of Strategic Crime Assessments, looked at law enforcement implications of new technologies. There is an expected slowdown in technology over the next five years with technology consolidating in its existing form. There will be a shift in the Information and Communications sector in business reengineering, reprioritising of resources, enhanced mobile functionality, and increased data transmission capacity. There will be the emergence of new technologies such as biotechnology and nanotechnology. There will also be the integration of technology to address risks and maximise benefits in law enforcement agencies.

Jeff Penrose, Australian Federal Police, discussed the AFP's intelligence processes.
He highlighted the aspects of a new criminal environment and their use of intelligence, global alliances, and new technologies. The AFP is being intelligence led with four objectives: identify and develop high value criminal targets; determine and formulate operational priorities and strategies; support corporate policy and planning processes; and provide assistance to Government and law enforcement partners.

Jonathan Mobbs, CEO Crimtrac Agency, presented an overview of his agency, and the electronic law enforcement technologies in use there.

Steven James, CEO ITAC Security, gave an entertaining presentation on hacker intelligence. He looked at the hacker culture and the rise through the ranks from lamer to elite. Following a review of various hacker groups, people, and exploits he presented a hack attack framework. This framework consisted of a number of steps:
1. Select target.
2. Identify information, components, and active ports.
3. Cross-reference and run exploits.
4. Compromise.
5. Extend levels of access, leave backdoor/s, and manipulate audit trails.
He went on to point out that business needs must drive security agendas, and that security should enable not hinder.

Steve Tregarthen, Senior Manager KPMG, discussed the issue of Corporate Intelligence, which he defined as "the collection and analysis of public information that has strategic value". Corporations need to be aware of who they are dealing with, and the associated risks and threats (not just in the traditional way either, eg. is Company X harmful to the environment?). He went on to list a number of open source channels available for finding information about individuals, including global newspaper databases, credit background checks, criminal records, personal assets, and company and directorship information. He also detailed the necessity of understanding the different ways and means for obtaining information in different countries.
One of the workshops for Day Two was held by Jason Brown, Director General of Safety, Compensation and People Development, and focused on a "Code of Ethics" for the intelligence profession. Brett Peppler, Intelligent Futures, held the other workshop, dealing with knowledge mapping.

____________________________________________________________________

Review of the 2nd Australian IW and CS Conference
November 29-30, 2001, Perth, Australia
by Vernon Stagg
vstagg@deakin.edu.au
March 17, 2002

____________________________________________________________________

Pre-Conference Seminar

Prior to the official conference, the Centre for Information Warfare held a two-day hacking seminar (Hacking 101 and Hacking 102) hosted by Tim Rosenberg of Whitewolf Consulting. Tim provided an entertaining two days, with a mixture of technical and high-level information, along with a number of hands-on exercises. He presented slides concerned with legal, managerial, criminal, physical, national, and international issues. Some of the exercises included sniffing the network, email bombing each other (a popular event!), and capturing network traffic. All the tools used were publicly available hacker tools, and showed many of the attendees the ease with which many hack attacks can be carried out.

2nd Australian IW Conference

The 2nd Australian Information Warfare and Security Conference took place in Perth, Western Australia at the Hotel Rendezvous Observation during November 29-30, 2001. The theme for the conference was "Survival in the e-conomy" and attracted a broad range of speakers, attendees, and participants. The 2nd AIW conference opened with an introduction by Bill Hutchinson, followed by a keynote presentation from Paul Schapper, Director General of the Department of Industry and Technology, WA. Paul discussed issues of risk, poor security controls, and the high cost of cyber crime ($3 trillion worldwide).
He discussed a number of initiatives for dealing with these issues, including the C4IW Centre, GovSecure services, and the role of government in developing, strengthening, and maintaining security within Western Australia.

DAY ONE

Winn Schwartau, well known IW proponent and maintainer of infowar.com, began the next address by warning us to consider all unknown attacks. He pointed out that governments think they know what IW is, base their doctrine on Information Operations (IO), and assume a known and expected enemy along with a fortress mentality. Winn then went on to raise a number of important questions relating to IW:
- What factors determine IW?
- Is an attack an attack?
- Where is IW on the conflict spectrum?
- What is an appropriate response?
- Is IW escalatory?
- Global issues of borders, international attacks and empowerment
- Battle damage assessment issues
- Homeland defence
- Rights of the private sector in active defence
- Is Infowar War?

Following these addresses, a number of parallel sessions were held. Summaries are provided where possible.

Ian Martinus, Edith Cowan University (ECU), presented "Small Business in the New Battlefield: Government Attempts at Providing a Secure Environment".

Timo Vuori, Murdoch University, presented "Virus Infection: The People Problem".

Greg Robins, ECU, presented "e-Government, Information Warfare and Risk Management: An Australian Case Study". Greg outlined five objectives of the WA Government's security management: Authorisation, Availability, Confidentiality, Integrity, and Non-repudiation. These are based on three levels of control. Level 1 is basic in-house information security practices, Level 2 is protection of information systems, and Level 3 is transmission protection. A security controls matrix was developed to outline these controls with appropriate descriptions and implementation methods.
Greg then followed on with a case study of the Department of Sport and Recreation's security restructuring according to this matrix.

Mark Williams, ECU, presented "The Need for In-depth Cyber Defence Programmes in Business Information Warfare Environments".

John Fawcett, University of Cambridge, presented "On Wireless Network Security".

Nick Lethbridge, ECU, presented "Impact of Information Warfare on Business Continuity Planning".

Tyrone Busuttil, Deakin University (DU), presented "Intelligent Agents and Their Information Warfare Applications".

John Fawcett presented "The Autonomous Locksmith".

Craig Valli, ECU, "Automaton Hackers - The New Breed". Craig's presentation was based on a scenario to detect a company's network vulnerabilities and the efforts required to reduce or remove them. The first step was to construct a Target Identification diagram, which showed two primary systems for attack. Following construction of an attack tree, a number of attacks were developed using information and tools available from the Internet. Port scanners and sniffer daemons were used to find open ports and various IP addresses. From a series of attacks (internal and external) it was found there was no POP3 or SMTP encryption, many passwords were common dictionary words, and an administration password was obtained. Following this effort a number of recommendations have been implemented to provide, or strengthen existing, security measures.

Christopher Lueg, University of Technology, "Towards a Framework for Analyzing Information-level Online Activities".

Shu Wenhui, Nanyang Technological University, "In-depth Analysis on Web Server Behavior".

Dragan Velichkovich, ECU, "Using the Techniques of Internet Advertising for a Perception Offensive in Information Warfare". Dragan proposed how the Internet could be used as a medium for Offensive IW. He compared broadcast (one-to-many) to narrowcast (one-to-one and interactive) and issues of privacy and customer profiling.
Discussing Perception Management (PM), he compared the military's use of broadcast (radio, print, TV) to some methods used by traditional advertising agencies. Dragan identified that PM as a methodology in IW is not fully utilised or effectively instigated, especially with new technologies emerging.

Lars Nicander, Director of the National Office of IO/CIP Studies at the Swedish National Defence College, presented "Information Operations - A Swedish View". Lars discussed the Swedish initiative for Critical Infrastructure Protection. He discussed the taxonomy developed using a top-down approach, and numerous issues faced including policy development, organisational structure, protection, structure and responsibility. Also addressed was the forthcoming implementation of issues raised in a 1999 Swedish Report and White Paper on defence.

Charles McCathieNevile, World Wide Web Consortium, "An Intelligent Agent-based Security Management Architecture for Enterprise Networks". Charles presented an agent-based approach to security and detection. He looked at networks and their increased complexity and features. The need for new solutions to deal with dynamic networks and systems and their evolving security needs was identified. Required characteristics for such solutions include distribution of activity, autonomy, and communication and cooperation. This can be provided through the development of a multi-agent system for security management with high-level policies to determine actions and events.

Terence Love, ECU, "Designing Information Security in Small Businesses: A Qualitative & Quantitative Case Study".

Peter Goldschmidt, University of Western Australia, "Dataveillance and Compliance Verification. Knowledge Management of the True and False Positives".

Wei-Chi Ku, Fu Jen Catholic University, "ID-Based Key Distribution Protocols for Mail Systems".
Wei-Chi began by reviewing existing key distribution protocols and the dispatch process for secret keys, either centralised or distributed. An ID-based system does not require public key certificates and may be interactive or non-interactive. Security issues with existing protocols were outlined, and it was then shown how the proposed protocol addresses these issues, through a construction whose compromise would be equivalent to solving the discrete logarithm problem.

Lorraine O'Neill Cooper, ECU, "Weaving the Tangled Web - Deception on the Internet, A Travellers Tale?" Lorraine's presentation focused on IW in the travel industry. Based on a preliminary study she developed 3 classification levels: Camouflage attack (perception management), Showing the False (false information, photographs, dishonesty), and Suspect a Scam (online criminals). She stressed the distinction between deception and perception and also pointed out the lack of laws on copyright.

The closing session for this day was Winn Schwartau's discussion on Time Based Security. Winn discussed the shift from unidirectional to bidirectional security issues and the cold war mentality of security models (fortress). Some of the modern needs for security include: simplicity, offering utility, being methodological, quantitative, replicable, and mathematical/provable.

DAY TWO

Kim Forrest of ISA Technologies opened the second day discussing the role of ISA and its links with industry and academia. Kim described ISA's development of the Communications Technology Centre in 1998 and the recent Centre for Information Warfare in 2001.

Helen Armstrong, Curtin University, "Denial of Service and Protection of Critical Infrastructure".

Vernon Stagg, DU, "A Business Information Infrastructure". My presentation was based on a model of the National Information Infrastructure for providing IW defense.

Shermin Voshmgir, Vienna University, "Hackers: Criminals or the Drivers of Open-source?".
Craig Valli, ECU, "NIDH - Network Intrusion Detection Hierarchy - A Model for Gathering". The NIDH is a defence mechanism to allow rapid exchange of attack intelligence. It is able to gather attack intelligence from a variety of dispersed hosts, and from information stored in RAM as well as on hard storage. PKI is used to increase the authenticity and integrity of packets.

Jill Slay, University of South Australia, "Culture and Sensemaking in Information Warfare".

Senthilkumar Krishnaswamy, Arizona State University, "Stateful Intrusion Detection System".

Steve Fall, ECU, "The Role of Security Standards in Electronic Business". Steve looked at the diversity of security products and the need to extend security to all business areas as well as incorporating security awareness into a company's policy and procedures. He compared ISO17799 and the Common Criteria to TOGAF (a methodology and supporting tools for defining open IT architecture).

David Maguire, ECU, "Desktop Warfare in the Data Gridlocked Information age". This discussion looked at the growth of available information, the democratisation of data, and information overload. David pointed out how this overload of information creates a strategic advantage for competitors, especially with reduced time for decision making. In the security sector, agencies are trying to cope with too much information, too many targets, and technology that is too sophisticated.

During the lunchtime break Winn Schwartau regaled us with his "General Abdication Rule". This looks at how control has been lost and the need to determine who is in charge. In looking at solutions to this, Winn proposes a return to the '2 man rule' along with Time-based security.

Jack Davey, Assistant Director Defence Security Authority, presented an afternoon keynote address on "IW: Another Asymmetric Threat". Jack began by outlining the roles of a number of Australian Defence Departments.
He then looked at the ability to handle an incident when it occurs, the issue of operational decisions, how to train IW defenders, and the issues of threat assessments. He discussed problems with traditional measures, considered current trends, and outlined points for required thinking.

Matt Warren, DU, presented on behalf of Steven Furnell, University of Plymouth, "The Problem of Categorising Cybercrime and Cybercriminals". He looked at the increasing problem of cybercrime and how the nature of this activity has changed. By considering a variety of categories of computer crime, Steven has developed a taxonomy to help define cybercrime and develop a standardised set of names and definitions.

Colin Armstrong, ECU, "Security Culture as a Defence Against Information Warfare".

Vernon Stagg and Tyrone Busuttil, DU, held a workshop, "The Implication and Impacts of Information Warfare in a Commercial Environment".

Matt Warren, DU, "A Duality Security Risk Analysis Method for E-commerce".

The final session of the conference was an entertaining workshop held by Winn Schwartau based on his popular "Cyber Survivor Game".

____________________________________________________________________

NewsBits
Announcements and correspondence from readers

____________________________________________________________________

Correspondence from Dr. Annie Anton, Department of Computer Science, North Carolina State University:

Researchers at ThePrivacyPlace.Org are conducting an online survey about privacy values. The survey is supported by an NSF ITR grant (National Science Foundation Information Technology Research) and will help us establish an Internet privacy values baseline for correlation with our privacy goal taxonomy to aid policy makers as well as software developers. The URL is: www.theprivacyplace.org/privacySurvey/surveyPage1.php

We would be most appreciative if you would consider helping us get the word out about the survey, which takes about 5 minutes to complete.
The results will be made available this summer via our project website (http://theprivacyplace.org).

____________________________________________________________________

March 8, 2002

The National Security Agency (NSA) announces the designation of new Centers of Academic Excellence in Information Assurance Education

The NSA designated the following universities as Centers of Academic Excellence in Information Assurance Education for academic years 2002 through 2005. They join the list of twenty-three universities across the country to be awarded this distinction:

Air Force Institute of Technology (OH)
George Washington University (DC)
Indiana University of Pennsylvania (PA)
New Mexico Tech (NM)
North Carolina State University (NC)
Northeastern University (MA)
Polytechnic University (NY)
State University of New York, Buffalo (NY)
State University of New York, Stony Brook (NY)
Towson University (MD)
University of Maryland, University College (MD)
University of Nebraska, Omaha (NE)
University of Texas, San Antonio (TX)

The program is intended to reduce vulnerabilities in the national information infrastructure by promoting higher education in information assurance and producing a growing number of professionals with information assurance expertise in various disciplines. Additional information about the program may be found at www.nsa.gov/isso/programs/coeiae/index.htm

Formal presentations will be made to the universities by the Information Assurance Director, National Security Agency on 4 June 2002, during the annual conference of the National Colloquium for Information Systems Security Education. The conference will be hosted by Microsoft in Redmond, Washington. Additional information on the Colloquium and the annual conference may be found at www.ncisse.org.
Universities designated as Centers are eligible to apply for scholarships and grants through both the National Science Foundation SFS program (www.ehr.nsf.gov/due/programs/sfs) and the Department of Defense (www.C3i.osd.mil/iasp) Information Assurance Scholarship Programs.

Information assurance education plays a critical role in protecting the national information infrastructure. The Centers are key to having security solutions keep pace with evolving technology now and into the future. The Centers also provide great geographic dispersion of information assurance education across the country, building expertise where the national information infrastructures reside.

____________________________________________________________________

Correspondence from Riccardo Focardi, Dipartimento di Informatica, Universita Ca' Foscari di Venezia:

THIRD INTERNATIONAL SCHOOL ON FOUNDATIONS OF SECURITY ANALYSIS AND DESIGN (FOSAD 2002)
www.cs.unibo.it/fosad
Application Deadline: June 20, 2002
23-27 September 2002, Bertinoro, Italy

Security in computer systems and networks is emerging as one of the most challenging research areas for the future. The main aim of the school is to offer a good spectrum of current research in foundations of security, ranging from programming languages to analysis of protocols, that can be of help for graduate students and young researchers from academia or industry who intend to approach the field.

The school covers one week (from Monday 23 to Friday 27, September 2002) and alternates monographic courses of about 4/6 hours and short courses of 2 hours. The school offers six main courses, each composed of 2/3 seminars, each seminar of 2 hours. In alphabetic order, the lecturers of the six main courses are the following:

- Carlo Blundo and Stelvio Cimato (Univ. of Salerno)
  Cryptographic Protocols for Internet Services
- Michele Bugliesi (Univ. of Venice) and Giuseppe Castagna (ENS, Paris)
  Security by Typing in Systems of Mobile Agents
- Matthew Hennessy (University of Sussex)
  Types for Resource Access Control and Information Flow
- Jonathan K. Millen (SRI International)
  Constraint Solving for Security Protocol Analysis
- David Sands (Chalmers University)
  Semantic Models of Secure Information Flow in Programs
- Steve Schneider (Royal Holloway, University of London)
  Verifying Security Protocols with Rank Functions

Further short courses will be given by:

- Alessandro Aldini (University of Bologna)
  Non-interference Properties for Probabilistic Processes
- Vladimiro Sassone (University of Sussex)
  Capacity-Bounded Computational Ambients

In order to be really effective, at most 45 participants will be admitted to the lectures. Prospective participants should send an application to the address below, together with a recommendation letter, by June 20, 2002. Notification of accepted applicants will be posted by July 5, 2002. Registration for the school is due by July 31, 2002. More detailed information on courses will soon be available at URL www.CS.UniBO.it/fosad/. Requests for information on the school and applications should be addressed to fosad@dsi.unive.it, while information on organisation (address, how to reach us, etc...) can be requested by e-mail to cbert@sun1.spfo.unibo.it

____________________________________________________________________

Colleges make cybersecurity pledge

In a "Federal Computer Week" article by Megan Lisagor (April 19, 2002, www.fcw.com/fcw/articles/2002/0415/web-cyber-04-19-02.asp), universities are encouraged to help secure cyberspace.

"Colleges and universities have always played a major role in defending our country and keeping our economy healthy," said Richard Clarke, President Bush's cyberspace security adviser, speaking April 18 at a conference on policy affecting information technology in higher education. "So it's not just about protecting research going on at your [university]. It's about protecting your country."

The framework the organizations endorsed will serve as a basis for coordinating cybersecurity activities at the campus and national levels. It calls for:
* Making IT security a higher and more visible priority in higher education.
* Doing a better job with existing security tools, including revising institutional policies.
* Developing improved security for future research and education networks.
* Raising the level of security collaboration among higher education, industry and government.
* Integrating higher education work on security into the broader national effort to strengthen critical infrastructure.
Clarke further asked colleges and universities to develop their own strategies to defend "their bit of cyberspace" as the Bush administration works out a national plan. The framework provides a foundation for those strategies.

The complete article is at www.fcw.com/fcw/articles/2002/0415/web-cyber-04-19-02.asp

____________________________________________________________________

There has been a growing concern among some IEEE members about the linkage between the IEEE copyright form and the Digital Millennium Copyright Act (DMCA). IEEE no longer requires authors who write for its journals to sign a form promising to abide by the DMCA. See the story in the Chronicle of Higher Education (April 18, 2002) by Dan Carnevale at chronicle.com/free/2002/04/2002041802t.htm.

____________________________________________________________________

News Bits contains correspondence, interesting links, non-commercial announcements and other snippets of information the editor thought that Cipher readers might find interesting.
====================================================================
Reader's Guide to Current Technical Literature in Security and Privacy, by Anish Mathuria
====================================================================

The Reader's Guide from past issues of Cipher is archived at www.ieee-security.org/Cipher/ReadersGuide.html

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

http://cisr.nps.navy.mil/pages/employment/cipher_employ.htm

CASE Center, Syracuse University, Syracuse, NY
Visiting SUPRA faculty position
www.ecs.syr.edu/dept/eecs/positions/supria.html

Max-Planck Institute for Computer Science, Saarbruecken, Germany
Postdoc/Research associate position
Areas of particular interest: static program analysis, verification, security, cryptographic protocols, critical software.
Applications begin immediately.
www.mpi-sb.mpg.de/units/nwg1/offers/positions.html

School of Information Sciences and Technology, Penn State, University Park, PA
Full-Time Faculty Positions: Security and Privacy Perspectives
ist.psu.edu/jobposts/index2.cfm?pageID=30

Department of Computer Science, James Madison University, Harrisonburg, VA
Tenure-track faculty position
The James Madison University Department of Computer Science is seeking applications from faculty who specialize in Information Security or closely related areas.
www.cs.jmu.edu/faculty_openings.htm

Vrije Universiteit Amsterdam, The Netherlands
Postdoc/Assistant Professor
Internet security. Position is available immediately.
www.cs.vu.nl/~ast/jobs

Department of Information and Software Engineering, George Mason University, Fairfax, VA
1 Tenure-track, 1 visiting position
Positions are in security. Areas of particular interest: Computer security, networking, data mining and software engineering.
Search will continue until positions are filled.
ise.gmu.edu/hire/

Department of Computer Science, Purdue University, West Lafayette, IN
Emphasis on Assistant Professor Positions, but more senior applicants will be considered.
Areas of particular interest: Computer security, and INFOSEC.
Positions beginning August 2000.
www.cs.purdue.edu/announce/faculty2001.html

Department of Computer Science, Rensselaer Polytechnic Institute, Troy, NY
Tenure Track, Teaching, and Visiting Positions
Areas of particular interest: Computer security, networking, parallel and distributed computing and theory.
Positions beginning Fall 2000.
www.cs.rpi.edu/faculty-opening.html

Swiss Federal Institute of Technology Lausanne (EPFL), Switzerland/Eurecom/Telecom Paris
General Director
Areas of particular interest: Education and research in telecommunications.
Applications begin immediately.
admwww.epfl.ch/pres/dir_eurecom.html

Department of Computer Science, Florida State University, Tallahassee, FL
Tenure-track positions at all ranks, several positions available. Available (1/00)
Areas of particular interest: Trusted Systems, security, cryptography, software engineering, provability and verification, real-time and safety-critical systems, system software, databases, fault tolerance, and computational/simulation-based design.
www.cs.fsu.edu/positions/

--------------
This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Interesting Links and Reports Available via FTP and WWW
====================================================================

"Reports Available" links from previous issues of Cipher are archived at www.ieee-security.org/Cipher/NewReports.html and www.ieee-security.org/Cipher/InterestingLinks.html

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options:
1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher@issl.iastate.edu (which is NOT automated) with subject line "subscribe".
2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing, send e-mail to cipher@issl.iastate.edu (which is NOT automated) with subject line "subscribe postcard".

To remove yourself from the subscription list, send e-mail to cipher@issl.iastate.edu with subject line "unsubscribe".

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher@issl.iastate.edu are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended.
For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one-paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.

____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at www.ieee-security.org/Cipher/AddressChanges.html

______________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
______________________________________________________________________

You do NOT have to join either IEEE or the IEEE Computer Society to join the TC, and there is no cost to join the TC. All you need to do is fill out an application form and mail or fax it to the IEEE Computer Society. A copy of the form is included below (to simplify things, only the TC on Security and Privacy is included, and is marked for you). Members of the IEEE Computer Society may join the TC via an https link. The full and complete form is available on the IEEE Computer Society's Web Server by following the application form hyperlink at the URL: computer.org/tcsignup/

IF YOU USE THE FORM BELOW, PLEASE NOTE THAT IT IS TO BE RETURNED (BY MAIL OR FAX) TO THE IEEE COMPUTER SOCIETY, >>NOT<< TO CIPHER.

---------
IEEE Computer Society Technical Committee Membership Application
-----------------------------------------------------------
Please print clearly or type.
-----------------------------------------------------------
Last Name                First Name               Middle Initial
___________________________________________________________
Company/Organization
___________________________________________________________
Office Street Address (Please use street addresses over P.O.)
___________________________________________________________
City                                          State
___________________________________________________________
Country                                       Postal Code
___________________________________________________________
Office Phone                                  Fax
___________________________________________________________
Email Address (Internet accessible)
___________________________________________________________
Home Address (optional)
___________________________________________________________
Home Phone
___________________________________________________________

[ ] I am a member of the Computer Society
    IMPORTANT: IEEE Member/Affiliate/Computer Society Number: ____________________
[ ] I am not a member of the Computer Society*

Please Note: In some TCs only current Computer Society members are eligible to receive Technical Committee newsletters.

Please select up to four Technical Committees/Technical Councils of interest.

TECHNICAL COMMITTEES
[ X ] T27 Security and Privacy

Please Return Form To:
IEEE Computer Society
1730 Massachusetts Ave, NW
Washington, DC 20036-1992
Phone: (202) 371-0101
FAX: (202) 728-9614

_____________________________________________________________
TC Publications for Sale
_____________________________________________________________

Proceedings of the IEEE CS Symposium on Security and Privacy

The Technical Committee on Security and Privacy has copies of its publications available for sale directly to you. You may pay for Proceedings by credit card or check.
Proceedings of the IEEE Symposium on Security and Privacy

  Year(s)     Format     Price
  2001        Hardcopy   $25.00*
  2000        Hardcopy   $15.00*
  1999        Hardcopy   SOLD OUT
  1998        Hardcopy   $10.00*
  2000-2001   CD-ROM     $25.00*

  * Plus shipping charges

Payment by Check: Please specify the items and quantities that you wish to receive, your shipping address, and the method of shipping (for overseas orders). Mail your order request and a check, payable to the 2002 IEEE Symposium on Security and Privacy, to:

  Terry L. Hall
  Treasurer, IEEE Security and Privacy
  14522 Gravelle Lane
  Florissant, MO 63034
  U S A

Please include the appropriate amount to cover shipping charges as noted in the table below.

  Domestic shipping:      $4.00 per order for 3 volumes or fewer
  Overseas surface mail:  $6.00 per order for 3 volumes or fewer
  Overseas air mail:      $12 per volume

Credit Card Orders: For a limited time, the TC on Security and Privacy can charge orders to your credit card. Send your order by mail to the address above or send email to terry.l.hall2@boeing.com specifying the items and quantities that you wish to receive, your shipping address, and method of shipping (surface or air for overseas orders), along with
  * the name of the cardholder,
  * credit card number, and
  * the expiration date.
Exact shipping charges will be charged to your credit card and included in your receipt. Shipping charges may be approximated from the table above.

IEEE CS Press: You may also order some back issues from IEEE CS Press at www.computer.org/cspress/catalog/proc9.htm.

Proceedings of the IEEE CS Computer Security Foundations Workshop

The most recent Computer Security Foundations Workshop (CSFW14) took place June 2001 in Cape Breton, Nova Scotia. Topics included formal specification of security protocols, protocol engineering, distributed systems, information flow, and security policies. Copies of the proceedings are available from the publications chair for $25 each.
Copies of earlier proceedings starting with year 3 (1990) are available at $10. Photocopy versions of year 1 are also $10. Checks payable to Joshua Guttman for CSFW may be sent to:

  Joshua Guttman, MS S119
  The MITRE Corporation
  202 Burlington Rd.
  Bedford, MA 01730-1420 USA
  guttman@mitre.org

________________________________________________________________________
TC Officer Roster
________________________________________________________________________

Chair:
  Mike Reiter
  Carnegie Mellon University
  ECE Department
  Hamerschlag Hall, Room D208
  Pittsburgh, PA 15213 USA
  (412) 268-1318 (voice)
  reiter@cmu.edu

Past Chair:
  Thomas A. Berson
  Anagram Laboratories
  P.O. Box 791
  Palo Alto, CA 94301
  (650) 324-0100 (voice)
  berson@anagram.com

Vice Chair and S&P 2002 chair:
  Heather Hinton
  IBM Software Group - Tivoli
  11400 Burnett Road
  Austin, TX 78758
  (512) 436-1538 (voice)
  hhinton@us.ibm.com

Chair, Subcommittee on Academic Affairs:
  Cynthia Irvine
  U.S. Naval Postgraduate School
  Computer Science Department
  Code CS/IC
  Monterey, CA 93943-5118
  (408) 656-2461 (voice)
  irvine@cs.nps.navy.mil

Chair, Subcommittee on Standards:
  David Aucsmith
  Intel Corporation
  EL233 JF2-74
  2111 N.E. 25th Ave
  Hillsboro, OR 97124
  (503) 264-5562 (voice)
  (503) 264-6225 (fax)
  awk@ibeam.intel.com

Chair, Subcommittee on Security Conferences:
  Jonathan Millen
  SRI International
  Computer Science Laboratory
  333 Ravenswood Ave.
  Menlo Park, CA 94025
  (650) 859-2358 (voice)
  (650) 859-2844 (fax)
  millen@csl.sri.com

Newsletter Editor:
  Jim Davis
  Department of Electrical and Computer Engineering
  2413 Coover Hall
  Iowa State University
  Ames, Iowa 50011
  (515) 294-0659 (voice)
  davis@iastate.edu

BACK ISSUES: Cipher is archived at: www.ieee-security.org/cipher.html

========end of Electronic Cipher Issue #48, May 20, 2002===========