Subject: Electronic CIPHER, Issue 49, July 18, 2002

====================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 49                                    July 18, 2002

Jim Davis, Editor
Hilarie Orman, Assoc. Editor
Bob Bruen, Book Review Editor
Anish Mathuria, Reader's Guide
====================================================================
http://www.ieee-security.org/cipher.html

Contents:

* Letter from the Editor

* Conference and Workshop Announcements
  o Upcoming calls-for-papers and events
    13 new calls added since Cipher E48:
    - Workshop on Computer Forensics (abstracts due 7/31/02)
      www.csds.uidaho.edu/workshop/forensics
    - ACM Workshop on Digital-Rights Management (submissions due 8/1/02)
      crypto.stanford.edu/DRM2002/
    - First ACM Workshop on Scientific Aspects of Cyber Terrorism
      (submissions due 8/1/02) www.sait.fsu.edu/sactworkshop/sact.html
    - The Sixth International Workshop on Practice and Theory in Public
      Key Cryptography (submissions due 8/9/02) www.sait.fsu.edu/pkc2003
    - IASTED International Conference on Communications and Computer
      Networks (submissions due 8/15/02)
      www.iasted.org/conferences/2002/cambridge/ccn.htm
    - Workshop on Socially-Informed Design of Privacy-enhancing Solutions
      in Ubiquitous Computing (submissions due 8/18/02)
      guir.berkeley.edu/privacyworkshop2002
    - ACM Workshop on Privacy in the Electronic Society
      (submissions due 8/23/02) seclab.dti.unimi.it/~wpes
    - 10th Annual Network and Distributed System Security Symposium
      (submissions due 8/30/02)
      www.isoc.org/isoc/conferences/ndss/03/index.shtml
    - International Conference on Information Technology: Coding and
      Computing (submissions due 10/14/02)
      www.cs.clemson.edu/~srimani/itcc2003/cfp.html
    - British Computer Society Formal Aspects of Security
      (submissions due 10/21/02) www.bcs-facs.org/
    - First International Conference on Security in Pervasive Computing
      (submissions due 10/31/02) www.dfki.de/SPC2003
    - The Twelfth International World Wide Web Conference, Security &
      Privacy Track (submissions due 11/15/02) www.www2003.org/
    - Workshop on Privacy Enhancing Technologies
      (submissions due 12/2/02) www.petworkshop.org/

* Commentary and Opinion
  o Robert Bruen's review of "Counter Hack. A Step-by-Step Guide to
    Computer Attacks and Effective Defenses" by Ed Skoudis
  o Robert Bruen's review of "Have You Locked the Castle Gate? Home and
    Small Business Security" by Brian Shea
  o NewsBits: Announcements and correspondence from readers
  o Book reviews from past Cipher issues
  o Conference Reports and Commentary from past Cipher issues
  o News items from past Cipher issues

* Reader's guide to recent security and privacy literature, by Anish
  Mathuria (new entries March 15, 2002)

* List of Computer Security Academic Positions, by Cynthia Irvine

* Staying in Touch
  o Information for subscribers and contributors
  o Recent address changes

* Interesting Links and New reports available via FTP and WWW

* Links for the IEEE Computer Society TC on Security and Privacy
  o Becoming a member of the TC
  o TC Officers
  o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

We are pleased to bring you another issue of Cipher! In it you will
find book reviews by Robert Bruen and links to several new calls for
papers.
I'd like to call your attention to the NewsBits column, where Carl
Landwehr proposes a project to develop a timeline marked with important
events and work in computer security. You will also find the
announcement for the new IEEE Security and Privacy magazine!

As always, we are looking for volunteers to write conference and
workshop summaries. Please consider contributing; if you are on a
conference program committee, we would appreciate help in locating
volunteers. Many thanks to our colleagues who contributed to this issue!

Best regards,
Jim Davis
davis@iastate.edu

====================================================================
Conference and Workshop Announcements
====================================================================

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at
www.ieee-security.org/cfp.html. The Cipher event Calendar is at
www.cs.utah.edu/flux/cipher/cipher-hypercalendar.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Calendar of Security and Privacy Related Events maintained by Hilarie
Orman. Date (Month/Day/Year), Event, Location, e-mail for more info.
See also the Cipher Calls for Papers file
(www.ieee-security.org/cfp.html) for details on many of these listings.
Also worth a look are the ICL calendar, the IACR site, and several
others. An asterisk [*] points from the submission date entry to the
conference date entry.

* 7/23/02: AMS 2002, Edinburgh, UK; www.lasr.cs.ucla.edu/AMS_2002
* 7/26/02: LFM '02, Copenhagen, Denmark; www.cs.cmu.edu/~lfm02/
--------------
* 8/ 5/02- 8/ 9/02: USENIX 11, San Francisco, CA;
  www.usenix.org/events/sec02/
* 8/11/02- 8/14/02: ICCC 2002, Mumbai, India; iccc2002.ernet.in/
* 8/13/02- 8/15/02: CHES 2002, Redwood City, CA; www.chesworkshop.org
* 8/14/02- 8/16/02: 7th WCW, Boulder, Colorado; 2002.iwcw.org/
* 8/15/02- 8/16/02: SAC 2002, Newfoundland, Canada;
  www.cs.utah.edu/flux/cipher/cfps/cfp-SAC2002.html
* 8/18/02- 8/22/02: CRYPTO 2002, Santa Barbara, CA
* 8/19/02- 8/23/02: SIGCOMM '02, Pittsburgh, Pennsylvania;
  www.cs.utah.edu/flux/cipher/cfps/cfp-SIGCOMM02.html
* 8/27/02- 8/30/02: ICON 2002, Singapore; icon2002.calendarone.com
--------------
* 9/ 2/02- 9/ 6/02: Trustbus '02, Aix-en-Provence, France;
  www.wi-inf.uni-essen.de/~dexa02ws/
* 9/ 4/02- 9/ 5/02: Workshop on Trust and Privacy in Digital Business,
  Aix-en-Provence, France; www.wi-inf.uni-essen.de/~dexa02ws/
* 9/ 5/02- 9/ 7/02: VII Spanish Meeting on Cryptology and Information
  Security, Asturias, Spain; enol.etsiig.uniovi.es/viirecsi/
* 9/ 9/02- 9/12/02: IASTED, Malaga, Spain;
  www.cs.utah.edu/flux/cipher/cfps/cfp-IASTED.html
* 9/10/02- 9/13/02: SAFECOMP 2002, Catania, Italy;
  www.dcs.ed.ac.uk/home/safecomp/Download/safecomp2002/
* 9/12/02- 9/13/02: SCN '02, Amalfi, Italy; www.dia.unisa.it/SCN02/
* 9/19/02- 9/21/02: SECI 2002, Tunis, Tunisia; www.epita.fr/~seci02/
* 9/23/02- 9/25/02: ECC 2002, University of Essen, Germany;
  www.cacr.math.uwaterloo.ca/conferences/2002/ecc2002/announcement.html
* 9/23/02- 9/26/02: NSPW 2002, Virginia Beach, VA; www.nspw.org
* 9/23/02- 9/26/02: MobiCom 2002, Atlanta, Georgia;
  www.acm.org/sigmobile/mobicom/2002/
* 9/26/02- 9/27/02: CMS 2002, Portoroz, Slovenia; www.setcce.org/cms2002/
* 9/28/02: WSNA 2002, Atlanta, GA; wsna02.cs.uga.edu
--------------
* 10/ 1/02-10/ 3/02: InfraSec 2002, Bristol, UK; www.infrasec-conf.org
* 10/ 7/02-10/ 9/02: IH '02, Noordwijkerhout, The Netherlands;
  research.microsoft.com/ih/2002/
* 10/14/02-10/16/02: ESORICS 2002, Zurich, Switzerland;
  www.esorics2002.org/
* 10/14/02: ITCC, Las Vegas, Nevada;
  www.cs.clemson.edu/~srimani/itcc2003/cfp.html
* 10/15/02-10/16/02: SREIS 2002, Raleigh, NC; www.sreis.org
* 10/22/02-10/24/02: FOUNDATIONS '02, Laurel, MD;
  www.cs.clemson.edu/~steve/ivandv/ResearchCallv2.pdf
* 10/23/02-10/25/02: NGC 2002, Boston, Massachusetts;
  signl.cs.umass.edu/ngc2002
* 10/28/02-10/29/02: HotNets-I, Princeton, NJ;
  www.acm.org/sigcomm/HotNets-I
* 10/31/02: SPC-2003, Boppard, Germany; www.dfki.de/SPC2003
--------------
* 11/ 4/02-11/ 8/02: QUANTUM, Berkeley, CA;
  zeta.msri.org/calendar/workshops/WorkshopInfo/203/show_workshop
* 11/ 6/02-11/ 8/02: CW 2002, Tokyo, Japan;
  wwwcis.k.hosei.ac.jp/CW2002/call_for_pagers.jsp
* 11/12/02-11/15/02: ISSRE 2002, Annapolis, MD; www.issre2002.org
* 11/15/02: WWW-SEC-2003, Budapest, Hungary; www.www2003.org
* 11/17/02-11/21/02: HSN '2002, Taipei, Taiwan;
  opnear.utdallas.edu/hsnhome.htm
* 11/17/02-11/21/02: CCS, Washington, DC, USA;
  www.acm.org/sigs/sigsac/ccs/
* 11/20/02-11/22/02: CARDIS '02, San Jose, CA;
  www.usenix.org/events/cardis02/
--------------
* 12/ 1/02-12/ 5/02: Asiacrypt 2002, Queenstown, New Zealand;
  www.commerce.otago.ac.nz/infosci/asiacrypt/
* 12/ 1/02-12/ 6/02: ACM-MM 2002, Juan Les Pins, France;
  www.acm.org/sigmm/MM2002/index.html
* 12/ 2/02: WPET 2003, Dresden, Germany; www.petworkshop.org
* 12/ 9/02-12/11/02: OSDI '02, Boston, Massachusetts;
  www.usenix.org/events/osdi02/cfp/
* 12/ 9/02-12/12/02: ICICS '02, Singapore;
  www.krdl.org.sg/General/conferences/icics/Homepage.html
* 12/ 9/02-12/13/02: 18th ACSAC, Las Vegas, Nevada; www.acsac.org
* 12/15/02-12/18/02: Indocrypt 2002, Hyderabad, India;
  www.cs.utah.edu/flux/cipher/cipher-hypercalendar.html
* 12/16/02-12/18/02: WMN, Hsinchu, Taiwan; www.ee.nthu.edu.tw/~PCM2002/
--------------
* 3/12/03- 3/14/03: SPC-2003, Boppard, Germany; www.dkfi.de
* 3/26/03- 3/28/03: WPET 2003, Dresden, Germany; www.petworkshop.org
--------------
* 4/28/03- 4/30/03: ITCC, Las Vegas, Nevada;
  www.cs.clemson.edu/~srimani/itcc2003/cfp.html
--------------
* 5/20/03- 5/24/03: WWW-SEC-2003, Budapest, Hungary; www.www2003.org

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers
____________________________________________________________________

Workshop on Computer Forensics, Center for Secure and Dependable
Systems, University of Idaho, Moscow, Idaho, USA, September 23-25,
2002. (abstracts due July 31, 2002)

This workshop is intended to provide a broad-spectrum approach to
Computer Forensics and to increase interactions between Information
Security faculty, students and practitioners. Speaker and presentation
topics include performing detailed analysis of systems, use of forensic
evidence in the legal system, tools available for forensic analysis,
international complications, and a corporate perspective. See the
workshop web site for details at www.csds.uidaho.edu/workshop/forensics.

NORDSEC2002 7th Nordic Workshop on Secure IT Systems, Karlstad
University, Sweden, November 7-8, 2002. (submissions due August 1, 2002)

The NordSec workshops were started in 1996 with the aim of bringing
together researchers and practitioners within computer security in the
Nordic countries. The theme of the workshops has been applied security,
i.e., all kinds of security issues that could encourage interchange and
cooperation between the research community and the industrial/consumer
community.
A main theme of NordSec 2002, to which a special track within the
workshop will be devoted, is Privacy Enhancing Technologies. NordSec
2002 will also specifically address the areas of Software Engineering
and Quality of Service in relation to IT security. More information can
be found on the conference web page at www.cs.kau.se/nordsec2002.

DRM 2002 ACM Workshop on Digital-Rights Management (in conjunction with
the 9th Annual ACM CCS Conference), Washington DC, USA, November 18,
2002. (submissions due August 1, 2002)

Submissions on all technical, legal, and business aspects of DRM are
solicited. Additional information and submission instructions can be
found at crypto.stanford.edu/DRM2002/.

First ACM Workshop on Scientific Aspects of Cyber Terrorism (in
conjunction with the ACM Conference on Computer and Communication
Security), Washington, DC, USA, November 21, 2002. (submission deadline
extended to August 1, 2002)

The goal of this workshop is to address scientific contributions to
understanding and fighting cyber terrorism. Examples of possible topics
of interest include: methods to identify the most critical
infrastructures, methods to detect cyber terrorist attacks, and methods
to protect against cyber terrorism (including survivability, quorum
systems, PKI). Submissions should clearly identify the relationship with
cyber terrorism. Submissions on cryptography/information security
without proper motivation of how these can be used to address scientific
issues in cyber terrorism will be rejected. Non-scientific talks (such
as surveys of efforts by different countries to address cyber terrorism)
will only be accepted if space permits; political and other
non-scientific talks are not the main goal of the workshop. Further
details are available at www.sait.fsu.edu/sactworkshop/sact.html.

PKC2003 The Sixth International Workshop on Practice and Theory in
Public Key Cryptography, Miami, Florida, USA, January 6-8, 2003.
(submissions due August 9, 2002)

PKC is the main annual workshop focusing on research on all aspects of
public key cryptography. PKC 2003 will for the first time be an IACR
workshop. Topics of interest and instructions for submitting a paper can
be found on the conference web page at www.sait.fsu.edu/pkc2003.

CCN 2002 IASTED International Conference on Communications and Computer
Networks, Massachusetts Institute of Technology, Cambridge,
Massachusetts, USA, November 4-6, 2002. (submissions due August 15, 2002)

This conference is an international forum for researchers and
practitioners interested in the advances and applications of computers
and communications networks, including wireless and mobile
communications. It is an opportunity to present and observe the latest
research, results, and ideas in these areas. CCN 2002 will be held in
conjunction with the IASTED International Conferences on "Parallel and
Distributed Computing and Systems (PDCS 2002)" and "Software Engineering
and Applications (SEA 2002)". A complete list of topics along with
instructions for submitting a paper or a tutorial proposal can be found
on the conference web site at
www.iasted.org/conferences/2002/cambridge/ccn.htm.

Workshop on Socially-Informed Design of Privacy-enhancing Solutions in
Ubiquitous Computing (in conjunction with UBICOMP'2002), Göteborg,
Sweden, September 29, 2002. (submissions due August 18, 2002)

Privacy-enhancing solutions, both technical and social, are needed to
drive development of ubiquitous computing in a socially acceptable
direction. The goal of this workshop is to develop an understanding of
how social studies can inform the design and evaluation of
privacy-enhancing solutions (technical approaches and complementary
social mechanisms) in ubicomp. This workshop aims to provide a forum for
ubicomp system developers, security researchers, social scientists,
legal experts and consumer privacy advocates to collaboratively explore
the future of socially-informed privacy-enhancing solutions in
ubiquitous computing. Questions from disciplines other than computer
science (e.g., economics, sociology, law, public policy) will also
contribute significantly to the workshop. Topics of interest of this
workshop include, but are not limited to: Incentives; Contextual
Factors; Trust; Metrics and Inspection; and Design Principles and
Solutions. More information can be found at
guir.berkeley.edu/privacyworkshop2002.

WPES ACM Workshop on Privacy in the Electronic Society (in association
with the 9th ACM Conference on Computer and Communication Security),
Washington, DC, USA, November 21, 2002. (submissions due August 23, 2002)

The increased power and interconnectivity of computer systems available
today provide the ability to store and process large amounts of data,
resulting in networked information accessible from anywhere at any
time. It is becoming easier to collect, exchange, access, process, and
link information. The goal of this workshop is to discuss the problems
of privacy in global interconnected societies and possible solutions to
them. Topics of interest and information about submitting a paper can
be found on the conference web site at seclab.dti.unimi.it/~wpes.

NDSS'03 The 10th Annual Network and Distributed System Security
Symposium, San Diego, CA, USA, February 5-7, 2003. (submissions due
August 30, 2002)

The symposium fosters information exchange among research scientists
and practitioners of network and distributed system security services.
The target audience includes those interested in practical aspects of
network and distributed system security, with a focus on actual system
design and implementation (rather than theory). A major goal is to
encourage and enable the Internet community to apply, deploy, and
advance the state of available security technology. Topics of interest
along with details on the conference can be found at
www.isoc.org/isoc/conferences/ndss/03/index.shtml.

ITCC 2003 International Conference on Information Technology: Coding
and Computing, Las Vegas, Nevada, April 28-30, 2003. (submissions due
October 14, 2002)

The rapid growth in information science and technology in general, and
the complexity and volume of multimedia data in particular, have
introduced new challenges for the research community. Of particular
interest is the need for concise representation, efficient
manipulation, and fast transmission of multimedia data. Applications
such as space science, tele-medicine, military, and robotics deal with
large volumes of data which need to be stored and processed in real
time. Topics of interest along with more conference information can be
found at www.cs.clemson.edu/~srimani/itcc2003/cfp.html.

BCS-FACS British Computer Society Formal Aspects of Security, Royal
Holloway, University of London, UK, December 19-20, 2002. (submissions
due October 21, 2002)

To celebrate its 25th Anniversary, the BCS-FACS (British Computer
Society - Formal Aspects of Computing) Specialist Group is planning to
organize several events over the next two years. The main aim is to
highlight the use of formal methods, emphasize their relevance to
modern computing, and promote their wider application. Papers offering
research contributions in formal aspects of computer security are
solicited for FASec. Topics of interest and additional conference
information can be found at www.bcs-facs.org/.

SPC-2003 First International Conference on Security in Pervasive
Computing, Boppard, Germany, March 12-14, 2003. (submissions due
October 31, 2002)

The ongoing compression of computing facilities into small and mobile
devices like handhelds, portables or even wearable computers will
enable ubiquitous information processing. The basic paradigm of such
pervasive computing is the combination of strongly decentralized and
distributed computing with the help of diversified devices allowing for
spontaneous connectivity via the Internet. The objective of this
conference is to develop new security concepts for complex application
scenarios based on systems like handhelds, phones, smartcards, and
smart labels, hand in hand with the emerging technology of ubiquitous
and pervasive computing. Particular subjects are methods and technology
concerning the identification of risks, the definition of security
policies, and the development of security measures that are related to
the specific aspects of ubiquitous and pervasive computing like
mobility, communication, and secure hardware/software platforms. More
information can be found on the conference web page at
www.dfki.de/SPC2003.

WWW2003 The Twelfth International World Wide Web Conference, Security &
Privacy Track, Budapest, Hungary, May 20-24, 2003. (submissions due
November 15, 2002)

The Security and Privacy Track at WWW2003 is soliciting papers on all
computer-scientific aspects of security and privacy as they relate to
the Web in general, or more specifically to Web standards. ("Security
and Privacy" is a new track at the International WWW Conference this
year; last year this topic area was combined with "E-Commerce" into a
single track.) We invite papers describing both theoretical and
experimental research. A complete list of topics of interest can be
found at www.www2003.org/.

Workshop on Privacy Enhancing Technologies 2003, Dresden, Germany,
March 26-28, 2003. (submissions due December 2, 2002)

Privacy and anonymity are increasingly important in the online world.
Corporations and governments are starting to realize their power to
track users and their behavior, and to restrict the ability to publish
or retrieve documents. Approaches to protecting individuals, groups,
and even companies and governments from such profiling and censorship
have included decentralization, encryption, and distributed trust. The
workshop seeks submissions from academia and industry presenting novel
research on all theoretical and practical aspects of privacy
technologies, as well as experimental studies of fielded systems. We
encourage submissions from other communities such as law and business
that present their perspectives on technological issues. As in past
years, we will publish proceedings after the workshop. A list of topics
of interest is provided on the conference web page at
www.petworkshop.org/.

====================================================================
Conferences and Workshops (the call for papers deadline has passed)
====================================================================

VERIFY'02 www.ags.uni-sb.de/verification-ws/verify02.html
Verification Workshop, in connection with CADE at FLoC 2002,
Copenhagen, Denmark, July 25-26, 2002.

FCS'02 floc02.diku.dk/FCS/
LICS Satellite Workshop on Foundations of Computer Security,
Copenhagen, Denmark, July 26, 2002.

sansone.crema.unimi.it/~ifip113
The Sixteenth Annual IFIP WG 11.3 Working Conference on Data and
Application Security, King's College, University of Cambridge, UK,
July 29-31, 2002.

USENIX www.usenix.org/events/sec02/cfp/
The 11th USENIX Security Symposium, San Francisco, CA, USA,
August 5-9, 2002.

WTCP'2002 www.cs.odu.edu/~wadaa/ICPP02/WTCP/
Workshop on Trusted Computing Paradigms (in conjunction with
ICPP-2002), Vancouver, British Columbia, Canada, August 18-21, 2002.

CRYPTO'2002 www.iacr.org/conferences/crypto2002/
The Twenty-Second Annual IACR Crypto Conference, Santa Barbara, CA,
USA, August 18-22, 2002.

WISA2002 icns.ewha.ac.kr/wisa2002
The 3rd International Workshop on Information Security Applications,
Jeju Island, Korea, August 28-30, 2002.

www.wi-inf.uni-essen.de/~dexa02ws/
Trust and Privacy in Digital Business (in conjunction with DEXA 2002),
Aix-en-Provence, France, September 2-6, 2002.

IASTED'2002 www.iasted.org and
www.iasted.org/conferences/2002/spain/submit-371.htm
IASTED Conference on Communication Systems and Networks, Malaga,
Spain, September 9-12, 2002.

SCN'02 www.dia.unisa.it/SCN02/
The Third Workshop on Security in Communication Networks, Amalfi,
Italy, September 12-13, 2002.

ILPF 2002 www.ilpf.org/conference2002
The Annual Internet Law & Policy Forum Conference, Seattle, WA, USA,
September 17-19, 2002.

ECC2002 www.exp-math.uni-essen.de/~weng/ecc2002.html
The 6th Workshop on Elliptic Curve Cryptography, University of Essen,
Essen, Germany, September 23-25, 2002.

NSPW2002 www.nspw.org
New Security Paradigms Workshop, Virginia Beach, Virginia, USA,
September 23-26, 2002.

CMS2002 www.setcce.org/cms2002/
The Seventh IFIP Communications and Multimedia Security Conference,
Portoroz, Slovenia, September 26-27, 2002.

CNS'02 cs.anu.edu.au/~Chuan.Wu/conference/cns02_cfp.html
2002 International Workshop on Cryptology and Network Security, San
Francisco, CA, USA, September 26-28, 2002.

www4.in.tum.de/~csduml02/
Critical Systems Development with UML, Dresden, Germany,
September 30, 2002.

ESORICS 2002 www.esorics2002.org/
7th European Symposium on Research in Computer Security, Zurich,
Switzerland, October 14-16, 2002.

SREIS2002 www.sreis.org/
Second Symposium on Requirements Engineering for Information Security,
Raleigh, North Carolina, USA, October 15-16, 2002.

RAID'2002 www.raid-symposium.org/raid2002/
Fifth International Symposium on Recent Advances in Intrusion
Detection, Zurich, Switzerland, October 16-18, 2002 (held in
conjunction with ESORICS 2002).

LawTech2002 www.islat.org
ISLAT International Conference on Law and Technology, Cambridge,
Massachusetts, USA, November 6-8, 2002.

IICIS 2002 www.db.cs.ucdavis.edu/IICIS2002/
Fifth IFIP TC-11 WG 11.5 Working Conference on Integrity and Internal
Control in Information Systems - New Perspectives from Academia and
Industry, Bonn, Germany, November 11-12, 2002.

CCS 2002 www.acm.org/sigs/sigsac/ccs/
9th ACM Conference on Computer and Communication Security, Washington
DC, USA, November 17-21, 2002.

SACT www.sait.fsu.edu/sactworkshop/sact.html
First ACM Workshop on Scientific Aspects of Cyber Terrorism (in
conjunction with the ACM Conference on Computer and Communication
Security), Washington, DC, USA, November 21, 2002.

ASIACRYPT 2002 www.sis.uncc.edu/ac02
Queenstown, New Zealand, December 1-5, 2002.

ICICS 2002 www.krdl.org.sg/General/conferences/icics/Homepage.html
Fourth International Conference on Information and Communications
Security, Kent Ridge Digital Labs, Singapore, December 9-12, 2002.

ACSAC2002 www.acsac.org
18th Annual Computer Security Applications Conference, Las Vegas,
Nevada, USA, December 9-13, 2002.

HICSS-36 www.cs.uidaho.edu/~krings/HICSS36/HICSS36-cfp.htm
Secure and Survivable Software Systems (Part of the Software
Technology Track), Big Island, Hawaii, USA, January 6-9, 2003.

SAINT2003 www.saint2003.org
2003 Symposium on the Internet and Applications, Orlando, Florida,
USA, January 27-31, 2003.
====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at
www.ieee-security.org/Cipher/NewsBriefs.html

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at
www.ieee-security.org/Cipher/BookReviews.html, and conference reports
are archived at www.ieee-security.org/Cipher/ConfReports.html.

____________________________________________________________________
Book Review By Robert Bruen
July 15, 2002
____________________________________________________________________

Have You Locked the Castle Gate? Home and Small Business Security
by Brian Shea. Addison-Wesley 2002. 193 pages. Index, bibliography,
2 appendices (resources, glossary). ISBN 0-201-71955-X $19.99

It is easy to forget about newcomers to security when one spends so
much time involved in the heavy issues. The "newbies" can be a bit
annoying because they need to have the most basic details explained to
them. Who wants to take the time to explain definitions and concepts
that just seem obvious after years of working around security
professionals? Most security books do not focus on the newcomers,
since there are too many important issues and difficult concepts to
work on. Now there is a book that you can give the newbie who wants to
know the secrets of security. It is not about hacking 101; rather, it
is about security ideas such as planning, assessing risk and valuing
assets. The book is short and therefore does not go into the gory
details of each concept, but that does not mean that important ideas
are treated lightly. I feel that they are treated appropriately for
the first timers.

The main focus is Microsoft security, which for some of us is an
oxymoron, but since there are so many desktops with MS sitting on
them, it makes for a reasonable place to start. The author has an
unusual, although not unheard of, approach to explaining security. He
has created a homestead with a family and a village to illustrate the
general concepts, such as fences and locks on the door. The home
itself is the starting point in the first chapter, but it expands over
the course of the book to a village. The home needs a little fence to
keep the foxes out of the chicken coop, but later the village needs to
worry about attacking armies. Fortunately, the homestead story is kept
to the right size throughout the book, making sure that the story does
not take over and push security into the background.

Checklists are scattered throughout the book, along with tables to
make life easier for first timers. Each is preceded by a readable
explanation of the topic. Since Shea has aimed the book at Microsoft
users, he includes general Windows security tips, but he also covers
Windows NT, 2000 and 2000 Server. His explanation of the Registry,
while limited, is a good starting place. The hives are illustrated
with just a few important keys, giving some insight without being
overwhelming. There are some helpful tips that anyone can use for
securing a machine using the registry. As we all know, the Registry is
the heart of any Microsoft system. Without knowledge of it, security
cannot be done properly, no matter what policies are implemented or
whether active scripting is shut off.

A discussion of Web security is as important as a discussion of email
security, now that the Web is totally integrated into the lives of
most of us. There is a good table for Internet Explorer which shows
what happens when the various security levels are selected. It was
never a good idea to offer users levels of security, such as high,
medium and low, without providing clear details of what each level
meant. This table shows the reader that MS IE High Security, for
example, disables file and font downloads. Microsoft has not made it
as clear what the consequences are when each level is selected. It is
quite frustrating to select a level, only to discover that some
feature you need has been disabled. It is even more frustrating when a
particular setting you do not agree with disables a feature that you
thought should still be enabled.

Mr. Shea's book, coupled with something like the Happy Hacker by
Carolyn Meinel, might be a good starter set for someone interested in
Microsoft security. They are fun and inexpensive.

____________________________________________________________________
Book Review By Robert Bruen
July 15, 2002
____________________________________________________________________

Counter Hack. A Step-by-Step Guide to Computer Attacks and Effective
Defenses by Ed Skoudis. Prentice Hall PTR 2002. 564 pages. Index,
glossary. ISBN 0-13-033273-9 $49.99

There are a lot of hacking books available today, so for a new one to
get any attention it has to have something to offer that goes beyond
the existing books. There are only a few things possible, such as a
greatly improved presentation of the material, or perhaps new
material. Fortunately for authors and unfortunately for system
administrators, there is always new material. The new material is
often just attacks or resources, although attacks that are truly new
and unique are few and far between. New resources for defenses are
appearing more often, but these are generally organizations and memos,
not real tools. The new and really good tools are as limited as the
really good attacks. This leaves the book itself as the main reason to
get attention. Mr. Skoudis has written a book that is worth reading,
even if you know about security. This is a technical approach to
attacks and defenses, not for management, which is looking for risk
assessment and policy discussions.
A book like this needs to cover certain topics, like TCP/IP, networks, ports, tools, etc, but additional material is important. One of the better features is a chapter describing attacks in story form with each step showing how and why a particular tool is used to achieve the objective. The errors made by the victim that would have prevented the success of the attacks are detailed as well in a manner that is more helpful than just saying "keep up with patches." The newer material of interest concerns kernel-level rootkits. They have been around for a while, but there are not many good explanations in books, so this is useful information. As Linux becomes more popular in the back rooms, attacks become more of a concern. Of course, Linux has been popular as an attack platform for a while. Other Unix systems are in the back room already, such as Solaris - and yes, there similar rootkits for them. The main issue is the Loadable Kernel Module LKM, a very handy feature when managing systems, because kernel level code can be loaded on a running system without requiring a reboot. It means that each location can keep its kernel smaller by not loading things it does not need. This feature is just as handy for the attacker. When the attacker ratchets up the stakes, the defenders respond. There are some free and commercial products available that can help. You might want to consider eliminating LKM support, if possible (not all operating systems allow disabling of LKM). I think this is still up for discussion because the feature is useful. Microsoft email is a great target for virus writers, but we all know that email is not going away. The trick is to make sure that the features of email prevent the spread of the virus. The quantity of knowledge, skill and expertise required of the security professional has reached the point where specialization is the only way to be successful. There seem to be less of the those who have broad and deep knowledge like Skoudis. 
One must have been around for a while to accumulate the expertise and then keep up with all the new stuff, including the proliferation of new technology. Each new operating system and variants of old ones open up new opportunities for attackers. Operating systems tend to have better security than applications, but as new features are introduced to make them more useful, more vulnerabilities are introduced right alongside the usefulness. It is unfortunate that the technical demands of security reach down into the OS when one also must be concerned that some secretary is using the name of a cat for a password. We can be grateful for authors like Skoudis to help keep us up to date.

____________________________________________________________________
NewsBits
Announcements and correspondence from readers
____________________________________________________________________

July 18, 2002

Correspondence from Heather Hinton, General Chair of the 2002 IEEE Symposium on Security and Privacy:

IEEE SP02 was (as usual) a success. It was held May 12-15 2002 at the Claremont Resort in Berkeley, California. We had 197 paid attendees and two press attendees. The conference received lots of media attention due to several interesting papers and a five-minute recent research talk. The press from these research results was beneficial - we had lots of attention from organizations such as TechTV, CNet and more. We did not lose money this year, through constant monitoring of expenses, cutbacks on trinkets (there were none), and raising the registration fees. This will likely continue as the Claremont continues to increase its prices. Next year's conference is again over Mother's Day weekend, which if I have read my calendar correctly is May 11-14, 2003.

____________________________________________________________________

July 18, 2002

The 16th IEEE Computer Security Foundations Workshop will be held June 29-July 3, 2003 at Asilomar (Pacific Grove, CA, USA).
Watch www.csl.sri.com/programs/security/csfw/index.html for the call-for-papers.

____________________________________________________________________

June 7, 2002

I received a correspondence from Carl Landwehr proposing a fascinating community project whose goal is to develop a timeline with important events and work in computer security. Have a look at the PDF file (www.ieee-security.org/Cipher/PastIssues/2002/E49.July-2002/200205collectedtimelines.pdf) to see the start of that work. Here is an excerpt from Carl:

"What I am hoping others (students?) might like to do as a community project, would be for someone (or some many) to produce from this a set of database entries of the form: (date, event, reference) that could be used to help construct (or reconstruct) the history of significant events in computer security. There are lots of important events in the history of security/information assurance technology (e.g. creation and development of firewalls, VPNs, public key crypto) that are not to be found anywhere on these charts. These baseline events could be strung together in (probably endless) ways, according to one's prejudices and beliefs, to indicate which events were significant, which influenced what other events, what streams of thought and investigation were pursued, etc. Having the tuples might be a useful place to start. The first of these timelines [see the PDF file] is an updated and abstracted version of the second one; the others are even older and were made for other purposes. I happily place them in the public domain, warts and all."

If you have thoughts on this or would like to participate, send a note to me (davis@iastate.edu) or to Carl directly (clandweh@nsf.gov).
____________________________________________________________________

July 2002

IEEE Computer Society introduces a new magazine in Security and Privacy

At its June 2002 meeting in Toronto, IEEE's Technical Activities Board approved IEEE Security & Privacy magazine for launch in January 2003 as a bimonthly publication with an annual page budget of 552 pages (92 pages per issue). The magazine, which is to be published by the IEEE Computer Society, will cover a wide range of security and privacy topics in the context of computers, networks, consumer systems, critical infrastructures and other technology domains. Each issue will be a mix of technical, survey and tutorial articles, departments, and columns. The magazine concept was developed by a Task Force which earlier this year published a supplement to IEEE Computer. That supplement and other details about the Task Force can be found at www.computer.org/computer/sp/index.htm.

Anyone interested in contributing articles to this exciting new publication should contact George Cybenko at gvc@dartmouth.edu. Subscription to the new publication will be an option on the 2003 IEEE membership renewal forms. Instructions for subscribing will also be listed at the IEEE Computer Society's web site at www.computer.org shortly.

____________________________________________________________________
____________________________________________________________________

News Bits contains correspondence, interesting links, non-commercial announcements and other snippets of information the editor thought that Cipher readers might find interesting.
====================================================================
Reader's Guide to Current Technical Literature in Security and Privacy,
by Anish Mathuria
====================================================================

The Reader's Guide from Past issues of Cipher is archived at www.ieee-security.org/Cipher/ReadersGuide.html

====================================================================
Listing of academic positions available
by Cynthia Irvine
====================================================================

http://cisr.nps.navy.mil/pages/employment/cipher_employ.htm

CASE Center, Syracuse University, Syracuse, NY
Visiting SUPRA faculty position
www.ecs.syr.edu/dept/eecs/positions/supria.html

Max-Planck Institute for Computer Science, Saarbruecken, Germany
Postdoc/Research associate position
Areas of particular interest: static program analysis, verification, security, cryptographic protocols, critical software.
Applications begin immediately.
www.mpi-sb.mpg.de/units/nwg1/offers/positions.html

Department of Computer Science, James Madison University, Harrisonburg, VA
Tenure-Faculty position
The James Madison University Department of Computer Science is seeking applications from faculty that specialize in Information Security or closely related areas.
www.cs.jmu.edu/faculty_openings.htm

Vrije Universiteit Amsterdam, The Netherlands
Postdoc/Assistant Professor
Internet security. Position is available immediately.
www.cs.vu.nl/~ast/jobs

Department of Information and Software Engineering, George Mason University, Fairfax, VA
1 Tenure-track, 1 visiting position
Positions are in security. Areas of particular interest: Computer security, networking, data mining and software engineering.
Search will continue until positions are filled.
ise.gmu.edu/hire/

Department of Computer Science, Purdue University, West Lafayette, IN
Emphasis on Assistant Professor Positions, but more senior applicants will be considered.
Areas of particular interest: Computer security, and INFOSEC.
Positions beginning August 2000.
www.cs.purdue.edu/announce/faculty2001.html

Department of Computer Science, Rensselaer Polytechnic Institute, Troy, NY
Tenure Track, Teaching, and Visiting Positions
Areas of particular interest: Computer security, networking, parallel and distributed computing and theory.
Positions beginning Fall 2000.
www.cs.rpi.edu/faculty-opening.html

Swiss Federal Institute of Technology Lausanne (EPFL), Switzerland/Eurecom/Telecom Paris
General Director
Areas of particular interest: Education and research in telecommunications.
Applications begin immediately.
admwww.epfl.ch/pres/dir_eurecom.html

Department of Computer Science, Florida State University, Tallahassee, FL
Tenure-track positions at all ranks, several positions available. Available (1/00)
Areas of particular interest: Trusted Systems, security, cryptography, software engineering, provability and verification, real-time and safety-critical systems, system software, databases, fault tolerance, and computational/simulation-based design.
www.cs.fsu.edu/positions/

--------------
This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Interesting Links and Reports Available via FTP and WWW
====================================================================

"Reports Available" links from previous issues of Cipher are archived at www.ieee-security.org/Cipher/NewReports.html and www.ieee-security.org/Cipher/InterestingLinks.html

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher@issl.iastate.edu (which is NOT automated) with subject line "subscribe".

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing, send e-mail to cipher@issl.iastate.edu (which is NOT automated) with subject line "subscribe postcard".

To remove yourself from the subscription list, send e-mail to cipher@issl.iastate.edu with subject line "unsubscribe".

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher@issl.iastate.edu are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended.
For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.

____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at www.ieee-security.org/Cipher/AddressChanges.html

______________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
________________________________________________________________________

You do NOT have to join either IEEE or the IEEE Computer Society to join the TC, and there is no cost to join the TC. All you need to do is fill out an application form and mail or fax it to the IEEE Computer Society. A copy of the form is included below (to simplify things, only the TC on Security and Privacy is included, and is marked for you).

Members of the IEEE Computer Society may join the TC via an https link. The full and complete form is available on the IEEE Computer Society's Web Server by following the application form hyperlink at the URL: computer.org/tcsignup/

IF YOU USE THE FORM BELOW, PLEASE NOTE THAT IT IS TO BE RETURNED (BY MAIL OR FAX) TO THE IEEE COMPUTER SOCIETY, >>NOT<< TO CIPHER.

---------
IEEE Computer Society Technical Committee Membership Application
-----------------------------------------------------------
Please print clearly or type.
-----------------------------------------------------------
Last Name                  First Name              Middle Initial
___________________________________________________________
Company/Organization
___________________________________________________________
Office Street Address (Please use street addresses over P.O.)
___________________________________________________________
City                                      State
___________________________________________________________
Country                                   Postal Code
___________________________________________________________
Office Phone                              Fax
___________________________________________________________
Email Address (Internet accessible)
___________________________________________________________
Home Address (optional)
___________________________________________________________
Home Phone
___________________________________________________________

[ ] I am a member of the Computer Society
    IMPORTANT: IEEE Member/Affiliate/Computer Society Number: ____________________

[ ] I am not a member of the Computer Society*

Please Note: In some TCs only current Computer Society members are eligible to receive Technical Committee newsletters.

Please select up to four Technical Committees/Technical Councils of interest.

TECHNICAL COMMITTEES
[ X ] T27 Security and Privacy

Please Return Form To:
IEEE Computer Society
1730 Massachusetts Ave, NW
Washington, DC 20036-1992
Phone: (202) 371-0101
FAX: (202) 728-9614

_____________________________________________________________
TC Publications for Sale
_____________________________________________________________

Proceedings of the IEEE CS Symposium on Security and Privacy

The Technical Committee on Security and Privacy has copies of its publications available for sale directly to you. You may pay for Proceedings by credit card or check.
Proceedings of the IEEE Symposium on Security and Privacy

Year(s)      Format     Price
2001         Hardcopy   $25.00*
2000         Hardcopy   $15.00*
1999         Hardcopy   SOLD OUT
1998         Hardcopy   $10.00*
2000-2001    CD-ROM     $25.00*

* Plus shipping charges

Payment by Check: Please specify the items and quantities that you wish to receive, your shipping address, and the method of shipping (for overseas orders). Mail your order request and a check, payable to the 2002 IEEE Symposium on Security and Privacy, to:

Terry L. Hall
Treasurer, IEEE Security and Privacy
14522 Gravelle Lane
Florissant, Mo 63034
U S A

Please include the appropriate amount to cover shipping charges as noted in the table below.

Domestic shipping:       $4.00 per order for 3 volumes or fewer
Overseas surface mail:   $6.00 per order for 3 volumes or fewer
Overseas air mail:       $12 per volume

Credit Card Orders: For a limited time, the TC on Security and Privacy can charge orders to your credit card. Send your order by mail to the address above or send email to terry.l.hall2@boeing.com specifying the items and quantities that you wish to receive, your shipping address, method of shipping (surface or air for overseas orders) along with
  * the name of the cardholder,
  * credit card number, and
  * the expiration date.
Exact shipping charges will be charged to your credit card and included in your receipt. Shipping charges may be approximated from the table above.

IEEE CS Press

You may also order some back issues from IEEE CS Press at www.computer.org/cspress/catalog/proc9.htm.

Proceedings of the IEEE CS Computer Security Foundations Workshop

The most recent Computer Security Foundation Workshop (CSFW14) took place June 2001 in Cape Breton, Nova Scotia. Topics included formal specification of security protocols, protocol engineering, distributed systems, information flow, and security policies. Copies of the proceedings are available from the publications chair for $25 each.
Copies of earlier proceedings starting with year 3 (1990) are available at $10. Photocopy versions of year 1 are also $10. Checks payable to Joshua Guttman for CSFW may be sent to:

Joshua Guttman, MS S119
The MITRE Corporation
202 Burlington Rd.
Bedford, MA 01730-1420 USA
guttman@mitre.org

________________________________________________________________________
TC Officer Roster
________________________________________________________________________

Chair:
Mike Reiter
Carnegie Mellon University
ECE Department
Hamerschlag Hall, Room D208
Pittsburgh, PA 15213 USA
(412) 268-1318 (voice)
reiter@cmu.edu

Past Chair:
Thomas A. Berson
Anagram Laboratories
P.O. Box 791
Palo Alto, CA 94301
(650) 324-0100 (voice)
berson@anagram.com

Vice Chair and S&P 2002 chair:
Heather Hinton
IBM Software Group - Tivoli
11400 Burnett Road
Austin, TX 78758
(512) 436 1538 (voice)
hhinton@us.ibm.com

Chair, Subcommittee on Academic Affairs:
Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department
Code CS/IC
Monterey CA 93943-5118
(408) 656-2461 (voice)
irvine@cs.nps.navy.mil

Chair, Subcommittee on Standards:
David Aucsmith
Intel Corporation
JF2-74
2111 N.E. 25th Ave
Hillsboro OR 97124
(503) 264-5562 (voice)
(503) 264-6225 (fax)
awk@ibeam.intel.com

Chair, Subcomm. on Security Conferences:
Jonathan Millen
SRI International EL233
Computer Science Laboratory
333 Ravenswood Ave.
Menlo Park, CA 94025
(650) 859-2358 (voice)
(650) 859-2844 (fax)
millen@csl.sri.com

Newsletter Editor:
Jim Davis
Department of Electrical and Computer Engineering
2413 Coover Hall
Iowa State University
Ames, Iowa 50011
(515) 294-0659 (voice)
davis@iastate.edu

BACK ISSUES: Cipher is archived at: www.ieee-security.org/cipher.html

========end of Electronic Cipher Issue #49, July 18, 2002===========