Subject: Electronic CIPHER, Issue 50, September 17, 2002

====================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 50                               September 17, 2002

Jim Davis, Editor                      Hilarie Orman, Assoc. Editor
Bob Bruen, Book Review Editor          Anish Mathuria, Reader's Guide
====================================================================
http://www.ieee-security.org/cipher.html

Contents:

* Letter from the Editor
* Conference and Workshop Announcements
  o Call for papers for the 2003 Symposium on Security & Privacy
  o Upcoming calls-for-papers and events
    10 new calls added since Cipher E49:
    - ACSA Workshop on the Application of Engineering Principles to
      System Security Design (submissions due September 30, 2002)
      www.acsac.org/waepssd/cfp.html
    - Cryptographers' Track, RSA Conference
      (submissions due October 1, 2002)
      reg2.lke.com/rs3/rsa2003/crypto.html
    - Information Resources Management Association International
      Conference (submissions due October 4, 2002)
      www.irma-international.org
    - International Performance, Computing, and Communications
      Conference (submissions due October 4, 2002)
      www.ipccc.org
    - Workshop on Security and Assurance in Ad Hoc Networks
      (submissions due October 15, 2002)
      www.sait.fsu.edu/wsaan2003/
    - 5th International Conference on Enterprise Information Systems
      (submissions due October 15, 2002)
      www.iceis.org
    - First International Workshop on Information Assurance
      (submissions due November 1, 2002)
      www.ieee-tfia.org/iwia2003
    - 2003 IEEE Symposium on Security and Privacy
      (submissions due November 6, 2002)
      www.ieee-security.org/TC/SP-Index.html
    - Third World Conference on Information Security Education, and
      the Workshop on Education in Computer Security
      (submissions due January 3, 2003)
      cisr.nps.navy.mil/wise3
    - 12th USENIX Security Symposium
      (submissions due January 27, 2003)
      www.usenix.org/events/sec03/
  o Program for the 2nd Symposium on Requirements Engineering
    (October 16, 2002, Raleigh, North Carolina, USA) www.sreis.org
* Commentary and Opinion
  o Robert Bruen's review of "Hack Proofing Your Identity in the
    Information Age" by Teri Bidwell, Michael Cross, and Ryan Russell
  o Robert Bruen's review of "Biometrics: Identity Verification in a
    Networked World" by Samir Nanavati, Michael Thieme, and Raj Nanavati
  o NewsBits: Announcements and correspondence from readers
  o Book reviews from past Cipher issues
  o Conference Reports and Commentary from past Cipher issues
  o News items from past Cipher issues
* Reader's guide to recent security and privacy literature,
  by Anish Mathuria (new entries March 15, 2002)
* List of Computer Security Academic Positions, by Cynthia Irvine
* Staying in Touch
  o Information for subscribers and contributors
  o Recent address changes
* Interesting Links and New reports available via FTP and WWW
* Links for the IEEE Computer Society TC on Security and Privacy
  o Becoming a member of the TC
  o TC Officers
  o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

We are pleased to bring you another issue of Cipher! In it you will
find book reviews by Robert Bruen and links to several new calls for
papers, including the 2003 IEEE Symposium on Security and Privacy.

The July Cipher contained the exciting news about IEEE's new bimonthly
magazine focused on security and privacy, to begin publication January
2003! Have a look at http://computer.org/security/. The search for the
first Editor in Chief is under way, with applications closing October
1, 2002. See http://computer.org/pr/Aug02/SP_EIC.htm for more
information.
The NewsBits column repeats a call to action on a proposal by Carl
Landwehr to develop a time line marked with important events and work
in computer security. This could make a fascinating class project for
a graduate course in security.

And so here is my bimonthly plea for volunteers to write conference
and workshop summaries. Please consider contributing; if you are on a
conference program committee, we would appreciate help in locating a
volunteer.

Many thanks to our colleagues who contributed to this issue!

Best regards,
Jim Davis
davis@iastate.edu

====================================================================
Conference and Workshop Announcements
====================================================================

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at
www.ieee-security.org/cfp.html. The Cipher event Calendar is at
www.cs.utah.edu/flux/cipher/cipher-hypercalendar.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Calendar of Security and Privacy Related Events
maintained by Hilarie Orman

Date (Month/Day/Year), Event, Locations, e-mail for more info.

See also Cipher Calls for Papers file (www.ieee-security.org/cfp.html)
for details on many of these listings. Also worth a look are the ICL
calendar and the IACR site, and several others. An asterisk [*] points
from the submission date entry to the conference date entry.
 *  9/19/02- 9/21/02: SECI 2002, Tunis, Tunisia; www.epita.fr/~seci02/
 *  9/23/02- 9/25/02: ECC 2002, University of Essen, Germany;
                      www.cacr.math.uwaterloo.ca/conferences/2002/ecc2002/announcement.html
 *  9/23/02- 9/26/02: NSPW 2002, Virginia Beach, VA; www.nspw.org
 *  9/23/02- 9/26/02: MobiCom 2002, Atlanta, Georgia;
                      www.acm.org/sigmobile/mobicom/2002/
 *  9/26/02- 9/27/02: CMS 2002, Portoroz, Slovenia; www.setcce.org/cms2002/
 *  9/28/02:          WSNA 2002, Atlanta, GA; wsna02.cs.uga.edu
--------------
 * 10/ 1/02-10/ 3/02: InfraSec 2002, Bristol, UK; www.infrasec-conf.org
 * 10/ 1/02:          CT-RSA 2003, San Francisco, CA;
                      reg2.lke.com/rs3/rsa2003/crypto.html
 * 10/ 4/02:          IRMA 2003, Hershey, PA, USA; www.irma-international.org/
 * 10/ 7/02-10/ 9/02: IH '02, Noordwijkerhout, The Netherlands;
                      research.microsoft.com/ih/2002/
 * 10/14/02-10/16/02: ESORICS 2002, Zurich, Switzerland; www.esorics2002.org/
 * 10/14/02:          ITCC, Las Vegas, Nevada;
                      www.cs.clemson.edu/~srimani/itcc2003/cfp.html
 * 10/15/02-10/16/02: SREIS 2002, Raleigh, NC; www.sreis.org
 * 10/22/02-10/24/02: FOUNDATIONS '02, Laurel, MD;
                      www.cs.clemson.edu/~steve/ivandv/ResearchCallv2.pdf
 * 10/22/02:          SNPA 2003; www.icc2003.com/workshop1.html
 * 10/23/02-10/25/02: NGC 2002, Boston, Massachusetts; signl.cs.umass.edu/ngc2002
 * 10/28/02-10/29/02: HotNets-I, Princeton, NJ; www.acm.org/sigcomm/HotNets-I
 * 10/31/02:          SPC-2003, Boppard, Germany; www.dfki.de/SPC2003
--------------
 * 11/ 4/02-11/ 8/02: QUANTUM, Berkeley, CA;
                      zeta.msri.org/calendar/workshops/WorkshopInfo/203/show_workshop
 * 11/ 6/02-11/ 8/02: CW 2002, Tokyo, Japan;
                      wwwcis.k.hosei.ac.jp/CW2002/call_for_pagers.jsp
 * 11/11/02-11/12/02: IICIS 2002, Bonn, Germany; www.db.cs.ucdavis.edu/IICIS2002/
 * 11/12/02-11/15/02: ISSRE 2002, Annapolis, MD; www.issre2002.org
 * 11/15/02:          WWW-SEC-2003, Budapest, Hungary; www.www2003.org
 * 11/17/02-11/21/02: HSN '2002, Taipei, Taiwan; opnear.utdallas.edu/hsnhome.htm
 * 11/17/02-11/21/02: CCS, Washington, DC, USA; www.acm.org/sigs/sigsac/ccs/
 * 11/17/02-11/21/02: IETF, Atlanta, GA; www.ietf.org/meetings
 * 11/20/02-11/22/02: CARDIS '02, San Jose, CA; www.usenix.org/events/cardis02/
--------------
 * 12/ 1/02-12/ 5/02: Asiacrypt 2002, Queenstown, New Zealand;
                      www.commerce.otago.ac.nz/infosci/asiacrypt/
 * 12/ 1/02-12/ 6/02: ACM-MM 2002, Juan Les Pins, France;
                      www.acm.org/sigmm/MM2002/index.html
 * 12/ 2/02:          WPET 2003, Dresden, Germany; www.petworkshop.org
 * 12/ 3/02-12/ 6/02: IPSec, Paris, France; www.upperside.fr/ipsec02/ipsec02intro.htm
 * 12/ 9/02-12/11/02: OSDI '02, Boston, Massachusetts; www.usenix.org/events/osdi02/cfp/
 * 12/ 9/02-12/12/02: ICICS '02, Singapore;
                      www.krdl.org.sg/General/conferences/icics/Homepage.html
 * 12/ 9/02-12/13/02: 18th ACSAC, Las Vegas, Nevada; www.acsac.org
 * 12/15/02-12/18/02: Indocrypt 2002, Hyderabad, India;
                      www.cs.utah.edu/flux/cipher/cipher-hypercalendar.html
 * 12/16/02-12/18/02: WMN, Hsinchu, Taiwan; www.ee.nthu.edu.tw/~PCM2002/
--------------
 *  3/12/03- 3/14/03: SPC-2003, Boppard, Germany; www.dkfi.de
 *  3/26/03- 3/28/03: WPET 2003, Dresden, Germany; www.petworkshop.org
--------------
 *  4/28/03- 4/30/03: ITCC, Las Vegas, Nevada;
                      www.cs.clemson.edu/~srimani/itcc2003/cfp.html
--------------
 *  5/11/03:          SNPA 2003; www.icc2003.com/workshop1.html
 *  5/18/03- 5/21/03: IRMA 2003, Hershey, PA, USA; www.irma-international.org/
 *  5/20/03- 5/24/03: WWW-SEC-2003, Budapest, Hungary; www.www2003.org
--------------
 *  6/26/03- 6/28/03: WISE 3, Monterey, CA, USA; cisr.nps.navy.mil/wise3/

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers
____________________________________________________________________

ACSA Workshop on the Application of Engineering Principles to System
Security Design, Boston, MA, USA, November 6-8, 2003
(submissions due September 30, 2002)

The Applied Computer Security Associates (ACSA) is sponsoring a
workshop to examine engineering fundamentals, the principles and
practice of designing and building secure systems.
The workshop will look at where we have been in security engineering
(formal methods, Orange Book, Common Criteria, penetrate and patch,
Certification and Accreditation, Defense in Depth) and where we should
go. The goal of the workshop is to begin a process of serious thinking
about these important issues. The output of the workshop will be a
collection of essays and technical papers on the issues discussed in
the workshop, available on-line to the community. More information can
be found on the workshop web page at www.acsac.org/waepssd/cfp.html.

CT-RSA 2003
Cryptographers' Track, RSA Conference 2003, San Francisco, CA, USA,
April 13-17, 2003. (submissions due October 1, 2002)

Following the success of the two previous editions, the Cryptographers'
Track of RSA Conference 2003 (CT-RSA 2003) will be run as an
anonymously refereed conference with proceedings. Original research
papers pertaining to all aspects of cryptography as well as tutorials
or results presented in other conferences are solicited. Submissions
may present theory, techniques, applications and practical experience
on topics including, but not limited to: fast implementations, secure
electronic commerce, network security and intrusion detection, formal
security models, comparison and assessment, tamper-resistance,
certification and time-stamping, cryptographic data formats and
standards, encryption and signature schemes, public key infrastructure,
protocols, elliptic curve cryptography, block cipher design, discrete
logarithms and factorization techniques, stream ciphers and Boolean
functions, lattice reduction and provable security. The program
committee invites tutorials and research contributions in the broad
area of applications and theory of cryptography. More information can
be found at the conference web page at reg2.lke.com/rs3/rsa2003/crypto.html.
IRMA 2003
Information Resources Management Association International Conference,
Philadelphia, Pennsylvania, USA, May 18-21, 2003
(submissions due October 4, 2002)

The theme of the conference is: Information Technology and
Organizations: Trends, Issues, Challenges and Solutions. The conference
is made up of 45 tracks and includes an Information Security Management
track. Papers may be full length or research-in-progress. Panel,
workshop, tutorial, and symposium proposals are also welcomed. Further
details on the conference and individual tracks are available at
www.irma-international.org.

IPCCC'2003
The International Performance, Computing, and Communications
Conference, Phoenix, Arizona, USA, April 9-11, 2003
(submissions due October 4, 2002)

We encourage submission of high-quality papers reporting original work
in both theoretical and experimental research that address the recent
advances in algorithms, architectures, protocols, wired and wireless
network infrastructure, embedded systems, and distributed and mobile
systems and applications. More information can be found on the
conference web page at www.ipccc.org.

ITCC 2003
International Conference on Information Technology: Coding and
Computing, Las Vegas, Nevada, April 28-30, 2003.
(submissions due October 14, 2002)

The rapid growth in information science and technology in general and
the complexity and volume of multimedia data in particular have
introduced new challenges for the research community. Of particular
interest is the need for a concise representation, efficient
manipulation, and fast transmission of multimedia data. Applications
such as space science, tele-medicine, military, and robotics deal with
large volumes of data which need to be stored and processed in real
time. Topics of interest along with more conference information can be
found at www.cs.clemson.edu/~srimani/itcc2003/cfp.html.
Workshop on Security and Assurance in Ad hoc Networks, held in
conjunction with The 2003 International Symposium on Applications and
the Internet, Orlando, Florida, USA, January 28, 2003.
(submissions due October 15, 2002)

This half day workshop aims at providing a forum for the discussion of
security and assurance issues related to ad hoc networks as components
of the Internet. Technical papers describing original research are
solicited. Areas of particular interest include, but are not limited
to:
- Security and fault tolerance issues in ad hoc networks
- Secure routing in ad hoc networks
- Applications of mobile agents and autonomous intelligent systems
- Tradeoffs between efficiency and security in ad hoc networks
- Bounds on efficiency in ad hoc networks
- Security protocols for group applications in ad hoc networks
- Self configuration in ad hoc networks
- Location discovery and management
- Timing and synchronization in ad hoc networks
- Secure, distributed algorithms for ad hoc networks

Please consult the Program Co-Chairs Alec Yasinsac
(yasinsac@cs.fsu.edu) or Mike Burmester (burmester@cs.fsu.edu) if you
are uncertain whether your paper falls within the scope of the
workshop. Workshop information will be posted at
www.sait.fsu.edu/wsaan2003/.

ICEIS'2003
5th International Conference on Enterprise Information Systems,
Angers, France, April 23-26, 2003. (submissions due October 15, 2002)

The purpose of the 5th International Conference on Enterprise
Information Systems (ICEIS) is to bring together researchers,
engineers and practitioners interested in the advances and business
applications of information systems. Four simultaneous tracks will be
held, covering different aspects of Enterprise Information Systems
Applications, including Enterprise Database Technology, Systems
Integration, Artificial Intelligence, Decision Support Systems,
Information Systems Analysis and Specification, Internet Computing and
Electronic Commerce.
Human factors issues in the development of these applications are also
considered. ICEIS focuses on real world applications; therefore authors
should highlight the benefits of Information Technology for industry
and services. Ideas on how to solve business problems, using IT, will
arise from the conference. Papers describing advanced prototypes,
systems, tools and techniques and general survey papers indicating
future directions are also encouraged. Both full research reports and
work-in-progress reports are welcome. More information can be found on
the conference web site at www.iceis.org.

BCS-FACS
British Computer Society Formal Aspects of Security, Royal Holloway,
University of London, UK, December 19-20, 2002.
(submissions due October 21, 2002)

To celebrate its 25th Anniversary, the BCS-FACS (British Computer
Society - Formal Aspects of Computing) Specialist Group is planning to
organize several events over the next two years. The main aim is to
highlight the use of formal methods, emphasize their relevance to
modern computing, and promote their wider applications. Papers
offering research contributions in formal aspects of computer security
are solicited for FASec. Topics and additional conference information
can be found at www.bcs-facs.org/.

SPC-2003
First International Conference on Security in Pervasive Computing,
Boppard, Germany, March 12-14, 2003. (submissions due October 31, 2002)

The ongoing compression of computing facilities into small and mobile
devices like handhelds, portables or even wearable computers will
enhance ubiquitous information processing. The basic paradigm of such
pervasive computing is the combination of strongly decentralized and
distributed computing with the help of diversified devices allowing for
spontaneous connectivity via the internet.
The objective of this conference is to develop new security concepts
for complex application scenarios based on systems like handhelds,
phones, smartcards, and smart labels hand in hand with the emerging
technology of ubiquitous and pervasive computing. Particular subjects
are methods and technology concerning the identification of risks, the
definition of security policies, and the development of security
measures that are related to the specific aspects of ubiquitous and
pervasive computing like mobility, communication, and secure
hardware/software platforms. More information can be found on the
conference web page at www.dfki.de/SPC2003.

The First International Workshop on Information Assurance, Darmstadt,
Germany, March 24, 2003. (submissions due November 1, 2002)

The IEEE Task Force on Information Assurance is sponsoring a workshop
on information assurance in cooperation with the ACM SIGSAC on
research and experience in information assurance. The workshop seeks
submissions from academia and industry presenting novel research on all
theoretical and practical aspects of IA; possible topics include, but
are not limited to the following:
- Information Warfare and Operations
- Network Security
- Operating System Security
- Storage Security
- Intrusion Detection, Prediction, and Countermeasures
- Insider Attack Countermeasures
- Information Sharing in Coalition Settings
- Security Models
- Survivability and Resilient Systems
- Formal Methods for Security
- CCITSE Experience and Methodology
- IA Standardization Approaches
- Specification, Design, Development, and Deployment of IA Mechanisms

Papers with a systems perspective are especially welcome. In addition
to the dissemination of new research, another goal of the workshop is
to bring together researchers and practitioners from both governmental
and civilian areas. More information on the workshop can be found at
www.ieee-tfia.org/iwia2003/.
The 2003 IEEE Symposium on Security and Privacy, Oakland, California,
USA, May 11-14, 2003. (submissions due November 6, 2002)

Since 1980, the IEEE Symposium on Security and Privacy has been the
premier forum for the presentation of developments in computer security
and electronic privacy, and for bringing together researchers and
practitioners in the field. Previously unpublished papers offering
novel research contributions in any aspect of computer security or
electronic privacy are solicited for submission to the 2003 symposium.
Papers may represent advances in the theory, design, implementation,
analysis, or empirical evaluation of secure systems, either for general
use or for specific application domains. Topics of interest include,
but are not limited to, the following:
- Commercial and Industrial Security
- Electronic Privacy
- Mobile Code and Agent Security
- Distributed Systems Security
- Network Security
- Anonymity
- Data Integrity
- Access Control and Audit
- Information Flow
- Security Verification
- Viruses and Other Malicious Code
- Security Protocols
- Authentication
- Biometrics
- Smartcards
- Peer-to-Peer Security
- Intrusion Detection
- Database Security
- Language-Based Security
- Denial of Service
- Security of Mobile Ad-Hoc Networks

The full call for papers can be found at
www.research.att.com/~smb/oakland03-cfp.html. For any questions, please
contact the program chairs at oakland-chairs03@research.att.com.

WWW2003
The Twelfth International World Wide Web Conference, Security & Privacy
Track, Budapest, Hungary, May 20-24, 2003
(submissions due November 15, 2002)

The Security and Privacy Track at WWW2003 is soliciting papers on all
computer scientific aspects of security and privacy as they relate to
the Web in general, or more specifically to Web standards. ("Security
and Privacy" is a new track to the International WWW Conference this
year; last year this topic area was combined with "E-Commerce" into a
single track.)
We invite papers describing both theoretical and experimental research.
A complete list of topics of interest can be found at www.www2003.org/.

Workshop on Privacy Enhancing Technologies 2003, Dresden, Germany,
March 26-28, 2003. (submissions due December 2, 2002)

Privacy and anonymity are increasingly important in the online world.
Corporations and governments are starting to realize their power to
track users and their behavior, and restrict the ability to publish or
retrieve documents. Approaches to protecting individuals, groups, and
even companies and governments from such profiling and censorship have
included decentralization, encryption, and distributed trust. The
workshop seeks submissions from academia and industry presenting novel
research on all theoretical and practical aspects of privacy
technologies, as well as experimental studies of fielded systems. We
encourage submissions from other communities such as law and business
that present their perspectives on technological issues. As in past
years, we will publish proceedings after the workshop. A list of topics
of interest is provided on the conference web page at
www.petworkshop.org/.

WISE 3 / WECS 5
Third World Conference on Information Security Education, and Workshop
on Education in Computer Security, Naval Postgraduate School, Monterey,
California, USA, June 26-28, 2003. (submissions due January 3, 2003)

IFIP Working Group 11.8 - Information Security Education and the
Workshop on Education in Computer Security invite you to contribute to
their activities by submitting papers for presentation at their
conference to be held at the Naval Postgraduate School in Monterey,
California, USA. The conference aims to address interested researchers
and educators from universities, schools, industry or government. The
theme for the conference is Teaching the Role of Information Assurance
in Critical Infrastructure Protection.
Relevant topics include, but are not limited to the following:
- New Programs in Information Security and Privacy Education
- Training the Cyberwarrior
- Information Security Education in Non-Academic Contexts
- Computer Security and Infrastructure Protection
- Education of Citizens in Information Security
- Information Security Education in Schools
- Teaching Cyber Ethics
- Education in Computer Forensics and the Law
- Education in Electronic Commerce Security
- Education of Information Security Professionals
- Teaching Information Systems Auditing
- International Standards of Security Education
- Evaluation of Security Education
- Programs to Raise Information Security Awareness
- Holistic Approaches in Information Security Education
- Practical and Experimental Approaches to Information Security Education
- Information Security Distance Learning and Web-based Teaching

The conference web site can be found at cisr.nps.navy.mil/wise3/.

USENIX Security 2003
12th USENIX Security Symposium, Washington, DC, USA, August 4-8, 2003
(submissions due January 27, 2003)

The USENIX Security Symposium brings together researchers,
practitioners, system administrators, system programmers, and others
interested in the latest advances in security of computer systems.
Refereed paper submissions are being solicited in all areas relating to
systems and network security, including:
- Adaptive security and system management
- Analysis of malicious code
- Analysis of network and security protocols
- Applications of cryptographic techniques
- Attacks against networks and machines
- Automated tools for source code analysis
- Authentication and authorization of users, systems, and applications
- Denial-of-service attacks
- File and filesystem security
- Firewall technologies
- Intrusion detection
- Privacy preserving (and compromising) systems
- Public key infrastructure
- Rights management and copyright protection
- Security in heterogeneous and large-scale environments
- Security of agents and mobile code
- Security of Internet voting systems
- Techniques for developing secure systems
- World Wide Web security

Since USENIX Security is primarily a systems security conference,
papers regarding new cryptographic algorithms or protocols, or
electronic commerce primitives, are in general discouraged.

====================================================================
Conferences and Workshops (the call for papers deadline has passed)
====================================================================

NSPW2002  www.nspw.org
New Security Paradigms Workshop, Virginia Beach, Virginia, USA,
September 23-26, 2002.

CMS2002  www.setcce.org/cms2002/
The Seventh IFIP Communications and Multimedia Security Conference,
Portoroz, Slovenia, September 26-27, 2002.

CNS'02  cs.anu.edu.au/~Chuan.Wu/conference/cns02_cfp.html
2002 International Workshop on Cryptology and Network Security,
San Francisco, CA, USA, September 26-28, 2002.

Workshop on Socially-Informed Design of Privacy-enhancing Solutions in
Ubiquitous Computing (in conjunction with UBICOMP'2002), Göteborg,
Sweden, September 29, 2002. guir.berkeley.edu/privacyworkshop2002

Critical Systems Development with UML, Dresden, Germany,
September 30, 2002.
www4.in.tum.de/~csduml02/

ESORICS 2002  www.esorics2002.org/
7th European Symposium on Research in Computer Security, Zurich,
Switzerland, October 14-16, 2002.

SREIS2002  www.sreis.org/
Second Symposium on Requirements Engineering for Information Security,
Raleigh, North Carolina, USA, October 15-16, 2002.

RAID'2002  www.raid-symposium.org/raid2002/
Fifth International Symposium on Recent Advances in Intrusion
Detection, Zurich, Switzerland, October 16-18, 2002 (held in
conjunction with ESORICS 2002).

CCN 2002  www.iasted.org/conferences/2002/cambridge/ccn.htm
IASTED International Conference on Communications and Computer
Networks, Massachusetts Institute of Technology, Cambridge,
Massachusetts, USA, November 4-6, 2002.

LawTech2002  www.islat.org
ISLAT International Conference on Law and Technology, Cambridge,
Massachusetts, USA, November 6-8, 2002.

NORDSEC2002  www.cs.kau.se/nordsec2002
7th Nordic Workshop on Secure IT Systems, Karlstad University, Sweden,
November 7-8, 2002.

IICIS 2002  www.db.cs.ucdavis.edu/IICIS2002/
Fifth IFIP TC-11 WG 11.5 Working Conference on Integrity and Internal
Control in Information Systems - New Perspectives from Academia and
Industry, Bonn, Germany, November 11-12, 2002.

CCS 2002  www.acm.org/sigs/sigsac/ccs/
9th ACM Conference on Computer and Communication Security,
Washington DC, USA, November 17-21, 2002.

DRM 2002  crypto.stanford.edu/DRM2002/
ACM Workshop on Digital-Rights Management (in conjunction with the 9th
Annual ACM CCS Conference), Washington DC, USA, November 18, 2002.

SACT  www.sait.fsu.edu/sactworkshop/sact.html
First ACM Workshop on Scientific Aspects of Cyber Terrorism (in
conjunction with the ACM Conference on Computer and Communication
Security), Washington, DC, USA, November 21, 2002.
WPES  seclab.dti.unimi.it/~wpes
ACM Workshop on Privacy in the Electronic Society (in association with
the 9th ACM Conference on Computer and Communication Security),
Washington, DC, USA, November 21, 2002.

ASIACRYPT 2002  www.sis.uncc.edu/ac02
Queenstown, New Zealand, December 1-5, 2002.

ICISC 2002  www.krdl.org.sg/General/conferences/icics/Homepage.html
Fourth International Conference on Information and Communications
Security, Kent Ridge Digital Labs, Singapore, December 9-12, 2002.

ACSAC2002  www.acsac.org
18th Annual Computer Security Applications Conference, Las Vegas,
Nevada, USA, December 9-13, 2002.

PKC2003  www.sait.fsu.edu/pkc2003
The Sixth International Workshop on Practice and Theory in Public Key
Cryptography, Miami, Florida, USA, January 6-8, 2003.

HICSS-36  www.cs.uidaho.edu/~krings/HICSS36/HICSS36-cfp.htm
Secure and Survivable Software Systems (Part of the Software Technology
Track), Big Island, Hawaii, USA, January 6-9, 2003.

SAINT2003  www.saint2003.org
2003 Symposium on the Internet and Applications, Orlando, Florida,
USA, January 27-31, 2003.

NDSS'03  www.isoc.org/isoc/conferences/ndss/03/index.shtml
The 10th Annual Network and Distributed System Security Symposium,
San Diego, CA, USA, February 5-7, 2002.

____________________________________________________________________
NIST System Security Requirements Seminar (in conjunction with SREIS)
____________________________________________________________________

The Computer Security Division of the National Institute of Standards
and Technology (NIST) will host a one-day IT security requirements
seminar on October 17, 2002 following the SREIS (see
http://www.sreis.org).
The purpose of this security seminar is to present: (1) an overview of
the current federal IT security certification and accreditation
initiative, (2) a detailed description of the proposed new
certification and accreditation process and associated security
requirements and controls for IT systems, and (3) an overview of NIST
supporting publications on risk management, system security planning,
and contingency/continuity of operations planning.

Here is the seminar program (also available at
http://www.sreis.org/nistinfo.php):

 8:30 -  8:45  Introduction and Welcome
               Director, NIAP; Director, ITL
 8:45 -  9:00  Keynote Address
               OMB (invited)
 9:00 -  9:30  Overview of Security Certification and Accreditation
               Program
               R. Ross
 9:30 - 10:15  Overview of Draft NIST Special Publication 800-37,
               Federal Guidelines for the Security Certification and
               Accreditation of Information Technology Systems
               Speaker TBD
10:15 - 10:30  Break
10:30 - 11:30  Overview of Draft NIST Special Publication 800-37A,
               Minimum Security Requirements for Information Technology
               Systems
               Speaker TBD
11:30 -  1:00  Lunch
 1:00 -  1:45  System Security Planning
               M. Swanson
 1:45 -  2:30  Enterprise Risk Management
               G. Stoneburner
 2:30 -  2:45  Break
 2:45 -  3:30  Contingency Planning for IT Systems
               J. Hash
 3:30 -  4:15  Panel Discussion and Q&A Session: The Future of Security
               Certification and Accreditation: Key Issues in Creating
               More Secure IT Systems and Networks
               Invited Guests

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at
www.ieee-security.org/Cipher/NewsBriefs.html

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at
www.ieee-security.org/Cipher/BookReviews.html, and conference reports
are archived at www.ieee-security.org/Cipher/ConfReports.html.

____________________________________________________________________
Book Review By Robert Bruen
September 13, 2002
____________________________________________________________________

Hack Proofing Your Identity in the Information Age
by Teri Bidwell, Michael Cross, and Ryan Russell.
Syngress 2002. ISBN 1-931836-51-5. 370 pages. $29.95. Index.

Identity theft is a serious problem today made all the easier by the
proliferation of personal information in various databases, as well as
more use of digital identification and electronic commerce. It does not
help us very much that security is lax at the sites that keep our
personal information. Impersonating other people is not a recent
development, however the methodologies used in the information are new.
In the old days, credit card theft could be accomplished by stealing
the physical card or stealing mail. The credit card companies have
tried to protect themselves by sending several related pieces of mail
with the hopes that at least one will get through to alert the victim
that a card came in the mail. They have also added a card activation
feature, along with use profiles and other techniques.
Unfortunately, these techniques are not that effective against identity theft, because the use patterns belong to the thief, as does the signature (if it gets checked at all). Armed with a large amount of information gleaned from easily accessible web sites, an ID thief can simply apply for loans, bank accounts, credit cards and whatever using your name. One can even make up fake identification cards using PC technology in the home. Many IDs require a social security number, which is not too difficult to obtain. Several of these fake IDs can get a bank account, which can be a real help with the scam when the thief writes a small check that actually clears.

A good book on the ins and outs of how this is done, how to protect yourself and what to do about it when it happens to you would be a good thing to have. Unfortunately, this book only has a few chapters directly related to this. The subtitle of this book is "Protecting Your Family on the Internet!" which is not quite the same as protecting yourself from identity theft. The first part of the book does in fact deal with basic concepts of identity theft, but it quickly turns a corner towards protecting your children while they use the net and wraps up with a chapter on personal firewalls.

The authors provide good introductions to each of the topics, but the book seems disjointed, suffering from a lack of focus. With a little more work, it could be a good book on protecting your PC on the net, but the title would need to be changed. In fact, this title probably should be changed to something involving protection of a home PC to reflect the main focus of the book. In any case, the book is an introductory level attempt with some good information, but a somewhat misleading title. The subject, however, is certainly worth a good book.
____________________________________________________________________
Book Review By Robert Bruen    September 13, 2002
____________________________________________________________________

Biometrics Identity Verification in a Networked World
by Samir Nanavati, Michael Thieme, and Raj Nanavati.
John Wiley and Sons 2002. ISBN 0471-09945-7. 300 pages. $34.99. Index.

Biometrics has become a major watchword since 9-11-02, but it has been around for quite a while. Recent advances have made the topic more interesting, especially with the new demands for public safety and security. The fear of terrorists hiding in a crowd pushes us to accept ideas that were once considered beyond the norms of a free, democratic society. The shining example is, of course, face recognition by cameras watching everyone who comes within sight. Faces are scanned and looked up in a database. There are a number of assumptions present as this takes place, such as that the process works correctly. Other assumptions include that the databases only have the images of bad guys in them and that the average citizen is not simply having their images stored in some database.

The use of biometrics goes back to fingerprints. They are simple to capture with good reliability. The digital world has made access to large databases possible, accompanied by fast searches. These databases contain more than just criminal fingerprints since military personnel, security personnel, welfare recipients and others also have their fingerprints captured and stored. If the model for facial recognition is to be the same as the fingerprint model, then we can expect many more faces to be available in a database. According to a recent Department of Defense report, facial recognition is not reliable enough to be put in the same category as fingerprinting. Logan Airport in Boston has been experimenting with facial recognition, but the results are not yet conclusive. It has not been shown to be that magic bullet we have been looking for.
When trying to understand why there is difficulty with facial recognition, one could read Nanavati's book. It is a good introduction into the world of biometrics. It covers the existing biometric techniques without delving into the esoteric possibilities. The coverage is balanced, so that you get the strengths and weaknesses of the various techniques. For example, eye scans have several approaches, all of them suffering from the need to have the cooperation of the subject. One can scan the iris or the retina with good results in terms of individual recognition, but the scan must be close up to get the original image, as well as the comparative image. Most terrorists will not be so helpful. It will work in a corporation in which all employees are required to undergo scans upon employment, then perhaps must submit to scans for entrance into restricted areas. This is helpful in understanding how this works.

In addition to the technology, Biometrics covers the business side of the house by listing various vendors, as well as explaining markets related to biometrics. It is not clear how well these companies will perform over time. There are competing forces of privacy, technology advancement and law enforcement. In several places where cameras have been set up for traffic control, the value has been questioned to the point that the cameras have been taken down. We are in a period of deciding between what we can do and what we should do. I suggest reading books like this one to gain enough background to make an informed decision.

____________________________________________________________________
NewsBits
Announcements and correspondence from readers
____________________________________________________________________

June 7, 2002

I received a correspondence from Carl Landwehr proposing a fascinating "community project" whose goal is to develop a timeline with important events and work in computer security. Have a look at the PDF files to see the start of that work.
Here is an excerpt from Carl:

"What I am hoping others (students?) might like to do as a community project, would be for someone (or some many) to produce from this a set of database entries of the form: (date, event, reference) that could be used to help construct (or reconstruct) the history of significant events in computer security. There are lots of important events in the history of security/information assurance technology (e.g. creation and development of firewalls, VPNs, public key crypto) that are not to be found anywhere on these charts. These baseline events could be strung together in (probably endless) ways, according to one's prejudices and beliefs, to indicate which events were significant, which influenced what other events, what streams of thought and investigation were pursued, etc. Having the tuples might be a useful place to start. The first of these timelines [see the PDF files] is an updated and abstracted version of the second one; the others are even older and were made for other purposes. I happily place them in the public domain, warts and all."

If you have thoughts on this or would like to participate, send a note to me (davis@iastate.edu) or to Carl directly (clandweh@nsf.gov).

____________________________________________________________________

August 2002

The IEEE Computer Society is seeking applicants, by 1 October, for the position of editor in chief of IEEE Security & Privacy, a new magazine to be launched in January 2003. The first EIC will serve a two-year term, renewable for a second two years. The full call is located at http://computer.org/pr/Aug02/SP_EIC.htm.
____________________________________________________________________

July 26, 2002

Correspondence from reader Susan Gerhart (gerharts@erau.edu):

Interactive Instructional Materials Available --- Buffer Overflows, Cryptography, Personnel, Scenarios

Please visit http://nsfsecurity.pr.erau.edu

Work performed under National Science Foundation Grant 0113627
Embry-Riddle Aeronautical University, Prescott AZ
College of Engineering http://coe.pr.erau.edu

Buffer Overflow Security Vulnerabilities
 - how do buffer overflows occur?
 - what can be done to prevent and to defend against them?
 - what was Code Red? (remember, one year ago)

Contents:
 - Java applet simulations of buffer overflow attacks
 - Instructional tutorials (Macromedia Authorware)
 - Lecture-ready PPT and PDF presentations
 - Checklists for programmers and testers
 - Stimulating quizzes and scavenger hunts
 - Easy-to-advanced explanations

http://nsfsecurity.pr.erau.edu/bom

!!! Feedback and evaluation sought !!!

Also, cryptography illustrations
 - Java applets for sample DES functions
 - explanations of confusion and diffusion

Under development: personnel security, dimensions of security, scenario illustrations of security situations

Contact: gerharts@erau.edu

____________________________________________________________________

September 5, 2002

The Computer Security Division of the National Institute of Standards and Technology (NIST) will host a one-day IT security requirements seminar on October 17, 2002 following the SREIS (see http://www.sreis.org). The purpose of this security seminar is to present: (1) an overview of the current federal IT security certification and accreditation initiative, (2) a detailed description of the proposed new certification and accreditation process and associated security requirements and controls for IT systems, and (3) an overview of NIST supporting publications on risk management, system security planning, and contingency/continuity of operations planning.
The program is available at http://www.sreis.org/nistinfo.php.

____________________________________________________________________
____________________________________________________________________

News Bits contains correspondence, interesting links, non-commercial announcements and other snippets of information the editor thought that Cipher readers might find interesting.

====================================================================
Reader's Guide to Current Technical Literature in Security and Privacy, by Anish Mathuria
====================================================================

The Reader's Guide from past issues of Cipher is archived at www.ieee-security.org/Cipher/ReadersGuide.html

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

http://cisr.nps.navy.mil/pages/employment/cipher_employ.htm

Information Security Group, Laboratories for Information Technology
Singapore
Postdoc/Associate Research Staff
Cryptography and Information Security
Contact email: baofeng@lit.org.sg

CASE Center, Syracuse University, Syracuse, NY
Visiting SUPRIA faculty position
www.ecs.syr.edu/dept/eecs/positions/supria.html

Max-Planck Institute for Computer Science, Saarbruecken, Germany
Postdoc/Research associate position
Areas of particular interest: static program analysis, verification, security, cryptographic protocols, critical software.
Applications begin immediately.
www.mpi-sb.mpg.de/units/nwg1/offers/positions.html

Department of Computer Science
James Madison University, Harrisonburg, VA
Tenure-Faculty position
The James Madison University Department of Computer Science is seeking applications from faculty who specialize in Information Security or closely related areas.
www.cs.jmu.edu/faculty_openings.htm

Vrije Universiteit Amsterdam, The Netherlands
Postdoc/Assistant Professor
Internet security.
Position is available immediately.
www.cs.vu.nl/~ast/jobs

Department of Information and Software Engineering
George Mason University, Fairfax, VA
1 Tenure-track, 1 visiting position
Positions are in security.
Areas of particular interest: Computer security, networking, data mining and software engineering.
Search will continue until positions are filled.
ise.gmu.edu/hire/

Department of Computer Science
Purdue University, West Lafayette, IN
Emphasis on Assistant Professor Positions, but more senior applicants will be considered.
Areas of particular interest: Computer security, and INFOSEC.
Positions beginning August 2000.
www.cs.purdue.edu/announce/faculty2001.html

Department of Computer Science
Rensselaer Polytechnic Institute, Troy, NY
Tenure Track, Teaching, and Visiting Positions
Areas of particular interest: Computer security, networking, parallel and distributed computing and theory.
Positions beginning Fall 2000.
www.cs.rpi.edu/faculty-opening.html

Swiss Federal Institute of Technology Lausanne (EPFL), Switzerland/Eurecom/Telecom Paris
General Director
Areas of particular interest: Education and research in telecommunications.
Applications begin immediately.
admwww.epfl.ch/pres/dir_eurecom.html

Department of Computer Science
Florida State University, Tallahassee, FL
Tenure-track positions at all ranks, several positions available.
Available (1/00)
Areas of particular interest: Trusted Systems, security, cryptography, software engineering, provability and verification, real-time and safety-critical systems, system software, databases, fault tolerance, and computational/simulation-based design.
www.cs.fsu.edu/positions/

--------------
This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Interesting Links and Reports Available via FTP and WWW
====================================================================

"Reports Available" links from previous issues of Cipher are archived at www.ieee-security.org/Cipher/NewReports.html and www.ieee-security.org/Cipher/InterestingLinks.html

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher@issl.iastate.edu (which is NOT automated) with subject line "subscribe".

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing, send e-mail to cipher@issl.iastate.edu (which is NOT automated) with subject line "subscribe postcard".

To remove yourself from the subscription list, send e-mail to cipher@issl.iastate.edu with subject line "unsubscribe".

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher@issl.iastate.edu are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended.
For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples. ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.

____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at www.ieee-security.org/Cipher/AddressChanges.html

______________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
________________________________________________________________________

You may easily join the TC on Security & Privacy by completing the on-line form at IEEE at http://www.computer.org/TCsignup/index.htm.

_____________________________________________________________
TC Publications for Sale
_____________________________________________________________

Proceedings of the IEEE CS Symposium on Security and Privacy

The Technical Committee on Security and Privacy has copies of its publications available for sale directly to you. You may pay for Proceedings by credit card or check.

Proceedings of the IEEE Symposium on Security and Privacy

  Year(s)     Format     Price
  2001        Hardcopy   $25.00*
  2000        Hardcopy   $15.00*
  1999        Hardcopy   SOLD OUT
  1998        Hardcopy   $10.00*
  2000-2001   CD-ROM     $25.00*

  * Plus shipping charges

Payment by Check: Please specify the items and quantities that you wish to receive, your shipping address, and the method of shipping (for overseas orders). Mail your order request and a check, payable to the 2002 IEEE Symposium on Security and Privacy, to:

  Terry L. Hall
  Treasurer, IEEE Security and Privacy
  14522 Gravelle Lane
  Florissant, Mo 63034
  U S A

Please include the appropriate amount to cover shipping charges as noted in the table below.

  Domestic shipping:      $4.00 per order for 3 volumes or fewer
  Overseas surface mail:  $6.00 per order for 3 volumes or fewer
  Overseas air mail:      $12 per volume

Credit Card Orders: For a limited time, the TC on Security and Privacy can charge orders to your credit card. Send your order by mail to the address above or send email to terry.l.hall2@boeing.com specifying the items and quantities that you wish to receive, your shipping address, method of shipping (surface or air for overseas orders) along with
  * the name of the cardholder,
  * credit card number, and
  * the expiration date.
Exact shipping charges will be charged to your credit card and included in your receipt. Shipping charges may be approximated from the table above.

IEEE CS Press

You may also order some back issues from IEEE CS Press at www.computer.org/cspress/catalog/proc9.htm.

Proceedings of the IEEE CS Computer Security Foundations Workshop

The most recent Computer Security Foundations Workshop (CSFW14) took place June 2001 in Cape Breton, Nova Scotia. Topics included formal specification of security protocols, protocol engineering, distributed systems, information flow, and security policies. Copies of the proceedings are available from the publications chair for $25 each. Copies of earlier proceedings starting with year 3 (1990) are available at $10. Photocopy versions of year 1 are also $10. Checks payable to Joshua Guttman for CSFW may be sent to:

  Joshua Guttman, MS S119
  The MITRE Corporation
  202 Burlington Rd.
  Bedford, MA 01730-1420 USA
  guttman@mitre.org

________________________________________________________________________
TC Officer Roster
________________________________________________________________________

Chair:
  Mike Reiter
  Carnegie Mellon University
  ECE Department
  Hamerschlag Hall, Room D208
  Pittsburgh, PA 15213 USA
  (412) 268-1318 (voice)
  reiter@cmu.edu

Past Chair:
  Thomas A. Berson
  Anagram Laboratories
  P.O. Box 791
  Palo Alto, CA 94301
  (650) 324-0100 (voice)
  berson@anagram.com

Vice Chair:
  Heather Hinton
  IBM Software Group - Tivoli
  11400 Burnett Road
  Austin, TX 78758
  (512) 436-1538 (voice)
  hhinton@us.ibm.com

Chair, Subcommittee on Academic Affairs:
  Cynthia Irvine
  U.S. Naval Postgraduate School
  Computer Science Department
  Code CS/IC
  Monterey CA 93943-5118
  (408) 656-2461 (voice)
  irvine@cs.nps.navy.mil

Chair, Subcommittee on Standards:
  David Aucsmith
  Intel Corporation
  JF2-74
  2111 N.E. 25th Ave
  Hillsboro OR 97124
  (503) 264-5562 (voice)
  (503) 264-6225 (fax)
  awk@ibeam.intel.com

Chair, Subcommittee on Security Conferences:
  Jonathan Millen
  SRI International
  Computer Science Laboratory, EL233
  333 Ravenswood Ave.
  Menlo Park, CA 94025
  (650) 859-2358 (voice)
  (650) 859-2844 (fax)
  millen@csl.sri.com

Newsletter Editor:
  Jim Davis
  Department of Electrical and Computer Engineering
  2413 Coover Hall
  Iowa State University
  Ames, Iowa 50011
  (515) 294-0659 (voice)
  davis@iastate.edu

BACK ISSUES: Cipher is archived at: www.ieee-security.org/cipher.html

========end of Electronic Cipher Issue #50, September 17, 2002===========