==========================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 59                                        Mar 15, 2004

Hilarie Orman, Editor, cipher-editor @ ieee-security.org
Sven Dietrich, Assoc. Editor, cipher-assoc-editor @ ieee-security.org
Bob Bruen, Book Review Editor, cipher-bookrev @ ieee-security.org
==========================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Contents:

 * Letter from the Editor
 * Conference and Workshop Announcements
    o Upcoming calls-for-papers and events
 * Commentary and Opinion
    o Robert Bruen's review of Security Warrior by Peikari, Cyrus and Anton Chuvakin
    o Robert Bruen's review of Hacking. The Art of Exploitation by Jon Erikson
    o Robert Bruen's review of Security Assessment Case Studies for Implementing the NSA IAM by Miles, Greg, Russ Rogers, Ed Fuller, Matthew Hoagberg and Ted Dykstra
    o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website
 * News
    o TISSEC Editor in Chief position
    o NSF Cyber Trust
    o News from CERT
    o FreeS/WAN project concludes
    o NIST announcements, SHS and RNG
    o Indiana Information Security Week
    o Voice-over-IP Vulnerabilities
    o Scattered Glitches as E-Voting Gets Biggest Test
    o IETF Conference Debates Antispam Proposals
    o Did Your Vote Count? New Coded Ballots May Prove It Did
    o Passing Packets Under Ever More Scrutiny
 * Reader's guide to recent security and privacy literature
 * List of Computer Security Academic Positions, by Cynthia Irvine
 * Staying in Touch
    o Information for subscribers and contributors
    o Recent address changes
 * Interesting Links and New reports available via FTP and WWW
 * Links for the IEEE Computer Society TC on Security and Privacy
    o Becoming a member of the TC
    o TC Officers
    o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

The big event of the spring for security researchers is the upcoming Security and Privacy Symposium, held at the Claremont Resort in Berkeley, California. The preliminary program and registration information are now available, as described in this Cipher issue.

Robert Bruen again has created three interesting book reviews, two about the technology of hacking and one about INFOSEC security assessment.

Several people have contributed news items for this issue, and they have my thanks. I've included a letter from the FreeS/WAN foundation about their project's end; FreeS/WAN's goal of providing easily usable data privacy for Internet connections has met with mixed success.

Cipher has many subscribers in Spain, and I extend sympathy to them in dealing with the effects of the recent terroristic attacks in their country.

There are many good conferences coming up, and I encourage those of you who attend them to write a review for Cipher. We all benefit from news about current research results, and Cipher is an inexpensive way to reach people around the world.

Ever seeking information security,
Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
Conference and Workshop Announcements and
Upcoming Calls-For-Papers and Events (new since last issue)
====================================================================

The complete Cipher Calls-for-Papers is located at
http://vulcan.ee.iastate.edu/~cipher/cfp.html

The Cipher event Calendar is at
http://www.cs.utah.edu/flux/cipher/cipher-hypercalendar.html

____________________________________________________________________
Security and Privacy Symposium May 9-12, 2004 Preliminary Program
____________________________________________________________________

2004 IEEE Symposium on Security and Privacy
May 9-12, 2004, The Claremont Resort, Oakland, California, USA

sponsored by
IEEE Computer Society Technical Committee on Security and Privacy
in cooperation with
The International Association for Cryptologic Research (IACR)

Preliminary Program:

Monday MORNING

Session: Attacks and Defenses

  Keyboard Acoustic Emanations
    Dmitri Asonov, Rakesh Agrawal (IBM Research)

  Effects of Mobility and Multihoming on Transport-Protocol Security
    Tuomas Aura (Microsoft Research), Pekka Nikander (Ericsson Research), Gonzalo Camarillo (Ericsson Research)

  Analysis of an Electronic Voting System
    Tadayoshi Kohno (UC San Diego), Adam Stubblefield (Johns Hopkins Univ.), Aviel D. Rubin (Johns Hopkins Univ.), Dan S. Wallach (Rice Univ.)

Session: Theory of Access Control

  Access Control By Tracking Shallow Execution History
    Philip W. L. Fong (U. Regina)

  A Layered Design of Discretionary Access Controls with Decidable Safety Properties
    Jon A. Solworth, Robert Sloan (U. Illinois, Chicago)

Monday AFTERNOON

Invited Talk

Session: Cryptography

  Symmetric encryption in automatic analyses for confidentiality against active adversaries
    Peeter Laud (Tartu University)

  Automatic Proof of Strong Secrecy for Security Protocols
    Bruno Blanchet (Ecole Normale Superieure)

5-minute work-in-progress talks

Tuesday MORNING

Session: Denial of service

  An empirical analysis of target-resident DoS filters
    Michael Collins (CERT), Michael Reiter (CMU)

  Large-Scale IP Traceback in High-Speed Internet: Practical Techniques and Theoretical Foundation
    Jun Li, Minho Sung, Jun (Jim) Xu (Georgia Tech.), Li (Erran) Li (Bell Labs)

  An Endhost Capability Mechanism to Mitigate DDoS Flooding Attacks
    Abraham Yaar, Dawn Song, Adrian Perrig (CMU)

Session: Access Control and Privacy

  Safety in Automated Trust Negotiation
    William H. Winsborough (George Mason Univ.), Ninghui Li (Purdue Univ.)

  Securing OLAP Data Cubes Against Privacy Breaches
    Lingyu Wang, Sushil Jajodia, Duminda Wijesekera (George Mason Univ.)

Tuesday AFTERNOON

1:30-2:30 Panel

Session: Static Analysis

  Run-time Principals in Information-flow Type Systems
    Stephen Tse, Steve Zdancewic (U. Pennsylvania)

  Formalizing Sensitivity in Static Analysis for Intrusion Detection
    Henry Hanping Feng (U. Mass., Amherst), Jonathon T. Giffin (U. Wisconsin, Madison), Yong Huang (U. Mass., Amherst), Somesh Jha (U. Wisconsin, Madison), Wenke Lee (Georgia Tech.), Barton P. Miller (U. Wisconsin, Madison)

Wednesday MORNING

Session: Network Security

  Fast Portscan Detection Using Sequential Hypothesis Testing
    Jaeyeon Jung (MIT), Vern Paxson (ICIR), Arthur W. Berger, Hari Balakrishnan (MIT)

  On-the-Fly Verification of Rateless Erasure Codes for Efficient Content Distribution
    Maxwell N. Krohn (MIT), Michael J. Freedman, David Mazières (NYU)

  Multicast Authentication in Fully Adversarial Networks
    Anna Lysyanskaya, Roberto Tamassia, Nikos Triandopoulos (Brown Univ.)

Session: Security Against Physical Attacks

  An Interleaved Hop-by-Hop Authentication Scheme for Filtering False Data Injection in Sensor Networks
    Sencun Zhu, Sanjeev Setia, Sushil Jajodia (George Mason Univ.), Peng Ning (NC State Univ.)

  SWAtt: Software-based Attestation for Embedded Devices
    Arvind Seshadri, Adrian Perrig (CMU), Leendert van Doorn (IBM and CMU), Pradeep Khosla (CMU)

____________________________________________________________________

IEEE Internet Computing Special Homeland Security Issue November/December 2004.
(submissions due April 1, 2004) [posted 02/18/04]

Guest Editors
  Michael Reiter - Carnegie Mellon University
  Pankaj Rohatgi - IBM T.J. Watson Research Center

"Homeland security" is a major concern for governments worldwide, which must protect their populations and the critical infrastructures that support them, including power systems, communications, government and military functions, and food and water supplies. In this special issue, we seek contributions describing the role of Internet and information technologies in homeland security, both as an infrastructure to be protected and as a tool for enabling the defense of other critical infrastructures.

On one hand, information technology can be used for mitigating risk and enabling effective responses to disasters of natural or human origin. However, its suitability for this role is plagued by questions ranging from dependability concerns to the risks that some technologies -- surveillance, profiling, information aggregation, and so on -- pose to privacy and civil liberties.

On the other hand, information technology is itself an infrastructure to be protected. This includes not only the Internet infrastructure but also the complex systems that control critical infrastructure such as energy, transportation, and manufacturing.
While control systems have traditionally been proprietary and closed, the trend toward the use of standard computer and networking technologies coupled with the use of more open networks for communication makes these systems increasingly vulnerable to catastrophic attacks and failures.

We invite researchers and information technologists to submit original articles on the use of Internet and information technologies for homeland security and on the protection of critical technology assets. Of particular interest are articles that describe technology within the context of an actual deployment or initiative in homeland security. Indeed, articles focusing on these larger initiatives or the policy debates surrounding them are also welcome, provided that they offer a strong technology component. Articles detailing technology without a compelling application to homeland security are discouraged. Commercial advertisements will be rejected.

Relevant topics include, but are not limited to:

 * Identification, authentication, biometrics, and access control;
 * Survivable/rapidly deployable emergency command and control infrastructure;
 * Risk assessment and recovery planning;
 * Sensor network based early-warning systems;
 * Surveillance, data aggregation, and mining technologies and associated privacy issues;
 * Controlled sharing of sensitive information among organizations;
 * Information and cybersecurity;
 * High-availability, resilient, and survivable infrastructure design; and
 * Detection and response to vulnerabilities and attacks on the Internet and on IT components in critical infrastructure.

For more information, please see http://www.computer.org/internet/call4ppr.htm

FCS 2004 Foundations of Computer Security Workshop, Turku, Finland, July 12-13, 2004.
(submissions due April 2, 2004) [posted 1/25/04]

The aim of this workshop is to provide a forum for continued activity in this area, to bring computer security researchers in contact with the LICS'04 and ICALP'04 communities, and to give LICS and ICALP attendees an opportunity to talk to experts in computer security. We are interested both in new results in theories of computer security and also in more exploratory presentations that examine open questions and raise fundamental concerns about existing theories. Topics include, but are not limited to:

  Composition issues                 authentication
  Formal specification               availability and denial of service
  Foundations of verification        covert channels
  Information flow analysis          cryptographic protocols
  Language-based security            confidentiality
  Logic-based design          for    integrity and privacy
  Program transformation             intrusion detection
  Security models                    malicious code
  Static analysis                    mobile code
  Statistical methods                mutual distrust
  Trust management                   security policies

For more details, see: http://www.cs.chalmers.se/~andrei/FCS04/.

ICICS 2004 Sixth International Conference on Information and Communications Security, Malaga, Spain, October 27-29, 2004.
(submissions due May 31, 2004) [posted 2/18/04]

The 2004 International Conference on Information and Communications Security will be the sixth event in the ICICS conference series, started in 1997, that brings together individuals involved in multiple disciplines of Information and Communications Security in order to foster exchange of ideas. Original papers are solicited for submission.
Areas of interest include but are not limited to:

 - Anonymity
 - Authentication and Authorization
 - Biometrics
 - Computer Forensics
 - Critical Infrastructures Protection
 - Cryptography and its Applications
 - Data and Systems Integrity
 - Design and Analysis of Cryptosystems
 - Electronic Commerce Security
 - Fraud Control and Information Hiding
 - Information and Security Assurance
 - Intellectual Property Protection
 - Intrusion Detection and Response
 - Key Management and Key Recovery
 - Mobile Communications Security
 - Network Security
 - Privacy Protection
 - Risk Evaluation and Security Certification
 - Security Models
 - Security Protocols
 - Software Protection
 - Smart Cards
 - Trust Management
 - Watermarking

For more information, see http://icics04.lcc.uma.es.

June 2004

WiSe 2004 Workshop on Wireless Security (in conjunction with MobiCom 2004), Philadelphia, PA, USA, October 1, 2004.
(submissions due 14 June 2004) [posted 1/19/04]

The objective of this workshop is to bring together researchers from research communities in wireless networking, security, applied cryptography, and dependability, with the goal of fostering interaction. With the proliferation of wireless networks, issues related to secure and dependable operation of such networks are gaining importance.
Topics of interest include, but are not limited to:

 - Trust establishment
 - Key management in wireless/mobile environments
 - Economic incentives for collaboration
 - Security modeling and protocol design in the context of rational/malicious adversaries
 - Light-weight cryptography, efficient protocols and implementations
 - Intrusion detection, detection of malicious behaviour
 - Revocation of malicious parties
 - Secure PHY/MAC/routing protocols
 - Secure location determination
 - Denial of service
 - Privacy (location, contents, actions)
 - Anonymity, prevention of traffic analysis
 - Dependable wireless networking
 - Monitoring and surveillance

More information can be found at www.ece.cmu.edu/~adrian/wise2004.

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

http://www.cs.utah.edu/flux/cipher/cipher-hypercalendar.html

Calendar of Security and Privacy Related Events
maintained by Hilarie Orman

Date (Month/Day/Year), Event, Locations, web page for more info, email for more info

 * 3/ 1/04- 3/ 4/04: PKC, Public Key Cryptography '04, Singapore, http://www.i2r.a-star.edu.sg/pkc2004/
 * 3/ 1/04: WEIS, Workshop on Economics and Information Security, Minneapolis, MN; Submissions are due; weissub@dtc.umn.edu; http://www.dtc.umn.edu/weis2004/
 * 3/ 3/04- 3/ 5/04: PRDC, Pacific Rim International Symposium on Dependable Computing, Papeete, Tahiti; http://www.laas.fr/PRCD10
 * 3/11/04: WSEG, Brazilian Workshop On Security Of Computing Systems, Gramado, Brazil; Submissions are due; paschoal@exatas.unisinos.br; http://www.sbrc2004.ufrgs.br/
 * 3/14/04: PerSec, Workshop on Pervasive Computing and Communication Security, Orlando, Florida; http://www.list.gmu.edu/persec
 * 3/15/04: TheSecConf, The Security Conference, Las Vegas, NV; Submissions of abstracts are due; gdhillon@vcu.edu; http://www.isy.vcu.edu/~gdhillon/security/
 * 3/26/04: ESORICS, European Symposium on Research in Computer Security, French Riviera, France; Submissions are due; Refik.Molva@eurecom.fr; http://esorics04.eurecom.fr
 * 3/29/04- 3/31/04: AINA, International Conference on Advanced Information Networking and Applications, Fukuoka, Japan; http://www.takilab.k.dendai.ac.jp/conf/aina/2004/
 * 3/31/04: RAID, Recent Advances in Intrusion Detection, French Riviera, France; Submissions are due; molva@eurecom.fr; http://raid04.eurecom.fr
 * 4/ 1/04: IEEE Internet Computing, Special Issue on Homeland Security, submissions are due; http://www.computer.org/internet/call4ppr.htm
 * 4/ 2/04: ISC, Information Security Conference, Palo Alto, CA, Submissions are due; isc04inquiry@uncc.edu; http://isc04.uncc.edu
 * 4/ 2/04: FCS, Foundations of Computer Security, Turku, Finland; submissions are due; http://www.cs.chalmers.se/~andrei/FCS04/
 * 4/ 2/04: WOLFASI, Workshop on Logical Foundations of an Adaptive Security Infrastructure, Turku, Finland; Submissions are due; marcus@aero.org; http://www.dcs.ed.ac.uk/home/als/lics/lics04/
 * 4/ 2/04: WISP, Security Issues with Petri Nets and other Computational Models, Bologna, Italy; Submissions are due; busi@cs.unibo.it; http://www.iit.cnr.it/staff/fabio.martinelli/WISP2004cfp.htm
 * 4/ 5/04- 4/ 7/04: IAS, Information Assurance and Security, Las Vegas, Nevada; http://www.cs.okstate.edu/~aa/itcc04/itcc04.html
 * 4/ 5/04- 4/ 7/04: ITCC International Conference on Information Technology Coding and Computing, Las Vegas, NV; http://www.isebis.eng.uerj.br/crypto2004.html
 * 4/ 8/04- 4/ 9/04: IAIW, IEEE International Workshop on Information Assurance, Charlotte, NC; http://iwia.org/2004
 * 4/10/04: NSPW, New Security Paradigms Workshop, Nova Scotia, Canada; Submissions are due; carla@atc-nycorp.com; http://www.nspw.org
 * 4/14/04- 4/17/04: IAWS, Workshop on Information Assurance, Phoenix, Arizona; http://www.tele.pitt.edu/~sais/iaws04
 * 4/14/04- 4/15/04: TheSecConf, The Security Conference, Las Vegas, NV; http://www.isy.vcu.edu/~gdhillon/security/
 * 4/15/04: ARSPA, Automated Reasoning for Security Protocols Analysis, Cork, Ireland; Submissions are due; arspa@avispa-project.org; http://www.avispa-project.org/arspa
 * 4/16/04: CEAS, Conference on Email and Anti-spam, Mountain View, CA; Submissions are due; information@ceas.cc; http://www.ceas.cc
 * 5/ 3/04: CCS-11, ACM Conference On Computer And Communications Security, Washington DC; Submissions are due; http://www.acm.org/sigsac/ccs/CCS2004
 * 5/ 9/04- 5/12/04: IEEE Security and Privacy Symposium, Oakland, CA; http://www.ieee-security.org/TC/SP2004/oakland04.html
 * 5/10/04: WSEG, Brazilian Workshop On Security Of Computing Systems, Gramado, Brazil; http://www.sbrc2004.ufrgs.br
 * 5/13/04- 5/14/04: WEIS, Workshop on Economics and Information Security, Minneapolis, MN; http://www.dtc.umn.edu/weis2004/
 * 5/14/04- 5/17/04: ICCSA, International Conference On Computational Science And Its Applications, S. Maria degli Angeli, Assisi(PG), Italy;
 * 5/17/04- 5/22/04: WWW, World Wide Web Conference, New York City, NY; http://www2004.org/
 * 5/21/04: LCN, Conference on Local Computer Networks, Tampa, Florida; Submissions are due; sjha@cse.unsw.edu.au; http://www.ieeelcn.org
 * 5/23/04- 5/25/04: IH, Information Hiding Workshop, Toronto, Canada; http://msrcmt.research.microsoft.com/IH2004/CallForPapers.aspx
 * 5/26/04- 5/28/04: WPET, Workshop on Privacy Enhancing Technologies, Toronto, Canada; http://petworkshop.org/
 * 5/31/04: ICICS, International Conference on Information and Communications Security, Malaga, Spain; submissions are due; http://icics04.lcc.uma.es
 * 5/31/04: FOSAD, School on Foundations of Security Analysis and Design, Bertinoro, Italy; applications are due; gorrieri@cs.unibo.it; http://www.sti.uniurb.it/events/fosad

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Robert Bruen
March 15, 2004
____________________________________________________________________

Security Warrior
by Peikari, Cyrus and Anton Chuvakin

O'Reilly 2004.
ISBN 0-596-00545-8 531 pages. $44.95 Index, appendix, end of chapter references

This book is not for the faint of heart. Although the script kiddies ought to read it, they will most likely not understand it. Security books are gradually moving from the "how to hack" mentality to the region of expertise of how things work. The knowledge required to write real code goes deep. For example, the Security Warrior starts out with lessons in assembly language. If you know assembler, then this is a straightforward description of registers and opcodes. If you are a Visual Basic kind of person who is willing to put in the effort, this is a good place to start learning about the lower levels.

The reason for the low level code explanation is that the rest of this section is about reverse engineering. There is some work on reverse engineering (e.g., see the HoneyNet site and their challenge results), but not much. Reverse engineering software takes some work and understanding, so fewer people do it. However, if you are an antivirus professional, you will be doing this almost daily to get into the latest worm or whatever.
Besides this obvious legitimate use of reverse engineering, there are other uses by some people, such as researchers (academic or otherwise) or those looking for holes in proprietary code released in binary only form. Whatever your motivation, the reverse engineering software is a part of the expertise required by software security professionals.

The tools for reverse engineering come from several sources. There is a commercial version from IDA, some individuals' websites (Flavia) and there are many helpful tools built in *nix, many from GNU. The authors proclaim that the tools for reversing Windows code are at the highest level because Windows is proprietary. The need to write tools for Linux has been less because anyone can read the source code.

An example of built in tools for any OS is the debugger, and often a disassembler. A simple learning technique is to write a "Hello World" program in a high level language, then use the debugger. A minor change in the program, followed by the debugger again, can be instructive by finding the change.

Lest you think that this book is only about reverse engineering, the other three parts of the book are just as helpful: Network Stalking, Platform Attacks and Advanced Defense. SQL injection is explained very nicely with code, as are topics such as binary log modifications for covering tracks, timestamp fixes and the details on maintaining covert access.

I highly recommend this book for anyone who is serious about software security. It goes hand in hand with books like "Exploiting Software," "Building Secure Software," and the Honeypot work.

____________________________________________________________________
Book Review By Robert Bruen
March 12, 2004
____________________________________________________________________

Hacking. The Art of Exploitation
by Jon Erikson

No Starch Press 2003.
ISBN 0-59327-007-0 241 pages.
$39.99 Index, references, tools

You may not be as familiar with No Starch Press as with the larger publishing houses, but they are responsible for the popular "Steal This Computer Book" and "Hacking the XBox." Jon Erikson has produced a hacking book that stands out from the pack by showing how hacks are developed. This is not about using other hackers' works, but instead shows the details of the code line by line with an explanation of what the line does. These are not just comments, but real explanations.

The goal seems to be to teach how to write exploits. The book is about programming and understanding how to develop programs that take advantage of mistakes in other people's designs and code. The lessons are done in shell code, C, Perl and assembler. The exploits run the gamut from format problems, buffer and stack overflows to reading from and writing to arbitrary memory locations.

Like any good book on software security, there is an entry requirement of knowing how to write code at some level. The higher the skill level, the more you will get out of the book. The techniques and targets are not really innovative, but the explanations are clear, coherent and detailed. And yes, you can use the code.

The author introduces some new concepts, however. One is his Password Probability Matrix (PPM) and the dissembler from www.phiral.com. The disassembler is a tool that can be used to modify existing shellcode into something a little more interesting. This is a nice lesson in how assembly code can be expressed in printable ASCII characters, as well as how to use registers. This tool has the capability of polymorphism to create output that looks different, but acts the same. It is the kind of thing that signature seeking programs do not like to see.

The other idea, the PPM, is an interesting approach to password cracking. The author explains it as a tradeoff between the storage space and computational capacity of a computer.
This is an old tradeoff problem which never seems to go away no matter how much storage space or cpu power is available. Two programs are provided, one to generate the matrices and one to use them to crack a password. The passwords are limited to four characters and a two character salt, but the example is just a proof of concept.

Many of the standard attacks are defined with example code, such as TCP/IP Hijacking and the FMS attack on WEP.

I highly recommend this book. It is written by someone who knows of what he speaks, with usable code, tools and examples.

____________________________________________________________________
Book Review By Robert Bruen
March 12, 2004
____________________________________________________________________

Security Assessment Case Studies for Implementing the NSA IAM
by Miles, Greg, Russ Rogers, Ed Fuller, Matthew Hoagberg and Ted Dykstra

Syngress 2004.
ISBN 1-932266-96-8 429 pages. $69.95 Index, appendix.

Security Assessment is a specific approach to security assessment, that of the National Security Agency's Information Assurance Methodology. The NSA created the INFOSEC Assurance Training and Rating Program (IATRP). The courses are taught to anyone who wants to learn the methodology, with a certifying examination at the end for those who want to be providers. Government employees can take the course without cost, but do not get certified.

The authors are all from Security Horizon, Inc. The readers who have taken the NSA IAM training course will benefit most. The book augments it with items like staffing and contracts.

The book covers the methods in detail. It starts with the customer, certainly not what the hacker books put first. The methodology which the NSA has developed for the government and extends to the business world is less concerned with hacking and viruses than it is with reproducible results built on policy. When an assessment is conducted, it is not a vulnerability assessment or a coverage test.
It all starts with policy, but then you look at procedures, the organization and architecture. The questions are about how it is all set up, but keep in mind it stems from bureaucrats, so it will be more detailed than the project plans used by researchers.

The second step is the evaluation. This step includes analysis of the network security hardware, such as firewalls, IDSs, routers, etc. This is more of what the technical folks are probably used to. This step is documentation with an eye to the future. It is always a good idea to have every device on the network completely documented and evaluated, but all too often, it gets left out as things move forward.

The third step is called Red Teaming, a procedure in which a team attacks and tries to penetrate the organization. Not all the difficult attacks will be undertaken, but at least some of the more obvious will be. The technical problems are not as important as the security posture of the organization.

Much of the actual implementation of the process involves the legal side of the house, even more than the technical. Generally the introductory courses to the law involve contracts, and it is the same here. Over the past few months, the pen test lists have seen discussions about legal implications of pen tests. The contract is the basic document that will govern what happens if an error is made or the outcome is not what the organization's managers were expecting. Miles and company spend time on the contract. Nothing will replace a good lawyer in this situation, but it can only help if you are familiar with how the contract should be set up.

Conducting the assessment will naturally involve talking to people in an interview setting, where you are the interviewer. There are some very good tips on how to conduct the interview, probably extra helpful if you are a geek with no social skills, but lots of tech savvy.

In addition to the process, there are cases which mirror a real setting for context.
The case approach is common for management work, as are the plans, the schedules and the reports.

This book is recommended for the techies who need to expand their horizons and for those who might be thinking about taking the course. Security assessment is only going to become more popular.

======================================================================
News Items
======================================================================

______________________________________________________________________
TISSEC Editor-in-Chief Position
______________________________________________________________________

Nominations are invited for the next Editor-in-Chief of ACM Transactions on Information and System Security. Self-nominations are welcome. Candidates should be well-established researchers in Computer Security who have sufficient experience serving on program committees and journal editorial boards.

Candidates are asked to send a current curriculum vita and a brief (one to three pages) statement of vision for TISSEC to: Gul Agha, Chair, ACM TISSEC EIC Search Committee, , by April 20, 2004. Nominations received after April 20 will be considered up until the position has been filled.

______________________________________________________________________
NSF Cyber Trust Proposals Due March 31, 2004
______________________________________________________________________

NSF's Cyber Trust Program will make awards for research towards making networked computers more secure. The deadline for proposals is March 31, 2004.

Networked computers reside at the heart of systems on which people now rely, both in critical national infrastructures and in their homes, cars, and offices. Today, many of these systems are far too vulnerable to cyber attacks that can inhibit their function, corrupt important data, or expose private information.
See http://www.cise.nsf.gov/funding/pgm_display.cfm?pub_id=6476

______________________________________________________________________
News From CERT
______________________________________________________________________

US-CERT is releasing security alerts and tips, rather than the former CERT advisories. See http://www.cert.org/advisories/us-cert-announcement.html for more information.

CyLab, the Carnegie Mellon CyberSecurity Lab, was established last year at CMU, as a multi-disciplinary research lab in cooperation with faculty, research staff, and students from the Software Engineering Institute/CERT Coordination Center, the School of Computer Science, Electrical and Computer Engineering, the Department of Statistics, Engineering and Public Policy, and the Heinz School of Business. The Carnegie Mellon CyLab web site can be found at http://www.cylab.cmu.edu.

______________________________________________________________________
FreeS/WAN Project Concludes
______________________________________________________________________

March 1, 2004, FreeS/WAN, http://www.freeswan.org/ending_letter.html

Michael Richardson contributed:

Dear FreeS/WAN community,

After more than five years of active development, the FreeS/WAN project will be coming to an end.

The initial goal of the project was ambitious -- to secure the Internet using opportunistically negotiated encryption, invisible and convenient to the user. (for more, see http://www.freeswan.org/history.html). A secondary goal was to challenge then-current US export regulations, which prohibited the export of strong cryptography (such as triple DES encryption) of US origin or authorship.

Since the project's inception, there has been limited success on the political front. After the watershed Bernstein case (see http://www.eff.org/Privacy/Crypto_export/Bernstein_case/ ) US export regulations were relaxed. Since then, many US companies have exported strong cryptography, without seeming restriction other than having to notify the Bureau of Export Administration for tracking purposes.

This comfortable situation has perhaps created a false sense of security. The catch? Export regulations are not laws. The US government still reserves the right to change its export regulations on short notice, and there is no facility to challenge them directly in a court of law. This leaves the US crypto community and US Linux distributions in a position which seems safe, but is not legally protected -- where the US government might at any time *retroactively* regulate previously released code, by prohibiting its future export. This is why FreeS/WAN has always been developed outside the US (in Canada and in Greece), and why it has never (to the best of our knowledge) accepted US patches.

If FreeS/WAN has neither secured the Internet, nor secured the right of US citizens to export software that could do so, it has still had positive benefit. With version 1.x, the FreeS/WAN team created a mature, well-tested IPsec VPN (Virtual Private Network) product for Linux. The Linux community has relied on it for some time, and it (or a patched variant) has shipped with several Linux distributions.

With version 2.x, FreeS/WAN development efforts focussed on increasing the usability of Opportunistic Encryption (OE), IPSec encryption without prearrangement. Configuration was simplified, FreeS/WAN's cryptographic offerings were streamlined, and the team promoted OE through talks and outreach.

However, nine months after the release of FreeS/WAN 2.00, OE has not caught on as we'd hoped.
The Linux user community demands feature-rich VPNs for corporate clients, and while folks genuinely enjoy FreeS/WAN and its derivatives, the ways they use FreeS/WAN don't seem to be getting us any closer to the project's goal: widespread deployment of OE. For its part, OE requires more testing and community feedback before it is ready to be used without second thought. The project's funders have therefore chosen to withdraw their funding.

Anywhere you stop, a little of the road ahead is visible. FreeS/WAN 2.x might have developed further, for example to include ipv6 support. Before the project stops, the team plans to do at least one more release. Release 2.06 will see FreeS/WAN making a late step toward its goal of being a simple, secure OE product with the removal of Transport Mode. This is in keeping with one of Niels Ferguson's and Bruce Schneier's security recommendations, in _A Cryptographic Evaluation of IPsec_ (http://www.counterpane.com/ipsec.pdf). 2.06 will also feature KLIPS (FreeS/WAN's Kernel Layer IPsec machinery) changes to facilitate use with the 2.6 kernel series.

After Release 2.06, FreeS/WAN code will continue to be available for public use and tinkering. Our website will stay up, and our mailing lists at lists.freeswan.org will continue to provide a forum for users to support one another. We expect that FreeS/WAN and its derivatives will be widely deployed for some time to come.

It is our hope that the public will one day be ready for, and demand, transparent, opportunistic encryption. Perhaps then some adventurous folks will pick up FreeS/WAN 2.x and continue its development, making the project's original goal a reality.

Many thanks to the wonderful folks who've been part of the lists.freeswan.org community over the last few years. Thanks to the developers who've created patches and written HOWTOs. Thanks to the volunteers who've donated Web space and time as system administrators. Thanks to the distributors who've puzzled out the fine points of integrating our software with others'. Finally, thanks to the users who've tested our software, shared interoperation success stories, and given others a helping hand. We couldn't have done it without you.

Best Regards,

Claudia Schmeing
for the Linux FreeS/WAN Project

______________________________________________________________________
NIST Announcements
______________________________________________________________________

A new version of Federal Information Processing Standard (FIPS) 180-2, Secure Hash Standard (SHS), is available at http://csrc.nist.gov/publications/fips/index.html. This version contains a change notice that specifies SHA-224 and discusses truncation of the hash function output in order to provide interoperability.

NIST is planning a workshop on Random Number Generation to be held from July 19-22, 2004. During this workshop, a draft standard that is being developed as ANSI X9.82 will be presented and discussed. This draft standard consists of three parts. Part 1 contains an overview and basic principles of random number generation.
Part 2 discusses non-deterministic random bit generators. Part 3 discusses deterministic random bit generators (also known as pseudorandom number generators). A draft of the standard will be made available on the RNG web page (http://csrc.nist.gov/CryptoToolkit/tkrng.html) a few weeks prior to the workshop.

The currently reserved room has a maximum capacity of 75, so attendance will be limited. More information will be available in the future on the RNG web page. For further information, contact Elaine Barker (301-975-2911; ebarker@nist.gov) or John Kelsey (301-975-5101; John.Kelsey@nist.gov).

Elaine Barker
National Institute of Standards and Technology
100 Bureau Dr., Stop 8930
Gaithersburg, MD 20899-8930
Phone: 301-975-2911
Fax: 301-948-1233
Email: ebarker@nist.gov

______________________________________________________________________
Indiana Information Security Week
Contributed by Gene Spafford
______________________________________________________________________

March 22-26 has officially been declared "Indiana Information Security Week" by the Governor and House of Indiana. This is to recognize the various security events being held at CERIAS that week, including our annual security symposium.

The public is invited to register to attend the symposium: http://www.cerias.purdue.edu/symposium. Portions of the symposium, including some of the presentations, will be broadcast on the Access Grid. These events will be noted (soon) on the schedule posted online.

______________________________________________________________________
From ACM Tech News
______________________________________________________________________

Scattered Glitches as E-Voting Gets Biggest Test

Ten U.S. states used electronic voting systems in the March 2 primary, representing the biggest test of the technology in the country to date. Although machines suffered from technical malfunctions in California, Maryland, and Georgia, most of these glitches were attributed to human ...
[read more] http://www.acm.org/technews/articles/2004-6/0303w.html#item1

---------

IETF Conference Debates Antispam Proposals

Various proposals to bring spam under control--which are gaining momentum as spam proliferates to epidemic levels--are being discussed at this week's Internet Engineering Task Force conference in Seoul. "The spam issue has created enough urgency and even desperation, so rather than following ...
[read more] http://www.acm.org/technews/articles/2004-6/0303w.html#item3

---------

Did Your Vote Count? New Coded Ballots May Prove It Did

A truly trustworthy voting system must furnish a voter-verifiable audit trail and maintain the secrecy of ballots, and various systems have been proposed. The "frog" voting system suggested in a working paper from the Caltech/MIT Voting Technology Project in 2001 and modified for an ...
[read more] http://www.acm.org/technews/articles/2004-6/0303w.html#item7

---------

Passing Packets Under Ever More Scrutiny

The Internet protocol was conceived as a payload-independent method of routing so that intermediary infrastructure did not care about the packet's content; today, floods of spam, viruses, and worms have to be stopped from entering a network, while trade secrets and other information that violates ...
[read more] http://www.acm.org/technews/articles/2004-6/0303w.html#item9

====================================================================
Reader's Guide to Current Technical Literature in Security and Privacy
====================================================================

The Reader's Guide from Past issues of Cipher is archived at http://www.ieee-security.org/Cipher/ReadersGuide.html

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

From: http://cisr.nps.navy.mil/jobscipher.html

National ICT Australia, Formal Methods Program
Researcher/Senior Researcher
Formal Methods for Computer Security
http://nicta.com.au

National ICT Australia
Program Leader
Security and Trust Management Program
http://nicta.com.au

Florida International University
Miami, Florida
Four tenure-track positions in Computer Science
Evaluation begins January 15, 2004, continues until positions are filled
http://www.cs.fiu.edu/news/recruit03_04.php

--------------

This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Interesting Links and Reports Available via FTP and WWW
====================================================================

"Reports Available" links from previous issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewReports.html and http://www.ieee-security.org/Cipher/InterestingLinks.html

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe".
   OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".
   OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html

Charles N. Payne, Jr.
Member, Technical Staff
Adventium Labs
100 Mill Place
111 Third Avenue South
Minneapolis, MN 55401 USA
www.adventiumlabs.org
EMAIL: charles.payne@adventiumlabs.org

______________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
______________________________________________________________________

You may easily join the TC on Security & Privacy by completing the on-line form at IEEE at http://www.computer.org/TCsignup/index.htm

_____________________________________________________________
TC Publications for Sale
_____________________________________________________________

IEEE CS Press

Back issues of TC publications may be available; contact Jonathan Millen for information about the Computer Security Foundations Workshop.

________________________________________________________________________
TC Officer Roster
________________________________________________________________________

Chair:                                  Past Chair:
Heather Hinton                          Mike Reiter
IBM Software Group - Tivoli             Carnegie Mellon University
11400 Burnett Road                      ECE Department
Austin, TX 78758                        Hamerschlag Hall, Room D208
+ 1 512 838 0455 (voice)                Pittsburgh, PA 15213 USA
hhinton@us.ibm.com                      (412) 268-1318 (voice)
                                        reiter@cmu.edu

Vice Chair:                             Chair, Subcommittee on Academic Affairs:
Jonathan Millen                         Prof. Cynthia Irvine
SRI International EL233                 U.S. Naval Postgraduate School
Computer Science Laboratory             Computer Science Department
333 Ravenswood Ave.                     Code CS/IC
Menlo Park, CA 94025                    Monterey CA 93943-5118
512-838-0455 (voice)                    (408) 656-2461 (voice)
millen@csl.sri.com                      irvine@cs.nps.navy.mil

Chair, Subcommittee on Standards:       Chair, Subcomm. on Security Conferences:
David Aucsmith                          Jonathan Millen
Intel Corporation                       SRI International EL233
JF2-74                                  Computer Science Laboratory
2111 N.E. 25th Ave                      333 Ravenswood Ave.
Hillsboro OR 97124                      Menlo Park, CA 94025
(503) 264-5562 (voice)                  512-838-0455 (voice)
(503) 264-6225 (fax)                    millen@csl.sri.com
awk@ibeam.intel.com

Treasurer:                              Newsletter Editor:
Tom Chen                                Hilarie Orman
Dept of Electrical Engineering          Purple Streak, Inc.
SMU, Dallas, TX 75275                   500 S. Maple Dr.
(214) 768-8541 (voice)                  Salem, UT 84653
http://www.engr.smu.edu/~tchen          (801) 423-1052 (voice)
                                        cipher-editor@ieee-security.org

________________________________________________________________________

BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html