==========================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 64                                     January 17, 2005

Hilarie Orman, Editor                    Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org        cipher-assoc-editor @ ieee-security.org

Bob Bruen, Book Review Editor, cipher-bookrev @ ieee-security.org
==========================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Contents:

* Letter from the Editor
* Commentary and Opinion
  o Review of the 20th Annual Computer Security Applications Conference
    (Tucson, AZ, December 6-10, 2004) by Jeremy Epstein
  o Robert Bruen's review of "The Digital Person: Technology and Privacy
    in the Information Age" by Daniel Solove
  o Ross Patel's review of Surviving Security by Amanda Andress and
    Mandy Andress
  o Robert Bruen's review of Privacy: What Developers and IT Professionals
    Should Know, by J. C. Cannon
  o Book reviews, Conference Reports and Commentary and News items from
    past Cipher issues are available at the Cipher website
* Announcements and News
  o UK Infosec Initiative, contributed by Ross Patel
  o PITAC Report Released, contributed by Gene Spafford
  o CERIAS Hosts New Mailing Lists, by Gene Spafford
  o Air Force Laboratory Seeks Chief Scientist, contributed by Gene Spafford
* Conference and Workshop Announcements
  o Upcoming calls-for-papers and events
* Reader's guide to recent security and privacy literature
* List of Computer Security Academic Positions, by Cynthia Irvine
* Staying in Touch
  o Information for subscribers and contributors
  o Recent address changes
* Links for the IEEE Computer Society TC on Security and Privacy
  o Becoming a member of the TC
  o TC Officers
  o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

The IEEE Technical Committee on Security and Privacy has long sponsored
its major events, the Symposium on Security and Privacy and the Computer
Security Foundations Workshop. Last year it agreed to be a technical
sponsor of the Conference on Email and Anti-Spam, and it has recently
added SecureComm as well. Watch our main webpage,
http://www.ieee-security.org, for announcements on these events.

Last issue we announced a new look for the Cipher on-line edition, and
this issue we announce the redesign of the IEEE TC S&P page just
mentioned. The Trojan Horse artwork by Howard David Johnson reiterates
the TC theme in modern graphics and determines our new color scheme.

This issue of Cipher has Jeremy Epstein's notes on the ACSAC conference
last month in Tucson, and I commend it to you as both interesting and
illustrative of the value of personal perspectives on conference events.
Be Like Jeremy and contribute to Cipher.
Cipher depends solely on volunteers, and their efforts are appreciated by
readers around the globe. My thanks go to those who have contributed time
and effort, and we can use more help as we strive to be more comprehensive
and timely. Yong Guan of Iowa State University has been helping to
redesign our "Calls-For-Papers" page; he deserves particular thanks for
his time and energy.

Although it is not feature news in this Cipher issue, the recent
disclosure of a compromise in a cell phone company's database of personal
messages and pictures is a reminder of the ongoing challenges in computer
security practice, and should serve as a spur to the invention of more
effective protection methods.

Gene Spafford is looking to help researchers find funding opportunities,
and his new email lists for announcements related to funding are described
in the "Announcements" section of this newsletter.

As you travel to conferences and other security events this winter, think
about contributing your comments to Cipher, or contributing a book or
software review.

Whither goeth the network goest thy data.

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html

____________________________________________________________________
UK Infosec Initiative
from Ross Patel
January 14, 2005
____________________________________________________________________

Former Presidential Cyber Security Advisor Howard Schmidt has joined a
number of global leaders in the information security community to develop
a trusted community for information exchange.
UK INFOSEC capabilities are set to be made publicly available shortly and
will provide members with access to real-time data on emerging threats,
security news, vulnerabilities, viruses and other cyber-crimes,
facilitating a unique, coherent picture of the current state of the
Internet threat.

Commenting on the initiative, UK INFOSEC founder Ross Patel described the
focus of the study as the "enabling - in a community setting - of security
specialists to stay ahead of threats and concerns specific to their
information and infrastructures."

Threat intelligence, and ways to protect against those threats, make up
the core of operational activity, and members can submit vulnerability,
virus and general notifications for distribution throughout the
community. Using this shared data, the UK INFOSEC operations staff
gathers, analyzes, and disseminates an integrated view of information
system vulnerabilities, threats, and incidents. Additional information may
be gathered from public and private sources, including semi-private
organizations like CERT, the publicly funded NIPC, or private
organizations.

Further details may be found at http://www.ukinfosec.com or by contacting
enquiries@ukinfosec.com

____________________________________________________________________
PITAC Report Released
from Gene Spafford
January 12, 2005
____________________________________________________________________

On January 12, the President's Information Technology Advisory Committee
met in Washington DC (and via the WWW). Presentations were made by several
subcommittees of the PITAC, including one looking at the issue of Cyber
Security research funding and support. The whole committee approved the
draft report of the subcommittee. There were four major findings
presented:

1) The Federal R&D budget provides inadequate funding for basic research
   in civilian cyber security.
2) The Nation's cyber security research community is too small to
   adequately support the cyber security research and education programs
   necessary to protect the United States.

3) The PITAC finds that current cyber security technology transfer
   efforts are not adequate to successfully transition Federal research
   investments into civilian sector best practices and products.

4) The Federal cyber security R&D effort is currently unfocused and
   inefficient because of inadequate coordination and oversight.

A number of recommendations are made to address each of these findings.

The report is undergoing some final editing and augmentation. It will
then be printed and presented to the office of the President. Thereafter,
it will be made available to the general public.

Presentation materials from the meeting, including more detail on the
background, findings, and recommendations, are available here: .
The home page for the PITAC is here: .

____________________________________________________________________
CERIAS Hosts New Mailing Lists
from Gene Spafford
January 16, 2005
____________________________________________________________________

CERIAS is hosting two mailing lists:

1) infosec-faculty is for anyone teaching courses in cybersecurity,
   information security, information assurance and related subjects at the
   undergrad or grad level. This is a low volume list for faculty to
   exchange information and ask questions related to pedagogy and
   curriculum. To join, send "subscribe" as a message to
   infosec-faculty-request@cerias.purdue.edu

2) ias-opportunities is a list for people to receive announcements of
   calls for papers for conferences and journals, and for announcements of
   funding opportunities, all related to information assurance and
   security.
   To join, send "subscribe" as a message to
   ias-opportunities-request@cerias.purdue.edu

Other information is available, including information on how to post to
the list, at http://www.cerias.purdue.edu/homes/spaf/ias-opportunities/

____________________________________________________________________
Air Force Laboratory Seeks Chief Scientist
from Gene Spafford
December 22, 2004
____________________________________________________________________

I am passing on information about a position where a person with the
right qualifications can make a big difference in computing R&D,
including issues of cybersecurity, data collection/fusion, HCI,
communications, real-time operating systems, pattern recognition,
reliable computing, and a host of other areas.

The Air Force Laboratory, Information Directorate, has an opening for its
chief scientist. The URL for the official announcement is . I am
enclosing a portion of the job description and qualifications below; see
the official announcement for full details. The short form of the job
description starts off "Serves as the Air Force principal scientific and
primary authority for the technical content of the S&T portfolio related
to information systems and science for the advancement and application of
information systems science and technology...." (The position is limited
to US citizens and nationals by its nature.)

I have been involved with the folks in AFRL/IF for several years now.
They have some outstanding researchers and facilities, including a great
new building and lab space, and they are working on really important (and
difficult!) problems that have impacts on national defense, law
enforcement, university research and the private sector.

The main facility is located in Rome, NY. This is a beautiful area of the
country (especially if you enjoy a few months of real winter with skiing,
skating, and snowball fights :-) with affordable housing and relaxed
surroundings.
The position pays well, and is a senior appointment.

The job duties description includes the following:

The Information Directorate conducts USAF research, exploratory and
advanced development activities in knowledge based technologies, computer
science and technology, collaborative environments, signal processing,
information fusion and exploitation, command & control decision support,
aerospace connectivity, networking, information management and cyber
operations. The Chief Scientist provides scientific leadership, advice
and guidance throughout the Laboratory on research plans and programs in
core area and related technologies. The Chief Scientist serves to focus
research and development efforts associated with the interrelated group
of technologies and strengthen the in-house activities of the laboratory.
Conceives, plans, and advocates major research and development
activities; consults with the laboratory director, the laboratory chief
scientist and the technology director and staff concerning the total
research program and results; monitors and guides the quality of
scientific and technical resources; and provides expert technical
consultation to other AFRL directorates, DOD agencies, universities and
industry.

Position requires an internationally recognized authority in information
systems science and technology with the ability to conceive and conduct
advanced research and development. The incumbent must make significant
contributions to the advancement of knowledge in the field as evidenced
by numerous important scientific publications and by citation of the work
by others.
Qualifications include the following:

The candidate must have at least three years of specialized experience
within the broad area of information systems science and technology as
applied to areas such as battlespace awareness, dynamic planning and
execution, and global information enterprise, with specific research
experience in areas that support these broad topics such as information
fusion and exploitation, predictive battlespace awareness, information
assurance, cyber operations, communications & networks, effects based
operations, collaborative enterprises, modeling and simulation,
intelligent agents, machine reasoning, information management, or
intelligent information systems. At least one year of this research
experience must demonstrate that the candidate has leadership experience
in planning and executing difficult research activities resulting in
outstanding attainments in information systems science and technology; or
planning and executing specialized programs of national significance in
exploratory and advanced development of information systems science and
technology.

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/BookReviews.html, and conference
reports are archived at
http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Review of 20th Annual Computer Security Applications Conference
Tucson, AZ, December 6-10, 2004
by Jeremy Epstein
____________________________________________________________________

The 20th Annual Computer Security Applications Conference (ACSAC) was
held Dec 6-10 in Tucson AZ. This is a three-track conference (two
refereed paper tracks and an un-refereed case studies track). Following
are my notes, which cover the papers and panels I found most interesting.
All papers (and slides for some of the speakers & panelists) are
available at www.acsac.org.

Distinguished Practitioner
--------------------------

The Distinguished Practitioner speech was given by Steve Lipner of
Microsoft. Steve is a longtime fixture in the research community, having
led development of DEC's A1 operating system among other projects. Steve
described Microsoft's development process for building secure software.
Among his key points:

- New employees, especially those fresh out of college, do not arrive
  with the ability to develop secure software. Academic training teaches
  them how to build security features (e.g., crypto algorithms), but not
  how to build things that operate securely.
- Training is a key part of how they operate, including new employee
  orientation and regular refresher courses.
- As has long been known, security can't be bolted on at the end or
  tested in by penetration testing. Security is part of the design &
  implementation process. Security does a final review near the end to
  make sure everything went OK, but that's a final review, not when things
  start getting looked at.
- They try to learn from the security problems that surface in the field,
  to improve the process by recognizing patterns of failure.
- Since implementing the Security Development Lifecycle, they've seen a
  drop of at least 50% in externally reported vulnerabilities compared to
  products that don't use SDL. They grade based on externally reported
  problems since they have no control over those, and it avoids fudging
  the numbers.
- SDL is expensive, but it pays off. Unlike Common Criteria, the focus
  isn't on paperwork. CC focuses on testing security features, but that's
  not where attackers look. SDL is much more effective at reducing
  vulnerabilities than CC.

In a Q&A session, Lipner noted that:

- If there's not enough money to do everything, threat modeling and
  static code analysis are the most effective uses of resources.
- The quality of code (from a security perspective) anecdotally seems to
  be improving after developers are trained.
- The research community has impacted the SDL by providing good research
  in static analysis tools. Formal methods have also had an impact, not in
  doing the full formal methods process, but in cherry-picking the
  techniques.

Session: Intrusion Detection
----------------------------

"An Intrusion Detection Tool for AODV-based Ad hoc Wireless Networks"
Giovanni Vigna, Sumit Gwalani, Kavitha Srinivasan, Elizabeth
Belding-Royer and Richard Kemmerer, University of California Santa
Barbara, USA

Intrusion detection in ad hoc wireless networks is much harder than in
traditional wired networks because there's no perimeter, all nodes
participate in routing, nodes may move in and out of range, etc. They've
extended the STAT framework to do detection for wireless networks. They
look for both local and distributed scenarios (the latter requiring
multiple sensors). To make this real, they've built a testbed with
dynamic networks. Since it's hard to simulate the true dynamic nature,
they have a simulator that generates packet traces that they then feed
into the wireless driver. Attacks can be detected with a relatively small
number of false positives. Placement of sensors is much more important
than in the static (wired) world; they have to do a baseline and then
figure out where to place the sensor. All of the sensors have to trust
each other in their architecture.

"Automatic Generation and Analysis of NIDS Attacks"
Shai Rubin, Somesh Jha and Barton Miller, University of Wisconsin,
Madison, USA

This paper won both the Outstanding Student Paper and the Outstanding
Paper awards. NIDSs miss some attacks; attackers take advantage of this
to create attacks that are equivalent to known attacks but differ only in
how the attack is represented at a protocol level.
The idea of this paper is to build tools that can accept a representation
of the attack and create variations, which it then (automatically)
launches and checks to see if they're caught (i.e., no false negatives).
The tool is based on a formal model of the vulnerability, and is useful
to both black hats (who want to generate variants that can't be detected)
and white hats (to determine if a given TCP sequence is an attack). The
tool includes both transport (TCP) level transformations like
fragmentation, retransmission, and packet ordering, as well as
application level transformations like padding with innocuous steps and
alternate ways to cause the attack. The transforms, which are based on
real attack patterns seen in the wild, are simple and preserve semantics.
They can also do *backwards* derivation - if you find what looks like an
attack, see if it reduces to one of the known attacks. Using the tool
they found a handful of bugs in SNORT. They're planning to try it against
commercial NIDS to see what variants they can catch, as well as what they
miss.

Debate: The Relationship of System & Product Specifications & Evaluations
-------------------------------------------------------------------------

Debate chair: Marshall Abrams, MITRE, USA
Panelists: Stu Katzke, NIST, USA; Jean Schaffer, NSA, USA; Mary Ellen
Zurko, IBM, USA; Steve Lipner, Microsoft, USA

I missed the introductory position announcements, but here are some
points from the Q&A:

- Q: Most security problems are due to lack of bounds checking and other
  implementation bugs. At what EAL level can we expect these will be
  caught? And if they can't be caught at any level, why bother doing an
  evaluation at all?
- A: Vendors should do this before evaluation. Looking at adding hoops
  before an evaluation that vendors should do on their own to catch these.
- A: CC doesn't give any statements about the fundamental system
  characteristics, which is why CC isn't an effective way to secure
  products.
- Q: Shouldn't we be looking more at process, since this is what we're
  all pointing to?
- A: Looking at adding more process into the next version of CC (this
  summer).
- A: Tools (and languages) can take the place of other assurance
  mechanisms to some extent. HCI has done this - APIs have eliminated the
  need for programmers to have stacks of documentation on how to build
  menus.
- Q: TCSEC requirements for avoiding things like buffer overflows were at
  B2/B3 (equivalent to CC EAL5/EAL6). The number of people capable of
  exploiting that type of flaw was much smaller, and it was thought the
  commercial world would never have to worry about it.
- A: The anticipated threat environment for TCSEC B2/B3 is roughly equal
  to what we see today for home users on the Internet.
- Q: Might it be appropriate to add more requirements to lower levels
  (EAL2) so it becomes useful?
- A: A better approach would be to throw out what we have today and start
  over.
- Q: CMM was looked at and rejected by CC; should we change that?
- A: Motorola announced at a recent meeting that they're CMM Level 5, but
  couldn't guarantee that they hadn't had any buffer overflows. That's not
  very helpful.
- A: Panelist was part of the SSE CMM definition effort, and saw that it
  was just process. For example, if a process said "we never check for
  buffer overflows" and stuck to that, you could be CMM Level 5 (which is
  focused on repeatability)... and be totally insecure! So not enthralled
  with CMM as a cure-all.
- A: Vendors who go through CMM and CC find that the processes are the
  same, but CMM is missing the "common sense" part (i.e., do the
  processes meet the requirements for security).
- Q: Is there any scientific evidence that CMM or any other process helps
  with security?
- A: No.
- Q: Does CC or CMM address vulnerabilities deliberately introduced by
  developers (i.e., insider threat)?
- A: No. An open, collaborative environment tends to reduce the risk,
  because many people are looking at each other's work.
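Lipner's remark that static code analysis is among the most cost-effective uses of security resources, and the panelists' point that tools can stand in for other assurance mechanisms, are easiest to appreciate with a concrete check in hand. What follows is an added example, written for this newsletter and not code from any speaker, panelist or paper at the conference: a toy taint-style scanner in Python that flags JDBC queries assembled from servlet request parameters, the SQL injection class of defect that the Stanford tool in the WIP session (later in these notes) looks for. The source and sink names, the propagation rules, and the servlet fragment it scans are all assumptions I made for the illustration.

```python
"""Lightweight taint-style static check for SQL injection in Java source.

Constructed illustration (not the Stanford tool from the WIP session).
Assumptions, all mine: sources are servlet request.getParameter() calls,
sinks are JDBC Statement.execute*() calls, and taint flows through
simple assignments and string concatenation within one method body.
Line numbers are 1-based within the scanned snippet.
"""
import re

SOURCE_CALL = "request.getParameter("
# `String name = request.getParameter("name");`  -> `name` is tainted
SOURCE_RE = re.compile(r"(\w+)\s*=\s*request\.getParameter\(")
# `x = <expr>;`  (the (?!=) lookahead keeps `==` comparisons from matching)
ASSIGN_RE = re.compile(r"(\w+)\s*=(?!=)\s*(.+?);")
# `stmt.executeQuery(<arg>);`  -- the JDBC sinks this toy cares about
SINK_RE = re.compile(r"\.(executeQuery|executeUpdate|execute)\((.*?)\)\s*;")
LITERAL_RE = re.compile(r'"(?:\\.|[^"\\])*"')


def strip_literals(code):
    """Blank out string literals so a column called `name` inside SQL text
    is not mistaken for a reference to a tainted Java variable `name`."""
    return LITERAL_RE.sub('""', code)


def references(expr, tainted):
    """Tainted identifiers referenced (as whole words) by a literal-free expr."""
    return sorted(t for t in tainted if re.search(rf"\b{re.escape(t)}\b", expr))


def find_sqli(java_src):
    """Scan one method body; return [(line_no, sink_method, reason), ...]."""
    tainted = set()
    findings = []
    for line_no, line in enumerate(java_src.splitlines(), 1):
        code = strip_literals(line)

        # 1. Sink check: flag execute*() whose query text is built from input.
        #    An empty argument is the PreparedStatement form (parameters were
        #    bound with setXxx()), so nothing is reported for it.
        m = SINK_RE.search(code)
        if m:
            sink, arg = m.group(1), m.group(2)
            if SOURCE_CALL in arg:
                findings.append((line_no, sink, "request parameter concatenated inline"))
            else:
                hits = references(arg, tainted)
                if hits:
                    findings.append((line_no, sink, f"argument uses tainted {hits}"))

        # 2. Taint propagation: a direct source, or an assignment whose
        #    right-hand side mentions a tainted variable or the source call.
        m = SOURCE_RE.search(code)
        if m:
            tainted.add(m.group(1))
            continue
        m = ASSIGN_RE.search(code)
        if m:
            var, rhs = m.group(1), m.group(2)
            if SOURCE_CALL in rhs or references(rhs, tainted):
                tainted.add(var)
    return findings


# Constructed servlet fragment (not from any paper): two unsafe queries
# (lines 4 and 10) and two safe ones (lines 8 and 9).
SAMPLE_JAVA = """\
String name = request.getParameter("name");
Statement stmt = conn.createStatement();
String query = "SELECT * FROM users WHERE name = '" + name + "'";
ResultSet rs = stmt.executeQuery(query);
String userId = request.getParameter("id");
PreparedStatement ps = conn.prepareStatement("SELECT * FROM users WHERE id = ?");
ps.setString(1, userId);
ResultSet safe = ps.executeQuery();
ResultSet constant = stmt.executeQuery("SELECT COUNT(*) FROM users");
stmt.executeUpdate("DELETE FROM sessions WHERE key = '" + request.getParameter("key") + "'");
"""

if __name__ == "__main__":
    for line_no, sink, reason in find_sqli(SAMPLE_JAVA):
        print(f"line {line_no}: {sink}() -- {reason}")
```

The scanner reports line 4 (the query string carries taint from `name`) and line 10 (a parameter concatenated straight into the sink) and stays quiet on the PreparedStatement and constant queries. The literal-stripping step is what keeps the check "lightweight" without drowning in false positives: without it, the SQL column `id` inside a string would be read as a use of the Java variable `userId`'s neighbour `id`. A real tool would also follow taint across method calls and through sanitizers, which is exactly where the false positives the WIP session reported come from.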
Malware Session
---------------

"Using Predators to Combat Worms and Viruses - a Simulation Based Study"
Ajay Gupta and Daniel C. DuVarney, Stony Brook University, USA

Predators are "benevolent self-propagating code" - worms that have a good
intention. There are potential positives (e.g., much faster propagation
than relying on patching, and they might stop the spread of some attacks
even if no patch is available by adjusting firewall settings or turning
off vulnerable services) but lots of negatives (including legal/social,
as well as risks of malfunction). There are issues with how the predator
spreads, whether using the same entry point as the worm or having a
dedicated "predator port" (which in itself introduces new attack
avenues). They've simulated predator behavior using finite state machines
to represent actions, and looked at various tuning parameters in
predators. Different types of predators include "classic" (do not
immunize the machine), "persistent" (do not immunize, but lie in wait for
an attacker), and "immunizing" (tries to spread, and closes the door
behind it). Depending on the type of predator, the fanout level, the time
allowed, etc., you can contain attacks. By limiting the parameters, they
can avoid overloading the network. The paper contains nice graphs showing
how different settings impact the infection rate and the steady state.
Among the problems (besides the risk of malicious predators, which they
propose to constrain using code signing) are worms locking the predator
out.

WIP Session
-----------

"Finding Security Errors in Java Applications Using Lightweight Static
Analysis"
Benjamin Livshits, Stanford University

There are lots of static analysis tools that look for problems in C/C++,
because the problems come from poor language and API design (buffer
overruns happen unless you actively prevent them). By contrast, Java
protects from those obvious errors, and leads to deeper errors.
They've built a tool that finds two types of errors: bad session stores
and SQL injection. In 10 web-based Java apps (mostly blogging tools), each
consisting of 10s of KLOC, they found 14 session store problems (and 8
false positives) and 6 SQL injection problems.

-----------------

"Access Control for Distributed Health Care Applications"
Lillian Røstad, Norwegian University of Science and Technology

Norwegian healthcare uses RBAC extensively, with override rules for
emergency access. However, the overrides are frequently used when there's
no real emergency. They're investigating why people feel the need to
bypass, and whether the bypasses are appropriate.

-----------------

"Augmenting Address Space Layout Randomization with Island Code"
Haizhi Xu, Syracuse University

Return-into-libc attacks can be frustrated by moving libc around the
address space as a unit, but once an attacker finds it, all the relative
positions are unchanged. If there's only 16 bits of randomization in
placement, that can be broken in a few minutes. Their idea is to move each
entry point individually, rather than all of libc. Even if the attacker
finds one, that doesn't help them find anything else.

-----------------

"The DETER Testbed"
Terry V. Benzel, Information Sciences Institute

The goal is to build a testbed to run malicious code to see how
preventative technology works. The technology is based on the Univ of
Utah system. Containment is the key goal, so malicious code doesn't
escape to the Internet. To make experiments effective and repeatable,
they can do automatic reconfiguration of all of the systems, which allows
complete test setup & teardown in 10 minutes. See www.isi.edu/deter for
more info.

-----------------

"Vertical Sensitivity for the Information Security Health Rating for
Enterprises"
Arcot Desai Narasimhalu, Singapore Management University

S&P and Moody's rate bonds; can we use a scheme similar to that to rate
cyber-threats?
CxOs are able to understand rating schemes that measure overall risk. He
calls the result an INFOSeMM rating, with ratings from DDD to AAA
depending on resilience of infrastructure, intelligence, and practices.

Invited Essayist
----------------

The invited essayist was Rebecca Mercuri, who is currently at Harvard's
Radcliffe Institute, and is best known for her work in electronic voting.
Her topic was "Transparency & Trust in Computational Systems".

Trust means many things in different contexts; even many of our standard
measures (e.g., Orange Book evaluations) don't say anything about how
trust is created, only about the rules and metrics (with the implication
that following the rules gives trust). There are conflicts between the
notions of security by obscurity ("trust me") and open source
("transparency"); she likened the former to moving ICBMs around the
country so an attacker wouldn't know where the real ones were vs. making
everything available. There's an assumption that transparency is the same
as trust, but it's not. Programmers use the word "trust" to mean
"control" - if you control the code, then you trust it - but that's not
accurate either.

Increasing usability increases transparency to people. For example, if
you tell the user a task will take a while, then they'll be OK with the
delay. Paradoxically, making things *too* easy may make some people
distrust the system. And transparency can enhance confidence in
inherently untrustworthy products, which isn't the long-term desired
goal.

Classic papers
--------------

"If A1 is the Answer, What was the Question? An Edgy Naïf's
Retrospective on Promulgating the Trusted Computer Systems Evaluation
Criteria", Marv Schaefer, Books With a Past
presented by Paul Karger, IBM

Paul gave a history of the development and motivation of the TCSEC (aka
Orange Book). The reason for TCSEC was so procurement staff without
technical expertise could write competitive procurements that allow them
to buy secure systems.
Early in the design of the TCSEC, Ted Lee proposed a "Chinese menu" with
many different dimensions of measurement, but that was too complex. The
Nibaldi study at MITRE came up with a set of seven levels (which
eventually became A1, B3, B2, B1, C2, C1, and D), with the notion that B1
and C1 were "training wheels" and were not intended for serious use.

Things that went wrong included imprecision in the wording and lack of
definitions (e.g., what does it mean to "remove obvious flaws"),
over-specification and customer naïveté (too many customers decided they
wanted the "best thing" so specified A1, even when they didn't need it),
and the rush to get the standard out the door. There were "yards deep"
comments on the 1983 draft, but the NCSC director insisted on minimal
changes before the 1985 final version came out. Interpretation caused
"criteria creep", which meant that products evaluated in year N might no
longer be evaluatable in year N+1. The Trusted Network Interpretation
(TNI) and Trusted Database Interpretation (TDI) were put out prematurely.
And the "C2 by 92" mandate was dead on arrival because of slow
evaluations. Some requirements were put in strange places (e.g., negative
ACLs at B3, simply because they couldn't fit anywhere else).

TCSEC fostered research that exposed shortfalls in our knowledge (e.g.,
John McLean's System Z), problems with automated formal proofs, etc. It
also led to more flexible criteria including the German criteria and
eventually CC. The result of the flexible criteria is that evaluations
aren't comparable, and vendors can make vacuous claims (i.e., can get an
EAL4 evaluation of a system that doesn't claim to have any security
capabilities). The battle may be lost, because the systems customers
demand are far larger and more complex than the systems that were thought
to be unsecurable 30 years ago.

Paul emphasized several times that the paper in the proceedings is well
worth reading, and contains far more than the presentation.
-----------------

"A Look Back at 'Security Problems in the TCP/IP Protocol Suite'"
Steven M. Bellovin, AT&T Labs -- Research

The original paper was one of Steve's first at AT&T, and this talk is his
swan song as he prepares to leave AT&T for Columbia University. Steve
described many of the vulnerabilities he found in the TCP protocol suite,
and gave many anecdotes of what's gone wrong, including the "AS 7007"
incident where a small ISP erroneously advertised itself as having the
best routing on the internet, and promptly got swamped by the traffic.
The earliest email problems were in 1984, but some like phishing are
relatively new. The idea behind reserved ports on UNIX systems (ports
less than 1024 are "privileged") was a bad idea then and worse now.

Lessons learned:

- The original internet architecture wasn't designed to be secure, and
  we're still paying the price.
- Cryptography is important, but frequently used as a fig leaf
  (especially SSL).
- Despite all this, most problems on the internet today are due to buggy
  code or weak passwords, not protocol flaws. Attackers are more likely to
  attack code than protocols, not because protocols are strong but because
  code is weak.
- Protocols should be analyzed for security during development, not after
  it's done (unlike WEP, for example).

PANEL - The Cyber Enemy Within...Countering The Threat From Malicious Insiders
----------------------------------------------------------------------------

Chair: Dick Brackney, Advanced Research and Development Activity, USA
Panelists: Terrance Goan, Stottler Henke Associates, USA; Shambhu
Upadhyaya, University of Buffalo, USA; Allen Ott, Lockheed Martin,
Orincon Information Assurance, USA

Dick noted the types of damage insiders can cause (eavesdrop,
steal/damage information, use information fraudulently, deny access to
other authorized users) and noted that a recent DOD Inspector General
report claims that 87% of 1000 intruders examined were insiders.
Their goal is to reduce the time between defection and detection. They'd
like to have anomaly detection algorithms that detect abnormal insider
behavior - something that might make you suspicious, rather than a single
point, the way there is when you see a particular attack.

Terrance wants to find ways to detect malicious insiders without
signature matching or anomaly detection. Finding malicious insiders is
hard because they have legitimate access and can do fairly safe probing
without it looking strange, including non-cyber events that are part of
the attacks. Personal relationships can also help cover things up -
Hansen, when confronted, was able to explain away his suspicious
behavior. Moves post 9/11 to encourage sharing and efficiency mean that
"need to know" violations aren't treated seriously. In short, network
security personnel may be incapable of identifying suspicious activity
because the line between "normal" and "abnormal" is so fuzzy. He
advocates identifying the greatest risks and implementing reliable
partial solutions - for example, relying on personnel reports to be a
"sensor" in finding insider attacks, or providing anomaly reports to
information owners who might spot something suspicious that wouldn't be
noticed by a system administrator. They've built a system that looks at
documents in the system and captures key phrases that it then searches
for on Google. If the phrase hits on internet sites, then the document it
comes from probably isn't sensitive, but if it only hits on restricted
databases then it probably is sensitive. A person sees the matches and
validates; the system learns from the results of the searches. This
reduces false positives over time.

Allen described DAIwatch, which looks for "activities" not signatures.
They use AI, fuzzy mapping, etc. to understand what's going on based on
input from operating systems, IDSs, focused searches, etc.
By correlating different information sources they've seen lots of network router & IP configuration problems, erroneous registry settings, logins from unknown programs & machines, unknown network services, etc. They're in transition to trying this in financial and government sites.

In the Q&A session, someone pointed out that Hanssen was a system administrator, and therefore had legitimate access. How would any of these systems work against a sysadmin? The conclusion was that you need procedural controls (e.g., "two man rule").

Conference Reception
--------------------

The conference reception was held Thursday evening. Addison Wesley generously donated several dozen computer security textbooks which were given out as door prizes. In what some thought was a deliberate plant, Steve Bellovin, a longtime UNIX aficionado, won "The .NET Developer's Guide to Windows Security". Despite some early concerns, there were enough drink tickets for all concerned.

New Security Paradigms Workshop Panel
-------------------------------------

"Designing Good Deceptions in Defense of Information Systems"

They set up a system with lots of fake stuff to entice attackers. To make it convincing, they needed to define a believable policy as to how the system works, and how things don't work. For example, something might fail because the network is down, the system has already been hacked, or the software is a new release. They then try to map suspicion to figure out the attacker's likely moves. Deception can be used as a detector: if the policy causes them to say "the network is down", benign users will go away but malicious users will try to bypass the system. It's a form of "active intrusion detection".

-----------------
"A Serial Combination of Anomaly and Misuse IDSes Applied to HTTP Traffic"

They put together anomaly and misuse detectors to see whether they agreed or disagreed.
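The serial anomaly-then-misuse scheme from this talk, as an added Python example that is not the authors' code: a length-profile anomaly detector and a signature matcher run over constructed HTTP request lines, producing the agree/disagree matrix and the alert counts a human would face from each detector alone versus the combination. The bucketing policy, signature set, training profile and traffic are all assumptions of the example.

```python
"""Serial combination of an anomaly detector and a misuse (signature) detector
over HTTP request lines: an added illustration of the scheme in the talk summary
above, not the authors' code.  Profile, signatures and traffic are constructed."""
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed benign training traffic, one request per line: "METHOD url".
TRAINING = [
    "GET /index.html",
    "GET /search?q=printers&page=1",
    "GET /search?q=laser+toner&page=2",
    "POST /login?user=alice&pw=secret",
    "POST /login?user=bob&pw=hunter2",
]

# Constructed sample traffic: benign, benign-but-signature-like, and attack-shaped.
TRAFFIC = [
    "GET /index.html",
    "GET /search?q=toner&page=3",
    "GET /search?q=union+select+committee",       # benign, looks like SQLi
    "GET /search?q=%27+or+1%3D1",                 # short injection, known parameter
    "GET /search?q=" + "A" * 60,                  # oversized value, no signature
    "GET /admin/../../etc/passwd",                # unknown path with traversal
    "POST /login?user=eve&pw=x&debug=1",          # unseen parameter, no signature
    "GET /cgi-bin/test.cgi?x=<script>x</script>",  # unknown path, XSS marker
]

class AnomalyDetector:
    """Per (method, path), learns which parameters occur and how long their values get;
    anomalous = unseen resource or parameter, or value longer than slack * training max."""

    def __init__(self, slack=2.0):
        self.slack = slack
        self.profile = {}

    @staticmethod
    def parse(line):
        method, url = line.split(" ", 1)
        parts = urlsplit(url)
        return method, parts.path, dict(parse_qsl(parts.query, keep_blank_values=True))

    def train(self, lines):
        for line in lines:
            method, path, params = self.parse(line)
            entry = self.profile.setdefault((method, path), {})
            for name, value in params.items():
                entry[name] = max(entry.get(name, 0), len(value))
        return self

    def is_anomalous(self, line):
        method, path, params = self.parse(line)
        entry = self.profile.get((method, path))
        if entry is None:
            return True
        return any(name not in entry or len(value) > self.slack * max(entry[name], 1)
                   for name, value in params.items())

class MisuseDetector:
    """Matches a small constructed set of classic web attack signatures against
    the URL-decoded request line."""
    SIGNATURES = {
        "directory-traversal": re.compile(r"\.\./"),
        "sql-injection": re.compile(r"(?i)('\s*(or|and)\b|\bunion\s+select\b)"),
        "xss": re.compile(r"(?i)<script"),
    }

    def match(self, line):
        decoded = unquote_plus(line)
        return [name for name, rx in self.SIGNATURES.items() if rx.search(decoded)]

def build_detectors():
    return AnomalyDetector().train(TRAINING), MisuseDetector()

def combination_matrix(lines, anomaly, misuse):
    """How often the detectors agree or disagree: key = (anomalous?, signature?)."""
    return dict(Counter((anomaly.is_anomalous(l), bool(misuse.match(l))) for l in lines))

def serial_queue(lines, anomaly, misuse):
    """Anomaly stage first; only anomalous events reach the misuse stage.  Bucket policy
    is an assumption of this example: 'normal' = accepted by the profile, dropped even if
    a signature would fire (where attacks can be missed); 'attack' = anomalous + signature;
    'unknown' = anomalous, no signature, still needs a human."""
    buckets = defaultdict(list)
    for line in lines:
        if not anomaly.is_anomalous(line):
            buckets["normal"].append(line)
        elif misuse.match(line):
            buckets["attack"].append(line)
        else:
            buckets["unknown"].append(line)
    return dict(buckets)

def summarize(lines, anomaly, misuse):
    """Alert counts: each detector alone, both run independently, serial combination."""
    a = {l for l in lines if anomaly.is_anomalous(l)}
    m = {l for l in lines if misuse.match(l)}
    q = serial_queue(lines, anomaly, misuse)
    return {"anomaly_only": len(a), "misuse_only": len(m), "either": len(a | m),
            "serial_queue": len(q.get("attack", [])) + len(q.get("unknown", []))}
```

On the constructed traffic the benign "union select committee" search is suppressed (a misuse false positive the anomaly stage filters out), while the short injection in a known parameter is also dropped, which is the kind of miss the summary warns about.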
They then mapped out different combinations using two real web servers, and tried to figure out which of the combinations are most likely, and whether the combination can be used to reduce the fraction of alerts that have to be examined by a human. Out of 2.2 million events, they reduced the alarm rate from 450K to 20K possible events, or a factor of more than 20. The number of "unknown" events also dropped dramatically. The combination can miss certain types of attacks, but the reduced false positive rate made it more likely that the alerts would be examined.

-----------------
"Securing a Remote Terminal Application with a Mobile Trusted Device"

The goal is to allow you to safely access your home machine from an internet café. VNC is a good way to start, since the VNC protocol pushes screen images, and doesn't allow queries. They use a PDA to enhance the authentication scheme; the PDA is used to establish a master secret over an SSL link, and that master secret is then used by the public terminal to connect to the home machine. You don't have to trust the public terminal except to pass input through to the home machine and to display frame buffers accurately. Any malware on the public terminal can't fetch files or execute commands on the home system, but the public terminal might keep images in its cache of what you've seen, so there are still trust issues. The overhead involved is relatively small. More information at www.parc.com/csl/projects/usable-security/

____________________________________________________________________
Book Review By Robert Bruen
January 13, 2005
____________________________________________________________________

The Digital Person: Technology and Privacy in the Information Age
by Daniel Solove
New York University Press 2004.
ISBN 0-8147-9846-2 LoC KF1263.C65S668. 282 pages. $29.95. Index. Endnotes.

The consequences of the integration of digital technology have been in the minds and public words of many people.
One did not need to have a crystal ball to see that the capture of information in bits had long reaching tentacles. The state of "Big Brother" from the novel 1984 was clearly on its way. The expectations of the most fearful have shown themselves in many forms, with such government programs as CAPPS. However, not everyone saw that there were others to be feared, for example, the corporations. Big Brother was the government, not a corporation. The model does not quite work.

Solove has come up with a new model, taken from a novel by Franz Kafka with the title The Trial from 1937. In it the protagonist is arrested without explanation. The rest of the story details his mind-numbing attempts to navigate the maze of the bureaucracy to find out why the arrest has happened. With Big Brother the enemy was clear; in The Trial nothing is clear but helplessness. It is this new model that is the basis for The Digital Person.

We all have a dossier of some kind distributed throughout many databases in governments and in businesses. Our finances are chronicled in IRS and state databases as well as in credit bureaus, credit card companies, phone companies, supermarket discount cards, and on and on. Much of this has been detailed in Simson Garfinkel's "Database Nation." Solove takes it one step further.

"The Digital Person" is well documented, as one would expect from a lawyer, with copious endnotes, yet the book is very accessible to the reader. It is not a technical book, but rather about the social implications of technology. And what we should do about it. The first step is to understand what is happening using the new model. Those of us who enjoy complaining about the government as it crushes our freedoms really know that it is quite transparent. Secret projects are somewhat limited and we can always bring issues to court. Corporations are not so transparent. Their books are not easily accessible; in fact, often they seem to be above the law.
The collected information can be buried very deeply, as can the uses of the information. Just try to get a mistake in your credit report corrected. The second step is architecture, which involves the Constitution, record keeping, and oversight. So all is not lost. Solove presents the argument that if we can understand the problem and use what we have, we can cope with this digital person created by progress of technological development. If we do not structure it correctly we will all end up like Joseph K. in The Trial, who was executed without ever actually having a trial and never found out why he was arrested.

This is not only a book you should read, but you should make sure your friends read it, and if they have not yet done so, have them read "Database Nation" as well.

____________________________________________________________________
Book Review By Ross Patel
January 3, 2005
____________________________________________________________________

Surviving Security
by Amanda Andress and Mandy Andress
Sams 2001. ISBN 0672321297

As the title implies, "Surviving Security" emphasises the need to understand and integrate the many facets of security, which must interact correctly to create an effective security infrastructure. This book covers ground that is commonly neglected in the field: how to effectively integrate security controls with operational processes. This is a crucial consideration and one that is often skirted over in other tomes.

As security practitioners are acutely aware, security is about balance and interests: providing the right balance of control and countermeasure, while acting to maintain the interests of those it affects. Systems can be locked down and restrictive policies implemented to provide the utmost control over permissible and accountable actions.
However, this will usually have an adverse effect on the business and create ill feeling among staff and a sense that the only way to get the job done properly is to cut corners, effectively bypassing or disregarding all the security in place. Security must not hinder operational activities, but instead must be implemented as an enabler - a way of doing business as usual in a safer and more structured manner that can ultimately benefit the bottom line.

The work covers many spheres of security, from policies and architecture concerns to technical controls such as firewalls, IDSs and OS hardening. For many organisations, the chapters on authentication and safe remote access to company resources will be of particular interest and value. One of the more useful dimensions of the book is the analytical nature of the text, which highlights common misconceptions and pitfalls. The often used analogy of the 'weakest link in the chain' being the shortcoming that compromises the whole security process is a theme that runs throughout this book. "Surviving Security" does well to keep this message in the forefront of the reader's mind while delving into more specialist spheres that are often neglected. From patch management strategies to system log and process monitoring, Andress stresses that the devil is in the detail, and where security is concerned ignorance or lack of attention can have far reaching consequences.

With the cost of doing nothing far greater than that of taking action to safeguard information and infrastructures, organisations must take a considered look at the risks and exposures they face. Staying on the right side of this critical curve is essential.

Andress's style of writing is insightful and engaging. By basing the text on personal experiences in the field of information assurance, the book swiftly cuts through the theoretical side of security and draws out strategies and techniques that have been proved at the coal-face.
Most sections are appended with a 'For more information' box that lists additional points of reference (websites, books, journals etc) where particular issues or concerns are expanded in greater detail. SAMS, the publishers, have also created a complementary website to the text, which helps keep the reader in step with updates and changes in both threats and Best Practice. Also featured are independent product reviews. This is a particularly useful resource, which for a fast moving industry such as information security is particularly welcome.

"Surviving Security" goes further than most books by providing an opportunity to take a Miller-styled 'view from the bridge' at the security landscape. In a field full of specialist technical books, this wider perspective is especially valuable.

____________________________________________________________________
Book Review By Robert Bruen
January 15, 2005
____________________________________________________________________

Privacy: What Developers and IT Professionals Should Know
by J. C. Cannon
Addison-Wesley 2005. ISBN 0-321-22409-4.
Index, seven appendices, CD-ROM. 347 pages. $49.99

Most books about privacy today tend to focus on the very real things that threaten our privacy and on legal and social remedies for these ills. This book is slightly different in that it looks at the technical aspects of privacy. It is Microsoft-centric because the author works there and worked with their products for years before joining them. My preference is for vendor neutral books, but this one has enough useful material that it is worth a close look.

The privacy battles started back when cameras became available which allowed newspapers to publish invasive pictures of almost anyone. Thus early privacy papers and legal opinions had their birth from technology. As digital technology has progressed, the war over privacy has intensified.
Unfortunately rational discussion has been lost due to continued legal struggles, media attention and business opportunities. And yet, technology keeps moving forward. The early newspaper photographers have been replaced by the prospect of every person on the planet with a mobile phone with a camera (still and video) that flashes images everywhere and anywhere. At the same time, developments have also provided privacy aware technology. If the battle is being fought on the technical battlefield, there is not much choice about where we will spend our resources. Organizations like EFF and EPIC can fight the legal battles, but the technical folks need to ramp up their efforts to protect privacy.

For example, Digital Rights Management (DRM) is one arena in which a battle has been engaged. Whichever side you enlist with, it is still an important struggle. The more you know about it and understand, the better able you are to deal with the issues surrounding it. Obviously, Microsoft supports DRM because of the products they sell. Piracy is a legitimate problem for them. It also appears to me that this is their philosophical stance. Hence we see in Microsoft's CDROM burning software respect for any DRM that exists on the CD to be copied, where a warning appears, a refusal to copy or a copy which will not play on certain CD players. The technical answer is of course to either get software for your Windows machine that will not block you or use Linux. None of this is enough to end the battle. Reading the chapter in Cannon's book will provide a good background on the current developments in DRM, including language, architecture and other more sophisticated aspects that require consideration. This all looks like the one-upmanship game that the crypto guys have been playing for a couple of millennia, but if you take a stand you need to play. If you are going to play, you need to be armed.
I recommend Cannon's Privacy because it is an interesting take on the problem and he does a good job. If he is your friend, support him. If he is not then learn all you can about the other side. In any case, it is worth reading. The accompanying CD has source code for building a privacy enabled web service using WS-Privacy.

====================================================================
Conference and Workshop Announcements
====================================================================

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Calendar of Security and Privacy Related Events
maintained by Hilarie Orman

Date (Month/Day/Year), Event, Location, web page for more info.
1/17/05: Information Hiding, Barcelona, Spain; submissions are due; http://kison.uoc.edu/IH05
1/25/05: Workshop on Security In Information Systems, Miami Beach, FL; submissions are due; http://www.iceis.org/workshops/wosis/wosis2005-cfp.html; information: secretariat@iceis.org
1/26/05: Applied Cryptography and Network Security, New York City, NY; submissions are due; http://acns2005.cs.columbia.edu/cfp.html
1/28/05: 18th Computer Security Foundations Workshop, Aix-en-Provence, France; submissions are due; http://www.lif.univ-mrs.fr/CSFW18/; information: amadio@cmi.univ-mrs.fr
1/31/05- 2/ 3/05: Australasian Information Security Workshop On Digital Rights Management, Newcastle, Australia; http://www.cs.newcastle.edu.au/~acsw05
---------------
2/ 3/05- 2/ 4/05: Network and Distributed System Security Symposium, San Diego, California; http://www.isoc.org/isoc/conferences/ndss/05/index.shtml; information: kseo@bbn.com
2/ 3/05- 2/ 4/05: Workshop on Protocols for Fast Long-distance Networks, Lyon, France; http://www.ens-lyon.fr/LIP/RESO/pfldnet2005
2/11/05: Australasian Conference on Information Security and Privacy, Brisbane, Australia; http://www.isrc.qut.edu.au/events/acisp2005/
2/14/05- 2/18/05: RSA Conference, Cryptographers' Track, San Francisco, CA; http://www.rsasecurity.com/rsalabs/node.asp?id=2015
2/25/05: Symposium on Usable Privacy and Security, Pittsburgh, PA; submissions are due; http://cups.cs.cmu.edu/soups/
2/25/05: Workshop on the Economics of Information Security, Cambridge, MA; http://www.infosecon.net/workshop/index.html
2/28/05- 3/ 3/05: Financial Cryptography and Data Security, Roseau, The Commonwealth Of Dominica; http://www.ifca.ai/fc05/
---------------
3/ 6/05: Information Assurance Workshop, West Point, NY; submissions are due; http://www.itoc.usma.edu/workshop/2005/; information: dodge@usma.edu
3/ 8/05- 3/12/05: Pervasive Computing and Communications, Kauai, HI; http://www.percom.org
---------------
3/13/05- 3/17/05: ACM SAC, Track on Trust, Recommendations, Evidence and other Collaboration Know-how, Santa Fe, NM; http://www.trustcomp.org/treck/; information: sac.treck.info@trustcomp.org
3/15/05: Conference on Email and Anti-spam, Palo Alto, CA; submissions are due; http://www.ceas.cc; information@ceas.cc
3/17/05- 3/22/05: Verification of Infinite State Systems with Application to Security, Timisoara, Romania; http://vissas.ieat.ro/
3/22/05: Applications and Services in Wireless Networks, Paris, France; http://int-evry.fr/aswn2005/
3/23/05- 3/24/05: CERIAS Security Symposium; http://www.cerias.purdue.edu
3/31/05- 4/ 1/05: Information Assurance Workshop, Washington, DC; http://iwia.org/2005/CfP_WS2005.html
3/31/05: Symposium on Recent Advances in Intrusion Detection, Seattle, Washington; submissions are due; http://www.conjungi.com/RAID/
---------------
4/ 1/05: IEEE Internet Computing Special Issue on P2P and Ad Hoc Nets; submissions are due; http://www.computer.org/internet/call4ppr.htm
4/10/05- 4/15/05: USENIX, Anaheim, CA; http://www.usenix.org/events/usenix05/cfp/general.html
4/19/05- 4/21/05: NISTPKI, Gaithersburg, MD; http://middleware.internet2.edu/pki05/
---------------
5/ 3/05- 5/ 5/05: Security and Protection of Information, Brno, Czech Republic; http://www.unob.cz/spi
5/ 8/05- 5/11/05: Symposium on Research in Security and Privacy, Berkeley/Oakland, CA; http://www.ieee-security.org/TC/SP2005/oakland05-cfp.html; information: srt@cs.unt.edu
5/ 9/05- 5/12/05: Workshop on Information Security and Hiding, Singapore
5/10/05: Cluster Security - The Paradigm Shift, Cardiff, UK; http://www.ncassr.org/projects/cluster-sec/ccgrid05/
5/23/05: Workshop on Security Issues in Concurrency, San Francisco, CA; submissions are due; http://www.zurich.ibm.com/~mbc/secco05/; information: secco05-chairs-public@zurich.ibm.com
5/24/05- 5/25/05: Workshop on Security In Information Systems, Miami Beach, FL; http://www.iceis.org/workshops/wosis/wosis2005-cfp.html
---------------
6/ 2/05- 6/ 4/05: Workshop on the Economics of Information Security, Cambridge, MA; http://www.infosecon.net/workshop/index.html
6/ 6/05- 6/ 8/05: Workshop on Policies, Stockholm, Sweden; http://www.sics.se/policy2005/
6/ 6/05- 6/ 8/05: Information Hiding Workshop, Barcelona, Spain; http://kison.uoc.edu/IH05
6/ 6/05- 6/ 9/05: Workshop on Security in Distributed Computing Systems, Columbus, OH; http://securityworkshop.ece.iastate.edu
6/ 7/05- 6/10/05: Applied Cryptography and Network Security, New York City, NY; http://acns2005.cs.columbia.edu/cfp.html
6/13/05: Workshop on Trust, Security and Privacy for Ubiquitous Computing, Taormina, Italy; http://www.iit.cnr.it/TSPUC2005/
6/15/05- 6/17/05: Information Assurance Workshop, West Point, NY; http://www.itoc.usma.edu/workshop/2005/
6/20/05- 6/22/05: 18th Computer Security Foundations Workshop, Aix-en-Provence, France; http://www.lif.univ-mrs.fr/CSFW18/
6/29/05- 7/ 1/05: Applications and Services in Wireless Networks, Paris, France; http://int-evry.fr/aswn2005/
---------------
7/ 4/05- 7/ 6/05: Australasian Conference on Information Security and Privacy, Brisbane, Australia; http://www.isrc.qut.edu.au/events/acisp2005/
7/ 6/05- 7/ 8/05: Symposium on Usable Privacy and Security, Pittsburgh, PA; http://cups.cs.cmu.edu/soups/
7/21/05- 7/22/05: Conference on Email and Anti-spam, Palo Alto, CA; http://www.ceas.cc; information@ceas.cc
---------------
8/21/05- 8/22/05: Workshop on Security Issues in Concurrency, San Francisco, CA; http://www.zurich.ibm.com/~mbc/secco05/
---------------
9/ 7/05- 9/ 9/05: Symposium on Recent Advances in Intrusion Detection, Seattle, Washington; http://www.conjungi.com/RAID/

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers
New since last Cipher issue
____________________________________________________________________

IEEE Journal on Selected Areas in Communications, High-speed Network Security -- Architecture, Algorithms, and Implementation, 4th Quarter 2006.
(Submission due 1 September 2005)

Guest editors: H. Jonathan Chao (Polytechnic University), Wing Cheong Lau (Qualcomm), Bin Liu (Tsinghua University), Peter Reiher (University of California at Los Angeles), and Rajesh Talpade (Telcordia Technologies)

While the recent proliferation of broadband wireline and wireless networking technologies has substantially increased the available network capacity and enabled a wide range of feature-rich high-speed communication services, security remains a major concern. Large-scale, high-profile system exploits and network attacks have become common recurring events that increasingly threaten the proper functioning and continual success of the communication infrastructure and services. One key aspect of mitigating such increasing threats is to develop new security/defense architectures, systems, methodologies and algorithms which can scale together with the communications infrastructure in terms of operating speed, operational simplicity and manageability, etc. The aim of this issue is to bring together the work done by researchers and practitioners in understanding the theoretical, architectural, system, and implementation issues related to all aspects of security in high-speed networks. We seek original, previously unpublished and completed contributions not currently under review by another journal.
Areas of interest include but are not limited to the following topics related to high-speed network security:
- High-speed Intrusion Detection, Prevention (IDS/IPS) Systems, and malicious behavior detection
- High-speed Distributed Denial of Service (DDoS) attacks, prevention and defense systems
- High-speed network monitoring, metering, traceback and pushback mechanisms
- High-speed firewall, packet filtering and cross-layer defense coordination
- Support of authentication, confidentiality, authorization, non-repudiation in high-speed networks
- Security group communications/multicast
- Secure and scalable content-delivery networks
- Support for automated security policy configuration and realization
- Forensic methodologies for high-speed networks
- Automated attack characterization and containment in high-speed networks
- Testbeds for high-speed network security

For more information, please see http://www.argreenhouse.com/society/J-SAC/Calls/network_security.html.

____________________________________________________________________
SDCS 2005
2nd International Workshop on Security in Distributed Computing Systems, held in conjunction with the 25th International Conference on Distributed Computing Systems (ICDCS-2005), Columbus, OH, USA, June 6-9, 2005. (Submissions due 10 January 2005) [posted here 12/13/04]

In recent years, interest has increased in the field of security of distributed computing systems, since securing a large-scale networked system becomes a great challenge. Relevant topics include the control mechanisms, mobile code security, denial-of-service attacks, trust management, modeling of information flow and its application to confidentiality policies, system composition, and covert channel analysis. We will focus our program on issues related to important properties of system security, such as measurability, sustainability, affordability, and usability in distributed computing systems.
Topics of interest include, but are not limited to:
- Distributed Access Control and Trust Management
- Key Management and Authentication
- Privacy and Anonymity
- Benchmark and Security Analysis
- Security for Peer to Peer systems and Grid Computing Systems
- Secure Multicast and Broadcast
- Secure multiparty and two-party computations
- Computer and Network Forensics
- Denial-of-service Attacks and Countermeasures
- Secure E-Commerce/E-Business
- Security Verification
- Distributed Database Security
- Digital Rights Management
- Secure Mobile Agents and Mobile Code
- Intrusion detection
- Viruses, Worms, and Other Malicious Code
- Security in ad-hoc and sensor networks
- World Wide Web Security

For more information, please see http://securityworkshop.ece.iastate.edu

____________________________________________________________________
AusCERT2005
AusCERT2005 Refereed R&D Stream, Gold Coast, Australia, May 22-26, 2005. (Submissions due 21 January 2005)

Original papers are solicited for submission to the refereed stream of AusCERT2005 - the AusCERT Asia Pacific Information Technology Security Conference. This stream will run within the regular conference program which is being organised by AusCERT. Full papers submitted to this stream will be refereed by members of the international program committee and published in the conference proceedings.

Topics of interest include, but are not limited to:
- Intrusion Detection
- Network and Wireless Security
- Attack Detection / Honeynets
- Critical Infrastructure Protection
- Legal and Regulatory Issues
- Intrusion Forensics
- Incident Response

For further info, see http://www.isrc.qut.edu.au/events/auscert2005/

____________________________________________________________________
WOSIS
Third International Workshop on Security In Information Systems, held in conjunction with the 7th International Conference on Enterprise Information Systems (ICEIS 2005), Miami Beach, FL, USA, May 24-25, 2005.
(Submissions due 25 January 2005)

Information Systems Security is one of the most pressing challenges facing all kinds of organizations today. Although many companies have discovered how critical information is to the success of their business or operations, very few have managed to be effective in keeping their information safe, in avoiding unauthorized access, preventing intrusions, stopping secret information disclosure, etc. This workshop will serve as a forum to gather academics, researchers, practitioners and students in the field of security in information systems. The workshop will present new developments, lessons learned from real world cases, and will provide for the exchange of ideas and discussion on specific areas.

Topics of interest include, but are not limited to:
- Methodologies for the development of secure information systems
- Access control techniques
- Personal data protection
- Information systems risk management and analysis
- Security in databases, datawarehouses and web information systems
- Secure information systems architectures
- Standards for information systems security
- Metadata for Web and multimedia security
- XML and RDF based metadata for security
- Security Engineering
- Assessment of security software/hardware
- Study, validation and attacks on security protocols
- Real world applications analysis
- Cryptology: Cryptography and Cryptanalysis
- Information hiding: Steganography & Steganalysis
- Peer-to-Peer systems
- Analysis and design of cryptographic algorithms
- Electronic commerce
- Wireless communications
- RFID privacy and security implications
- Anti-Spam techniques
- Open source secure development
- Emission security
- Attacks on copyright marking systems
- Reliability of security systems
- Disaster recovery
- Security of clinical information systems
- Cyberterrorism
- E-Laws and e-government
- PKI technology
- VPNs, IPSEC, IPv6
- Economics aspects of security
- Electronic Voting
- Computer Forensics
- Incident response
- Privacy and freedom issues
- Privacy-preserving Web-mining
- Legal aspects of cyber security

For more information, please see http://www.iceis.org/workshops/wosis/wosis2005-cfp.html

____________________________________________________________________
CCCT 2005
3rd International Conference on Computing, Communications and Control Technologies (CCCT '05), Austin, TX, USA, July 24-27, 2005. (Submissions due 9 February 2005)

CCCT '05 is an International Conference that will bring together researchers, developers, practitioners, consultants and users of Computer, Communications and Control Technologies, with the aim to serve as a forum to present current and future work, solutions and problems in these fields, as well as in the relationships among them. Consequently, efforts will be made to promote and foster the analogical thinking required by the Systems Approach for interdisciplinary cross-fertilization, "epistemic things" generation and "technical objects" production.

Suggested topics in the area of Computing/Information Systems and Technologies include, but are not restricted to:
- Databases
- Models and Algorithms
- Artificial Intelligence
- Computer and Systems Security
- Mathematical Computing
- Programming Languages
- Operating Systems
- Computer Graphics

For more information, please see http://www.iiisconfer.org/ccct05/WebSite/default.asp

____________________________________________________________________
ACISP
10th Australasian Conference on Information Security and Privacy, Brisbane, Australia, July 4-6, 2005. (Submissions due 11 February 2005)

Original papers pertaining to all aspects of information security and privacy are solicited for submission to the 10th Australasian Conference on Information Security and Privacy (ACISP 2005).
Papers may present theory, techniques, applications and practical experiences on a variety of topics. Topics of interest include, but are not limited to:
- Cryptology
- Mobile communications security
- Database security
- Authentication and authorization
- Secure operating systems
- Intrusion detection
- Access control
- Security management
- Security protocols
- Network security
- Secure commercial applications
- Privacy Technologies
- Smart cards
- Key management and auditing
- Mobile agent security
- Risk assessment
- Secure electronic commerce
- Privacy and policy issues
- Copyright protection
- Security architectures and models
- Evaluation and certification
- Software protection and viruses
- Computer forensics
- Distributed system security
- Identity management
- Biometrics

For more information, please see http://www.isrc.qut.edu.au/events/acisp2005/

____________________________________________________________________
32nd International Colloquium on Automata, Languages and Programming, Lisboa, Portugal, July 11-15, 2005. (Submissions due 13 February 2005)

ICALP'05 innovates on the structure of its traditional scientific program with the inauguration of a new special Track (C). The aim of Track C is to allow a deeper coverage of a particular topic, to be specifically selected for each year's edition of ICALP on the basis of its timeliness and relevance for the theoretical computer science community. This year, the Track C subject is Security and Cryptography Foundations.
Topics of interest for Track C include, but are not limited to:
- Cryptographic Notions, Mechanisms, Systems and Protocols
- Cryptographic Proof Techniques, Lower bounds, Impossibilities
- Foundations of Secure Systems and Architectures
- Logic and Semantics of Security Protocols
- Number Theory and Algebraic Algorithms in Cryptography
- Pseudorandomness, Randomness, and Complexity Issues
- Secure Data Structures, Storage, Databases and Content
- Security Modeling: Combinatorics, Graphs, Games, Economics
- Specifications, Verifications and Secure Programming
- Theory of Privacy and Anonymity
- Theory of Security in Networks and Distributed Computing
- Quantum Cryptography and Information Theory

For more information, please see http://icalp05.di.fct.unl.pt/

____________________________________________________________________
IAW 2005
6th IEEE SMC Information Assurance Workshop, West Point, NY, USA, June 15-17, 2005 (Submissions due 6 March 2005)

The workshop is designed to provide a forum for Information Assurance researchers and practitioners to share their research and experiences. Attendees hail from industry, government, and academia. The focus of this workshop is on innovative, new technologies designed to address important Information Assurance issues. Last year the IEEE IAW added a new track on Honeynet Technologies, sponsored by the Honeynet Project (www.honeynet.org). This will remain a specific focus of the IAW this year. New this year to the technical track are sessions on Security Data Visualization techniques and Biometrics.
Other areas of particular interest at this workshop include, but are not limited to:
- Innovative intrusion detection and response methodologies
- Information warfare
- Honeynet technologies (at least one session)
- Visualization and data representation (at least one session)
- Biometrics (at least one session)
- Secure software technologies
- Wireless security
- Computer forensics
- Data protection
- Educational curriculum
- Best practices
- Information Assurance education and professional development
For more information, please see http://www.itoc.usma.edu/workshop/2005/
____________________________________________________________________
RAID 2005, Eighth International Symposium on Recent Advances in Intrusion Detection, Seattle, Washington, USA, September 7-9, 2005 (Submissions due 31 March 2005)

This symposium, the eighth in an annual series, brings together leading researchers and practitioners from academia, government, and industry to discuss intrusion detection technologies and issues from the research and commercial perspectives. The RAID International Symposium series is intended to further advances in intrusion defense by promoting the exchange of ideas in a broad range of topics. For RAID 2005 we are expanding our historical scope from a focus on intrusion detection to the broader field of intrusion defense. Of particular interest are intrusion tolerant systems and systems for which detection triggers an adaptive response. As in 2004, we welcome papers that address issues related to intrusion defense, including information gathering and monitoring, as a part of a larger, not necessarily purely technical, perspective.

We also invite papers on the following topics, as they bear on intrusion detection and the general problem of information security:
- Risk assessment and risk management
- Intrusion tolerance
- Deception systems and honeypots
- Vulnerability analysis and management
- IDS assessment
- IDS survivability
- Privacy aspects
- Data mining techniques
- Visualization techniques
- Cognitive approaches
- Biological approaches
- Self-learning
- Case studies
- Legal issues
- Critical infrastructure protection (CIP)
For more information, please see http://www.conjungi.com/RAID/ and http://www.raid-symposium.org/
____________________________________________________________________
ISC 2005, The 8th Information Security Conference, Singapore, 20-23 September 2005. (Submissions due 11 April 2005)

ISC'05 will be held in Singapore on 20-23 September, 2005. Original papers on all technical aspects of information security are solicited for submission to ISC'05. Topics of interest include, but are not limited to, the following:
- Access control
- Ad hoc and sensor network security
- Applied cryptography
- Authentication and non-repudiation
- Cryptographic protocols
- Denial of service
- E-commerce security
- Identity and trust management
- Information hiding
- Insider threats and countermeasures
- Intrusion detection and prevention
- Network and wireless security
- Peer-to-peer security
- Privacy and anonymity
- Security analysis methodologies
- Security in software outsourcing
- Systems and data security
- Ubiquitous computing security
For more information, please see http://isc05.i2r.a-star.edu.sg/
____________________________________________________________________
FloCon 2005, Second Annual FloCon Workshop, New Orleans, Louisiana, USA, September 20-22, 2005.
(Submissions due 15 April 2005)

FloCon is an open workshop that provides a forum for researchers, operational analysts, and other parties interested in the security analysis of large volumes of traffic to develop the next generation of flow-based analysis. Flow is an abstraction of network traffic in which packets are grouped together by common attributes over time. In security, flow has been used to survey and analyze large networks over long periods of time, but the field is still in its infancy. FloCon 2005 will have an active workshop structure: our goal is to have presentations coupled with working breakout sessions on specific topics. Based on submissions and suggestions, we will develop a three-day track. Appropriate topics include, but are not limited to, the following:
- Experience reports in flow analysis
- Operational security analysis using flows
- Advanced flow analysis techniques
- Expanding the flow format for security needs
- Integrating flows into other security analyses
- Facilitating data sharing/public repositories
- Flow collection technologies
- Network traffic modeling for security
- Alternative traffic abstractions for services
For more information, please see http://www.cert.org/flocon/
____________________________________________________________________
MADNES '05, Secure Mobile Ad-hoc Networks and Sensors workshop, held in conjunction with the ISC '05 conference, September 20-22, 2005, Singapore. (Submissions due 2 May 2005)

The MADNES workshop, co-sponsored by the SAIT Laboratory and the U.S. Army Research Office, will feature information about security in mobile and ad-hoc networks. Proceedings will be published by Springer-Verlag in the LNCS series.

Topics of interest include:
- Security and fault tolerance
- Privacy issues
- Security and privacy applications of mobile agents and intelligent autonomous systems
- Distributed denial of service attacks and defenses
- Mobile code security and verification
- Key management and trust infrastructures
- Security, privacy and efficiency trade-offs
- Secure distributed algorithms
- Secure and private protocols for dynamic group applications
- Secure location, discovery and authentication of neighbors
- Secure timing and synchronization
- Secure/private data collection and aggregation
- Secure self-configuration
- Secure routing
- Analysis and simulation of security and privacy properties
- Case studies
- Energy efficient cryptography
For more information, please see http://www.sait.fsu.edu/madnes/cfp.shtml
____________________________________________________________________
IWAP 2005, The 4th International Workshop for Applied PKI, 21-23 September 2005, Singapore. (Submissions due 16 June 2005)

IWAP'05 will be held in Singapore on September 21-23, 2005. Original papers on all aspects of PKI are solicited for submission to IWAP'05.
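The FloCon 2005 call above defines flow as packets grouped by common attributes over time. The following is an added example, not code from this newsletter, from FloCon or from CERT: it aggregates a small constructed packet trace into unidirectional flows keyed on the 5-tuple (source, destination, source port, destination port, protocol), closes a flow when it sits idle longer than an assumed 60-second timeout, and then runs one flow-level check of the kind the "operational security analysis using flows" topic refers to, namely counting how many distinct destination ports each source contacted. The trace, the addresses, the timeout and the fan-out threshold are all assumptions chosen for illustration.

```python
"""Flow aggregation over a constructed packet trace.

Added example; not FloCon or CERT code. The 5-tuple key, the idle timeout and
the sample packets are assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

IDLE_TIMEOUT = 60.0  # seconds a flow may be silent before a new one starts (assumed)


@dataclass
class Flow:
    """One unidirectional flow: the 5-tuple plus timing and volume counters."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    start: float
    end: float
    packets: int = 0
    octets: int = 0


def aggregate(packets, idle_timeout=IDLE_TIMEOUT):
    """Group packets into flows.

    packets: iterable of (ts, src, dst, sport, dport, proto, length) tuples
    sorted by timestamp. Packets sharing a 5-tuple join the same flow unless
    the gap since the flow's last packet exceeds idle_timeout, in which case
    the old flow is closed and a new one begins. Returns flows sorted by start.
    """
    active = {}   # 5-tuple -> open Flow
    closed = []
    for ts, src, dst, sport, dport, proto, length in packets:
        key = (src, dst, sport, dport, proto)
        flow = active.get(key)
        if flow is not None and ts - flow.end > idle_timeout:
            closed.append(active.pop(key))   # idle too long: close and restart
            flow = None
        if flow is None:
            flow = Flow(src, dst, sport, dport, proto, start=ts, end=ts)
            active[key] = flow
        flow.end = ts
        flow.packets += 1
        flow.octets += length
    closed.extend(active.values())   # flush flows still open at end of trace
    closed.sort(key=lambda f: f.start)
    return closed


def port_fanout(flows, threshold):
    """Flow-level check: sources that contacted at least `threshold` distinct
    (destination, port) pairs. Many one-packet flows from one source to
    different ports is the flow-level signature of a port scan."""
    targets = defaultdict(set)
    for f in flows:
        targets[f.src].add((f.dst, f.dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}


# Constructed trace: an SSH session that pauses for 88 s, one host probing five
# ports on another, and a DNS query. Fields: ts, src, dst, sport, dport, proto, bytes.
TRACE = [
    (0.0, "10.0.0.5", "10.0.0.9", 51000, 22, "tcp", 60),
    (1.0, "10.0.0.9", "10.0.0.5", 22, 51000, "tcp", 120),
    (2.0, "10.0.0.5", "10.0.0.9", 51000, 22, "tcp", 80),
    (5.0, "10.0.0.7", "10.0.0.9", 40000, 21, "tcp", 60),
    (5.1, "10.0.0.7", "10.0.0.9", 40001, 22, "tcp", 60),
    (5.2, "10.0.0.7", "10.0.0.9", 40002, 23, "tcp", 60),
    (5.3, "10.0.0.7", "10.0.0.9", 40003, 25, "tcp", 60),
    (5.4, "10.0.0.7", "10.0.0.9", 40004, 80, "tcp", 60),
    (6.0, "10.0.0.5", "10.0.0.2", 53000, 53, "udp", 70),
    (90.0, "10.0.0.5", "10.0.0.9", 51000, 22, "tcp", 60),  # gap > IDLE_TIMEOUT
]

if __name__ == "__main__":
    flows = aggregate(TRACE)
    for f in flows:
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport}/{f.proto} "
              f"{f.start:6.1f}-{f.end:6.1f}s pkts={f.packets} bytes={f.octets}")
    print("port fan-out >= 3:", port_fanout(flows, 3))
```

Ten packets become nine flows: the SSH session splits in two at the 88-second gap, and the probing host produces five single-packet flows, which is what `port_fanout` picks up. The timeout is the knob that trades record count against fidelity; raising it to 100 seconds merges the SSH session back into one flow.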
Topics of interest include, but are not limited to, the following:
- Authentication and verification
- Bio-PKI and mobile PKI
- Case studies
- Certificates and their revocation
- Cross certification
- Design and implementation
- Interoperability and standards
- Key management and recovery
- Legal issues, policies and regulations
- Modeling and architecture
- Privilege management infrastructure
- Protocols and applications
- Reliability and fault tolerance
- Risk management and analysis
- Security analysis and testing
- Signature validation
- Time stamping
- Trust and privacy
For more information, please see http://iwap05.i2r.a-star.edu.sg/

====================================================================
Reader's Guide to Current Technical Literature in Security and Privacy
====================================================================

The Reader's Guide from past issues of Cipher is archived at http://www.ieee-security.org/Cipher/ReadersGuide.html

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

From http://cisr.nps.navy.mil/jobscipher.html

The Pennsylvania State University
School of Information Sciences and Technology
University Park, PA USA
Information security, computer and network forensics, trust management, and security management
Tenure-track position (all ranks considered)
Review starts December 15 and continues until position filled.
http://ist.psu.edu/jobposts/

Kennesaw State University
Kennesaw, Georgia, USA
Assistant Professor of Information Systems (with emphasis in Information Security)
Evaluation begins November 15, 2004, continues until positions are filled
http://science.kennesaw.edu/csis/v/is-position-2004.html

University College London
London & Martlesham, UK
Senior Lecturer/Lecturer (all ranks for exceptional candidates)
January 31, 2005
http://www.ucl.ac.uk/hr/vacancies/adverts/EE0060.html

--------------
This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on this page, send the following information: institution, city, state, position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Interesting Links and Reports Available via FTP and WWW
====================================================================

"Reports Available" links from previous issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewReports.html and http://www.ieee-security.org/Cipher/InterestingLinks.html

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================
____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each available in two ways:

1. To receive the full ASCII CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe".
   OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated; thereafter you can manage your subscription options, including unsubscribing, yourself).

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".
   OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated; thereafter you can manage your subscription options, including unsubscribing, yourself).

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point of contact. For Calls for Papers, please submit a one-paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.

____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy by completing the on-line form at IEEE at http://www.computer.org/TCsignup/index.htm

______________________________________________________________________
TC Publications for Sale
______________________________________________________________________

IEEE Security and Privacy Symposium

The 2004 Symposium proceedings are available for $25 plus shipping and handling. The 2003 proceedings are $20 plus shipping and handling; the 2000 proceedings are $15 plus shipping and handling. The 1998 proceedings are $15 plus shipping and handling. A CD of the 2000-2001 proceedings is $15 plus shipping and handling.

Shipping is $4.00/volume within the US, overseas surface mail is $7/volume, and overseas airmail is $11/volume, based on an order of 3 volumes or less. The shipping charge for a CD is $1 per CD (no charge if included with a hard copy order).

Send a check made out to the IEEE Symposium on Security and Privacy to the TC treasurer (see officers, below) with the order description, including shipping method, and send email to Hilarie Orman (see below) with the shipping address, please.
IEEE CS Press

Back issues of TC publications may be available; contact Jonathan Millen for information about the Computer Security Foundations Workshop.

______________________________________________________________________
TC Officer Roster
______________________________________________________________________

Chair:
Heather Hinton
IBM Software Group - Tivoli
11400 Burnett Road
Austin, TX 78758
+1 512 838 0455 (voice)
hhinton@us.ibm.com

Past Chair:
Mike Reiter
Carnegie Mellon University
ECE Department
Hamerschlag Hall, Room D208
Pittsburgh, PA 15213 USA
(412) 268-1318 (voice)
reiter@cmu.edu

Vice Chair:
Jonathan Millen
The MITRE Corporation
Mail Stop S119
202 Burlington Road Rte. 62
Bedford, MA 01730-1420
781-271-51 (voice)
jmillen@mitre.org

Chair, Subcommittee on Academic Affairs:
Prof. Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department
Code CS/IC
Monterey CA 93943-5118
(831) 656-2461 (voice)
irvine@cs.nps.navy.mil

Chair, Subcommittee on Standards:
David Aucsmith
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
425-706-9225 (voice)
425-936-7329 (fax)
awk@microsoft.com

Chair, Subcommittee on Security Conferences:
Jonathan Millen
The MITRE Corporation
Mail Stop S119
202 Burlington Road Rte. 62
Bedford, MA 01730-1420
781-271-51 (voice)
jmillen@mitre.org

Treasurer:
Tom Chen
Department of Computer Science and Engineering
School of Engineering
Southern Methodist University
P.O. Box 750122
Dallas, TX 75275-0122
(214) 768-8541 (voice)
http://www.engr.smu.edu/~tchen

Newsletter Editor:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Salem, UT 84653
(801) 423-1052 (voice)
cipher-editor@ieee-security.org

________________________________________________________________________
BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html