==========================================================================
                                 Cipher
==========================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 67                                        July 18, 2005

Hilarie Orman, Editor                  Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org      cipher-assoc-editor @ ieee-security.org

Bob Bruen                              Yong Guan
Book Review Editor                     Calendar Editor
cipher-bookrev @ ieee-security.org     cipher-cfp @ ieee-security.org
==========================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Contents:

* Letter from the Editor
* Conference and Workshop Announcements
  o Calendar of events
  o Upcoming calls-for-papers
* Commentary and Opinion
  o Jason Holt's article on the popularity of Tor, an Onion-Routing System
  o Gene Spafford's announcement of the CERIAS archives on CD
  o Upcoming NSF Cyber Trust PI Meeting, September 26, 2005, by Carl Landwehr
  o Conference notes from DIMVA, Detection of Intrusions, Malware, and Vulnerability Assessment (Vienna, Austria, July 7-8, 2005), by Sven Dietrich
  o Robert Bruen's review of Windows Server 2003 Security: A Technical Reference by Roberta Bragg
  o Robert Bruen's review of Sockets, Shellcode, Porting and Coding by James Foster with Mike Price
  o Robert Bruen's review of Apache Security by Ivan Ristic
  o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website
* Reader's guide to recent security and privacy literature
* List of Computer Security Academic Positions, by Cynthia Irvine
* Staying in Touch
  o Information for subscribers and contributors
  o Recent address changes
* Interesting Links and New reports available via FTP and WWW
* Links for the IEEE Computer Society TC on Security and Privacy
  o Becoming a member of the TC
  o TC Officers
  o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

In these summer doldrums we have a Cipher issue with two reader-contributed articles, a conference review, three book reviews, and a hefty calendar of events. As always, the efforts of Cipher contributors are central to its success and greatly appreciated.

If you are organizing an event or publication of interest to security researchers, consider advertising it in Cipher. We welcome announcements of academic events, particularly calls-for-papers, and most especially those with peer-reviewed publications. In order to make it easy for our volunteer staff to deal with the announcements, we ask that you send the announcement to us with minimal html formatting, and with the dates, place, url, email address, and topics of interest clearly marked. A pointer to an html page with heavy use of graphics is difficult for us to deal with and increases the chances of a transcription error.

Consider writing a conference review or technology overview article for Cipher next time you are stuck at an airport waiting for your flight home. We have thousands of readers eagerly awaiting your insights.
Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Onion routing application Tor makes PCWorld's top 100
by Jason Holt
07/04/05
____________________________________________________________________

Roger Dingledine's onion routing implementation of Tor (http://tor.eff.org/) recently made PCWorld's list of top 100 computer products of 2005 (http://www.pcworld.com/reviews/article/0,aid,120763,pg,1,00.asp).

Tor is like a remailer network for TCP streams. Instead of wrapping an email message in multiple encryption envelopes which reflect the path of remailers a message should take en route to its destination, onion routing implementations originally worked by creating an onion of envelopes containing session keys and next-hop information for a TCP stream. In its current form, however, Tor uses an incremental or telescoping design, adding each new node to the end of the path, then ultimately using an "exit" node to connect to an arbitrary internet host. This provides several advantages over prior designs, avoiding replay problems and providing perfect forward secrecy for the connection. As with remailer networks, each node only learns the prior and next nodes in the tunnel.
And since the tor client implements a socks4a proxy, users can use unmodified web browsers and other traditional applications while keeping their originating IP addresses secret from active and passive attackers. With an application-aware proxy like privoxy, users can also strip out cookies and other application data commonly used to track users. Application-layer proxies can also route DNS lookups through the Tor network, avoiding a potential privacy leak.

While onion routing has been implemented before, Tor makes onion routing robust and viable for widespread use. In particular, Tor allows the creation of location-hidden services, in which servers can create a DNS-like address such as "6sxoyfb3h2nvok2d.onion" (http://6sxoyfb3h2nvok2d.onion/) which allows users to contact the server without learning its IP address.

Tor is rapidly maturing. On my Debian GNU/Linux system, installing Tor was as easy as "apt-get install tor privoxy". Then I added the line "forward-socks4a / localhost:9050 ." to /etc/privoxy/config, instructing the anonymizing proxy "privoxy" to use Tor, as recommended by the configuration guide (http://tor.eff.org/cvs/tor/doc/tor-doc.html#client). After setting Mozilla's HTTP proxy to localhost, port 8118 (the port on which privoxy listens), I was ready to surf the web anonymously. Privoxy properly handles DNS resolution for normal addresses as well as the .onion TLD. Tor is also available for Windows, OS X, and most other flavors of Unix (http://tor.eff.org/download.html).

The Tor Network Status page (http://serifos.eecs.harvard.edu:8000/cgi-bin/exit.pl?sortbw=1) currently lists over 100 server nodes with at least 500kbit/sec links, and over 20 servers offering at least 4 Mbit/sec, with more being added every day. Tor's bandwidth management features allow servers to specify the maximum amount of traffic they are willing to pass, and allow clients to choose paths which can offer the bandwidth required by their applications.
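The piece of the setup above that keeps DNS inside the tunnel is the SOCKS4a request privoxy sends to the local tor client on port 9050. What follows is an added example written for this issue, not code from the Tor project or from Jason's article: it builds and parses those SOCKS4a messages in Python and shows what separates them from plain SOCKS4, where the client resolves the name itself before the circuit exists. The hostname used in the checks is the hidden-service address quoted above; the empty user id, the reply bytes and the connect_via_tor helper's use of 127.0.0.1:9050 are assumptions for the example.

```python
"""Added example (not from the Cipher article or the Tor project): build and
parse the SOCKS4a messages a Tor-aware client such as privoxy sends to the
local tor client, to show why SOCKS4a avoids the DNS leak.

Plain SOCKS4 carries a resolved IPv4 address, so the client has already done
a DNS lookup outside the tunnel.  SOCKS4a carries the dummy address 0.0.0.x
plus the hostname, so the exit node resolves it.  Host names, port, user id
and reply bytes below are constructed for the example.
"""
import socket
import struct

SOCKS_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED = 0x5A  # 90 decimal: request granted
REPLY_CODES = {
    0x5A: "granted",
    0x5B: "rejected or failed",
    0x5C: "identd unreachable",
    0x5D: "identd user mismatch",
}


def build_socks4a_connect(host, port, userid=""):
    """Return the SOCKS4a CONNECT request for host:port.

    Layout: VN(1) CD(1) DSTPORT(2, network order) DSTIP(4) USERID NUL HOST NUL.
    DSTIP is 0.0.0.1, the SOCKS4a marker meaning "proxy, resolve HOST yourself";
    the hostname is never resolved on the client.
    """
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    hostname = host.encode("idna")  # ASCII labels such as x.onion pass through unchanged
    user = userid.encode()
    if b"\x00" in hostname or b"\x00" in user:
        raise ValueError("NUL byte in hostname or userid")
    header = struct.pack("!BBH4s", SOCKS_VERSION, CMD_CONNECT, port, b"\x00\x00\x00\x01")
    return header + user + b"\x00" + hostname + b"\x00"


def parse_socks4_reply(reply):
    """Parse the 8-byte SOCKS4/4a reply VN(=0) CD DSTPORT DSTIP; return (ok, reason)."""
    if len(reply) != 8:
        raise ValueError("SOCKS4 reply must be exactly 8 bytes")
    vn, cd = reply[0], reply[1]
    if vn != 0:
        raise ValueError("unexpected reply version byte %#x" % vn)
    return cd == REPLY_GRANTED, REPLY_CODES.get(cd, "unknown code %#x" % cd)


def is_socks4a(request):
    """True when the request uses the 4a form: DSTIP 0.0.0.x (x != 0) and a hostname after the user id."""
    if len(request) < 9 or request[0] != SOCKS_VERSION:
        return False
    ip = request[4:8]
    trailer = request[8:]
    return ip[:3] == b"\x00\x00\x00" and ip[3] != 0 and trailer.count(b"\x00") >= 2


def connect_via_tor(host, port, proxy=("127.0.0.1", 9050), timeout=10):
    """Open a TCP stream to host:port through a local tor client (needs a running tor; assumed address)."""
    sock = socket.create_connection(proxy, timeout=timeout)
    sock.sendall(build_socks4a_connect(host, port))
    ok, reason = parse_socks4_reply(sock.recv(8))
    if not ok:
        sock.close()
        raise ConnectionError("tor refused the request: " + reason)
    return sock  # caller now speaks the application protocol over the circuit
```

A plain SOCKS4 client fills DSTIP with a real address it obtained from the resolver, and that lookup leaves the machine in the clear before any circuit is built; that is the leak the article warns about. With the 0.0.0.x marker the tor client receives the name instead and resolution happens at the exit. Only the message builders and parsers are exercised offline; connect_via_tor needs a running tor.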
Because of this bandwidth management, even users with asymmetric bandwidth limits can contribute to the network without unnecessarily limiting the bandwidth available to other users. Administrators estimate that about 30,000 clients currently use the 200 Tor servers now in operation across 5 continents.

Tor brings up interesting and important questions regarding online privacy, and creates a platform on which other privacy protecting systems can be built. In particular, constructions based on Chaum's Blind Signatures (http://www.rsasecurity.com/rsalabs/node.asp?id=2339) and recent credential systems like Hidden Credentials (http://isrl.cs.byu.edu/HiddenCredentials.html) offer strong protections against traceability, but are problematic to implement on a network in which users can be traced by their IP addresses. On the other hand, Wikipedia (http://www.wikipedia.org) recently blocked most Tor exit nodes as "open proxies" in the ongoing challenge of keeping the site available to the thousands of (semi-)anonymous editors who contribute, while blocking the small percentage of antisocial or vandalizing users who cause problems for others or add spam to articles. These practical issues may spur the development of reputation or pseudonymity systems which will allow access control and anonymity to coexist peacefully.

See Freehaven's (http://freehaven.net/) anonymity bibliography (http://freehaven.net/anonbib/topic.html#Anonymous_20communication) for more information on anonymity systems.

____________________________________________________________________
CERIAS Archives on CD
by Gene Spafford
07/04/05
____________________________________________________________________

Since 1990, faculty associated with Purdue's COAST and CERIAS groups have supervised almost 60 PhD dissertations in the area generally described as "information security" or "cybersecurity." (FYI, we should have over 15 this calendar year.)
We have found, when surveying the literature, that many people are unfamiliar with these efforts -- although this is a general problem in the field: researchers seem woefully unfamiliar with anything they can't find via Google. However, that's a rant for another time. :-)

In September we will be producing a CD with the 15-year accumulation of these dissertations*, plus some dissertations from CERIAS affiliate programs. We will provide a copy of this CD free of charge to anyone who requests one. There will be a limit of one per department address -- you can make copies for your colleagues. We will also have all of these dissertations on-line in our WWW library.

We expect the mailing to occur in late September, after summer graduation is finalized at all the involved institutions. Because of copyright issues, we will be unable to include the conference and journal publications associated with these dissertations -- sorry.

If you would like one of these CDs when they are ready, please send me email () with a valid postal address. Put the string "PHD-CD" in the subject line, please. If you have any suggestions on additional content or organization of the CD, please let me know that as well.

Also, we welcome any additions of infosec-related theses and papers for our on-line library, assuming the copyright status allows unrestricted dissemination. Please see for details.

____________________________________________________________________
Special Event
Upcoming NSF Cyber Trust PI Meeting
by Carl Landwehr
July 18, 2005
____________________________________________________________________

The NSF 2005 Cyber Trust PI meeting will be held this fall at the Sutton Place Hotel, Newport Beach, CA. The registration web site will be open shortly at: http://www.ics.uci.edu/~cybrtrst/

The Monday, Sept. 26 sessions are specifically open to the public, and will include talks by Butler Lampson, Distinguished Engineer, Microsoft, Joel Birnbaum, Senior Technical Advisor at HP, and David Brailer, National Coordinator for Health Information Technology at HHS (invited), as well as an extensive poster session displaying progress by Cyber Trust PIs.

The first Trusted Computing awards are reaching the end of their three-year terms, and other awards under the Cyber Trust umbrella are also producing significant advances. This meeting offers PIs the opportunity to showcase their results, and it offers industry and government representatives the opportunity to identify research results they can exploit and researchers with whom they can partner. Please visit the registration web site and make plans to come.

Thanks to Sharad Mehrotra, Quent Cassen, and staff at UC-Irvine for hosting the event.

Carl Landwehr
Cyber Trust Program Coordinator
NSF

____________________________________________________________________
Review of DIMVA, Detection of Intrusions, Malware, and Vulnerability Assessment
Vienna, Austria, July 7-8, 2005
by Sven Dietrich
____________________________________________________________________

Introduction

DIMVA 2005, the second installment of this European-focused conference (and for the first time in cooperation with the IEEE Technical Committee on Security and Privacy), took place in beautiful Vienna, Austria. Local chair was Christopher Kruegel at the Technical University (TU) Vienna. Sessions were held in a lecture hall at the TU Vienna, only a five-minute walk from the recommended hotel. The conference was attended by about 85 people, mostly practitioners and industry representatives from German-speaking Europe, but there were a few attendees from Eastern Europe and the US as well as some from universities. After the German Informatics Society Meeting, there was a reception at City Hall on Thursday evening, hosted by the Mayor of Vienna.
The mayor himself did not attend, but instead sent a representative from the City Council. DIMVA 2006 will be in Berlin, Germany, in approximately early July 2006. The papers and the slides for the presentations should be available from the website at some point in the near future.

Day 1: July 7, 2005

The conference chair, Klaus Julisch, could not make it to the conference, so he was replaced by local chair Christopher Kruegel. The sessions were held in a circa-1970s/1980s physics/chemistry auditorium, which was very steep, but comfortably held us all. Wireless service had been provided to us courtesy of the TU Vienna, but power outlets were scarce. Breaks were held outside the auditorium, or by quick dashes over to a coffee house (this being Vienna, after all!) at the nearby Naschmarkt or elsewhere.

Keynote: The Ultimate Honeypot
Philip Attfield (Northwestern Security Institute, Seattle, WA, USA)

Phil gave a very entertaining keynote speech, describing his role as an analyst in the 1999/2000 FBI case against Ivanov and Gorshkov, two Russian consultants/perpetrators. The Russians were lured to the US to show off their hacking skills, which, of course, led to their arrest. Phil very clearly showed the steps that led to their discovery by piecing together many tidbits, including information gathered from an FBI honeypot, such as cracking tools, code, and other artifacts. Phil's role was mostly that of reverse-engineering the tools. He also mentioned how this gathered information gets into a trial, what the complexity of the investigations and actions is, and how it all is just a game of chess. His comic relief was what he caught (on camera) in his Canadian honeypot: a 400 kg (880 pound) bear.
Session 1: Obfuscated Code Detection (Session chair: Engin Kirda)

Analyzing Memory Accesses in Obfuscated x86 Executables
Michael Venable, Mohamed Chouchane, Md Enamul Karim, and Arun Lakhotia (University of Louisiana at Lafayette, USA)
Arun Lakhotia presented.

Arun explained how this project emerged from a past project of detecting malicious behavior. Here they are taking a new approach using IDA Pro and model checking. While there had been 50 years of code analysis, it had been mostly for benign purposes. Looking at the typical analysis pipelines, he identified the disassemble/extract procedures, extracting the control and data flow, verifying the properties found, and the certification/reject process after a check with a database. The technique is by no means hardened, as there are silent failures. Motivated by obfuscation of malware, there are some techniques to deobfuscate calls (doc) and to reverse self-transformations (unmorph). All results are patent pending. He then described VSA (value-set analysis) and Reduced Interval Congruence (RIC), which tracks the states/ranges of registers (e.g. eax) and memory. The operations supported are add, sub, and mov, but not mul or div, which are considered hard. The tool then annotates obfuscations in IDA Pro, as he showed in one screenshot from his prototype. The current shortcomings are limited memory support, exponential growth of the paths to each instruction (the control flow graph grows with each branch), and limited support for structured exception handling.

Hybrid Engine for Polymorphic Shellcode Detection
Udo Payer, Peter Teufl, and Mario Lamberger (Institute of Applied Information Processing and Communications, Austria)
Udo Payer presented.

Udo explained that this engine was part of POSITIF (Policy-based security tools and framework), which is funded with European Commission support.
He presented the detection engine, which is structured in 3 phases: phase 1, nop zone detection (simple: searches for consecutive nop bytes, with the nop substitutes taken from ADMmutate/CLET); phase 2, execution chain evaluation (disassembles the bytestream after the nop zone, decreases noise, stores encryption keys, ignores junk bytes, and gets the instructions used by decryption engines); and phase 3, neural network classification (29 input neurons for 29 features, 12 hidden layer neurons, and 1 output neuron, trained using Levenberg-Marquardt). The neural network classification is done as a snort plugin. They looked at different shellcode engines (XOR, TEA). For results, they trained the engine with 2000 positive examples and 9 GB of negative data. There were only 24 false positives in 4 months. He claimed that the engine can be trained on new polymorphic shellcode engines without in-depth knowledge, and that it could detect shellcode engines not used during the training process. For further work, they are looking at unsupervised learning, other methods for phase 2, and automatic feature selection. Currently this detection engine is implemented as a prototype only.

Session 2: Honeypots (Session chair: Bernhard Hammerli)

Experiences Using Minos as a Tool for Capturing and Analyzing Novel Worms for Unknown Vulnerabilities
Jedidiah R. Crandall, S. Felix Wu, and Frederic T. Chong (UC Davis, USA)
Jedidiah Crandall presented.

Starting from the Epsilon (Exploit) Gamma (Bogus Control Data) Pi (Payload) model, he presented his findings of working with Minos (MICRO 2004, Crandall et al.) in a Bochs emulation. Minos works with Linux and Windows. The motivation for the EGP model is to discuss polymorphism more clearly and precisely, as attacks are split into three phases since polymorphic techniques are different for each. Minos as a passive honeypot caught a series of attacks (SQL hello, CodeRed II, Slammer, etc.).
The authors looked at the multitude of polymorphisms in Pi and Gamma, but intend to look at Epsilon for polymorphism in the future. He also added that they will move to QEMU instead of Bochs, as QEMU can run itself, and attempt to create a more active honeypot seeking passive exploits (P2P, web browser) using Minos.

A Pointillist Approach for Comparing Honeypots
Fabien Pouget (Institut Eurecom, France) and Thorsten Holz (RWTH Aachen University, Germany)
Fabien Pouget presented.

Fabien brought up the motivations for his talk: what is the modus operandi of the perpetrators, who has the data to validate this, are threats changing, can we tell whether we are dealing with script kiddies or organized crime? In this context, darknets or network telescopes provide data, but can this data be extrapolated? Is data extrapolated from one darknet sufficient? Do many honeypot sensors in various locations provide a better picture? Fabien pondered the qualitative and quantitative comparison of high-interaction and low-interaction honeypots. He then showed an example of his honeypot mix (low-interaction to lure, high-interaction for confirmation). He described scenarios that showed that dispersed low-interaction honeypots were sufficient sources of data, and that network telescopes do not necessarily provide a good picture. Participation in his honeypot project is encouraged (EURECOM/RENATER provides a CDROM).

Session 3: Vulnerability Assessment and Exploit Analysis (Session chair: Giovanni Vigna)

Automatic Detection of Attacks on Cryptographic Protocols: A Case Study
Ivan Cibrario B., Luca Durante, Riccardo Sisto, and Adriano Valenzano (Politecnico di Torino, Italy)
Riccardo Sisto presented.

Riccardo presented a case study on detection of attacks on cryptographic protocols. He used S^3A, built on the spi calculus of Abadi and Gordon (1998). Being untyped, this technique allows the detection of type flaw attacks.
The typical goals are secrecy and authenticity, based on testing equivalence verification of spi calculus specifications using state space exploration. There are state transition models, attack information, and intruder specifications. The main features of S^3A are the automatic check, the symbolic representation of messages, and enhanced performance against state space explosion through reductions based on partial orders and symmetries. Riccardo looked at a reduced version of the Yahalom protocol, where S^3A found a type flaw attack. His verification method finds previously unknown type flaw attacks. S^3A was also able to find other attacks found by the usual suspects (Isabelle, BAN, etc.). S^3A was not used (attendee question) to verify the Needham-Schroeder or Needham-Schroeder-Lowe protocols. This talk did not quite fit the other talks, being the most theoretical one.

Flow-Level Traffic Analysis of the Blaster and Sobig Worm Outbreaks in an Internet Backbone
Thomas Dübendorfer, Arno Wagner, Theus Hossmann, and Bernhard Plattner (ETH Zurich, Switzerland)
Thomas Dübendorfer presented.

Thomas' motivation for the worm analysis was: a basis for R&D, worm detection, effective countermeasures, and understanding its impact. For this research, worm code was run in testbeds and its flows recorded there and also in the Swiss SWITCH backbone network (AS559). Related to Arno Wagner's DDoSVax project, this project looked at Cisco NetFlow v5 information to analyze various stages of the worm (A through E, from initial contact to ultimate infection) and their visibility on the SWITCH network. They were able to identify various multi-stage worm attacks and their success or failure to infect (many graphs were shown), narrow down candidates for a patient zero, and observe the delay between internal and external (with respect to the backbone) infection.
At 17 GB/day and 6 TB/year of data, they are looking at long-term analysis (and storage, of course) beyond that of Blaster and Sobig, and at algorithms for worm detection.

METAL - A Tool for Extracting Attack Manifestations
Ulf Larson, Emilie Lundin-Barse, and Erland Jonsson (Chalmers University of Technology, Sweden)
Ulf Larson presented.

Ulf presented a framework for extracting attack manifestations from log data using the METAL tool. Faced with the difficulty of discriminating between benign and malicious activity, they resort to the Lundin-Barse (one of the co-authors) 8-step framework. One of the steps (step 5) requires (human?) comparison between logs of normal operation and logs captured during an attack. METAL automates this step: based on input data (logs, sanitizing rules) and action components (preprocessors, sanitizer, process matcher, extractor), it yields output data (manifestation reports, attack overview, and a relationship tree) that can eventually be used by other frameworks or tools. The types of output data include alternate program flows, use of resources, etc. If a process has been slightly changed, a manifestation is generated. METAL reduced work that took weeks manually to about an hour: it found 5 attacks, including 3 that had been extracted manually beforehand.

GI SIDAR meetings

As the conclusion of the first day, Ulrich Flegel (University of Dortmund, Germany) presented an overview of the German Informatics Society special interest group SIDAR (http://www.gi-fg-sidar.de/), one of the sponsors and organizers of the conference.
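Before moving on to Day 2, an added example for the phase 1 nop-zone scan of the Payer/Teufl/Lamberger hybrid engine from Session 1. This is an illustration written for this report, not the authors' code: a Python scanner that, rather than looking only for 0x90, treats a constructed set of one-byte x86 instructions of the kind ADMmutate and CLET substitute for nop as sled bytes, reports the zones, and hands phase 2 the bytes that follow. The opcode set, the minimum zone length, and the sample buffers (with a short decoder-stub-like tail) are all constructed for the example.

```python
"""Added example, not code from the Payer/Teufl/Lamberger engine: the kind of
nop-zone scan its phase 1 performs.  ADMmutate and CLET pad the sled with
one-byte x86 instructions that are harmless before the decoder runs, so a
scanner that only counts 0x90 misses them.  The opcode set below is a
constructed subset of such nop equivalents; the sample buffers are constructed.
"""

# One-byte instructions usable as nop substitutes: nop, inc/dec r32, xchg eax,r32,
# cwde, cdq, fwait, sahf, lahf, daa, das, aaa, aas, cmc, clc, stc, cld, std.
NOP_EQUIVALENTS = frozenset(
    [0x90]
    + list(range(0x40, 0x50))      # inc/dec eax..edi
    + list(range(0x91, 0x98))      # xchg eax, ecx..edi
    + [0x98, 0x99, 0x9B, 0x9E, 0x9F, 0x27, 0x2F, 0x37, 0x3F, 0xF5, 0xF8, 0xF9, 0xFC, 0xFD]
)


def find_nop_zones(data, min_len=32, alphabet=NOP_EQUIVALENTS):
    """Return (offset, length) for every run of at least min_len consecutive alphabet bytes."""
    zones = []
    start = None
    for i, b in enumerate(data):
        if b in alphabet:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                zones.append((start, i - start))
            start = None
    if start is not None and len(data) - start >= min_len:  # run reaches end of buffer
        zones.append((start, len(data) - start))
    return zones


def classic_only(data, min_len=32):
    """The same scan restricted to 0x90: what a naive sled detector sees."""
    return find_nop_zones(data, min_len, frozenset([0x90]))


def bytes_after_zone(data, zone):
    """The slice phase 2 would disassemble: everything that follows the nop zone."""
    offset, length = zone
    return data[offset + length:]


# Constructed samples.  The 5-byte tail stands in for a decoder stub (jmp/pop/xor).
DECODER_TAIL = b"\xeb\x0e\x5e\x31\xc9"
CLASSIC_SLED = b"\xff\xff\xff\xff" + b"\x90" * 64 + DECODER_TAIL
MUTATED_SLED = (b"\xff\xff\xff\xff"
                + bytes([0x41, 0x98, 0x9B, 0xF8, 0x4A, 0x92, 0xFC, 0x37] * 8)
                + DECODER_TAIL)
# False-positive trap: the letters A..O are 0x41..0x4F, i.e. inc/dec opcodes, so
# ordinary text produces short alphabet runs; the length threshold is what rejects them.
ASCII_TEXT = b"Subject: ABCDEFGHIJKLMNO ABCDEFGHIJKLMNO hello world\r\n"
```

The mutated sled contains no 0x90 at all, so classic_only reports nothing while the alphabet scan finds the same 64-byte zone it finds in the classic sled; the ASCII sample shows why the engine needs a minimum zone length (and later phases) rather than the alphabet alone, since every run of capital letters is also a run of inc/dec instructions.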
Day 2: July 8, 2005

Session 4: Anomaly Detection (Session chair: Ulrich Flegel)

A Learning-Based Approach to the Detection of SQL Attacks
Fredrik Valeur, Darren Mutz, and Giovanni Vigna (UC Santa Barbara, USA)
Giovanni Vigna presented.

Giovanni presented his work on detection of SQL attacks, focusing on user password resetting, parallel password guessing, and cross-site scripting, on a standard LAMP installation (Linux, Apache, MySQL, PHP). Closely related works are: S. Lee, ESORICS 2002, "Learning Fingerprints for a db IDS"; Halfond et al., ICSE Workshop on Dynamic Analysis 2005, "Combining Static Analysis and Runtime Monitoring to Counter SQL-injection attacks"; and some commercial tools (but difficult to compare since they are not open, such as Imperva's SecureSphere). The authors looked at detection models based on string length, string character distribution, string prefix, suffix, etc. The detection tool was evaluated against a real-world application and real novel attacks. Detection rate and false positive rates are satisfactory (0.37% false positives, lower by customizing). The tool is comparable to AppShield, but again difficult to compare since there is no available information on it. Planned work: more testing, and integration with webAnomaly and sysAnomaly.

Masquerade Detection via Customized Grammars
Mario Latendresse (Volt Services/Northrop Grumman, FNMOC U.S. Navy, USA)

Mario presented an algorithm for efficiently detecting a masquerade, an intruder pretending to be a legitimate Unix user. Using the Schonlau datasets (behavioral, 70 users, 50 users as victims, 20 as intruders, 5000 commands for each legitimate user), he looked at what is legitimate and what is considered a masquerade, taking into consideration that shared scripts will cause repeated sequences among users. His Sequitur-based algorithm detects such nestings efficiently (linear complexity), with the highest detection rate on the Schonlau datasets.
Computational cost is low, so it can be used in real time. However, the Schonlau data doesn't contain the parameters to the commands, nor does it consider the timings, so the approach is a bit unrealistic for now. He plans to generalize it to system calls.

A Prevention Model for Algorithmic Complexity Attacks
Suraiya Khan and Issa Traore (University of Victoria, Canada)
Issa Traore presented.

Issa explained that this model is part of the SPIDeR project (network anomaly detectors, host anomaly detectors), with focus on DoS components, in particular the resource exhaustion part, motivated by economic reasons. The goal is to develop a prevention mechanism against complexity attacks, and to improve upon Crosby's work (USENIX Security 2003). For the authors, the impact of this kind of attack is the response time (which is waiting time plus service time). While Gligor has looked at waiting time, Traore wants to look at service time. Possible detection principles rely on input size, the likelihood of the service time, and the temporal density of less likely input. The prevention model works as follows: compute the execution time and a drop probability in case the request doesn't finish in time. Most likely service times are computed using regression analysis. Detection principle: a nonconforming request, i.e. one that has consumed more than the conservative most likely time but has not finished yet, is a probable attack. Evaluation was done on a 350 MHz Pentium running Fedora Core, using offline analysis (regression) and runtime analysis (process data), and yielding various results depending on deterministic vs. randomized algorithm and the respective scenarios.
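An added example for the Valeur/Mutz/Vigna talk in Session 4 above, written for this report and not taken from their tool: three small learning-based models of the kinds the talk lists (string length, a coarse character distribution, and prefix/suffix), trained on benign values of one SQL query parameter and then asked whether a new value is anomalous. The training values, the injection string, the thresholds and the two-model voting rule are all constructed here; the length model uses the Chebyshev bound because it needs only the mean and variance of the benign lengths.

```python
"""Added example, not code from the Valeur/Mutz/Vigna paper: three learned
models of one SQL query parameter (length, character-class distribution,
prefix/suffix) and a detector that flags a value when at least two object.
Training values, the injection string and all thresholds are constructed.
"""
import string


class LengthModel:
    """Mean/variance of benign lengths; Chebyshev gives a bound on P(length >= observed)."""

    def __init__(self, values):
        lengths = [len(v) for v in values]
        self.mean = sum(lengths) / len(lengths)
        self.var = sum((n - self.mean) ** 2 for n in lengths) / len(lengths)

    def probability(self, value):
        dev = len(value) - self.mean
        if dev <= 0:
            return 1.0                      # shorter than usual is never suspicious here
        return min(1.0, self.var / dev ** 2)  # Chebyshev: P(|X - mu| >= dev) <= var / dev^2

    def is_anomalous(self, value, threshold=0.1):
        return self.probability(value) < threshold


CLASSES = {
    "letter": set(string.ascii_letters),
    "digit": set(string.digits),
    "space": set(string.whitespace),
    "punct": set(string.punctuation),
}


class CharClassModel:
    """Coarse character distribution: the largest fraction of each class seen in training."""

    def __init__(self, values):
        self.max_fraction = {c: 0.0 for c in CLASSES}
        for v in values:
            for c, frac in self.fractions(v).items():
                self.max_fraction[c] = max(self.max_fraction[c], frac)

    @staticmethod
    def fractions(value):
        n = max(len(value), 1)
        return {c: sum(ch in chars for ch in value) / n for c, chars in CLASSES.items()}

    def is_anomalous(self, value, slack=0.05):
        return any(frac > self.max_fraction[c] + slack
                   for c, frac in self.fractions(value).items())


class AffixModel:
    """Prefix/suffix model: the sets of k-character prefixes and suffixes seen in training."""

    def __init__(self, values, k=2):
        self.k = k
        self.prefixes = {v[:k] for v in values}
        self.suffixes = {v[-k:] for v in values}

    def is_anomalous(self, value):
        return value[:self.k] not in self.prefixes or value[-self.k:] not in self.suffixes


class ParameterDetector:
    """Trains every model on benign values of one parameter; flags a value when >= min_votes models object."""

    def __init__(self, benign_values, min_votes=2):
        self.models = [LengthModel(benign_values), CharClassModel(benign_values), AffixModel(benign_values)]
        self.min_votes = min_votes

    def votes(self, value):
        return sum(m.is_anomalous(value) for m in self.models)

    def is_attack(self, value):
        return self.votes(value) >= self.min_votes


# Constructed training data: benign values of a "username" parameter seen during learning.
BENIGN_USERNAMES = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi", "ivan", "judy",
                    "mallory", "oscar", "peggy", "trent", "victor", "walter", "admin", "guest", "user1", "test"]
INJECTION = "admin' OR '1'='1' --"   # constructed tautology-style injection value
```

On this data the injection trips all three models (it is far longer than any benign value, 40% of it is punctuation, and no benign value ends in "--"), while a never-seen but ordinary name such as "sybil" trips only the prefix model; requiring two votes is what keeps that a non-alert, which is the kind of tuning behind the "lower by customizing" remark on the false-positive rate.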
Session 5: Misuse Detection (Session chair: Roland Buschkes)

Detecting Malicious Code by Model Checking
Johannes Kinder, Stefan Katzenbeisser, Christian Schallhart, and Helmut Veith (Technical University Munich, Germany)
Presenter: Johannes Kinder

The model extraction for malicious code is done by unpacking, disassembly, control flow graph extraction, and then model creation. The authors used CTRL, a new flavor of CTL (temporal logic, for temporal properties of systems), that allows for free variables. Therefore CTRL is useful for specifying assembler code. Specifications are made for system calls, with parameter initialization, based on a malicious code (Klez) sample. Macro-supported CTRL reduces the specification (short and succinct specifications). CTRL model checking is PSPACE-complete. They use the linear algorithm by Clarke and Emerson (CTL); in the real world it is exponential in the size of the specification and linear in the size of the model. Different experimental results were shown with various malicious code. In summary, it can formulate a mutation-tolerant detection of malware, as one specification fits a large class of worms, and raises the skill threshold for malware writers (constant race?). For future direction, they are looking at abstraction of assembler code, an extensible macro language, efficient implementation with OBDDs (?), and want to make use of program analysis techniques (data flow, slicing, and interval analysis).

Improving the Efficiency of Misuse Detection
Michael Meier, Sebastian Schmerl, and Hartmut Koenig (Technical University of Cottbus, Germany)
Michael Meier presented.

Motivated by the increasing performance of networks and end systems (high data volumes) and the increasing complexity of networks and systems (more attack signatures), Michael looked at manifestations of an attack, the signature of an attack, and the signature instance.
For modeling complex signatures, he used EDL, an event description language based on high-level Petri nets, its basic concepts being places (system states), transitions, events, and tokens. As the starting point for optimizing the signature analysis strategy they took the naive analysis procedure for EDL signatures, which checks all transitions, so that the performance cost increases. Looking at better strategies yielded four approaches: type-based transition indexing, instance-independent condition testing, value-based indexing of tokens, and identification of common sub-expressions. A prototype (Signature Analysis Module - SAM) was created to evaluate the strategies experimentally. Test candidates were STAT, CLIPS-IDS, and SAM_6, tested with several attacks (e.g. shell link attack, suid script attack). Their technique exploited the structural properties of signatures.

Session 6: Distributed Intrusion Detection and Testing (Session chair: Hartmut Koenig)

Enhancing the Accuracy of Network-based Intrusion Detection with Host-based Context
Holger Dreger (Technical University Munich, Germany), Christian Kreibich (University of Cambridge, UK), Vern Paxson (ICSI and LBNL, USA), and Robin Sommer (Technical University Munich, Germany)
Robin Sommer presented.

Motivated by the shortcomings of network-based and host-based intrusion detection systems, the authors propose to combine the two approaches. While a server application can analyze its own input, the network-based intrusion detection system (NIDS) analyzes all connections. It would be great if the NIDS could verify its findings against the host's, so enable the host to send information to the NIDS. Robin showed an integration of host-based context into Bro, implemented for Apache and Bro. Since Bro and Apache do URL rewriting differently, this allows elimination of uninteresting matches. It has low impact on the server (455 bytes per request), so it scales well. Host context can supplement or replace analysis.
The next step will be to instrument sshd, since that allows feeding of unencrypted host context to the NIDS.

TCPtransform: Property-Oriented TCP Traffic Transformation
Seung-Sun "Gary" Hong, Fiona Wong, S. Felix Wu (UC Davis, USA), Bjorn Lilja, Tony Y. Jansson, Henric Johnson, and Arne Nelsson (Blekinge Institute of Technology, Sweden)
Presented by Gary Hong

TCPtransform (the offline version of TCPopera) is a trace-based replay tool, motivated by traffic testing for security products, in-line devices, IPS, firewalls, and routers. The goal is to replay traffic captured from the Minos honeypot on DETER, in which UC Davis participates. The design goals are to do property-oriented trace replaying: extract traffic parameters from input trace records, adjust traffic parameters, and feed new traffic parameters to input packet sequences. The TCPtransform components include flow preprocessors, UP flow processors, traffic models, TCP functions, and packet injection/capturing. It was validated using the DARPA IDEVAL99 (first 12 hours of 3/29/99) dataset. In the future, they hope to port it to DETER, adding new TCP/UDP models.

Session 7: Industry Session (Session chair: Marc Heuse)

Note: this session contained presentations only. No papers exist for these.

Implementation of Honeytoken Module in DBMS Oracle 9iR2 Enterprise Edition for Internal Malicious Activity Detection
Antanas Cenys, Darius Rainys, Lukas Radvilavicius (Information Systems Laboratory, Lithuania), and Nikolaj Goranin (Vilnius Gediminas Technical University, Lithuania)
Antanas Cenys presented.

After being (falsely) introduced as being from Louisiana, Antanas gave us an extra overview of Lithuania and of information security there (growing interest due to incidents). While his Vilnius research group participates in the EURECOM/Leurre honeypot project, his interest is in "lures" or "honeytokens" used in the context of a database. Use of these "tokens" shows that the database has been compromised. Nothing new here.
Function Call Tracing Attacks To Kerberos 5
Julian Rrushi and Emilia Rosti (Universita degli Studi di Milano, Italy)
Julian Rrushi presented

Julian talked about his experiences in function call tracing through interposition libraries (binaries were not modified). For Kerberos, one could attach to the Kerberos process.

Combining IDS and Honeynet Methods for Improved Detection and Automatic Isolation of Compromised Systems
Stephan Riebach, Birger Toedtmann, and Erwin Rathgeb (University Duisburg-Essen, Germany)
Stephan Riebach presented

Due to the impact of intrusion response (self-inflicted DoS), the authors look at isolating hosts rather than disabling them via an automated mechanism. Later the hosts can be rehabilitated. The current prototype has limitations, as it can handle only one system at a time and one broadcast domain. Skype currently produces false positives and can be used to trigger isolations.

The conference adjourned.

____________________________________________________________________
Book Review By Robert Bruen 07/12/05
Windows Server 2003 Security A Technical Reference
by Roberta Bragg
____________________________________________________________________
Addison-Wesley 2005. ISBN 0-321-30501-9 1142 pages. $54.99. Index.

This is not a general book about security or even about Microsoft security; it is about Windows Server 2003 security. It is a book with remarkable depth and real content all the way through. Since it is about a specific platform, the book takes its content from the implementation of the platform. (The book does not present tricks that could be used to hack into Server 2003.) The book contains good, general background about security principles, but only as they apply to the topics covered. The presentation of how to set up and implement Microsoft strategies is excellent.
Many books are available with screenshots and "click here" instructions, but few provide this level and quality of explanation so that you understand why things should happen in a particular way. Microsoft may have made it easier to get things working, but they have made it much harder when things go wrong. Ms. Bragg has filled in that gap, at least for Server 2003.

Security has many components; one of those is encryption. It is not the only or the most important, but it needs to be part of almost any security architecture. It is a tragedy, for example, that cleartext remote logins are still available, especially since this problem was solved years ago. Microsoft Windows has had encryption available for long enough that it should be used as a standard operating procedure. Think of how much grief could have been avoided by those fifteen or so colleges who had databases stolen containing personal information. Encryption can be used and should be used for sensitive information.

Now the Encrypting File System is part of NTFS and is available to ordinary users without being part of a domain or meeting any other special requirements. EFS is simple to use, mainly by clicking in dialog boxes, but there is command window access as well. The author has been very thorough in covering the simple procedures as well as the complex issues.

One of the reasons, in my opinion, that PKI in general has not really taken off is because key management is difficult. The same problem pops up in EFS. The recovery agent is a feature meant to address this problem, in part. If you lose your key or you leave the organization, the files that you encrypted can be recovered by the designated recovery agent. Naturally there are a few hidden traps. For example, although Windows 2000 set up the admin as a recovery agent by default, Server 2003 does not, except for the domain controller admin, but only the first one. It would be a nasty surprise to discover this after an upgrade.
This book will guide you through this and all of the landmines when setting up, running and troubleshooting EFS. The jury is still out on whether the ability of third parties to recover such files is a good thing, because it is both helpful and shows a weakness, but at least you can plan for the difficulties with some confidence.

Bragg has produced the reference book for Server 2003 security. Microsoft should be grateful, along with anyone who has to administer a domain with Server 2003 at its heart. Definitely a must-have book.

____________________________________________________________________
Book Review By Robert Bruen 07/14/05
Sockets, Shellcode, Porting and Coding
by James Foster with Mike Price
____________________________________________________________________
Syngress 2005. ISBN 1-597490-05-9 667 pages. $49.95. Index. Four appendices, including glossary. Code examples available at www.syngress.com (registration required plus a key from the book).

The small, but growing library of excellent books in reverse engineering and shellcode has one more member. As held by common wisdom, writing good exploits is still difficult and not too many people can do it. The difficulty is rooted in the requirement of expertise in architecture and coding. In a point and click world, there is little opportunity to learn how the technical stuff works, especially now that the US is producing fewer programmers with fewer skills. You have to make an effort to master several languages, including assembler, and to understand things like memory addressing, stacks and pointers. There are at least two major problems with this scenario: if no one understands how software works, then vendors can sell junk without any complaints. Secondly, if the US continues its decline in expertise, the rest of the world will continue its path toward technical superiority. Fortunately, Mr. Foster is contributing his knowledge for anyone who wishes to take the time and make the effort to learn how it is done.
The portability of code is always an issue, both between platforms and between languages. The usual platforms are Windows and some flavor of Unix. In this book the languages run from C, C++, C#, Java, Perl and Python to assembly. Going between platforms and languages can be demanding, especially when networking is involved. Foster seems to be unaffected by the challenges presented by each variant as he seamlessly rewrites code to work under different scenarios. Each line is numbered and explained for each code example, which is very helpful when comparing, for example, how Windows creates a process and how Unix creates a process. The example code is short so that the actual point is made without superfluous code. Of course there are plenty of examples of more complex code throughout the book, as well.

The book has three full chapters on writing exploits, plus two chapters on writing shellcode. These sections analyze existing exploit code using numerous techniques, such as format string attacks, heap corruption and various buffer overflows. One chapter on writing exploits does a nice job covering the Metasploit Framework. MSF has started to show up in chapters like this, demonstrating a need for its own book. In this chapter the Framework is used in a step by step creation of a buffer overflow for an older version of IIS. First, an analysis is undertaken to show how one determines what needs to be done. It makes me feel better when one thinks about the plan rather than just jumping into the code. How the use of MSF cuts down on the time for developing exploit code is also explained. All of this is valuable to defenders as well as attackers, and to those who write resilient code.

This book is highly recommended and will be put on my bookshelf next to "The Shellcoders Handbook" and Eilam's "Reversing".
____________________________________________________________________
Book Review By Robert Bruen 07/12/05
Apache Security
by Ivan Ristic
____________________________________________________________________
O'Reilly 2005. ISBN 0-596-00724-8 Index. One Appendix.

Apache software is used for the majority of web servers around the world, and with good reason. Besides the fact that it is free and open source, it is high quality software. There have only been a few security problems, all of which were answered quickly. Another great feature is the expectation that other people want to extend and add and modify and improve, and so on, so it has been designed to enable a community to contribute.

In spite of the minimal security problems, we all still worry about them. Software can be written to minimize vulnerabilities and it can also be written to allow proactive measures to deal with potential problems. Apache has done both. Ristic has written mod_security for Apache and has written this book to explain security for it and for Apache. While I have a few nitpicks about an index reference or two, I have found this book to be excellent. It is written in a teaching style, covering general security where appropriate, then linking each concept to the specific mutation within the http protocol that underlies web server operation. In order to create security techniques for a process or program, one really needs to understand the program and security. Ristic clearly does. The best part is his writing in such a way that you learn as you read through the book. I have a special appreciation of techies who can communicate ideas.

The web is the main connection to places on the 'net for most people. I am repeatedly astonished at how many people think there is no difference between the World Wide Web, the Internet and their (local) network. Instead of thinking that the web is an important use of the Internet, they think it is the Internet.
For those of us who worry about the security of such things, it is straightforward to expect serious work to secure web based interactions. For the rest of us who just want to use it, it is expected that it will just work. Unfortunately, there is also that element that sees the network as a place to disrupt others and commit crimes. I expect that most admins would be happier staying off the 11:00pm newscast highlighting how their web site was cracked.

A number of attacks over the recent year or two have become more sophisticated by using syntax problems in addition to the old faithfuls, buffer overflow and cross-site scripting. The rapid deployment of web sites has contributed to the target rich environment. Not only are there the usual security problems, but also web specific and web language specific issues. The list has become long enough that a book that details them is needed. This book does that, and it provides procedures to cope with them and provides code to help. Mod_security acts like a firewall to filter packets, modifying, for example, those pesky syntax errors that can lead to a compromise. The book has lots of references for more information in every chapter for these issues and most other issues.

Apache Security certainly will go on my O'Reilly Apache bookshelf next to "Apache The Definitive Guide" and the "Apache Cookbook". It is a highly recommended book for anyone, but especially for those who run (or want to run) an Apache web server.

====================================================================
Listing of academic positions available
by Cynthia Irvine
====================================================================
Taken from http://cisr.nps.navy.mil/jobscipher.html

Gjo/vik University College, Gjo/vik, Norway
PhD studentship
Position available until filled
http://nislab.hig.no/People/Jobs/

Radboud University Nijmegen, Nijmegen, the Netherlands
2 PhD positions
Positions available until filled.
http://www.sos.cs.ru.nl/group/vacancies/index.html

--------------
This job listing is maintained as a service to the academic community. If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Conference and Workshop Announcements
Upcoming Calls-For-Papers and Events
====================================================================
The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________
Calendar of Security and Privacy Related Events
maintained by Hilarie Orman

Date (Month/Day/Year), Event, Locations, web page for more info.
 7/18/05- 7/19/05: FAST, Formal Aspects in Security and Trust, Newcastle, UK; www.csr.ncl.ac.uk/fm05/
 7/18/05: WEC, Workshop on Electronic Contracting, Munich, Germany; www.hpl.hp.com/personal/Claudio_Bartolini/Wec05.html
 7/21/05- 7/22/05: CEAS, Conference on Email and Anti-spam, Palo Alto, CA; www.ceas.cc; information@ceas.cc
 7/25/05: PEP, Workshop on Privacy-enhanced Personalization, Edinburgh, Scotland; www.isr.uci.edu/pep05/
 7/31/05- 8/ 5/05: USENIX Security; Baltimore, MD; www.usenix.org/sec05/progm
 8/ 1/05: SKLOIS, Conference on Information Security and Cryptology, Beijing, China; www.is.iscas.ac.cn/cisc/index.htm;
 8/ 2/05: SAC-TRECK, ACM Symposium on Applied Computing, Track: Trust, Recommendations, Evidence and other Collaboration Know-how, Dijon, France; www.acm.org/conferences/sac/sac2006/; Submissions are due; info Seigneur@trustcomp.org
 8/11/05- 8/12/05: SAC, Selected Areas in Cryptography, Ontario, Canada; www.ece.queensu.ca/sac2005/
 8/17/05- 8/19/05: DFRWS, Digital Forensics Research Workshop, New Orleans, LA; www.dfrws.org
 8/21/05- 8/22/05: SecCo, Workshop on Security Issues in Concurrency, San Francisco, CA; www.zurich.ibm.com/~mbc/secco05/
 8/22/05: NDSS, Network and Distributed System Security Symposium, San Diego, California; www.isoc.org/isoc/conferences/ndss/06/cfp.shtml;
 8/28/05- 9/ 2/05: WiSE, Workshop on Wireless Security, Cologne, Germany; www.ee.washington.edu/research/nsl/wise2005
 9/ 1/05: JHSN-SpecialIssue-Policy, Journal of High Speed Networking, Special issue on Managing Security Policies: Modeling, Verification and Configuration; www.mnlab.cs.depaul.edu/events/JHSN-policy; submissions deadline; info ehab@cs.depaul.edu;
 9/ 1/05: SISW, Security in Storage Workshop, San Francisco, California; ieeeia.org/sisw/2005/index.htm; Submissions are due; info James_Hughes@StorageTek.com;
 9/ 2/05- 9/ 3/05: SDM, VLDB Workshop on Secure Data Management, Trondheim, Norway; www.extra.research.philips.com/sdm-workshop/
 9/ 5/05- 9/ 9/05: Securecomm, Conference on Security and Privacy for Emerging Areas in Communication Networks, Athens, Greece; www.securecomm.org/
 9/ 5/05- 9/ 9/05: SECOVAL, The Value of Security through Collaboration, Athens, Greece (with Securecomm); www.secoval.org/
 9/ 6/05: ISSSE, International Symposium on Secure Software Engineering, Washington DC; www.jmu.edu/iiia/issse/; Submissions are due; info redwinst@jmu.edu;
 9/ 7/05- 9/ 9/05: RAID, Symposium on Recent Advances in Intrusion Detection, Seattle, Washington; www.conjungi.com/RAID/
 9/11/05: UbiComp, Privacy in Context, Tokyo, Japan; www.sims.berkeley.edu/~jensg/Ubicomp2005/
 9/12/05- 9/16/05: AMESP, Appropriate Methodology for Empirical Studies of Privacy, Rome, Italy; www.privacymethodologies.tk
 9/14/05- 9/16/05: ESORICS, European Symposium on Research in Computer Security, Milan, Italy; esorics05.dti.unimi.it/
 9/15/05: QoP, Quality of Protection Workshop, Milano, Italy; dit.unitn.it/~qop/
 9/19/05- 9/24/05: FOSAD, School in Foundations of Security Analysis and Design, Bertinoro, Italy; www.sti.uniurb.it/events/fosad
 9/19/05- 9/21/05: ECC, Workshop on Elliptic Curve Cryptography, Essen, Germany
 9/19/05- 9/21/05: PBA, Workshop on Protection by Adaptation, Kuala Lumpur, Malaysia; www.iiwas.org/workshops/pba-2005/
 9/20/05- 9/23/05: NSPW, New Security Paradigms Workshop, Lake Arrowhead, California; www.nspw.org
 9/20/05- 9/22/05: FloCon, New Orleans, Louisiana; www.cert.org/flocon
 9/20/05: CoALa, Workshop on Contract Architectures and Languages, Enschede, The Netherlands; www.dstc.edu.au/Research/Projects/coala/2005/
 9/24/05- 9/28/05: MMM_ACNS, Mathematical Methods, Models and Architectures for Computer Network Security, St. Petersburg, Russia; space.iias.spb.su/mmm-acns05/
 9/29/05-10/ 1/05: Mycrypt, International Conference on Cryptology in Malaysia, Kuala Lumpur, Malaysia; info rphan@swinburne.edu.my
 9/30/05: IJICS-Special-Nature-Computation, Special Issue of the International Journal on Information and Computer Security; submissions are due; info jac@cs.york.ac.uk;
10/ 1/05: AsiaCCS, ACM Symposium on Information, Computer and Communications Security, Taipei, Taiwan; submissions are due; www.iis.sinica.edu.tw/asiaccs06/
10/ 1/05: SI-Eurasip-WirelesSec, Journal on Wireless Communications and Networking, special issue on Wireless Network Security; www.hindawi.com/journals/wcn/si/wns.html; submissions are due
10/ 3/05-10/ 4/05: WSStandz, Workshop on Security Standardization, Geneva, Switzerland
10/13/05: WSSEET, Workshop on Secure Software Engineering Education and Training, Turtle Bay, Oahu, HI; www.jmu.edu/iiia/wsseet/; Submissions are due; info redwinst@jmu.edu
10/16/05-10/19/05: ITW, Information Theory Workshop On Theory and Practice in Information-theoretic Security, Awaji Island, Japan; imailab-www.iis.u-tokyo.ac.jp/~itw05/
10/17/05-10/19/05: ICCCN, International Conference on Computer Communications and Networks, San Diego, California; icccn.sce.umkc.edu
10/26/05: VizSEC, Workshop on Visualization for Computer Security, Minneapolis, Minnesota; www.cs.ucdavis.edu/~ma/VizSEC05/
10/31/05-11/ 1/05: NIST-CHW, NIST Cryptographic Hash Workshop, Gaithersburg, MD; www.nist.gov/hash-function
10/31/05-11/ 2/05: DRMTICS, Digital Rights Management: Technologies, Issues, Challenges and Systems, Sydney, Australia; www.titr.uow.edu.au/DRMTICS2005
11/ 1/05: SEC, IFIP TC-11 International Information Security Conference, Karlstad University, Sweden; www.sec2006.org; submissions are due;
11/ 7/05: SASN, Security of Ad Hoc and Sensor Networks, Alexandria, VA; discovery.csc.ncsu.edu/SASN05
11/11/05: WORM, Workshop on Rapid Malcode, Fairfax, VA; www1.cs.columbia.edu/~angelos/worm05/
11/11/05: FMSE, Workshop on Formal Methods in Security Engineering, Alexandria, VA; www.ti.informatik.uni-kiel.de/~kuesters/FMSE05/
11/11/05: StorageSS, Storage Security and Survivability Workshop, Fairfax, VA; www.ncassr.org/projects/storage-sec/storageSS-2005/
11/28/05: IWIA, Information Assurance Workshop, Royal Holloway, UK; iwia.org/2006/; Submissions are due; info SWOLTHUSEN@IEEE.ORG;
12/10/05-12/13/05: ICICS, International Conference on Information and Communications Security, Beijing, China; www.icics2005.org/
12/13/05: SISW, Security in Storage Workshop, San Francisco, California; ieeeia.org/sisw/2005/index.htm
12/14/05-12/16/05: CANS, Conference on Cryptology and Network Security, Xiamen, Fujian Province, China; math.fjnu.edu.cn/cans
12/15/05-12/17/05: SKLOIS, Conference on Information Security and Cryptology, Beijing, China; www.is.iscas.ac.cn/cisc/index.htm
 1/10/06: DRM-ICC, Workshop on Digital Rights Management Impact on Consumer Communications, Las Vegas, NV; www.ieee-ccnc.org/2006/conf_program/drm_workshop/index.htm
 2/ 2/06- 2/ 3/06: NDSS, Network and Distributed System Security Symposium, San Diego, California; www.isoc.org/isoc/conferences/ndss/06/cfp.shtml
 3/13/06- 3/15/06: ISSSE, International Symposium on Secure Software Engineering, Washington DC; www.jmu.edu/iiia/issse/
 3/21/06- 3/23/06: AsiaCCS, ACM Symposium on Information, Computer and Communications Security, Taipei, Taiwan; www.iis.sinica.edu.tw/asiaccs06/
 4/13/06- 4/14/06: IWIA, Information Assurance Workshop, Royal Holloway, UK; iwia.org/2006/
 4/18/06: WSSEET, Workshop on Secure Software Engineering Education and Training, Turtle Bay, Oahu, HI; www.jmu.edu/iiia/wsseet/
 4/23/06- 4/27/06: SAC-TRECK, ACM Symposium on Applied Computing, Track: Trust, Recommendations, Evidence and other Collaboration Know-how, Dijon, France; www.acm.org/conferences/sac/sac2006/
 5/26/06- 5/24/06: SEC, IFIP TC-11 International Information Security Conference, Karlstad University, Sweden; www.sec2006.org

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers
(new since Cipher E66)
____________________________________________________________________

http://www.argreenhouse.com/society/J-SAC/Calls/network_security.html
IEEE Journal on Selected Areas in Communications, High-speed Network Security -- Architecture, Algorithms, and Implementation, 4th Quarter 2006. (Submissions due 1 September 2005)

Guest editors: H. Jonathan Chao (Polytechnic University), Wing Cheong Lau (Qualcomm), Bin Liu (Tsinghua University), Peter Reiher (University of California at Los Angeles), and Rajesh Talpade (Telcordia Technologies)

While the recent proliferation of broadband wireline and wireless networking technologies has substantially increased the available network capacity and enabled a wide range of feature-rich high-speed communication services, security remains a major concern. Large-scale, high-profile system exploits and network attacks have become common recurring events that increasingly threaten the proper functioning and continual success of the communication infrastructure and services. One key aspect of mitigating such increasing threats is to develop new security/defense architectures, systems, methodologies and algorithms which can scale together with the communications infrastructure in terms of operating speed, operational simplicity and manageability, etc. The aim of this issue is to bring together the work done by researchers and practitioners in understanding the theoretical, architectural, system, and implementation issues related to all aspects of security in high-speed networks. We seek original, previously unpublished and completed contributions not currently under review by another journal.
Areas of interest include but are not limited to the following topics related to high-speed network security:
- High-speed Intrusion Detection, Prevention (IDS/IPS) Systems, and malicious behavior detection
- High-speed Distributed Denial of Service (DDoS) attacks, prevention and defense systems
- High-speed network monitoring, metering, traceback and pushback mechanisms
- High-speed firewall, packet filtering and cross-layer defense coordination
- Support of authentication, confidentiality, authorization, non-repudiation in high-speed networks
- Security group communications/multicast
- Secure and scalable content-delivery networks
- Support for automated security policy configuration and realization
- Forensic methodologies for high-speed networks
- Automated attack characterization and containment in high-speed networks
- Testbeds for high-speed network security

----------------------------------------------------------------------------
http://www.mnlab.cs.depaul.edu/events/JHSN-policy/
Journal of High Speed Networking, Special issue on Managing Security Policies: Modeling, Verification and Configuration, February/March 2006. (Submissions due 1 September 2005)

Guest editors: Ehab Al-Shaer (DePaul University), Clifford Neuman (University of Southern California), Dinesh C Verma (IBM Watson Research Center), Hong Li (Intel IT Research), and Anthony Chung (DePaul University)

The importance of effective network security policy management has increased significantly in the past few years. Network security perimeter devices such as firewalls, IPSec gateways, and intrusion detection and prevention systems operate based on locally configured policies. However, the complexity of managing security policies, particularly in enterprise networks that usually have heterogeneous devices and policies, has become a main challenge for deploying effective security.
Yet these policies are not necessarily independent, as they interact with each other to form the global security policy. It is common practice to configure security policies on each of the perimeter devices manually and in isolation from each other, due to different administrative domains, roles and personnel, among other reasons. As a result, rule conflicts and policy inconsistencies may be introduced into the system, leading to serious security breaches and network vulnerability. Moreover, enterprise networks continuously grow in size and complexity, and they are in a constant state of change (in topologies, devices, protocols, and vulnerabilities), resulting in frequent changes in security policies. All of these make policy enforcement, modification, verification, and evaluation intractable tasks. This special issue seeks solutions that offer seamless policy management with provable security in heterogeneous multi-vendor network security environments.

This special issue solicits original and unpublished contributions addressing security policy management issues. Topics of particular interest are automated policy management, dynamic policy-based security, security policy verification and distribution, and policy unification that improve the state of the art in this area. Examples of selected topics include but are not limited to:
- Policy modeling and verification using formal methods
- Conflict discovery and resolution
- High-speed security policy analysis
- Frameworks for policy testing, assessment, comparison and evaluation
- Dynamic policy-based security management
- Adaptive security policies
- Policy visualization
- Distributed policy editing, delegation and distribution
- Policy translation: from high-to-low level and vice versa
- Data mining for policy inspection, evaluation and enhancement
- Policy management for wireless and mobile networks
- Novel policy management architectures
- Automatic security policy management in heterogeneous network environments
- Implementation and case studies of security policy management systems
- Management of interactions between security policies and other policies
- Security policy languages and management for multi-device, multi-protocol and multi-vendor environments
- System intelligence to enable automated policy management: monitoring, event/data correlation and root-cause analysis

-------------------------------------------------------------------------
http://www.cs.york.ac.uk/security/NatureInspiredSecuritySpecialIssue.html
International Journal on Information and Computer Security (IJICS), Special Issue on Nature-Inspired Computation in Cryptology and Computer Security, October 2006. (Submissions due 30 September 2005)

Guest editors: John A. Clark (York University, UK) and Julio Cesar Hernandez (Universidad Carlos III de Madrid, Spain)

Techniques taken from the field of nature-inspired computation (e.g. Genetic Algorithms, Genetic Programming, Simulated Annealing, and Artificial Immune Systems) are steadily gaining ground in the area of cryptology and computer security. In recent years, nature-inspired algorithms have been proposed, for example, for the design and analysis of a number of new cryptographic primitives, ranging from pseudorandom number generators to block ciphers, in the cryptanalysis of state-of-the-art cryptosystems, in the design of security protocols and in the detection of network attack patterns, to name but a few.
There is a growing interest from the cryptographic and computer security communities towards nature-inspired techniques. This has occurred partly as a result of these recent successes, but also because the nature of systems is changing in a way which means traditional computer security techniques will not meet the full range of tasks at hand. The increasing distribution, scale, autonomy and mobility of emerging systems is forcing us to seek inspiration from nature to help deal with the challenges ahead. There is a general feeling that the area is ripe for further research, with dedicated conference sessions only beginning to emerge (e.g. the Conference on Evolutionary Computation special sessions in 2003, 2004 and 2005).

This special issue of the IJICS solicits the submission of research papers in this general area. Suitable topics include (but are not limited to) the use of nature-inspired techniques for:
- Intrusion detection
- System security management
- Security authentication technologies
- The design of cryptographic primitives
- The cryptanalysis of stream, block and public key encryption algorithms (and other security-related algorithms, e.g. watermarking algorithms)
- The design or analysis of security protocols

-------------------------------------------------------------------------
http://www.hindawi.com/journals/wcn/si/wns.html
EURASIP Journal on Wireless Communications and Networking, Special Issue on Wireless Network Security, 3rd Quarter, 2006. (Submissions due 1 October 2005)

Guest editors: Yang Xiao (University of Memphis), Yi-Bing Lin (National Chiao Tung University, Taiwan), and Ding-Zhu Du (University of Minnesota)

Wireless network technologies have advanced rapidly in recent years, as evidenced by wireless local area networks (WLANs), wireless personal area networks (WPANs), wireless metropolitan area networks (WMANs), and wireless wide area networks (WWANs), that is, cellular networks.
A major impediment to their deployment, however, is wireless network security. For example, the lack of data confidentiality in the wired equivalent privacy (WEP) protocol has been proven, and newly adopted standards such as IEEE 802.11i robust security network (RSN) and IEEE 802.15.3a ultra-wideband (UWB) are not fully tested and, as such, may expose unforeseen security vulnerabilities. The effort to improve wireless network security is linked with many technical challenges including compatibility with legacy wireless networks, complexity in implementation, and cost/performance trade-offs. The need to address wireless network security and to provide timely, solid technical contributions establishes the motivation behind this special issue.

This special issue will focus on novel and functional ways to improve wireless network security. Papers that do not focus on wireless network security will not be reviewed. Specific areas of interest in WLANs, WPANs, WMANs, and WWANs include, but are not limited to:
- Attacks, security mechanisms, and security services
- Authentication
- Access control
- Data confidentiality
- Data integrity
- Nonrepudiation
- Encryption and decryption
- Key management
- Fraudulent usage
- Wireless network security performance evaluation
- Wireless link layer security
- Tradeoff analysis between performance and security
- Authentication and authorization for mobile service networks
- Wireless security standards (IEEE 802.11, IEEE 802.15, IEEE 802.16, 3GPP, and 3GPP2)

-------------------------------------------------------------------------
http://www.cs.memphis.edu/~yxiao/IJSN_Snesor_Security.html
International Journal of Security and Networks (IJSN), Special Issue on Security Issues in Sensor Networks, Middle 2006.
(Submissions due 15 October 2005)

Guest editors: Yang Xiao (University of Memphis), Xiaohua Jia (City University of Hong Kong, Hong Kong), Bo Sun (Lamar University), and Xiaojiang Du (North Dakota State University)

Security in sensor networks differs from that in other, traditional networks in many aspects, such as limited memory space, limited computation capability, etc. Therefore, sensor network security has some unique features which do not exist in other networks. The need to address security issues, and to provide timely, solid technical contributions of security solutions in sensor networks, establishes the motivation behind this special issue. This special issue is dedicated to sensor network security. A paper should have security in sensor networks as its focus. Specific areas of interest include, but are not limited to:
- Key management in sensor networks
- Secure routing in sensor networks
- Lightweight encryption and authentication in sensor networks
- Attacks and solutions in sensor networks
- Other areas which are related to both security and sensor networks

-------------------------------------------------------------------------
http://www.titr.uow.edu.au/DRM2005/
DRM 2005 Workshop on Digital Rights Management, Held in conjunction with the 12th ACM Conference on Computer and Communications Security (CCS 2005), Alexandria, VA, USA, November 7, 2005. (Submissions due 18 July 2005)

Digital Rights Management (DRM) is an area of pressing interest, as the Internet has become the center of distribution for digital goods of all sorts. The business potential of digital content distribution is huge, as are its economic, legal and social implications. DRM, as a technical interdisciplinary field, is at the heart of controlling digital content and assuring authorized, user friendly, safe, well-managed, automated, and fraud-free distribution.
The field of DRM combines cryptographic technology, software and systems research, information and signal processing methods, legal, social and policy aspects, as well as business analysis and economics. Original papers on all aspects of Digital Rights Management are solicited for submission to DRM 2005, the Fifth ACM Workshop on Digital Rights Management. Topics of interest include but are not limited to:
- anonymous publishing
- architectures for DRM systems
- auditing
- business models for online content distribution
- computing environments and platforms for DRM systems
- copyright-law issues, including but not limited to fair use
- digital policy management
- implementations and case studies
- privacy and anonymity
- risk management
- robust identification of digital content
- security issues, including but not limited to authorization, encryption, tamper resistance, and watermarking
- software related issues
- supporting cryptographic technology including but not limited to traitor tracing, broadcast encryption, obfuscation
- threat and vulnerability assessment
- concrete software
- patent cases
- usability aspects of DRM systems
- web services related to DRM systems

-------------------------------------------------------------------------
http://ra.crema.unimi.it/sws05/
SWS 2005 Workshop on Secure Web Services, Held in conjunction with the 12th ACM Conference on Computer and Communications Security (CCS 2005), Fairfax, VA, USA, November 11, 2005.
(Submissions due 18 July 2005)

Basic security protocols for Web Services, such as XML Security, the WS-* series of proposals, SAML, and XACML, are the basic set of building blocks enabling Web Services and the nodes of GRID architectures to interoperate securely. While these building blocks are now firmly in place, a number of challenges are still to be met for Web services and GRID nodes to be fully secured and trusted, providing for secure communications between cross-platform and cross-language Web services.
Also, the current trend toward representing Web services orchestration and choreography via advanced business process metadata is fostering a further evolution of current security models and languages, whose key issues include setting and managing security policies, inter-organizational (trusted partner) security issues, and the implementation of high level business policies in a Web services environment. The SWS workshop explores these challenges, ranging from the advancement and best practices of building block technologies such as XML and Web services security protocols to higher level issues such as advanced metadata, general security policies, trust establishment, risk management, and service assurance. Topics of interest include, but are not limited to, the following:
- Web services and GRID computing security
- Authentication and authorization
- Frameworks for managing, establishing and assessing inter-organizational trust relationships
- Web services exploitation of Trusted Computing
- Semantics-aware Web service security and Semantic Web
- Secure orchestration of Web services
- Privacy and digital identities support

-------------------------------------------------------------------------
http://www.is.iscas.ac.cn/cisc/index.htm
CISC 2005 SKLOIS Conference on Information Security and Cryptology, Beijing, China, December 15-17, 2005.
(Submissions due 1 August 2005)

The SKLOIS conference on information security and cryptology seeks full papers presenting new research results related to cryptology, information security and their applications.
Areas of interest include, but are not limited to:
- Access Control
- Authentication and Authorization
- Biometric Security
- Distributed System Security
- Database Security
- Electronic Commerce Security
- Intrusion Detection
- Information Hiding and Watermarking
- Key Management and Key Recovery
- Network Security
- Security Protocols and Their Analysis
- Security Modeling and Architecture
- Provable Security
- Multiparty Security Computation
- Foundations of Cryptography
- Secret Key and Public Key Cryptosystems
- Implementation of Cryptosystems
- Hash Functions and MAC
- Modes of Operation
- Intellectual Property Protection
- Mobile System Security
- Operating System Security
- Risk Evaluation and Security Certification
- Malicious Codes and Prevention

-------------------------------------------------------------------------
http://www.trustcomp.org/treck/
TRECK 2005 21st ACM Symposium on Applied Computing: Trust, Recommendations, Evidence and other Collaboration Know-how Track (TRECK), Dijon, France, April 23-27, 2006.
(Submissions due 2 August 2005)

Computational models of trust and mechanisms based on the human notion of trust have been gaining momentum. One reason for this is that traditional security mechanisms are challenged by open, large scale and decentralised environments. The use of an explicit trust management component goes beyond security, though. The goal of the ACM SAC 2006 TRECK track remains to review the set of applications that benefit from the use of computational trust. Computational trust has been used in reputation systems, risk management, collaborative filtering, social/business networking services, dynamic coalitions and virtual organisations. The TRECK track covers all computational trust applications, especially those used in the real world.
The topics of interest include, but are not limited to:
- Recommender and reputation systems
- Trust-enhanced collaborative applications
- Tangible guarantees given by formal models of trust and risk
- Trust metrics assessment and threat analysis
- Pervasive computational trust and use of context-aware features
- Trade-off between privacy and trust
- Trust/risk-based security frameworks
- Automated collaboration and trust negotiation
- Trust in peer-to-peer systems
- Technical trust evaluation, especially at the identity level
- Impacts of social networks on computational trust
- Evidence gathering and management
- Real-world applications, running prototypes and advanced simulations
- Applicability in large-scale, open and decentralised environments
- Legal and economic aspects related to the use of trust engines
- User-studies and user interfaces of computational trust applications

-------------------------------------------------------------------------
http://ieeeia.org/sisw/2005/index.htm
SISW 2005 3rd International IEEE Security in Storage Workshop, Held in conjunction with the 4th USENIX Conference on File and Storage Technologies (FAST 2005), San Francisco, CA, USA, December 14-16, 2005.
(Submissions due 1 September 2005)

The workshop seeks submissions from academia and industry presenting novel research on all theoretical and practical aspects of designing, building and managing secure storage systems; possible topics include, but are not limited to the following:
- Cryptographic Algorithms for Storage
- Cryptanalysis of Systems and Protocols
- Key Management for Sector and File based Storage Systems
- Balancing Usability, Performance and Security concerns
- Unintended Data Recovery
- Attacks on Storage Area Networks and Storage
- Insider Attack Countermeasures
- Security for Mobile Storage
- Defining and Defending Trust Boundaries in Storage
- Relating Storage Security to Network Security
- Database Encryption
- Search on Encrypted Information

-------------------------------------------------------------------------
http://www.jmu.edu/iiia/issse/
ISSSE 2006 IEEE International Symposium on Secure Software Engineering, Washington DC, USA, March 13-15, 2006.
(Submissions due 6 September 2005)

Today, security problems involving computers and software are frequent, widespread, and serious. The number and variety of attacks by persons and malicious software from outside organizations, particularly via the Internet, are increasing rapidly, and the amount and consequences of insider attacks remain serious. Over 90% of security incidents reported to the CERT Coordination Center result from defects in software requirements, design, or code. The Symposium covers all aspects of the processes, techniques, technology, people, and knowledge base that have or need the capability to contribute to producing (more) secure software, including their characteristics, interrelationships, creation, sources, transfer, introduction, use, and improvement.
Potential topics include:
- Threat modeling and analysis of vulnerabilities
- Secure architectures & design
- Formal specification, designs, policies, and proofs
- Model checking for security
- Coding practices
- Static analysis and other automated support
- Processes for producing secure software
- Testing of security in software
- Certification and accreditation
- Relationships among software correctness, reliability, safety, and security
- Market and legal forces
- Lessons learned
- Ethics and human factors
- Technology transfer

-------------------------------------------------------------------------
http://www.jmu.edu/iiia/issse/
ISPEC 2006 2nd Information Security Practice and Experience Conference, Hangzhou, China, April 11-14, 2006.
(Submissions due 15 October 2005)

As applications of information security technologies become pervasive, issues pertaining to their deployment and operation are becoming increasingly important. ISPEC is an annual conference that brings together researchers and practitioners to provide a confluence of new information security technologies, their applications and their integration with IT systems in various vertical sectors. Authors are invited to submit full papers presenting new research results related to information security technologies and applications.
Areas of interest include, but are not limited to:
- Applications of cryptography
- Critical infrastructure protection
- Digital rights management
- Economic incentives for deployment of information security systems
- Information security in vertical applications
- Legal and regulatory issues
- Privacy and anonymity
- Risk evaluation and security certification
- Resilience and availability
- Secure system architectures
- Security policy
- Security standards activities
- Trust model and management
- Usability aspects of information security systems

-------------------------------------------------------------------------
http://www.cs.york.ac.uk/security/spc-2006/spc-2006-cfp.html
SPC 2006 3rd International Conference on Security in Pervasive Computing, York, UK, April 18-21, 2006.
(Submissions due 15 October 2005)

The security of pervasive computing is a critically important area for commerce, the public sector, academia and the individual citizen. Although pervasive computing presents exciting enabling opportunities, the benefits will only be reaped if security aspects can be appropriately addressed. Threats exploiting vulnerabilities of new kinds of user interfaces, displays, operating systems, networks, and wireless communications give rise to new concerns about loss of confidentiality, integrity, privacy, and availability. How can these risks be reduced to an acceptable level? Original research contributions are sought in all areas relating to the security of pervasive computing. Topics include (but are not restricted to):
- Models for access control, authentication and privacy management
- Biometric methods in pervasive computing systems
- Tradeoffs between security and other criteria (e.g. due to deployment on resource constrained devices)
- Protocols for trust management in pervasive computing networks
- Analysis of protocols for pervasive computing
- Hardware security issues for pervasive computing
- Audit and accountability in pervasive systems
- Non-technical implications of pervasive computing

-----------------------------------------------------------------------
http://www.cs.york.ac.uk/security/spc-2006/spc-2006-cfp.html
SEC 2006 21st IFIP TC-11 International Information Security Conference, Karlstad, Sweden, May 22-24, 2006.
(Submissions due 1 November 2005)

The IT environment now includes novel, dynamic approaches such as: mobility, wearability, ubiquity, ad hoc use, mind/body orientation, and business/market orientation. This modern environment challenges the whole information security research community to focus on interdisciplinary and holistic disciplines whilst retaining the benefit of previous research efforts. Papers offering research contributions focusing on dynamic environments, in addition to other aspects of computer security and privacy, are solicited for submission to the 21st IFIP International Information Security Conference.
Papers may present theory, applications or practical experiences on security and privacy topics including, but not limited to:
- Mobile or Ubiquitous technologies
- Wireless or Ad-hoc systems
- Changing organizational environments
- Implications for virtual organizations
- Crossing organizational/national boundaries
- Process orientation
- New business models
- Offshoring/Nearshoring and outsourcing
- New markets
- Marketing and awareness
- Biometrics
- E-applications
- DRM & content security
- Applications of cryptography
- Authentication, Authorization, and Access Control
- Data Protection
- Multilateral security
- Identity management
- Privacy and Privacy-Enhancing Technologies (PETs)
- Computer forensics
- Internet and web security
- Information hiding
- Sensor networks
- Intrusion detection
- Attacks and malware
- Systems development
- Architectures
- Security management
- Verification, Assurance, Metrics, and Measurements
- Data and system integrity
- Information warfare and Critical infrastructure protection
- Risk analysis and risk management
- Law and ethics
- Education

-------------------------------------------------------------------------
http://fse2006.iaik.tugraz.at/
FSE 2006 13th annual Fast Software Encryption workshop, Graz, Austria, March 15-17, 2006.
(Submissions due 25 November 2005)

FSE 2006 is the 13th annual Fast Software Encryption workshop, for the fifth year sponsored by the International Association for Cryptologic Research (IACR). Original research papers on symmetric cryptology are invited for submission to FSE 2006. The workshop concentrates on fast and secure primitives for symmetric cryptography, including the design and analysis of block ciphers, stream ciphers, encryption schemes, analysis and evaluation tools, hash functions, and message authentication codes (MACs).
-------------------------------------------------------------------------
http://iwia.org/2006/
IWIA 2006 4th IEEE International Information Assurance Workshop, Royal Holloway, UK, April 13-14, 2006.
(Submissions due 28 November 2005)

The IEEE Task Force on Information Assurance is sponsoring a workshop on information assurance in cooperation with the ACM SIGSAC on research and experience in information assurance. The workshop seeks submissions from academia, government, and industry presenting novel research, applications and experience, and policy on all theoretical and practical aspects of IA. Possible topics include, but are not limited to the following:
- Operating System IA & S
- Storage IA & S
- Network IA & S
- IA Standardization Approaches
- Information Sharing in Coalition Settings
- Security Models
- Survivability and Resilient Systems
- Formal Methods and Software Engineering for IA
- Proactive Approaches to IA
- CCITSE Experience and Methodology
- Intrusion Detection, Prediction, and Countermeasures
- Insider Attack Countermeasures
- Specification, Design, Development, and Deployment of IA Mechanisms
- Policy Issues in Information Assurance

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe".
   OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".
   OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL
http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy by completing the on-line form at IEEE at
http://www.computer.org/TCsignup/index.htm

______________________________________________________________________
TC Publications for Sale
______________________________________________________________________

IEEE Security and Privacy Symposium

The 2005 Symposium proceedings are available for $25 plus shipping and handling. The 2004 proceedings are $20 plus shipping and handling; the 2003 proceedings are $15 plus shipping and handling. A CD of the 2000-2001 proceedings is $15 plus shipping and handling. Shipping is $4.00/volume within the US, overseas surface mail is $7/volume, and overseas airmail is $11/volume, based on an order of 3 volumes or less. The shipping charge for a CD is $1 per CD (no charge if included with a hard copy order). Send a check made out to the IEEE Symposium on Security and Privacy to the TC treasurer (see officers, below) with the order description, including shipping method, and send email to Deborah Shands (shands@aero.org) with the shipping address, please.

IEEE CS Press

Back issues of TC publications may be available; contact Jonathan Millen for information about the Computer Security Foundations Workshop.
______________________________________________________________________
TC Officer Roster
______________________________________________________________________

Chair:
Heather Hinton
IBM Software Group - Tivoli
11400 Burnett Road
Austin, TX 78758
+1 512 838 0455 (voice)
hhinton@us.ibm.com

Past Chair:
Mike Reiter
Carnegie Mellon University
ECE Department
Hamerschlag Hall, Room D208
Pittsburgh, PA 15213 USA
(412) 268-1318 (voice)
reiter@cmu.edu

Vice Chair:
Jonathan Millen
The MITRE Corporation
Mail Stop S119
202 Burlington Road Rte. 62
Bedford, MA 01730-1420
781-271-51 (voice)
jmillen@mitre.org

Chair, Subcommittee on Academic Affairs:
Prof. Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department
Code CS/IC
Monterey CA 93943-5118
(831) 656-2461 (voice)
irvine@cs.nps.navy.mil

Chair, Subcommittee on Standards:
David Aucsmith
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
425-706-9225 (voice)
425-936-7329 (fax)
awk@microsoft.com

Chair, Subcomm. on Security Conferences:
Jonathan Millen
The MITRE Corporation
Mail Stop S119
202 Burlington Road Rte. 62
Bedford, MA 01730-1420
781-271-51 (voice)
jmillen@mitre.org

Treasurer:
Tom Chen
Department of Computer Science and Engineering
School of Engineering
Southern Methodist University
P.O. Box 750122
Dallas, TX 75275-0122
(214) 768-8541 (voice)
http://www.engr.smu.edu/~tchen

Newsletter Editor:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Salem, UT 84653
(801) 423-1052 (voice)
cipher-editor@ieee-security.org

________________________________________________________________________
BACK ISSUES: Cipher is archived at:
http://www.ieee-security.org/cipher.html