==========================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 69                                     November 15, 2005

Hilarie Orman, Editor                  Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org      cipher-assoc-editor @ ieee-security.org

Bob Bruen                              Yong Guan
Book Review Editor                     Calendar Editor
cipher-bookrev @ ieee-security.org     cipher-cfp @ ieee-security.org
==========================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html

Contents:

 * Letter from the Editor
 * Commentary and Opinion
    o Bob Bruen's review of Real Digital Forensics. Computer Security and Incident Response by Jones, Keith, Richard Bejtlich and Curtis Rose
    o Bob Bruen's review of Security and Usability. Designing Secure Systems That People Can Use. by Cranor, Laurie Faith and Simson Garfinkel
    o Sven Dietrich's review of Secure Coding in C and C++ by Robert C. Seacord
    o Eric Rescorla and Russ Housley report on IETF Revisions to the Transport Layer Security Protocol
    o Elisa Bertino named as the 2005 recipient of the Computer Society's Tsutomu Kanai Award.
    o Virgil Gligor to Receive NIST/NSA Security Award
    o ThePrivacyPlace.Org, 2005 Privacy Survey is Underway by Annie Anton
    o Homeland Security's ARPA Stretches Budget, Information Week
    o NIST Cryptographic Hash Workshop, program now online
    o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website
 * Conference and Workshop Announcements
    o Calendar listing
    o New calls-for-papers and events
 * List of Computer Security Academic Positions, by Cynthia Irvine
 * Staying in Touch
    o Information for subscribers and contributors
    o Recent address changes
 * Links for the IEEE Computer Society TC on Security and Privacy
    o Becoming a member of the TC
    o TC Officers
    o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

Any of you who look at your system logs are aware that there is an incessant and widespread password guessing attack against ssh accounts. I'd guess that it is a botnet, and I wonder why there is so little ability to shut it down. This Cipher issue has a reference to a research project sponsored by the US Department of Homeland Security to combat botnets, and that may offer some help. However, it is puzzling to me that there is not more attention paid to these ongoing attacks. Presumably the people behind this have an ever-increasing army of enslaved machines to draw on. Normally a "take-over" of this scope would arouse international attention and technology resources for stopping it. There has been one recent arrest in California, of a botnet operator, but surely we have the technology to stop these attacks without waiting for identification of the responsible parties.

This Cipher issue has an IETF security news article by Eric Rescorla and Russ Housley about recent changes to the ubiquitous TLS protocol.
It is interesting because it shows how cryptographic research affects Internet protocols. Standardization can be a slow process, but it is a necessary and ongoing effort.

We have book reviews, announcements of awards and surveys, news, and the list of security conferences and new calls-for-papers for researchers. The contributors have my gratitude, both the stalwarts who contribute to every issue (great thanks) and those who take advantage of Cipher's wide readership for their announcements.

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
News Briefs
====================================================================

News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Bob Bruen
11/14/05
____________________________________________________________________

Real Digital Forensics. Computer Security and Incident Response
by Jones, Keith, Richard Bejtlich and Curtis Rose
Addison-Wesley 2006.
ISBN 0-321-24069-3 $49.99. 650 pages; Index; Appendix; DVD.

In just a few short years, computer forensics has gone from a few headline grabbing cases to a standard operating procedure for almost every criminal investigation. For just about every arrest, no matter what the crime, a computer is seized. In addition to law enforcement, the private sector has jumped into the game, some offering services and some using forensics within their own organizations.
The amount of recorded information in our world today is staggering: from blogs to emails, things we wanted public and things we wanted private. The digital world is a treasure trove for discovery.

A number of good books have been published during those few short years, but there is still room for books with new and better approaches. Real Digital Forensics offers cases with real depth and supporting work on a DVD. There are five cases plus several scenarios with binaries which need to be examined.

Guardian Software gives away marketing CDs with its forensics product EnCase on it along with a few static data cases. This is clearly helpful when learning about their product because you practice using EnCase with case data. You cannot use it to analyze your data, but it is, after all, a free working version of the most court-accepted commercial forensics tool.

The chapters detailing the cases and the accompanying DVD are even more valuable for practice. The reader is able to follow the thinking of the investigator, discovering why a step was taken or what step should follow that step. The tools cover a wide spectrum, although some are limited in functionality. There is a limited version of IDAPro, Red Cliff's Web Historian and several others. If you believe that Windows actually deletes your history of web surfing when you tell it to do so, try the Web Historian for an unpleasant surprise. The chosen tools are a good set.

Another good choice by the authors was to include a good balance throughout the book between Unix (*BSD and Linux) and Windows. Several of the later chapters cover reverse engineering in excellent detail. They do not call it reverse engineering, instead it is static analysis or dynamic analysis of a binary. They use the built-in Unix commands and several tools to do the work on both Unix and Windows. In addition, they cover network-based forensics.
Given that this is a new forensics text it is up to date with several chapters on duplicating and analyzing PDAs and USB drives. EnCase is used in one of the chapters. Lastly, there is a chapter devoted to choosing a set of tools which will go on your personal Knoppix CD which you can create using their instructions.

Whatever good forensics books you may have, this one needs to be read and added to your collection. It is a highly recommended book for the content, as well as the presentation, which is one of the best I have seen.

____________________________________________________________________
Book Review By Bob Bruen
11/15/05
____________________________________________________________________

Security and Usability. Designing Secure Systems That People Can Use.
by Cranor, Laurie Faith and Simson Garfinkel
O'Reilly 2005.
ISBN 0-596-00827-9 $44.95. 714 pages; index.

Among books in the security field, there are not many collections of academic papers. I only hedge my bet because I cannot recall one, but I may have missed it. Bruce Schneier's Privacy Papers does not count because the papers are of a different type. In other fields, these sorts of collections are common for the simple reason they are of great value. While books by one author, or several, give us the benefit of that author's experience, knowledge and opinion, a collection of essays or research papers on a narrow topic gives us a broader base. We can see viewpoints that are in opposition or complementary or supportive. We also get the benefit of each of the authors' special contribution, especially if the editors have done their job well.

Faith and Garfinkel selected an important topic in security and usability. The question of how much you have to give up for security extends to privacy, convenience, money, usability and other areas. Freedom is not free, it comes with a price and we have to struggle daily to keep our liberties.
I have always thought the cost would be in the struggle against those who would deny us, not in the struggle with those who would protect us. For many people, it seems a given that there is always a trade-off when security is applied or increased. Now we have a substantial amount of evidence that runs counter to the argument that usability must be sacrificed for security.

The editors have selected high quality papers for inclusion in their book. There are 34 papers distributed among six parts. The parts include privacy and systems, as well as a part with papers from vendors. I often feel as though vendors care very little about my personal experience, but these papers prove me wrong, at least in a few cases. The paper on the thinking and responsiveness of Firefox's development was particularly instructive. Perhaps this is the explanation of its popularity. It is one thing to become popular because what folks were using had crossed the pain threshold, but it is another to sustain that popularity. The competitor has improved and Firefox has experienced problems, but the thinking behind Firefox's design has made the difference.

Some of the topics are controversial, such as the paper by Roger Dingledine and Nick Mathewson on anonymity. These two are principals in Tor and Mixminion, whose purposes are anonymity while using the Internet. The debate is about law enforcement's ability to track down criminals versus an individual's right to speak without fear. Most of us like the idea of being anonymous ourselves, but the other guy, well not so much. Citizens in some countries face death if they are discovered exercising a right we take for granted, such as criticizing the government. On the other hand, few of us want to see thieves and con men stealing money over the 'Net and then vanishing into the shadows. While this debate will not be settled here or even in this book, the topic needs well-done research.

Security and Usability is one of those few books that push the security field forward. As much as I enjoy books on hacking stuff, thoughtful work on the impact on society is extremely important. I highly recommend this book, which will become a foundation for others to build upon. The other 32 papers are as good as the two I highlighted. More than likely, any reader will find at least a few papers which will strike home.

____________________________________________________________________
Book Review By Sven Dietrich
11/14/05
____________________________________________________________________

Secure Coding in C and C++
by Robert C. Seacord
The SEI Series in Software Engineering. Foreword by Rich Pethia, CERT Director
Addison-Wesley Professional 2005.
ISBN 0321335724 Paperback, 368 pages.

Secure Coding in C and C++ (http://www.awprofessional.com/title/0321335724) provides practical advice on secure practices in C and C++ programming. Producing secure programs requires secure designs. However, even the best designs can lead to insecure programs if developers are unaware of the many security pitfalls inherent in C and C++ programming. This book provides a detailed explanation of common programming errors in C and C++ and describes how these errors can lead to code that is vulnerable to exploitation. The book concentrates on security issues intrinsic to the C and C++ programming languages and associated libraries. It does not emphasize security issues involving interactions with external systems such as databases and web servers, as these are rich topics on their own. The intent is that this book be useful to anyone involved in developing secure C and C++ programs regardless of the specific application.

___________________________________________________________________________
IETF Revises Transport Layer Security
11/14/05, Special to Cipher
by Eric Rescorla and Russ Housley
___________________________________________________________________________

Transport Layer Security (TLS) [1] is probably the most widely used Internet security protocol. TLS provides a generic secure channel abstraction for use by upper layer application protocols. While originally designed for use with HyperText Transfer Protocol (HTTP) [2], it is also used to secure a wide variety of protocols ranging from the Simple Mail Transport Protocol (SMTP) [3] to the Session Initiation Protocol (SIP) [4].

The IETF has revised TLS, creating TLS 1.1 [5], to address some vulnerabilities and to add new functionality:

 * The initial IETF version of TLS, TLS 1.0, was a revision of the Secure Sockets Layer (SSL) version 3. TLS 1.0 was published in January 1999. TLS 1.1 was approved by the IESG last July, and it is currently in the IETF RFC Editor Queue. TLS 1.1 contains minor improvements to address some recent attacks [6,7] on the Cipher-Block Chaining (CBC) encryption modes used with DES, 3DES, and AES. TLS 1.1 also clarifies a number of interoperability issues.

 * Addition of Camellia Cipher Suites to Transport Layer Security [8] adds support for the Camellia algorithm, which has been standardized by the NESSIE initiative.

 * Addition of SEED Cipher Suites to Transport Layer Security [9] adds support for the SEED algorithm, which is a Korean national standard developed by KISA (Korean Information Security Agency).

 * Pre-Shared Key Ciphersuites for Transport Layer Security [10] allows clients and servers to use a shared symmetric key to authenticate the creation of a TLS connection. This mode is expected to be useful by itself as well as for integration with other authentication protocols. This document is also in the RFC Editor Queue.

 * The TLS Working Group has finished the specification for the use of Elliptic Curve Cryptography (ECC) with TLS [11]. IETF Last Call of this document will complete on November 22nd, and then the IESG will begin its review. The document might be in the RFC Editor queue before the end of the year.

In the wake of the recent attacks on MD5 and SHA-1, the TLS Working Group is beginning work on TLS 1.2, which will start the transition away from those one-way hash functions. In addition, the TLS Working Group has recently adopted a work item to develop counter mode (CTR) cipher suites for AES. These cipher suites will allow the security of AES with the same low packet space overhead of the RC4 stream cipher.

[1] T. Dierks and C. Allen. "The TLS Protocol Version 1.0." RFC 2246. January 1999.
[2] R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, and T. Berners-Lee. "Hypertext Transfer Protocol -- HTTP/1.1." RFC 2616. June 1999.
[3] J. Klensin, Ed. "Simple Mail Transfer Protocol." RFC 2821. April 2001.
[4] J. Rosenberg, H. Schulzrinne, G. Camarillo, A. Johnston, J. Peterson, R. Sparks, M. Handley, and E. Schooler. "SIP: Session Initiation Protocol." RFC 3261. June 2002.
[5] http://www.ietf.org/internet-drafts/draft-ietf-tls-rfc2246-bis-13.txt
[6] S. Vaudenay, "Security Flaws Induced by CBC Padding - Applications to SSL, IPsec, WTLS, ...", In Advances in Cryptology - EUROCRYPT'02, Amsterdam, Netherlands, LNCS 2332, pp. 534-545, Springer Verlag, 2002.
[7] B. Mueller, "Security of CBC Ciphersuites in SSL/TLS: Problems and Countermeasures." [http://www.openssl.org/~bodo/tls-cbc.txt, 2002]
[8] S. Moriai, A. Kato, and M. Kanda. "Addition of Camellia Cipher Suites to Transport Layer Security (TLS)." RFC 4132. July 2005.
[9] H.J. Lee, J.H. Yoon, and J.I. Lee. "Addition of SEED Cipher Suites to Transport Layer Security (TLS)." RFC 4162. August 2005.
[10] http://www.ietf.org/internet-drafts/draft-ietf-tls-psk-09.txt
[11] http://www.ietf.org/internet-drafts/draft-ietf-tls-ecc-12.txt

___________________________________________________________________________
Elisa Bertino
Award Announcement
Contributed by Gene Spafford
___________________________________________________________________________

Professor Elisa Bertino, CERIAS's Director of Research, has been named as the 2005 recipient of the Computer Society's Tsutomu Kanai Award. The Computer Society of the IEEE makes this award each year.

The Tsutomu Kanai Award was created by a generous endowment from Hitachi, Ltd. It recognizes major contributions to state-of-the-art distributed computing systems and their applications. The award consists of a certificate, crystal memento, and a $10,000 honorarium.

Previous winners of the award are listed at http://tinyurl.com/74ehv

This is a major award for outstanding contributions, and it is very well deserved.

___________________________________________________________________________
Virgil Gligor to Receive NIST/NSA Security Award
Award Announcement
Contributed by Gene Spafford
___________________________________________________________________________

Dr. Virgil Gligor, one of the country's pioneering figures in computer security, will be presented with the 2006 National Information Systems Security Award by the National Institute of Standards and Technology and the National Security Agency in a ceremony at the 26th Annual Computer Security Applications Conference in Tucson, AZ on Dec. 6, 2005. The award recognizes individuals for scientific or technological breakthroughs, outstanding leadership, highly distinguished authorship, or significant long-term contributions in the computer security field.

Gligor, a professor of electrical and computer engineering at the University of Maryland, College Park, MD, will receive the prestigious award for his outstanding contributions to advance computer security technology.
Gligor has been a leader in computer security research and education for 30 years in a broad range of areas including access control mechanisms, penetration analysis, denial-of-service protection, cryptographic protocols, and applied cryptography.

Previous winners of this award:

1988 Steve Walker
1989 Willis Ware
1990 Jim Anderson
1991 Roger Schell
1992 Walter Tuckman
1993 Robert Courtney
1994 Donn Parker
1995 Dennis Branstad
1996 Whit Diffie, Martin Hellman, & Ron Rivest
1997 David Clark
1998 Butler Lampson
1999 Dorothy Denning
2000 Eugene H. Spafford
2002 Peter G. Neumann
2005 Virgil Gligor

___________________________________________________________________________
ThePrivacyPlace.Org 2005 Privacy Survey is Underway
Annie Anton
___________________________________________________________________________

Researchers at ThePrivacyPlace.Org are conducting an online survey about privacy policies and user values. The survey is supported by an NSF ITR grant (National Science Foundation Information Technology Research) and will help us with our investigations of privacy policy expression and user comprehension.

The URL is: http://survey.theprivacyplace.org/

We need to attract several thousand respondents, and would be most appreciative if you would consider helping us get the word out about the survey, which takes about 5 to 10 minutes to complete. The results will be made available in 2006 via our project website http://www.theprivacyplace.org/. There are prizes and IBM sponsored giveaways.

___________________________________________________________________________
Homeland Security's ARPA Stretches Budget for Internet Security
http://informationweek.com/story/showArticle.jhtml?articleID=173600460
Original article from InformationWeek, by J. Nicholas Hoover
Nov. 8, 2005
contributed by Richard Schroeppel
___________________________________________________________________________

"With a shrinking budget, the Advanced Research Projects Agency's cyber-security arm has to leverage internal expertise with that of academia and industry to get research done and have products commercialized."

The article mentions the agency's commercialization focus and its ongoing research projects for security-awareness, discovering botnets, secure information repositories about Internet traffic patterns, adding security to the Domain Naming System, and secure Internet routing. Concerns about thin clients for Internet access are also surfaced.

___________________________________________________________________________
NIST Hash Workshop
October 31, 2005 - November 1, 2005
___________________________________________________________________________

The recent NIST workshop on cryptographic hashes was an interesting event with several good talks. NIST is focusing on determining what to use for a hashing standard in place of SHA-1, how fast to move to the next standard, and whether or not the SHA-2 family is sufficiently secure for the future. The discoverer of the MD5 collisions, Xiaoyun Wang, spoke about progress towards similar attacks on SHA-1, indicating that the work factor may now be as low as 2^64. Cryptographic hash functions age quickly.
The papers are online at http://www.csrc.nist.gov/pki/HashWorkshop/program.htm ==================================================================== Conference and Workshop Announcements ==================================================================== The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html ____________________________________________________________________ Cipher Event Calendar ____________________________________________________________________ Calendar of Security and Privacy Related Events maintained by Hilarie Orman and Yong Guan 11/14/05-11/16/05: CNIS, The IASTED International Conference on Communication, Network, and Information Security Phoenix, AZ; http://www.iasted.org/conferences/2005/phoenix/cnis.htm 11/15/05: IFMIP, 5th International Forum on Multimedia and Image Processing Special Sessions on Information Security and Hardware Implementations Budapest, Hungary; http://wacong.org; Submissions are due 11/18/05: iTrust, 4th International Conference on Trust Management Pisa, Tuscany, Italy; http://www.iit.cnr.it/iTrust2006/; Submissions are due 11/20/05: SUTC, IEEE International Conference on Sensor Networks, Ubiquitous, and Trustworthy Computing, Taichung, Taiwan; http://sutc2006.asia.edu.tw/; Submissions are due 11/21/05-11/24/05: Tencon, IEEE International Region 10 Conference Melbourne, Australia; http://www.tencon2005.org/ 11/22/05: WIA, Workshop on Information Assurance, Phoenix, Arizona; http://www.sis.pitt.edu/~lersais/WIA2006/; Submissions are due 11/25/05: FSE, 13th annual Fast Software Encryption workshop Graz, Austria; http://fse2006.iaik.tugraz.at/; Submissions are due 11/27/05: PSDM, Workshop on Privacy and Security Aspects of Data Mining, Houston, TX; http://www.site.uottawa.ca/~zhizhan/ppdmworkshop2005/psdm05 11/28/05: IWIA, Information Assurance Workshop Royal Holloway, 
UK; iwia.org/2006/; Submissions are due; info SWOLTHUSEN@IEEE.ORG; 11/29/05: WEBIST, 2nd International Conference on Web Information Systems and Technologies Setubal, Portugal; http://www.webist.org/; Submissions are due 11/30/05: Nano-Security, Nano-Security Workshop, Gaithersburg, MD; http://www.csrc.nist.gov/pki/Nano-Security/index.html; Submissions are due 11/30/05-12/ 2/05: AXMEDIS, 1st International Conference on Automated Production of Cross Media Content for Multi-channel Distribution Florence, Italy; http://www.axmedis.org/axmedis2005/call4papers.html --------------- 12/ 4/05: ARES, 1st International Conference on Availability, Reliability and Security, Vienna, Austria; http://www.ifs.tuwien.ac.at/ares2006/; Submissions are due 12/ 6/05-12/ 9/05: ICICS, International Conference on Information and Communications Security Beijing, China; www.icics2005.org/ 12/13/05: SISW, Security in Storage Workshop San Francisco, California; ieeeia.org/sisw/2005/index.htm 12/14/05-12/16/05: CANS, Conference on Cryptology and Network Security Xiamen, Fujian Province, China; math.fjnu.edu.cn/cans 12/15/05: ACIS, Applied Cryptography and Information Security Workshop, Glasgow, UK; http://www.acis06.org/; Submissions are due 12/15/05-12/17/05: SKLOIS, Conference on Information Security and Cryptology Beijing, China; www.is.iscas.ac.cn/cisc/index.htm 12/22/05-12/24/05: ICDCIT, International Conference on Distributed Computing & Internet Technology Bhubaneswar, India; http://www.cse.iitk.ac.in/~rkg/ICDCIT05/ 12/23/05: WITS, 6th International Workshop on Issues in the Theory of Security, Vienna, Austria; http://www4.in.tum.de/~wits06/; Submissions are due 12/28/05: Cluster-Sec, 2nd International Workshop on Cluster Security, Singapore; http://www.ncassr.org/projects/cluster-sec/ccgrid06/; Submissions are due --------------- 1/ 4/06- 1/ 7/06: HICSS-39 Security Minitrack, International Conference on System Sciences Kauai, Hawaii; http://www.cs.uidaho.edu/~krings/HICSS39.htm 1/ 
6/06: ETRICS, International Conference on Emerging Trends in Information and Communication Security, Freiburg, Germany; http://www.etrics.org/; Submissions are due 1/10/06: DRM-ICC, Workshop on Digital Rights Management Impact on Consumer Communications, Las Vegas, NV; www.ieee-ccnc.org/2006/conf_program/drm_workshop/index.htm 1/13/06: DIMVA, 3rd GI SIG SIDAR Conference on Detection of Intrusions & Malware, and Vulnerability Assessment, Berlin, Germany; http://www.dimva.org/dimva2006; Submissions are due 1/15/06: ACNS, 4th International Conference on Applied Cryptography and Network Security, Singapore; http://acns2006.i2r.a-star.edu.sg/; Submissions are due 1/16/06- 1/19/06: AISW-NetSec, Australasian Information Security Workshop Hobart, Tasmania, Australia; http://www.titr.uow.edu.au/AISWNS2006/ 1/17/06: USENIX, USENIX Annual Technical Conference Boston, MA; http://www.usenix.org/events/usenix06/index.html; Submissions are due 1/17/06: TSPUC, 2nd International Workshop on Trust, Security and Privacy for Ubiquitous Computing , Buffalo, NY; http://www.usenix.org/events/usenix06/index.html; Submissions are due 1/31/06: CEC, IEEE CEC 2006 Special Session on Evolutionary Computation in Cryptology and Computer Security, Vancouver, BC, Canada; http://kolmogorov.seg.inf.uc3m.es/; Submissions are due --------------- 2/ 1/06: USENIX Security, 15th USENIX Security Symposium, Vancouver, B.C., Canada; http://www.usenix.org/events/sec06/; Submissions are due 2/ 2/06- 2/ 3/06: NDSS, Network and Distributed System Security Symposium San Diego, California; www.isoc.org/isoc/conferences/ndss/06/cfp.shtml 2/22/06- 2/23/06: Nano-Security, Nano-Security Workshop, Gaithersburg, MD; http://www.csrc.nist.gov/pki/Nano-Security/index.html 2/27/06-3/ 2/06: FC, 10th International Conference on Financial Cryptography and Data Security, Anguilla, British West Indies; http://fc06.ifca.ai/ --------------- 3/ 1/06: International Journal of Networks and Security (IJSN), Special Issue on 
Cryptography in Networks; Submissions are due 3/ 1/06- 3/ 3/06: TRIDENTCOM, 2nd International IEEE/Create-Net Conference on Testbeds and Research Infrastructures for the Development of Networks and Communities, Barcelona, Spain; http://www.tridentcom.org/ 3/ 3/06: PET, 6th Workshop on Privacy Enhancing Technologies, Robinson College, Cambridge, UK; http://petworkshop.org/2006/; Submissions are due 3/13/06- 3/15/06: ISSSE, International Symposium on Secure Software Engineering; Washington DC; www.jmu.edu/iiia/issse/ 3/15/06: Journal of Machine Learning Research, Special Issue on Machine Learning for Computer Security; Submissions are due 3/15/06- 3/17/06: FSE, 13th annual Fast Software Encryption workshop Graz, Austria; http://fse2006.iaik.tugraz.at/ 3/20/06: WEIS, 5th Workshop on the Economics of Information Security, University of Cambridge, UK; http://www.cl.cam.ac.uk/~twm29/WEIS06/; Submissions are due 3/21/06- 3/23/06: AsiaCCS, ACM Symposium on Information, Computer and Communications Security Taipei, Taiwan; www.iis.sinica.edu.tw/asiaccs06/ 3/25/06- 3/26/06: WITS, 6th International Workshop on Issues in the Theory of Security, Vienna, Austria; http://www4.in.tum.de/~wits06/ --------------- 4/ 4/06- 4/ 6/06: PKI R&D Workshop, 5th Annual PKI R&D Workshop: Making PKI Easy to Use, Gaithersburg, MD; http://middleware.internet2.edu/pki06 4/10/06- 4/12/06: WIA, Workshop on Information Assurance, Phoenix, Arizona; http://www.sis.pitt.edu/~lersais/WIA2006/ 4/10/06- 4/13/06: WEBIST, 2nd International Conference on Web Information Systems and Technologies Setubal, Portugal; http://www.webist.org/ 4/11/06- 4/14/06: ISPEC 2006 2nd Information Security Practice and Experience Conference, Hangzhou, China; http://ispec2006.i2r.a-star.edu.sg 4/13/06- 4/14/06: IWIA, Information Assurance Workshop Royal Holloway, UK; iwia.org/2006/ 4/18/06: WSSEET, Workshop on Secure Software Engineering Education and Training, Turtle Bay, Oahu, HI; www.jmu.edu/iiia/wsseet/ 4/18/06- 4/20/06: 
SNDS, 2nd International Workshop on Security in Networks and Distributed Systems, Vienna, Austria; http://www.comp.polyu.edu.hk/SNDS06 4/18/06- 4/21/06: SPC, 3rd International Conference on Security in Pervasive Computing, York, UK; http://www.cs.york.ac.uk/security/spc-2006/spc-2006-cfp.html 4/20/06- 4/22/06: ARES, 1st International Conference on Availability, Reliability and Security, Vienna, Austria; http://www.ifs.tuwien.ac.at/ares2006/ 4/23/06- 4/27/06: SAC-TRECK, ACM Symposium on Applied Computing, Track: Trust, Recommendations, Evidence and other Collaboration Know-how Dijon, France; www.acm.org/conferences/sac/sac2006/ --------------- 5/ 8/06- 5/11/06: ACIS, Applied Cryptography and Information Security Workshop, Glasgow, UK; http://www.acis06.org/ 5/16/06: iTrust, 4th International Conference on Trust Management Pisa, Tuscany, Italy; http://www.iit.cnr.it/iTrust2006/ 5/16/06- 5/19/06: Cluster-Sec, 2nd International Workshop on Cluster Security, Singapore; http://www.ncassr.org/projects/cluster-sec/ccgrid06/ 5/21/06- 5/24/06: Oakland, the 2006 IEEE Symposium on Security and Privacy, The Claremont Resort, Berkeley/Oakland, CA; http://www.ieee-security.org/TC/SP2006/oakland06-cfp.html 5/22/06- 5/24/06: SEC, IFIP TC-11 International Information Security Conference, Karlstad University, Sweden; www.sec2006.org 5/22/06- 5/24/06: I-NetSec, 4th Working Conference on Privacy and Anonymity in Networked and Distributed Systems, Karlstad, Sweden; http://www.sec2006.org/index.php?INETWS=true 5/30/06- 6/ 3/06: USENIX, USENIX Annual Technical Conference Boston, MA; http://www.usenix.org/events/usenix06/index.html --------------- 6/ 5/06- 6/ 7/06: SUTC, IEEE International Conference on Sensor Networks, Ubiquitous, and Trustworthy Computing, Taichung, Taiwan; http://sutc2006.asia.edu.tw/ 6/ 6/06- 6/ 9/06: ETRICS, International Conference on Emerging Trends in Information and Communication Security, Freiburg, Germany; http://www.etrics.org/ 6/ 6/06- 6/ 9/06: ACNS, 4th 
International Conference on Applied Cryptography and Network Security, Singapore; http://acns2006.i2r.a-star.edu.sg/ 6/26/06: TSPUC, 2nd International Workshop on Trust, Security and Privacy for Ubiquitous Computing , Buffalo, NY; http://www.usenix.org/events/usenix06/index.html 6/26/06- 6/28/06: WEIS, 5th Workshop on the Economics of Information Security, University of Cambridge, UK; http://www.cl.cam.ac.uk/~twm29/WEIS06/ 6/28/06- 6/30/06: PET, 6th Workshop on Privacy Enhancing Technologies, Robinson College, Cambridge, UK; http://petworkshop.org/2006/ --------------- 7/13/06- 7/14/06: DIMVA, 3rd GI SIG SIDAR Conference on Detection of Intrusions & Malware, and Vulnerability Assessment, Berlin, Germany; http://www.dimva.org/dimva2006 7/16/06- 7/21/06: CEC, IEEE CEC 2006 Special Session on Evolutionary Computation in Cryptology and Computer Security, Vancouver, BC, Canada; http://kolmogorov.seg.inf.uc3m.es/ 7/25/06- 7/28/06: IFMIP, 5th International Forum on Multimedia and Image Processing, Special Sessions on Information Security and Hardware Implementations, Budapest, Hungary; http://wacong.org 7/31/06- 8/ 4/06: USENIX Security, 15th USENIX Security Symposium, Vancouver, B.C., Canada; http://www.usenix.org/events/sec06/ ==================================================================== New Call-for-Papers (since Cipher E68) ==================================================================== International Journal of Networks and Security (IJSN), Special Issue on Cryptography in Networks, December 2006. (Submission due 1 March 2006) http://www.uow.edu.au/~ymu/ijsn/ Guest editors: Liqun Chen (Hewlett-Packard Labs, UK), Guang Gong (University of Waterloo, Canada), Atsuko Miyaji (JAIST, Japan), Phi Joong Lee (Pohang Univ. of Science & Technology, Korea), Yi Mu (Univ. of Wollongong, Australia), David Pointcheval (Ecole Normale Sup?ieure, France), Josef Pieprzyk (Macquarie Univ., Australia), Tsuyoshi Takagi (Future Univ. - Hakodate, Japan), Jennifer Seberry (Univ. 
of Wollongong, Australia), Willy Susilo (Univ. of Wollongong, Australia), and Huaxiong Wang (Macquarie Uni., Australia)

Cryptography plays a key role in network security. Advances of cryptography can make computer networks more secure. Computer technologies have been pushing forward computer networks for high speed and broad bandwidth. Therefore, new cryptographic methods and tools must follow up in order to adapt to these new technologies. Recent attacks on computer networks, especially on IEEE 802.11 and IEEE 802.15, are increasing, since underlying radio communication medium for wireless network provides serious exposure to attacks against wireless networks. Security must be enforced to suit the emerging technologies. This Special Issue aims to provide a platform for security researchers to present their newly developed cryptographic technologies in network security.

Areas of interest for this special journal issue include, but are not limited to, the following topics:
- Ad hoc network security
- Anonymity in networks
- Authentication in network and wireless systems
- Cryptographic algorithms and their applications to network security
- Cryptanalysis of network security schemes
- Encryption in network and wireless systems
- Email security
- Data integrity
- Fast cryptographic algorithms and their applications
- Identity-based cryptography in network and mobile applications
- IP security
- Key management
- Multicast security
- Mobile and wireless system security
- Privacy protection
- Security group communications
- Security in internet and WWW
- Security in Peer-to-Peer networks
- Secure routing protocols
- Security in sensor networks
-------------------------------------------------------------------------
Journal of Machine Learning Research, Special Issue on Machine Learning for Computer Security, 2006.
(Submission due 15 March 2006)
http://www.cs.fit.edu/~pkc/mlsec/

Guest editors: Philip Chan (Florida Tech) and Richard Lippmann (MIT Lincoln Lab)

As computers have become more ubiquitous and connected, their security has become a major concern. Of interest to this special issue is research that demonstrates how machine learning (or data mining) techniques can be used to improve computer security. This includes efforts directed at improving security of networks, hosts, and individual applications or computer programs. Research can have many goals including, but not limited to, authenticating users, characterizing the system being protected, detecting known or unknown vulnerabilities that could be exploited, using software repositories as training data to find software bugs, preventing attacks, detecting known and novel attacks when they occur, analyzing recently detected attacks, responding to attacks, predicting attacker actions and goals, performing forensic analysis of compromised systems, and analyzing activities seen in honey pots and network "telescopes" or "black holes."

Of special interest are studies that use machine learning techniques, carefully describe their approach, evaluate performance in a realistic environment, and compare performance to existing accepted approaches. Studies that use machine learning techniques or extend current techniques to address difficult security-related problems are of most interest. It is expected that studies will have to address many classic machine learning issues including feature selection, feature construction, incremental/online learning, noise in the data, skewed data distributions, distributed learning, correlating multiple models, and efficient processing of large amounts of data.
-------------------------------------------------------------------------
IFMIP 2006 5th International Forum on Multimedia and Image Processing, Special Sessions on Information Security and Hardware Implementations, Budapest, Hungary, July 25-28, 2006.
(Submissions due 15 November 2005)
http://wacong.org

This special session is within the Multimedia and Image Processing Track (5th International Forum on Multimedia and Image Processing, IFMIP 2006). The IFMIP is going to take place in the World Automation Congress. The scope of this special session is on all views of communication security, and cryptography implementations. The call is addressed to scientists and engineers, who design, develop, and implement information security and cryptography subsystems. We encourage scientists and engineers from both academic and industrial environments to submit their works in order to enhance the knowledge, expertise, and experience of the whole community in information security, cryptography and hardware implementations.

The subject areas include, but are not limited to, the following:
- Security for mobile devices and 3G applications
- Reconfigurable processors in cryptography
- Smart cards security
- Computer architectures for public-key and secret-key cryptosystems
- Crypto-Processors for wireless networks
- Cryptography for pervasive computing (e.g., RFID, Bluetooth, etc.)
- True and pseudo random number generators
- Identification and authentication
- New encryption algorithms
- Cryptography and cryptanalysis
- Case studies, surveys
- Architectural optimizations of security schemes and ciphers for wireless communications
- Modular and Galois field arithmetic architectures for security applications
-----------------------------------------------------------------------
iTrust 2006 4th International Conference on Trust Management, Pisa, Tuscany, Italy, May 16-19, 2006.
(Submissions due 18 November 2005)
http://www.iit.cnr.it/iTrust2006/

The iTrust international Conference looks at trust from multidisciplinary perspectives: economic, legal, psychology, philosophy, sociology, as well as information technology. Building upon the work of the IST iTrust working group (http://www.itrust.uoc.gr) and the success of the three previous iTrust International conferences, the aims of iTrust'2006 are to attract a critical mass of experts from industry, government, and academia with a keen interest in the area of trust management.

Full technical papers contributing to the issue of trust management are solicited in relevant areas, including but not limited to:
- The legal notion of trust in computer science and engineering
- Requirements and methodologies to ensure that the user can reasonably trust the functioning of software systems
- Trust management frameworks for secure collaborations in dynamic Virtual Organisations
- Design of trust-based architectures and decision-making mechanisms for e-community and e-service interactions
- Trust specification, analysis and reasoning
- Dynamics of trust dispositions and relations
- Realization of prototypes of software architectures and applications
- Trust elements in contract negotiation, execution monitoring, re-negotiation and arbitration
- Legal contribution to trust in technological infrastructures and interactions: the on-line identification of subjects, the evaluation of their reliability, data protection, security, privacy and confidentiality, commercial transactions, the resolution of disputes, software agents, and management of access to source code
- Trust in interaction and cooperation mediated through computer and network, and the balance of control and intervention
- Research in on-line trust, the trust of the consumer towards the web sites of distribution companies
- Analysis of the relationship between trust and such notions as confidence, distrust, diffidence, expectation, risk, and
reliance
-----------------------------------------------------------------------
SUTC 2006 IEEE International Conference on Sensor Networks, Ubiquitous, and Trustworthy Computing, Taichung, Taiwan, June 5-7, 2006.
(Submissions due 20 November 2005)
http://sutc2006.asia.edu.tw/

The IEEE International Conference on Sensor Networks, Ubiquitous, and Trustworthy Computing (SUTC2006) is an international forum for researchers to exchange information regarding advancements in the state of the art and practice of sensor networks, ubiquitous and trustworthy computing, as well as to identify the emerging research topics and define the future of sensor networks, ubiquitous and trustworthy computing. The technical program of SUTC2006 will consist of invited talks, paper presentations, and panel discussions. Submissions of high quality papers describing mature results or on-going work are invited.

Topics for submission include but are not limited to:
- Sensor network architecture and protocols
- Operating systems
- Routing protocols
- Data storage
- Ubiquitous computing and Ad Hoc networking
- Ubiquitous intelligence and smart spaces
- Embedded chips, sensor, and actuator
- Self-adaptive and self-healing systems
- Topology construction and coverage maintenance
- Energy and mobility management
- Context and location aware applications
- Data gathering, fusion, and dissemination
- Distributed coordination algorithms
- Complexity analysis of algorithms
- QoS, security, privacy, reliability, and social issues
- Trust establishment, negotiation, and management
- Authentication and access control
- Intrusion detection and tolerance
- Design and programming methodologies for wireless systems
- Formal methods for analysis of wireless systems
- Performance evaluation and modeling of mobile and wireless networks
- Simulation languages and systems for wireless systems
- Testing and debugging techniques for wireless systems
- Personal Area Networks
- Database management systems and mobile
computing
- User interface technologies
- Applications of wireless sensor networks
-----------------------------------------------------------------------
WIA 2006 Workshop on Information Assurance, Held in conjunction with the 25th IEEE International Performance Computing and Communications Conference (IPCCC), Phoenix, Arizona, April 10-12, 2006.
(Submissions due 22 November 2005)
http://www.sis.pitt.edu/~lersais/WIA2006/

We seek papers that address theoretical, experimental, systems-related and work in-progress in the area of Information Assurance at the network and system levels. We expect to have three types of sessions - the first related to survivability and fault tolerance, the second related to security, and the third related to the interactions between security and survivability. Papers should describe original, previously unpublished work, not currently under review by another conference, workshop, or journal. Papers accepted for presentation will be published in the IPCCC conference proceedings. The workshop will also include invited papers.

Topics of interest include, but are not limited to:
- Authorization and access-control
- Web services security
- Database and system security
- Risk analysis and security management
- Security verification/validation
- Wireless LAN Security
- Restoration techniques for networks
- Reliability/Availability of IP networks
- Digital Rights Management
- DoS protection for the Internet
- Cryptographic protocols and Key management
- Intrusion Detection Techniques
- Ad hoc and sensor network security
- Models and architectures for systems security and survivability
- Security and survivability in optical networks
- E/M-commerce security and survivability architectures
- Public policy issues for security and survivability
-----------------------------------------------------------------------
FSE 2006 13th annual Fast Software Encryption workshop, Graz, Austria, March 15-17, 2006.
(Submissions due 25 November 2005)
http://fse2006.iaik.tugraz.at/

FSE 2006 is the 13th annual Fast Software Encryption workshop, for the fifth year sponsored by the International Association for Cryptologic Research (IACR). Original research papers on symmetric cryptology are invited for submission to FSE 2006. The workshop concentrates on fast and secure primitives for symmetric cryptography, including the design and analysis of block ciphers, stream ciphers, encryption schemes, analysis and evaluation tools, hash functions, and message authentication codes (MACs).
-------------------------------------------------------------------------
IWIA 2006 4th IEEE International Information Assurance Workshop, Royal Holloway, UK, April 13-14, 2006.
(Submissions due 28 November 2005)
http://iwia.org/2006/

The IEEE Task Force on Information Assurance is sponsoring a workshop on information assurance in cooperation with the ACM SIGSAC on research and experience in information assurance. The workshop seeks submissions from academia, government, and industry presenting novel research, applications and experience, and policy on all theoretical and practical aspects of IA.

Possible topics include, but are not limited to the following:
- Operating System IA & S
- Storage IA & S
- Network IA & S
- IA Standardization Approaches Information Sharing in Coalition Settings
- Security Models
- Survivability and Resilient Systems
- Formal Methods and Software Engineering for IA
- Proactive Approaches to IA
- CCITSE Experience and Methodology
- Intrusion Detection, Prediction, and Countermeasures
- Insider Attack Countermeasures
- Specification, Design, Development, and Deployment of IA Mechanisms
- Policy Issues in Information Assurance
-------------------------------------------------------------------------
WEBIST 2006 2nd International Conference on Web Information Systems and Technologies, Setúbal, Portugal, April 10-13, 2006.
(Submissions due 29 November 2005)
http://www.webist.org/

The purpose of the 2nd International Conference on Web Information Systems and Technologies (WEBIST-2006) is to bring together researchers, engineers and practitioners interested in the technological advances and business applications of web-based information systems. The conference has four main tracks, covering different aspects of Web Information Systems, including Internet Technology, Web Interfaces and Applications, Society, e-Communities, e-Business and, last but not least, e-Learning. WEBIST focuses on real world applications; therefore authors should highlight the benefits of Web Information Systems and Technologies for industry and services, in addition to academic applications.

Possible topics include, but are not limited to the following:

AREA 1 - INTERNET TECHNOLOGY
- XML and data management
- Web Security and Privacy
- Intrusion Detection and Response
- Authentication and Access Control
- Grid Computing
- Web Services and Web Engineering
- System Integration
- Databases and Datawarehouses
- Wireless Applications
- Distributed and Parallel Applications
- Protocols and Standards
- Network systems, proxies and servers

AREA 2 - WEB INTERFACES AND APPLICATIONS
- Multimedia and User interfaces
- Accessibility issues and Technology
- User Modeling
- Web Personalization
- Usability and Ergonomics
- Personalized Web Sites and Services
- Portal strategies
- Searching and Browsing
- Ontology and the Semantic Web
- Metadata and Metamodeling
- Web mining
- Digital Libraries

AREA 3: SOCIETY, e-COMMUNITIES and e-BUSINESS
- e-Business and e-Commerce
- e-Payment
- B2B, B2C and C2C
- Knowledge Management
- Social Networks and Organizational Culture
- Social Information Systems
- Communities of practice
- Communities of interest
- Social & Legal Issues
- Tele-Work and Collaboration
- e-Government

AREA 4: e-LEARNING
- e-Learning standards and tools
- Web-based Education
- Web-based Teaching and Learning Technologies
- Designing Learning Activities
- Content-based and Context-based Learning
- Learning Materials Development
- Intelligent Tutoring Systems
- Virtual Learning Communities
- Case-studies and applications
- Competition and Collaboration
- Software tools for e-Learning
-------------------------------------------------------------------------
Nano-Security 2006 Nano-Security Workshop, Gaithersburg, MD, USA, February 22-23, 2006.
(Submissions due 30 November 2005)
http://www.csrc.nist.gov/pki/Nano-Security/index.html

As the promise of nanotechnology is realized, researchers at the National Institute of Standards and Technology (NIST) and Southern Methodist University (SMU) recognize the importance of understanding the security issues associated with fabrication and deployment of nano-devices. The focus of the workshop is to: (1) identify new security applications enabled with the availability of nanotechnology components and (2) characterize special security threats and requirements at the nanoscale. The workshop's main goals include: (1) Characterizing the role of nanoscale components in securing IT systems, (2) Formulating security threats and requirements for nanoscale devices and their applications, and (3) Defining nanosecurity metrology to enable fabrication of secure reliable devices. NIST solicits papers, presentations, case studies, panel proposals, and participation from any interested parties, including researchers, systems architects, vendors, and users.
General topics for submissions include, but are not limited to, the following:
- Security applications that use nanotechnology
- Security requirements for nanotechnology applications
- Security characteristics of IT systems involving nanoscale components
- Security implications of nanotechnology
- Potential metrics for nanosecurity
-------------------------------------------------------------------------
ARES 2006 1st International Conference on Availability, Reliability and Security, Vienna, Austria, April 20-22, 2006.
(Submissions due 4 December 2005)
http://www.ifs.tuwien.ac.at/ares2006/

ARES 2006 aims at a full and detailed discussion of the research issues of dependability as an integrative concept that covers amongst others availability, safety, confidentiality, integrity, maintainability and security in the different fields of applications.

Topics of interest include, but are not limited to:
- Secure Enterprise Architectures
- (Process based) Security Models/Methods
- Risk planning, analysis & awareness
- Availability and Reliability
- Reliability Models
- Failure Prevention
- Dependability Assessment
- Standards, Guidelines and Certification
- Common Criteria Protocol
- Security in Distributed Systems / Distributed Databases
- Dependability in Open Source Software
- Authorization and Authentication
- Dependability Requirement Engineering
- Network Security
- Software Security
- Dependability Modelling and Prediction
- Cryptographic protocols
- Intrusion Detection and Fraud Detection
- Privacy-enhancing technologies
- Security and privacy issues for sensor networks, wireless/mobile devices and applications
- Security and Trust Management in P2P and Grid applications
- Survivability of Computing Systems
- Interoperability aspects
- Security as Quality of Service.
- Information Flow Control
- Dependability Modelling and Prediction
- Tools for Dependable System Design and Evaluation
- Temporal Aspects of Dependability
- Dependability administration
- Dependability Measurement and Analysis
- Dependability Benchmarking
- Trust Models and Trust Management
- Fault/Bug Tolerant Aspects
- Internet Dependability
- E-Commerce Dependability
- Safety Critical Systems
- Software Engineering of Dependable Systems
- Dependability Aspects of Mobile Government (m-Government)
- Dependability Aspects of Electronic Government (e-Government)
- Effectivity of Biometrics
- Security in Electronic Voting
- Security Issues for Ubiquitous Systems
- Availability of Pervasive Computing Systems
- Dependability Aspects for Special Applications (e.g., ERP-Systems, Logistics)
- Designing Business Models with security requirements
- Security for Biometrics Applications
- Security in Electronic Payments
- Incident Response and Prevention
- Mobile Resources/Services
- Mobile Security
- VOIP/wireless Security
- Web Security
- RFID Security and Privacy
- User Interfaces and Dependability
- Legal issues
- IPR of Security Technology
-------------------------------------------------------------------------
ACIS 2006 Applied Cryptography and Information Security Workshop, Held in conjunction with International Conference on Computational Science and its Applications (ICCSA 2006), Glasgow, UK, May 8-11, 2006.
(Submissions due 15 December 2005)
http://www.acis06.org/

Applied Cryptography and Information Security are essential elements in this digital era. Commerce activities, business transactions and government services have been, and more and more of them will be, conducted and offered over open computer and communication networks such as Internet. The role of applied cryptography and information security thus becomes more and more important in computer science.
Academic research in these two areas often draws the interest from various industries since it carries over the confidence found in the physical world to the electronic world. ACIS '06 provides a platform for researchers, scholars and practitioners to exchange new ideas for solving various open problems in this area.

Topics of relevance include but are not limited to the following areas:
- Accountability and audit trail
- Anonymity and pseudonymity
- Authentication and access control
- Data confidentiality and integrity
- Delegation of authority
- Identity-based cryptography
- Pairing-based cryptography
- PKI and its alternatives
- Block ciphers
- Cryptographic primitives
- Hash functions and MAC
- Secure model and protocol
- Digital signature
- Key exchange protocol
- Public key encryption
- Time stamping
- Exposure-resilient cryptography
- Privacy-enhancing technology
- Provable security
- Applications security and malicious codes
- Computer forensics and cybercrime
- Electronic commerce and democracy
-------------------------------------------------------------------------
WITS 2006 6th International Workshop on Issues in the Theory of Security, Vienna, Austria, March 25-26, 2006.
(Submissions due 23 December 2005)
http://www4.in.tum.de/~wits06/

WITS is the official workshop organised by the IFIP WG 1.7 on "Theoretical Foundations of Security Analysis and Design", established to promote the investigation on the theoretical foundations of security, discovering and promoting new areas of application of theoretical techniques in computer security and supporting the systematic use of formal techniques in the development of security related applications. The members of the WG hold their annual workshop as an open event to which all researchers working on the theory of computer security are invited. This is the sixth meeting of the series, and is organized in cooperation with ACM SIGPLAN and the German Computer Society (GI) working group FoMSESS.
Suggested submission topics include:
- formal definition and verification of security aspects, in particular of new properties arising in novel applications
- new techniques for the formal analysis and design of cryptographic protocols and their manifold applications (e.g., electronic commerce)
- information flow modelling and its application to the theory of confidentiality policies, composition of systems, and covert channel analysis
- formal techniques for the analysis and verification of code security, including mobile code security
- formal analysis and design for prevention of denial of service
- security in real-time/probabilistic systems
- language-based security
- formal foundations of policy languages
-------------------------------------------------------------------------
Cluster-Sec 2006 2nd International Workshop on Cluster Security, Held in conjunction with the Sixth IEEE/ACM International Symposium on Cluster Computing and the Grid (CCGrid), Singapore, May 16-19, 2006.
(Submissions due 28 December 2005)
http://www.ncassr.org/projects/cluster-sec/ccgrid06/

After successful Internet attacks on HPC centers worldwide, there has been a paradigm shift in cluster security strategies. Clusters are no longer thought of as just a collection of individual computers but rather as an integrated single unit in which any breach may result in a "class break" compromise of the entire cluster. Furthermore, it has also been shown that clusters communicating via grids create dependent risks between clusters such that any cluster compromise may cascade to affect an entire grid. This workshop focuses on stimulating new ideas in order to reshape cluster protection strategies. Papers with demonstrated results will be given priority.
A list of potential topics includes but is not limited to the following:
- secure on-demand computing (single machine)
- secure multi-cluster computing (a single job spread across clusters)
- cluster security as an emergent property
- analysis of cluster attacks
- new techniques to protect clusters
- virtualization approach for secure cluster computing
- visualizing cluster security
- commercial grade cluster security
- high availability clusters
- reliability enhancement techniques for large clusters
- fault detection in clusters
- cluster rejuvenation
- cluster failover
- cluster survivability/recoverability
- cluster-specific intrusion detection
- the relationship between cluster security and grid security
- cluster security vulnerabilities
- cluster security best practices
- storage clusters
- storage security on clusters
- storage survivability on clusters
-------------------------------------------------------------------------
ETRICS 2006 International Conference on Emerging Trends in Information and Communication Security, Freiburg, Germany, June 6-9, 2006.
(Submissions due 6 January 2006)
http://www.etrics.org/

Protecting information and communication systems and services from malicious use is essential for their deployment and acceptance. In addition to applying techniques from traditional security research and security engineering, it is necessary to take into account the vulnerabilities originating from increased mobility at application level and the integration of security requirements into business processes. ETRICS solicits research contributions focusing on emerging trends in security and privacy. Submissions may present foundational research in security and privacy, report experiences from novel applications of security technologies, as well as discuss their changing impact on society and economy.
Topics of interest include but are not limited to:
- Access control and secure audit
- Analysis of security protocols
- Anonymity services
- Cryptographic primitives
- Electronic payment systems
- Enforcement of security policies
- Language-based security
- Privacy and identity management
- Secure mobile code
- Secure operating systems
- Security requirements engineering
- Security verification
- Vulnerability and threat analysis
-------------------------------------------------------------------------
DIMVA 2006 3rd GI SIG SIDAR Conference on Detection of Intrusions & Malware, and Vulnerability Assessment, Berlin, Germany, July 13-14, 2006.
(Submissions due 13 January 2006)
http://www.dimva.org/dimva2006

The special interest group Security - Intrusion Detection and Response (SIDAR) of the German Informatics Society (GI) organizes DIMVA as an annual conference that brings together experts from throughout and outside of Europe to discuss the state of the art in the areas of intrusion detection, malware detection, and vulnerability assessment.

The scope of DIMVA is broad and includes, but is not restricted to the following areas:

Vulnerability Assessment:
- Vulnerabilities and exploitation techniques
- Vulnerability detection
- Avoidance of vulnerabilities and software testing
- Reverse engineering
- ROI on vulnerability assessment and management

Intrusion Detection:
- Intrusion techniques
- Intrusion detection and event correlation
- Intrusion response and intrusion prevention
- Benchmarking of intrusion detection and prevention systems
- Incident management and response

Malware:
- Malware techniques
- Malware detection
- Malware prevention
- Benchmarking of malware detection and prevention systems
- Computer and network forensics
-------------------------------------------------------------------------
ACNS 2006 4th International Conference on Applied Cryptography and Network Security, Singapore, June 6-9, 2006.
(Submissions due 15 January 2006)
http://acns2006.i2r.a-star.edu.sg/

Original papers on all technical aspects of cryptology and network security are solicited for submission to ACNS'06, the 4th annual conference on Applied Cryptography and Network Security. There are two tracks for ACNS: an academic track and an industrial track. The latter has an emphasis on practical applications. The PC will consider moving submissions between tracks if the PC feels that a submission is more appropriate for that track (with author permission).

Topics of relevance include but are not limited to:
- Applied cryptography, cryptographic constructions
- Cryptographic applications: payments, fair exchange, time-stamping, auction, voting, polling
- Denial of service: attacks and countermeasures
- Email security, spam prevention
- Fundamental services on network and distributed systems: authentication, data integrity, confidentiality, authorization, non-repudiation, and availability
- Implementation, deployment and management of network security policies
- Integrating security in Internet protocols: routing, naming, TCP/IP, multicast, network management
- Integrating security services with system and application security facilities and protocols: message handling, file transport/access, directories, time synchronization, database management, boot services, mobile computing
- Intellectual property protection: protocols, implementations, metering, watermarking, digital rights management
- Intrusion avoidance, detection, and response: systems, experiences and architectures
- Network perimeter controls: firewalls, packet filters, application gateways
- Public key infrastructure, key management, certification, and revocation
- Securing critical infrastructure: routing protocols, and emergency communication
- Security and privacy for emerging technologies: sensor networks, wireless/mobile (and ad hoc) networks, bluetooth, 802.11, and peer-to-peer systems
- Security of limited devices:
light-weight cryptography, efficient protocols and implementations
- Security modeling and protocol design in the context of rational and malicious adversaries
- Usable security and deployment incentives for security technology
- Virtual private networks
- Web security and supporting systems security, such as databases, operating systems, etc.
-------------------------------------------------------------------------
USENIX 2006 USENIX Annual Technical Conference, Boston, MA, USA, May 30-June 3, 2006.
(Submissions due 17 January 2006)
http://www.usenix.org/events/usenix06/index.html

The 2005 USENIX Annual Technical Conference General Session Program Committee seeks original and innovative papers that further the knowledge and understanding of modern computing systems, with an emphasis on practical implementations and experimental results. We encourage papers that break new ground or present insightful results based on experience with computer systems.

The USENIX conference has a broad scope, and we encourage papers in a wide range of topics in systems, including:
- Architectural interaction
- Benchmarking
- Deployment experience
- Distributed and parallel systems
- Embedded systems
- Energy/power management
- File and storage systems
- Networking and network services
- Operating systems
- Reliability, availability, and scalability
- Security, privacy, and trust
- Self-managing systems
- Usage studies and workload characterization
- Virtualization
- Web technology
- Wireless and mobile systems
-------------------------------------------------------------------------
TSPUC 2006 2nd International Workshop on Trust, Security and Privacy for Ubiquitous Computing, Buffalo, NY, USA, June 26, 2006.
(Submissions due 17 January 2006)
http://www.iit.cnr.it/TSPUC2006/

This workshop aims at focussing the attention of the research community on the increasing complexity and relevance of trust, privacy and security issues in ubiquitous computing.
Papers may present theory, applications or practical experiences on topics including, but not limited to:
- key establishment and key distribution
- access control models, policies and mechanisms
- trust and reputation management
- privacy and identity management
- digital assets management
- context/location aware computation
- self-organizing networks and communities
- intrusion and anomaly detection
- secure user-device interfaces
- distributed consensus in the presence of active adversaries
- analysis/simulation/validation techniques
- handling emergent properties
- phishing
- attacks and countermeasures
- case studies
-------------------------------------------------------------------------
CEC 2006 IEEE CEC 2006 Special Session on Evolutionary Computation in Cryptology and Computer Security, Vancouver, BC, Canada, July 16-21, 2006.
(Submissions due 31 January 2006)
http://kolmogorov.seg.inf.uc3m.es/

Techniques taken from the field of Evolutionary Computation (especially Genetic Algorithms, Genetic Programming, Artificial Immune Systems, but also others) are steadily gaining ground in the area of cryptology and computer security. The special session encourages the submission of novel research at all levels of abstraction (from the design of cryptographic primitives through to the analysis of security aspects of "systems of systems").
-------------------------------------------------------------------------
USENIX Security 2006 15th USENIX Security Symposium, Vancouver, B.C., Canada, July 31-August 4, 2006.
(Submissions due 1 February 2006)
http://www.usenix.org/events/sec06/

The USENIX Security Symposium brings together researchers, practitioners, system administrators, system programmers, and others interested in the latest advances in the security of computer systems and networks. All researchers are encouraged to submit papers covering novel and scientifically significant practical works in security or applied cryptography.
The Symposium will span five days: a training program will be followed by a two and one-half day technical program, which will include refereed papers, invited talks, Work-in-Progress reports, panel discussions, and Birds-of-a-Feather sessions. New in 2006, a workshop, titled Hot Topics in Security (HotSec '06), will be held in conjunction with the main conference. More details will be announced soon on the USENIX Web site.
-------------------------------------------------------------------------
PET 2006 6th Workshop on Privacy Enhancing Technologies, Robinson College, Cambridge, United Kingdom, June 28 - June 30, 2006.
(Submissions due 3 March 2006)
http://petworkshop.org/2006/

Privacy and anonymity are increasingly important in the online world. Corporations, governments, and other organizations are realizing and exploiting their power to track users and their behavior. Approaches to protecting individuals, groups, but also companies and governments from profiling and censorship include decentralization, encryption, distributed trust, and automated policy disclosure. This 6th workshop addresses the design and realization of such privacy services for the Internet and other communication networks by bringing together anonymity and privacy experts from around the world to discuss recent advances and new perspectives.
Suggested topics include but are not restricted to:
- Anonymous communications and publishing systems
- Censorship resistance
- Pseudonyms, identity management, linkability, and reputation
- Data protection technologies
- Location privacy
- Privacy in Ubiquitous Computing Environments
- Policy, law, and human rights relating to privacy
- Privacy and anonymity in peer-to-peer architectures
- Economics of privacy
- Fielded systems and techniques for enhancing privacy in existing systems
- Protocols that preserve anonymity/privacy
- Privacy-enhanced access control or authentication/certification
- Privacy threat models
- Models for anonymity and unobservability
- Attacks on anonymity systems
- Traffic analysis
- Profiling and data mining
- Privacy vulnerabilities and their impact on phishing and identity theft
- Deployment models for privacy infrastructures
- Novel relations of payment mechanisms and anonymity
- Usability issues and user interfaces for PETs
- Reliability, robustness and abuse prevention in privacy systems
-------------------------------------------------------------------------
WEIS 2006 5th Workshop on the Economics of Information Security, University of Cambridge, England, June 26-28, 2006.
(Submissions due 20 March 2006)
http://www.cl.cam.ac.uk/~twm29/WEIS06/

One of the most exciting and rapidly-growing fields at the boundary between technology and the social sciences is the economics of information security. Many security and privacy failures are not purely technical: for example, the person best placed to protect a system may be poorly motivated if the costs of system failure fall on others. Many pressing problems, such as spam, are unlikely to be solved by purely technical means, as they have economic and policy aspects too. Building dependable systems also raises questions such as open versus closed systems, the pricing of vulnerabilities and the frequency of patching. The `economics of bugs' are of growing importance to both vendors and users.
Original research papers are sought for the Fifth Workshop on the Economics of Information Security. Topics of interest include the dependability of open source and free software, the interaction of networks with crime and conflict, the economics of digital rights management and trusted computing, liability and insurance, reputation, privacy, risk perception, the economics of trust, the return on security investment, and economic perspectives on spam.

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

New listings:

o University College London
  London & Martlesham, UK
  Senior Lecturer/Lecturer
  January 16, 2006
  http://www.ucl.ac.uk/hr/vacancies/adverts/EEA3.html

o Northern Kentucky University
  Highland Heights, KY 41099
  Assistant/Associate Professor of Computer Science in the following areas - Information Security, Secure Software Development, Computer Forensics, Database and/or Networking with a preference for Networking and Security
  Applications will be accepted until the position is filled.
  http://www.nku.edu/~csc/positions.html

Full list at http://cisr.nps.navy.mil/jobscipher.html
--------------
This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================
____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe". OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard". OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way.
It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy by completing the on-line form at IEEE at http://www.computer.org/TCsignup/index.htm

______________________________________________________________________
TC Publications for Sale
______________________________________________________________________

IEEE Security and Privacy Symposium

The 2005 Symposium proceedings are available for $25 plus shipping and handling. The 2004 proceedings are $20 plus shipping and handling; the 2003 proceedings are $15 plus shipping and handling. A CD of the 2000-2001 proceedings is $15 plus shipping and handling. Shipping is $4.00/volume within the US, overseas surface mail is $7/volume, and overseas airmail is $11/volume, based on an order of 3 volumes or less. The shipping charge for a CD is $1 per CD (no charge if included with a hard copy order). Send a check made out to the IEEE Symposium on Security and Privacy to the TC treasurer (see officers, below) with the order description, including shipping method, and send email to Deborah Shands (shands@aero.org) with the shipping address, please.

IEEE CS Press

Back issues of TC publications may be available; contact Jonathan Millen for information about the Computer Security Foundations Workshop.
______________________________________________________________________
TC Officer Roster
______________________________________________________________________

Chair:
Heather Hinton
IBM Software Group - Tivoli
11400 Burnett Road
Austin, TX 78758
+ 1 512 838 0455 (voice)
hhinton@us.ibm.com

Past Chair:
Mike Reiter
Carnegie Mellon University
ECE Department
Hamerschlag Hall, Room D208
Pittsburgh, PA 15213 USA
(412) 268-1318 (voice)
reiter@cmu.edu

Vice Chair:
Jonathan Millen
The MITRE Corporation
Mail Stop S119
202 Burlington Road Rte. 62
Bedford, MA 01730-1420
781-271-51 (voice)
jmillen@mitre.org

Chair, Subcommittee on Academic Affairs:
Prof. Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department
Code CS/IC
Monterey CA 93943-5118
(831) 656-2461 (voice)
irvine@cs.nps.navy.mil

Chair, Subcommittee on Standards:
David Aucsmith
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
425-706-9225 (voice)
425-936-7329 (fax)
awk@microsoft.com

Chair, Subcomm. on Security Conferences:
Jonathan Millen
The MITRE Corporation
Mail Stop S119
202 Burlington Road Rte. 62
Bedford, MA 01730-1420
781-271-51 (voice)
jmillen@mitre.org

SRSP Conference Treasurer:
Terry Benzel
USC ISI
4676 Admiralty Way
Marina Del Rey, CA 90292
tbenzel@isi.edu
(310) 822-1511
(310) 823-6714 (fax)

Newsletter Editor & 2006 SRSP General Chair:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Salem, UT 84653
cipher-editor@ieee-security.org

________________________________________________________________________
BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html