==========================================================================
   Newsletter of the IEEE Computer Society's TC on Security and Privacy
                  Electronic Issue 71          March 15, 2006

Hilarie Orman, Editor                    Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org   cipher-assoc-editor @ ieee-security.org

Bob Bruen                                Yong Guan
Book Review Editor                       Calendar Editor
cipher-bookrev @ ieee-security.org       cipher-cfp @ ieee-security.org
==========================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year
This issue has 1795 lines

Contents:

* Letter from the Editor
* News
  o IEEE Computer Society Symposium on Security and Privacy, program
  o NIST issues 2 drafts on cryptographic methods, requests comments,
    and issues one final FIPS on key establishment
  o Email signature verification bug in GNU Privacy Guard
  o US Navy lab wins network-centric warfare award
  o Cryptologia announces undergraduate paper competition
  o US Air Force lab seeks information assurance leader
* Commentary and Opinion
  o Robert Bruen's review of Hands-On Ethical Hacking and Network Defense
    by Simpson, Michael
  o Robert Bruen's review of Penetration Tester's Open Source Toolkit
    by Long, Johnny et al.
  o Book reviews, Conference Reports and Commentary and News items
    from past Cipher issues are available at the Cipher website
* Conference and Workshop Announcements
  o Calendar of events
  o Upcoming calls-for-papers
* List of Computer Security Academic Positions, by Cynthia Irvine
* Staying in Touch
  o Information for subscribers and contributors
  o Recent address changes
* Links for the IEEE Computer Society TC on Security and Privacy
  o Becoming a member of the TC
  o TC Officers
  o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

This issue of Cipher has the list of papers accepted for the venerable
IEEE Computer Society Symposium on Security and Privacy, often known as
"Oakland". This year's program features several short papers and a full
program of regular length papers. Attendees will receive a CD with
several years of past proceedings and the usual ambiance of the
Claremont Resort. I am seeking a volunteer reporter to become famous by
writing a Cipher article about the Symposium --- arms will be twisted.

Bob Bruen has contributed two book reviews, Yong Guan has continued his
great work in keeping the Calls-for-Papers pages up-to-date, and there
are several news articles.

I found myself completely bemused by the End User License Agreement for
a well-known software product that protects communication using
cryptography. It has an audit clause requiring the user to open up his
computers to on-site inspection twice a year. Yes, your communication
may be safe from the eyes of governments, but the vendor gets free
access to your home. This is a definition of privacy with which I am
not familiar.
Still searching for security and privacy,
Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
News Briefs
====================================================================

-------------------------------------------------------------------
Symposium on Security and Privacy Program
-------------------------------------------------------------------

The Symposium will be held May 21-24 at the Claremont Resort in
Berkeley, California.
See http://www.ieee-security.org/TC/SP2006/oakland06.html

Session: Signature Generation (Christopher Kruegel)

  Towards Automatic Generation of Vulnerability-Based Signatures
    David Brumley, James Newsome, Dawn Song, Hao Wang, and Somesh Jha
    Carnegie Mellon University, USA, and University of Wisconsin, USA

  Misleading Worm Signature Generators Using Deliberate Noise Injection
    Roberto Perdisci, David Dagon, Wenke Lee, Prahlad Fogla, and
    Monirul Sharif
    University of Cagliari, Italy, and Georgia Institute of Technology, USA

  Hamsa: Fast Signature Generation for Zero-day Polymorphic Worms with
  Provable Attack Resilience
    Zhichun Li, Manan Sanghi, Yan Chen, Ming-Yang Kao and Brian Chavez
    Northwestern University, USA

Session: Detection (Robert Cunningham)

  Dataflow Anomaly Detection
    Sandeep Bhatkar, Abhishek Chaturvedi and R. Sekar
    Stony Brook University, USA

  Towards a Framework for the Evaluation of Intrusion Detection Systems
    Alvaro A. Cardenas, Karl Seamon and John S. Baras
    University of Maryland, USA

  Siren: Detecting Evasive Malware (Short Paper)
    Kevin Borders, Xin Zhao and Atul Prakash
    University of Michigan, USA

Session: Privacy (Carl Landwehr)

  Fundamental Limits on the Anonymity Provided by the MIX Technique
    Dakshi Agrawal, Dogan Kesdogan, Vinh Pham, Dieter Rautenbach
    IBM T J Watson Research Center, USA, RWTH Aachen, Germany, and
    University of Bonn, Germany

  Locating Hidden Servers
    Lasse Øverlier and Paul Syverson
    Norwegian Defence Research Establishment, Norway, Gjøvik University
    College, Norway, and Naval Research Laboratory, USA

  Practical Inference Control for Data Cubes (Extended Abstract)
    Yingjiu Li, Haibing Lu and Robert H. Deng
    Singapore Management University, Singapore

  Deterring Voluntary Trace Disclosure in Re-encryption Mix Networks
    Philippe Golle, Xiaofeng Wang, Markus Jakobsson and Alex Tsow
    Palo Alto Research Center, USA, and Indiana University, Bloomington, USA

  New Constructions and Practical Applications for Private Stream
  Searching (Extended Abstract)
    John Bethencourt, Dawn Song and Brent Waters
    Carnegie Mellon University, USA, and SRI International, USA

5-minute Work-in-Progress Talks

Session: Formal Methods (Susan Landau)

  A Computationally Sound Mechanized Prover for Security Protocols
    Bruno Blanchet
    CNRS, Ecole Normale Supérieure, Paris, France

  A Logic for Constraint-based Security Protocol Analysis
    Ricardo Corin, Ari Saptawijaya and Sandro Etalle
    University of Twente, The Netherlands, and University of Indonesia,
    Indonesia

  Simulatable Security and Concurrent Composition
    Dennis Hofheinz and Dominique Unruh
    CWI, The Netherlands, and University of Karlsruhe, Germany

Session: Analyzing and Enforcing Policy (Tuomas Aura)

  Privacy and Contextual Integrity: Framework and Applications
    Adam Barth, Anupam Datta, John C. Mitchell and Helen Nissenbaum
    Stanford University, USA, and New York University, USA

  FIREMAN: A Toolkit for FIREwall Modeling and ANalysis
    Lihua Yuan, Jianning Mai, Zhendong Su, Hao Chen, Chen-Nee Chuah and
    Prasant Mohapatra
    University of California, Davis, USA

  Retrofitting Legacy Code for Authorization Policy Enforcement
    Vinod Ganapathy, Trent Jaeger and Somesh Jha
    University of Wisconsin-Madison, USA, and Pennsylvania State
    University, USA

Session: Analyzing Code (Doug Tygar)

  Deriving an Information Flow Checker and Certifying Compiler for Java
    Gilles Barthe, David A. Naumann and Tamara Rezk
    INRIA Sophia-Antipolis, France, and Stevens Institute of Technology, USA

  Discovering Malicious Disks with Symbolic Execution
    Paul Twohey, Junfeng Yang, Can Sar, Cristian Cadar, and Dawson Engler
    Stanford University, USA

  Pixy: A Static Analysis Tool for Detecting Web Application
  Vulnerabilities
    Nenad Jovanovic, Christopher Kruegel and Engin Kirda
    Vienna University of Technology, Austria

  Cobra: Fine-grained Malware Analysis using Stealth Localized-Executions
    Amit Vasudevan and Ramesh Yerraballi
    University of Texas Arlington, USA

Session: Authentication (Paul Van Oorschot)

  Integrity (I) codes: Message Integrity Protection and Authentication
  Over Insecure Channels
    Mario Cagalj, Srdjan Capkun, Ramkumar Rengaswamy, Ilias Tsigkogiannis,
    Mani Srivastava and Jean-Pierre Hubaux
    École Polytechnique Fédérale de Lausanne (EPFL), Switzerland,
    Technical University of Denmark, Denmark, and University of
    California, Los Angeles, USA

  Cognitive Authentication Schemes Safe Against Spyware
    Daphna Weinshall
    Hebrew University of Jerusalem, Israel

  Cache Cookies for Browser Authentication (Extended Abstract)
    Ari Juels, Markus Jakobsson and Tom N. Jagatic
    RSA Laboratories, USA, RavenWhite Inc., USA, and Indiana University, USA

  Secure Device Pairing based on a Visual Channel
    Nitesh Saxena, Jan-Erik Ekberg, Kari Kostiainen and N. Asokan
    University of California, Irvine, USA, and Nokia Research Center,
    Finland

Session: Attacks (Kevin Fu)

  SubVirt: Implementing malware with virtual machines
    Samuel T. King, Peter M. Chen, Yi-Min Wang, Chad Verbowski,
    Helen J. Wang, Jacob R. Lorch
    University of Michigan, USA, and Microsoft Research, USA

  Practical Attacks on Proximity Identification Systems (Short Paper)
    Gerhard P. Hancke
    University of Cambridge, UK

  On the Secrecy of Timing-Based Active Watermarking Trace-Back Techniques
    Pai Peng, Peng Ning and Douglas S. Reeves
    North Carolina State University, USA

Session: Systems (Helen Wang)

  A Safety-Oriented Platform for Web Applications
    Richard S. Cox, Jacob Gorm Hansen, Steven D. Gribble, and Henry M. Levy
    University of Washington, USA, and University of Copenhagen, Denmark

  Tamper-Evident, History-Independent, Subliminal-Free Data Structures on
  PROM Storage -or- How to Store Ballots on a Voting Machine
  (Extended Abstract)
    David Molnar, Tadayoshi Kohno, Naveen Sastry and David Wagner
    University of California, Berkeley, USA, and University of
    California, San Diego, USA

  Analysis of the Linux Random Number Generator
    Zvi Gutterman, Benny Pinkas and Tzachy Reinman
    Hebrew University, Israel, Haifa University, Israel, and Safend, Israel

  The Final Nail in WEP's Coffin
    Andrea Bittau, Mark Handley and Joshua Lackey
    University College London, UK, and Microsoft, USA

-------------------------------------------------------------------
NIST Issues 2 Drafts and One Final FIPS on Cryptographic Standards
http://csrc.nist.gov/publications/drafts.html
March 13, 2006
-------------------------------------------------------------------

Elaine Barker wrote:

A draft of Federal Information Processing Standard (FIPS) 186-3, Digital
Signature Standard (DSS), is available for public comment as announced
in the Federal Register. The draft is available at
http://csrc.nist.gov/publications/drafts.html.
Please submit comments to ebarker@nist.gov with "Comments on Draft 186-3"
in the subject line. The comment period closes on June 12, 2006.

A draft of an accompanying document to the proposed FIPS 186-3, NIST
Special Publication (SP) 800-89, Recommendation for Obtaining Assurances
for Digital Signature Applications, is also available for public comment
at http://csrc.nist.gov/publications/drafts.html. Please submit comments
to ebarker@nist.gov with "Comments on SP 800-89" in the subject line.
The comment period closes on April 28, 2006.

NIST Special Publication (SP) 800-56A, Recommendation for Pair-Wise Key
Establishment Schemes Using Discrete Logarithm Cryptography, has been
posted as a final document at
http://csrc.nist.gov/publications/nistpubs/index.html

Elaine Barker
National Institute of Standards and Technology
100 Bureau Drive, Stop 8930
Gaithersburg, MD 20899-8930
301-975-2911

-------------------------------------------------------------------
GNU Privacy Guard Signature Bug
March 9, 2006
forwarded by Rich Schroeppel
-------------------------------------------------------------------

The GNU Privacy Guard is an implementation of the OpenPGP standard for
secure email. Recently it was noticed that, given a signed email, you
can change the message to prepend and append arbitrary data to the
message without disturbing the signature verification report to the
user. It appears this bug has existed for years without anybody finding
it. The bug arises from the complexity of parsing the message formats
while preserving backward compatibility with older implementations.
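The failure described in this news item is a verifier that reports on the signed block alone rather than on the message as the user sees it. The following is an added illustration, not GnuPG or OpenPGP code: it uses a constructed toy signed-message format (the BEGIN/END/SIGNATURE markers, the key and the sample messages are all invented here, and an HMAC stands in for a digital signature so the script runs with the standard library only). A lenient verifier reproduces the reporting mistake; the strict one beside it also counts the bytes that lie outside the signed block, so a caller can refuse to present them as authenticated.

```python
"""Toy signed-message verifier: lenient vs. strict handling of data
outside the signed block.

Constructed example (not GnuPG code, not OpenPGP): the message format,
key and sample messages are invented here. An HMAC stands in for a
digital signature; the point demonstrated does not depend on the
signature algorithm.
"""
import hashlib
import hmac
from typing import Optional, Tuple

# Invented markers for the toy format.
BEGIN = b"-----BEGIN SIGNED-----\n"
END = b"-----END SIGNED-----\n"
SIG = b"-----SIGNATURE-----\n"


def sign(key: bytes, body: bytes) -> bytes:
    """Wrap body in the toy format with a hex HMAC-SHA256 tag over the body."""
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return BEGIN + body + END + SIG + tag + b"\n"


def locate(msg: bytes) -> Optional[Tuple[bytes, bytes, bytes, bytes]]:
    """Find the signed block inside msg.

    Returns (body, tag, prefix, suffix), where prefix and suffix are the
    bytes before and after the signed block, or None if markers are missing.
    """
    b = msg.find(BEGIN)
    e = msg.find(END, b) if b >= 0 else -1
    s = msg.find(SIG, e) if e >= 0 else -1
    if s < 0:
        return None
    tag_start = s + len(SIG)
    tag_end = msg.find(b"\n", tag_start)
    if tag_end < 0:
        return None
    body = msg[b + len(BEGIN):e]
    tag = msg[tag_start:tag_end]
    return body, tag, msg[:b], msg[tag_end + 1:]


def tag_ok(key: bytes, body: bytes, tag: bytes) -> bool:
    """Constant-time comparison of the presented tag with the recomputed one."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return hmac.compare_digest(tag, expected)


def verify_lenient(key: bytes, msg: bytes) -> bool:
    """Flawed verifier: reports 'good signature' as soon as a correctly
    signed block is found anywhere in msg, ignoring what surrounds it."""
    parts = locate(msg)
    if parts is None:
        return False
    body, tag, _, _ = parts
    return tag_ok(key, body, tag)


def verify_strict(key: bytes, msg: bytes) -> Tuple[bool, int]:
    """Hardened verifier: returns (signature_ok, unsigned_bytes).

    signature_ok is True only if the tag matches the signed block;
    unsigned_bytes counts bytes outside that block. Any non-zero count
    means the message as presented is not what the signer signed, and
    the caller must not report it as verified as a whole."""
    parts = locate(msg)
    if parts is None:
        return False, len(msg)
    body, tag, prefix, suffix = parts
    return tag_ok(key, body, tag), len(prefix) + len(suffix)


def demo() -> dict:
    """Run both verifiers on constructed messages; return results for checking."""
    key = b"constructed-demo-key"
    original = sign(key, b"Pay Alice 10\n")
    # The modification from the news item: arbitrary data is prepended and
    # appended while the signed block itself is left untouched.
    padded = b"Pay Mallory 1000\n" + original + b"Ignore above\n"
    # A change inside the signed block must fail with either verifier.
    altered = original.replace(b"Alice", b"Carol")
    return {
        "lenient_original": verify_lenient(key, original),
        "lenient_padded": verify_lenient(key, padded),      # the bug: True
        "strict_original": verify_strict(key, original),    # (True, 0)
        "strict_padded": verify_strict(key, padded),        # (True, 30)
        "strict_altered": verify_strict(key, altered),      # (False, 0)
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:17s} -> {result}")
```

The lenient verifier answers the question "is there a validly signed block in here?", which is true for the padded message; the strict one answers "is everything the reader will see covered by the signature?", which is the question a mail client's verification report needs to answer.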
http://lists.gnupg.org/pipermail/gnupg-announce/2006q1/000216.html

-------------------------------------------------------------------
Cryptologia Offers Undergraduate Paper Competition
Press Release
February 16, 2006
-------------------------------------------------------------------

Undergraduate Paper Competitions: Cash Prizes and Publication

Cryptologia is the only scholarly journal dealing with the history and
technology of communications intelligence with specific attention to
the mathematics of cryptology. The journal sponsors two undergraduate
paper competitions in cryptology, each with a $300 cash prize and
publication of the winning article.

The journal's articles have broken many new paths in technical and
mathematical cryptology as well as areas such as intelligence history
by fostering the study of all aspects of cryptology -- technical as
well as historical and cultural. Editor-in-Chief Brian Winkel, Dept of
MathSci, United States Military Academy at West Point, and a renowned
international editorial board of the world's foremost scholars in
cryptology plan to disseminate papers of lasting appeal to
mathematicians, security specialists, computer scientists, historians,
political scientists, and teachers.

For more information, please visit the journal's website at
http://tandf.co.uk/journal/titles/01611194.asp. Starting in 2006,
Cryptologia will be published by Taylor & Francis.

-------------------------------------------------------------------
Navy Lab Wins Network-Centric Warfare Award
Press Release
February 6, 2006
-------------------------------------------------------------------

Charleston, SC, (February 6, 2006) - The Test and Validation Lab of the
Net Centric Programs Office at SPAWAR Systems Center Charleston was
honored recently by the Institute for Defense and Government Advancement
(IDGA) with a 2006 Net Centric Warfare Award for outstanding
contributions to the development of network centric warfare theory.
According to IDGA Executive Director Megan Knapp, IDGA's Network Centric
Warfare (NCW) Awards were established to "honor, recognize and promote
initiatives in the US Department of Defense, Coalition Governments, and
Defense Industry that exemplify the principles of network-centric
warfare and support information age transformation." A panel of
respected defense sector leaders evaluated the nominees and determined
the winners.

Randall Shirley, Director of the Net Centric Programs Office, said, "As
this award signifies, the Test and Validation Lab exemplifies the best
in current initiatives and sets new standards of excellence for
incorporating an innovative concept into future work for the Department
of Defense."

The innovative methods developed by the Test and Validation Lab have
supported development of network-centric warfare theory by enabling
developers to integrate computer network defensive principles to create
robust and secure Service Oriented Architecture (SOA) functionality in
a minimal amount of time. As an SOA Center of Excellence for
Engineering Services, the Test and Validation Lab will use its
experience to help other developers of network centric warfare release
their tested, certified, and accredited applications rapidly into the
battlefield.

For more information on IDGA and the annual NCW Awards and Conference,
visit www.idga.org or www.ncwawards.com.

-------------------------------------------------------------------
Air Force Lab Seeks Information Assurance Leader
February 24, 2006
Contributed by Gene Spafford
-------------------------------------------------------------------

The position is a new senior-level position in Information Assurance
(IA) at the Air Force Research Laboratory, Information Directorate
(AFRL/IF).
The search is not yet officially open, but informal inquiries can be
directed to the chief scientist of the lab at this location, John Bay,
john.bay@rl.af.mil

-------------------------------------------------------------------
News briefs from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewsBriefs.html

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/BookReviews.html, and conference
reports are archived at
http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Robert Bruen
March 14, 2006
____________________________________________________________________

Hands-On Ethical Hacking and Network Defense
by Simpson, Michael
Thomson Course Technology 2006.
ISBN: 0-619-21709-1
Index, glossary, 3 appendices, Bootable CDRom

Textbooks get reviewed primarily by trade publications, but every now
and then I choose to review an exceptional textbook. Some security
professionals teach in an academic environment and it has been
difficult to find good textbooks for their security courses. The
run-of-the-mill textbooks contain the usual content, often presented
somewhat better than the trade equivalent because of the pedagogical
slant. Sadly, a number of them have been dumbed down to meet the needs
of the current crop of college students.

When done well, textbooks are gems because the standard fare for them
includes lots of extras that just do not appear in trade books. The
teacher looking to reduce the burden of preparation is happy because
presentation slides are included, along with review questions, projects
for students, detailed chapter summaries and lots of definitions.
Nothing is taken for granted; even in the middle of a chapter you find
activities that can run for 10 minutes to 30 minutes to make sure that
you understand the related concept.

This particular book extensively uses the work of several organizations,
including the Institute for Security and Open Methodologies (ISECOM)
and the Independent Computer Consultants Association (ICCA). With many
of the community colleges looking more like a certification
organization, these organizations are important. As the field of
hacking becomes mainstream, customers want to be assured that the
professional being hired will not end up in prison for unethical
behavior. Trust is important, as is the use of standards with meaning.
Simpson and ISECOM adhere to the Open Source Security Testing
Methodology Manual.

The security students in college today were born about the same time as
the Morris worm and were in grammar school when Netscape changed the
World Wide Web forever. They are coming of age at a time when law
enforcement is struggling to keep up with a cyber crimes environment
that is out of control. They need to have good technical resources,
ethical standards and a sense of grounding in a virtual world. This
textbook aims at the advanced student who has, perhaps, a couple of
public keys with certificates, a good understanding of networks and the
elements of computer security. If you need a hacking textbook, this is
it.

____________________________________________________________________
Book Review By Robert Bruen
March 14, 2006
____________________________________________________________________

Penetration Tester's Open Source Toolkit
by Long, Johnny et al.
Syngress 2006.
ISBN 1-59749-021-0
$59.95 ($35.97 at www.syngress.com), bootable CDRom with many tools,
index, 704 pages.

Books with useful penetration testing information are still few and far
between. Although there are several good ones available, some are four
years old now.
I am always happy to see good books come out in areas which need more.
This book is an all-inclusive tutorial for almost everything you need to
know about "pen testing." The chapters really show you step-by-step
instructions for making things work. If you are new to pen testing, then
this is a valuable resource. If you are experienced you should still
find some new tidbits.

The chapters break down into several groups. The first few explain what
the business is all about and what you do, starting with the basics:
reconnaissance, enumeration and scanning. The standard Unix commands are
demonstrated, such as "whois", "host" and "dig", as well as standard
tools like "NMap" and "Sam Spade." In addition, the free BiLE
(Bi-Directional Link Extractor) Software Suite from Sense Post is given
a lot of attention. It is a set of Perl scripts that can be used to gain
information from web sites. Unfortunately, at the time of this writing,
Sense Post no longer provides the suite. On the other hand,
http://www-remote-exploit.org still does offer the Auditor CD iso image.
Auditor is the collection of open source tools that forms the basis of
the book. The latest collection is large, close to 200 titles, none of
which is the BiLE suite. The value of a collection comes in saving you
the time and effort of collecting them all yourself. Sometimes even good
tools are not well known, so you miss them in your search. The other
value is a book with good instructions for using the tools.

The next chapter group is about the specific targets: databases, web
servers and wireless. The wireless set has really grown from the early
days of the Netstumbler tool to software which will grab latitude and
longitude of a wireless signal which can then be fed into a digital map
with an overlay of the signal range. The last part is the group of
chapters that cover tools in depth. There is also a chapter on writing
code for your own tools.
I thank the authors for including a chapter to encourage people to write
code, and I was happy to see the Java IDE Eclipse highlighted. Eclipse
is a big piece of software with its own book, but the brief introduction
here is helpful.

Nessus and Metasploit get the most coverage for individual tools. The
Nessus version in the book is an older version, but for the beginner it
is still worthwhile and it can be run from the CD. The explanation and
instructions are good enough to get it installed and working. Metasploit
deserves whatever publicity it can get, so my apologies to HDM [Ed. try
Google]. The last two chapters are a good introduction to Metasploit,
although not to the latest version.

This book generally does a very good job of detailing the usage of the
tools, especially if you are just starting out or need to expand your
knowledge. In spite of a few problems, I recommend purchasing the book
for the broad coverage, free tools and detailed instructions.

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at
http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Calendar of Security and Privacy Related Events
maintained by Hilarie Orman
Date (Month/Day/Year), Event, Locations, web page for more info.
 3/15/06: Machine Learning for Computer Security, Journal Special Issue;
          http://www.cs.fit.edu/~pkc/mlsec/, submissions are due
 3/15/06- 3/17/06: Fast Software Encryption (FSE), Graz, Austria;
          http://fse2006.iaik.tugraz.at/
 3/20/06: Workshop on the Economics of Information Security (WEIS),
          University of Cambridge, England; submissions are due;
          http://www.cl.cam.ac.uk/~twm29/WEIS06/
 3/21/06- 3/23/06: ACM Symposium on Information, Computer and
          Communications Security (AsiaCCS), Taipei, Taiwan;
          http://www.iis.sinica.edu.tw/asiaccs06/
 3/23/06: Conference on Email and Anti-Spam (CEAS), Mountain View,
          California; http://www.ceas.cc, submissions are due;
          info: information@ceas.cc
 3/26/06: New Security Paradigms Workshop (NSPW), Schloss Dagstuhl,
          Germany; http://www.nspw.org, submissions are due
 3/30/06: Embedded Networked Sensor Systems (SenSys), Boulder, Colorado;
          http://www.isi.edu/sensys2006/, submissions are due
 3/30/06: Workshop on Web Services Security (WSSS), Berkeley, CA;
          (no proceedings); submissions are due; info: singhal@nist.gov
 3/31/06: Recent Advances in Intrusion Detection (RAID), Hamburg,
          Germany; http://www.raid06.tu-harburg.de/, submissions are due;
          info: diego@tu-harburg.de
 3/31/06: European Symposium On Research In Computer Security (ESORICS),
          Hamburg, Germany; http://www.esorics06.tu-harburg.de/,
          submissions are due
------
 4/ 1/06: Journal of Computer Security (JCS), Special Issue on Security
          of Ad Hoc and Sensor Networks (JCS-SI-AdHoc-Sensor-Nets),
          submissions are due; http://discovery.csc.ncsu.edu/JCS-SASN06/
 4/ 1/06: Security and Privacy for Emerging Areas in Communication
          Networks (SecureComm), Baltimore/Washington, USA;
          http://www.securecomm.org, submissions are due;
          info: baras@isr.umd.edu
 4/ 2/06: Security Issues in Adaptive Distributed Systems (SIADS),
          Orlando, Florida; peer review, printed proceedings;
          submissions are due
 4/ 4/06- 4/ 6/04: NIST PKI, Gaithersburg, MD, USA;
          http://middleware.internet2.edu/pki06/
 4/ 5/06: International Journal of Information and Computer Security,
          Special Issue on Security and Privacy Aspects of Data Mining,
          Journal special issue, submissions are due;
          http://www.site.uottawa.ca/~zhizhan/psdmspecialissue2006/index.htm
 4/ 5/06: Internet Surveillance and Protection (ICISP), Cote d'Azur,
          France; http://www.iaria.org/conferences/ICNS06.html,
          submissions are due; info: petre@iaria.org
 4/10/06- 4/12/06: Workshop on Information Assurance (WIA), Phoenix, AZ;
          http://www.sis.pitt.edu/~lersais/WIA2006
 4/13/06- 4/14/06: Information Assurance Workshop (IWIA), Royal Holloway,
          UK; http://iwia.org/2006/
 4/15/06: Workshop on the Value of Security through Collaboration
          (SECOVAL), Baltimore, MD; http://www.securecomm.org,
          submissions are due; info: secoval@trustcomp.or
 4/16/06: Workshop on Formal and Computational Cryptography (WFCC),
          Venice, Italy; http://www.lsv.ens-cachan.fr/FCC2006/,
          submissions are due; info: fcc2006@lsv.ens-cachan.fr
 4/18/06: Workshop on Secure Software Engineering Education and Training
          (WSSEET), Turtle Bay, Oahu, HI; http://www.jmu.edu/iiia/wsseet/
 4/20/06- 4/22/06: Availability, Reliability and Security (ARES), Vienna,
          Austria; http://www.ares-conf.org
 4/20/06: USENIX Workshop on Steps to Reducing Unwanted Traffic on the
          Internet (SRUTI), San Jose, CA;
          http://www.usenix.org/events/sruti06/, submissions are due
 4/20/06- 4/22/06: Dependability Aspects on Data WArehousing and Mining
          Applications (DAWAM), Vienna, Austria;
          http://www.ares-conf.org/?q=dawam
 4/23/06- 4/27/06: ACM Symposium on Applied Computing, Track: Trust,
          Recommendations, Evidence and other Collaboration Know-how
          (SAC-TRECK), Dijon, France;
          http://www.acm.org/conferences/sac/sac2006/
 4/23/06: Privacy and HCI: Methodologies for Studying Privacy Issues
          (P&HCI), Montreal, Canada; http://www.privacymethodologies.tk
------
 5/ 1/06: Advances in Computer Security and Forensics (ACSF), Liverpool,
          UK; http://www.cms.livjm.ac.uk/acsf1/, submissions are due;
          info: Haggerty@ljmu.ac.uk
 5/ 1/06: Thread Verification (TV), Seattle, Washington;
          http://www.cs.utah.edu/tv06, submissions are due
 5/12/06: NIST Cryptographic Hash Workshop (NIST-CHW2), Santa Barbara,
          CA; http://www.nist.gov/hash-function, submissions are due
 5/16/06- 5/19/06: Conference on Trust Management (iTrust), Pisa,
          Tuscany, Italy; http://www.iit.cnr.it/iTrust2006
 5/16/06- 5/19/06: Workshop on Cluster Security (ClusterSec), Singapore;
          http://www.ncassr.org/projects/cluster-sec/ccgrid06/
 5/21/06: Workshop on Web Services Security (WSSS), Berkeley, CA;
          info: singhal@nist.gov
 5/21/06- 5/24/06: Symposium on Security and Privacy (S&P),
          Berkeley/Oakland, California;
          http://www.ieee-security.org/TC/SP2006/oakland06.html
 5/22/06- 5/24/06: IFIP TC-11 International Information Security
          Conference (SEC), Karlstad University, Sweden;
          http://www.sec2006.org
 5/28/06- 6/ 1/06: IACR Eurocrypt, St. Petersburg, Russia;
          http://www.iacr.org/conferences/eurocrypt2006/
 5/29/06: Workshop on Security and Privacy in Ad hoc and Sensor Networks
          (ESAS), Hamburg, Germany; http://www.crysys.hu/ESAS2006,
          submissions are due
 5/31/06: School on Foundations of Security Analysis and Design (FOSAD),
          Bertinoro, Italy; http://www.sti.uniurb.it/events/fosad06,
          applications are due
------
 6/ 3/06: USENIX Annual Technical Conference, Boston, Massachusetts;
          http://www.usenix.org/events/usenix06/cfp/papers.html
 6/ 4/06: Annual Computer Security Applications Conference (ACSAC),
          Miami Beach, Florida; http://www.acsac.org/2006/cfp_2006.pdf,
          submissions are due
 6/ 5/06- 6/ 7/06: Conference on Sensor Networks, Ubiquitous, and
          Trustworthy Computing (SUTC), Taichung, Taiwan;
          http://SUTC2006.asia.edu.tw/
 6/ 5/06- 6/ 7/06: Workshop on Policies for Distributed Systems and
          Networks (PDSN), London, Ontario, Canada;
          http://www.csd.uwo.ca/Policy2006
 6/ 6/06- 6/ 9/06: Applied Cryptography and Network Security (ACNS),
          Singapore; http://acns2006.i2r.a-star.edu.sg/
 6/10/06: Programming Languages and Analysis for Security (PLAS), Ottawa,
          Canada; http://www.cis.upenn.edu/~stevez/plas06.html
 6/19/06- 6/20/06: European PKI workshop: theory and practice (EuroPKI),
          Torino, Italy; http://security.polito.it/europki2006
 6/26/06- 6/28/06: Workshop on the Economics of Information Security
          (WEIS), Cambridge, England; http://www.cl.cam.ac.uk/~twm29/WEIS06/
 6/26/06: Workshop on Trust, Security and Privacy for Ubiquitous
          Computing (TSPUC), Niagara Falls, NY;
          http://www.ieee-security.org/Calendar/cfps/cfp-TSPUC2006.html
 6/28/06- 6/30/06: Privacy Enhancing Technologies (PET), Robinson
          College, Cambridge, UK; http://petworkshop.org/2006/
------
 7/ 3/06- 7/ 5/06: Australasian Conference on Information Security and
          Privacy (ACISP), Melbourne, Australia;
          http://acisp2006.it.deakin.edu.au/
 7/ 6/06- 7/ 7/06: USENIX Workshop on Steps to Reducing Unwanted Traffic
          on the Internet (SRUTI), San Jose, CA;
          http://www.usenix.org/events/sruti06/
 7/ 9/06: Workshop on Formal and Computational Cryptography (WFCC),
          Venice, Italy; http://www.lsv.ens-cachan.fr/FCC2006/
 7/10/06- 7/12/06: Information Hiding (IH), Old Town Alexandria,
          Virginia; info: ih2006@jjtc.com
 7/13/06- 7/14/06: Detection of Intrusions and Malware, and Vulnerability
          Assessment (DIMVA), Berlin, Germany;
          http://www.dimva.org/dimva2006
 7/13/06- 7/14/06: Advances in Computer Security and Forensics (ACSF),
          Liverpool, UK; http://www.cms.livjm.ac.uk/acsf1/
 7/20/06- 7/23/06: Security Issues in Adaptive Distributed Systems
          (SIADS), a session at CITSA, Orlando, Florida; peer review,
          printed proceedings
 7/27/06- 7/28/06: Conference on Email and Anti-Spam (CEAS), Mountain
          View, CA; http://www.ceas.cc
 7/31/06- 8/ 4/06: USENIX Security Symposium (USENIX-Security),
          Vancouver, BC, Canada; http://www.usenix.org/sec06/cfpc/,
          info: sec06chair@usenix.org
------
 8/ 1/06- 8/ 4/06: Workshop on Security in Ubiquitous Computing Systems
          (SecUbiq), Seoul, Korea; http://www.sitacs.uow.au/secubiq06/
 8/ 6/06: The Workshop on the Economics of Securing the Information
          Infrastructure (WESII), Arlington, VA;
          http://wesii.econinfosec.org/, submissions are due
 8/ 7/06- 8/10/06: Conference on Security and Cryptography (SECRYPT),
          Setubal, Portugal; http://www.secrypt.org/
 8/21/06- 8/27/06: Symposium on Formal Methods (FM), Ontario, Canada;
          http://fm06.mcmaster.ca/
 8/21/06- 8/22/06: Thread Verification (TV), Seattle, Washington;
          http://www.cs.utah.edu/tv06
 8/20/06- 8/23/06: IACR CRYPTO, Santa Barbara, CA;
          http://www.iacr.org/conferences/crypto2006/
 8/24/06- 8/25/06: NIST Cryptographic Hash Workshop (NIST-CHW2), Santa
          Barbara, CA; http://www.nist.gov/hash-function
 8/27/06- 8/29/06: Internet Surveillance and Protection (ICISP), Cote
          d'Azur, France; http://www.iaria.org/conferences/ICNS06.html
 8/28/06- 9/ 1/06: Workshop on the Value of Security through
          Collaboration (SECOVAL), Baltimore, MD; http://www.securecomm.org
 8/30/06- 9/ 2/06: Information Security Conference (ISC), Pythagoras,
          Greece; http://www.aegean.gr/ISC06
------
 9/10/06- 9/16/06: School on Foundations of Security Analysis and Design
          (FOSAD), Bertinoro, Italy; http://www.sti.uniurb.it/events/fosad06
 9/11/06- 9/15/06: Security and Privacy for Emerging Areas in
          Communication Networks (SecureComm), Baltimore/Washington, USA;
          http://www.securecomm.org
 9/18/06- 9/21/06: New Security Paradigms Workshop (NSPW), Schloss
          Dagstuhl, Germany; http://www.nspw.org
 9/18/06- 9/20/06: Workshop on Elliptic Curve Cryptography (ECC),
          Toronto, Canada;
          http://www.ieee-security.org/Calendar/cfps/cfp-ECC2006.html
 9/18/06- 9/20/06: European Symposium On Research In Computer Security
          (ESORICS), Hamburg, Germany; http://www.esorics06.tu-harburg.de/
 9/20/06- 9/22/06: Recent Advances in Intrusion Detection (RAID),
          Hamburg, Germany; http://www.raid06.tu-harburg.de/
 9/20/06- 9/21/06: Workshop on Security and Privacy in Ad hoc and Sensor
          Networks (ESAS), Hamburg, Germany; http://www.crysys.hu/ESAS2006
------
10/23/06-10/24/06: The Workshop on the Economics of Securing the
          Information Infrastructure (WESII), Arlington, VA;
          http://wesii.econinfosec.org/
------
11/ 1/06-11/ 3/06: Embedded Networked Sensor Systems (SenSys), Boulder,
          Colorado; http://www.isi.edu/sensys2006/
------
12/11/06-12/15/06: Annual Computer Security Applications Conference
          (ACSAC), Miami Beach, Florida;
          http://www.acsac.org/2006/cfp_2006.pdf

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers
(new since Cipher E70)
____________________________________________________________________

http://www.cs.fit.edu/~pkc/mlsec/
Journal of Machine Learning Research, Special Issue on Machine Learning
for Computer Security, 2006. (Submission due 15 March 2006)
Guest editors: Philip Chan (Florida Tech) and Richard Lippmann (MIT
Lincoln Lab)

As computers have become more ubiquitous and connected, their security
has become a major concern. Of interest to this special issue is
research that demonstrates how machine learning (or data mining)
techniques can be used to improve computer security. This includes
efforts directed at improving security of networks, hosts, and
individual applications or computer programs. Research can have many
goals including, but not limited to, authenticating users,
characterizing the system being protected, detecting known or unknown
vulnerabilities that could be exploited, using software repositories as
training data to find software bugs, preventing attacks, detecting
known and novel attacks when they occur, analyzing recently detected
attacks, responding to attacks, predicting attacker actions and goals,
performing forensic analysis of compromised systems, and analyzing
activities seen in honey pots and network "telescopes" or "black
holes." Of special interest are studies that use machine learning
techniques, carefully describe their approach, evaluate performance in
a realistic environment, and compare performance to existing accepted
approaches.
Studies that use machine learning techniques or extend current techniques to address difficult security-related problems are of most interest. It is expected that studies will have to address many classic machine learning issues including feature selection, feature construction, incremental/online learning, noise in the data, skewed data distributions, distributed learning, correlating multiple models, and efficient processing of large amounts of data. ------------------------------------------------------------------------- http://discovery.csc.ncsu.edu/JCS-SASN06 Journal of Computer Security (JCS), Special Issue on Security of Ad Hoc and Sensor Networks, 2006. (Submission Due April 1, 2006) Guest editors: Peng Ning (NC State University) and Wenliang Du (Syracuse University) Ad hoc and sensor networks are expected to become an integral part of the future computing landscape. However, these networks introduce new security challenges due to their dynamic topology, severe resource constraints, and absence of a trusted infrastructure. This Journal of Computer Security (JCS) special issue seeks submissions from academia and industry presenting novel research on all aspects of security for ad hoc and sensor networks, as well as experimental studies of fielded systems. 
Topics of interest include, but are not limited to, the following as they relate to mobile ad hoc networks or sensor networks: - Security under resource constraints (e.g., energy, bandwidth, memory, and computation constraints) - Performance and security tradeoffs - Secure roaming across administrative domains - Key management - Cryptographic Protocols - Authentication and access control - Intrusion detection and tolerance - Trust establishment, negotiation, and management - Secure location services - Secure clock distribution - Privacy and anonymity - Secure routing - Secure MAC protocols - Denial of service - Prevention of traffic analysis ------------------------------------------------------------------------- http://www.uow.edu.au/~ymu/ijsn/ International Journal of Networks and Security (IJSN), Special Issue on Cryptography in Networks, December 2006. (Submission due 1 April 2006) Guest editors: Liqun Chen (Hewlett-Packard Labs, UK), Guang Gong (University of Waterloo, Canada), Atsuko Miyaji (JAIST, Japan), Phi Joong Lee (Pohang Univ. of Science & Technology, Korea), Yi Mu (Univ. of Wollongong, Australia), David Pointcheval (Ecole Normale Supe'rieure, France), Josef Pieprzyk (Macquarie Univ., Australia), Tsuyoshi Takagi (Future Univ. - Hakodate, Japan), Jennifer Seberry (Univ. of Wollongong, Australia), Willy Susilo (Univ. of Wollongong, Australia), and Huaxiong Wang (Macquarie Uni., Australia) Cryptography plays a key role in network security. Advances of cryptography can make computer networks more secure. Computer technologies have been pushing forward computer networks for high speed and broad bandwidth. Therefore, new cryptographic methods and tools must follow up in order to adapt to these new technologies. Recent attacks on computer networks, especially on IEEE 802.11 and IEEE 802.15, are increasing, since underlying radio communication medium for wireless network provides serious exposure to attacks against wireless networks. 
Security must be enforced to suit the emerging technologies. This Special Issue aims to provide a platform for security researchers to present their newly developed cryptographic technologies in network security. Areas of interest for this special journal issue include, but are not limited to, the following topics: - Ad hoc network security - Anonymity in networks - Authentication in network and wireless systems - Cryptographic algorithms and their applications to network security - Cryptanalysis of network security schemes - Encryption in network and wireless systems - Email security - Data integrity - Fast cryptographic algorithms and their applications - Identity-based cryptography in network and mobile applications - IP security - Key management - Multicast security - Mobile and wireless system security - Privacy protection - Security group communications - Security in internet and WWW - Security in Peer-to-Peer networks - Secure routing protocols - Security in sensor networks ------------------------------------------------------------------------- http://www.site.uottawa.ca/~zhizhan/psdmspecialissue2006/index.htm International Journal of Information and Computer Security, Special Issue on Security and Privacy Aspects of Data Mining, 2006. (Submission Due April 5, 2006) Guest editors: Stan Matwin (University of Ottawa, Canada), LiWu Chang (Naval Research Laboratory, USA), Rebecca N. Wright (Stevens Institute of Technology, USA), and Justin Zhan (University of Ottawa, Canada) Rapid growth of information technologies nowadays has brought tremendous opportunities for data sharing and integration, and also demands for privacy protection. Privacy-preserving data mining, a new multi-disciplinary field in information security, broadly refers to the study of how to assure data privacy without compromising the confidentiality and quality of data. 
Although techniques, such as random perturbation techniques, secure multi-party computation based approaches, cryptographic-based methods, and database inference control have been developed, many of the key problems still remain open in this area. Especially, new privacy and security issues have been identified, and the scope of this problem has been expanded. How does the privacy and security issue affect the design of information mining algorithm? What are the metrics for measuring privacy? What impacts will this research impose on diverse areas of counter-terrorism, distributed computation, and privacy law legislation? This special issue aims to provide an opportunity for presenting recent advances as well as new research directions in all issues related to privacy-preserving data mining. This special issue is inviting original contributions that are not previously published or currently under review by other journals. We welcome both theoretical and empirical research using quantitative or qualitative methods. Areas of interest include but not limited to: - Access control techniques and secure data models - Privacy-preserving data mining - Privacy-preserving Information Retrieval - Trust management for information mining - Inference/disclosure related information mining - Privacy enhancement technologies in web environments - Privacy guarantees and usability of perturbation and randomization techniques - Analysis of confidentiality control methods - Privacy policy analysis - Privacy-preserving data integration - Privacy policy infrastructure - Privacy-preserving query systems - Identify theft protection - Privacy-aware access control - Privacy policy languages and enforcement mechanisms ------------------------------------------------------------------------- http://www.cl.cam.ac.uk/~twm29/WEIS06/ WEIS 2006 5th Workshop on the Economics of Information Security, University of Cambridge, England, June 26-28, 2006. 
(Submissions due 20 March 2006) One of the most exciting and rapidly-growing fields at the boundary between technology and the social sciences is the economics of information security. Many security and privacy failures are not purely technical: for example, the person best placed to protect a system may be poorly motivated if the costs of system failure fall on others. Many pressing problems, such as spam, are unlikely to be solved by purely technical means, as they have economic and policy aspects too. Building dependable systems also raises questions such as open versus closed systems, the pricing of vulnerabilities and the frequency of patching. The `economics of bugs' are of growing importance to both vendors and users. Original research papers are sought for the Fifth Workshop on the Economics of Information Security. Topics of interest include the dependability of open source and free software, the interaction of networks with crime and conflict, the economics of digital rights management and trusted computing, liability and insurance, reputation, privacy, risk perception, the economics of trust, the return on security investment, and economic perspectives on spam. ------------------------------------------------------------------------- http://www.ceas.cc/2006/cfp.html CEAS 2006 3rd Conference on Email and Anti-Spam, Mountain View, CA, USA, July 27-28, 2006. (Submissions due 23 March 2006) The Conference on Email and Anti-Spam (CEAS) invites short and long paper submissions on research results pertaining to a broad range of issues in email and Internet communication. Submissions may address issues relating to any form of electronic messaging, including traditional email, instant messaging, mobile telephone text messaging, and voice over IP. Issues of interest include the analysis and abatement of abuses (such as spam, phishing, identity theft, and privacy invasion) as well as enhancements to and novel applications of electronic messaging. 
------------------------------------------------------------------------- http://www.securecomm.org SecureComm 2006 2nd IEEE Communications Society/CreateNet International Conference on Security and Privacy for Emerging Areas in Communication Networks, Baltimore/Washington area, USA, Sept 11-15, 2006. (Submissions due 24 March 2006) The scope of Securecomm 2006 has been broadened since the inaugural 2005 event. Topics of interest encompass research advances in ALL areas of secure communications and networking. Topics in other areas (e.g., formal methods, database security, secure OS/software, theoretical cryptography, e-commerce) will be considered only if a clear connection to privacy and/or security in communication/networking is demonstrated. Presentations reporting on cutting-edge research results are supplemented by panels on controversial issues and invited talks on timely and important topics. Areas of interest include, but ARE NOT limited to, the following: - Security & Privacy in Wired, Wireless, Mobile, Hybrid, Sensor, Ad Hoc networks - Network Intrusion Detection and Prevention, DoS Countermeasures - Firewalls, Routers, Filters and Malware detectors - Public Key Infrastructures and Other Security Architectures - Secure Web Communication - Communication Privacy and Anonymity - Secure/Private E-commerce - Secure Routing, Naming/Addressing, Network Management - Security & Privacy in Pervasive and Ubiquitous Computing, e.g., RFIDs ------------------------------------------------------------------------- http://www.ieee-security.org/Calendar/cfps/cfp-WSSS.html WSSS 2006 IEEE Workshop on Web Services Security, Held in conjunction with the 2006 IEEE Symposium on Security and Privacy, Berkeley, California, USA, May 21, 2006. (Submissions due 30 March 2006) The advance of Web Services technologies promises to have far reaching effects on the Internet and enterprise networks. 
Web services based on eXtensible Markup Language (XML), Simple Object Access Protocol (SOAP) and related open standards in the area of Service Oriented Architectures (SOA) allow data and applications to interact without human intervention through dynamic and adhoc connections. However, the security challenges presented by the Web Services approach are formidable. Many of the features that make Web Services attractive are at odds with traditional security models and controls. This workshop will explore the challenges in the area of Web Services Security ranging from security issues in XML, SOAP and UDDI to higher level issues such as advanced metadata, general security policies and service assurance. Topics of interest include, but are not limited to the following: - Web services and GRID computing security - Authentication and authorization - Integrity and transaction management for Web Services - Use of Web Services in Trusted Computing Platform - Semantic aware Web Services security - Privacy and digital identity - Trust negotiation for Web Services - Secure web service composition and workflows ------------------------------------------------------------------------- http://www.esorics06.tu-harburg.de/ ESORICS 2006 11th European Symposium On Research In Computer Security, Hamburg, Germany, September 18-20, 2006. (Submissions due 31 march 2006) Papers offering novel research contributions in any aspect of computer security are solicited for submission to the Eleventh European Symposium on Research in Computer Security (ESORICS 2006). 
Topics include, but are not limited to: - access control - accountability - applied cryptography - authentication - covert channels - cryptographic protocols - cybercrime - data and application security - denial of service attacks - digital rights management - distributed trust management - formal methods in security - identity management - inference control - information assurance - information dissemination controls - information flow controls - information warfare - intellectual property protection - intrusion tolerance - language-based security - network security - peer-to-peer security - privacy-enhancing technology - secure electronic commerce - security as quality of service - security evaluation - security management - security models - security requirements engineering - smartcards - subliminal channels - system security - trust models - trustworthy user devices ------------------------------------------------------------------------- http://www.iwsec.org/ IWSEC 2006 1st International Workshop on Security, Kyoto, Japan, October 23-24, 2006. (Submissions due 14 April 2006) Information society based on a cyber space is facing now to the diverse threats due to the complexity of its structure in terms of networking, middleware, agents, P2P applications and ubiquitous computing with such diverse as commercial, personal, communal and public usage. What is needed with security research is to look at the issues from the interdisciplinary viewpoints. 
Papers may present theory, applications or practical experiences on topics including, but not limited to: - Fundamental Tools for Information Security - Network and Distributed Systems Security - Privacy Enhancing Technology - Secure Living and Working Environments - Security in Commerce and Government - Security Management - Software and System Security - Protection of Critical Infrastructures - Testing, Verification and Certification - Law, Policy, Ethics and Related Technologies ------------------------------------------------------------------------- http://www.etrics.org/workshop_mosids.php MOSIDS 2006 Workshop on Management of Security in Dynamic Systems, Held in conjunction with the International Conference on Emerging Trends in Information and Communication Security (ETRICS?6), Freiburg, Germany, June 6-9, 2006. (Submissions due 15 April 2006) This workshop focuses primarily on modern, outstanding approaches to provide security guarantees in dynamic systems, as well as practical experiences on deploying secure ubiquitous computing applications. Thematically, this workshop focuses on, but is not restricted to: - Scenarios and applications for dynamic systems - Security architectures and mechanisms for dynamic systems - Policy languages for changing requirements - Mapping changing requirements into IT - Service engineering for secure dynamic systems - Dependability in spite of change ------------------------------------------------------------------------- http://www.lsv.ens-cachan.fr/FCC2006/ FCC 2006 Workshop on Formal and Computational Cryptography, Venice, Italy, July 9, 2006. (Submissions due 16 April 2006) Cryptographic protocols are small distributed programs that add security services, like confidentiality or authentication, to network communication. Since the 1980s, two approaches have been developed for analyzing security protocols. One of the approaches relies on a computational model that considers issues of complexity and probability. 
The other approach relies on a symbolic model of protocol executions in which cryptographic primitives are black boxes. The workshop focuses on the relation between the symbolic (Dolev-Yao) model and the computational (complexity-theoretic) model. Recent results have shown that in some cases the symbolic analysis is sound with respect to the computational model. A more direct approach which is also investigated considers symbolic proofs in the computational model. Research that proposes formal models sound for quantum security protocols are also relevant. The workshop seeks results in any of these areas. ------------------------------------------------------------------------- http://www.nspw.org NSPW 2006 New Security Paradigms Workshop, Schloss Dagstuhl, Germany, Sept 18-21, 2006. (Submissions due 20 April 2006) NSPW is a unique workshop that is devoted to the critical examination of new paradigms in security. Each year, since 1995, we examine proposals for new principles upon which information security can be rebuilt from the ground up. We conduct extensive, highly interactive discussions of these proposals, from which we hope both the audience and the authors emerge with a better understanding of the strengths and weaknesses of what has been discussed. NSPW aspires to be the philosophical and intellectual breeding ground from which a revolution in the science of information security will emerge. We solicit and accept papers on any topic in information security subject to the following caveats: - Papers that present a significant shift in thinking about difficult security issues are welcome. - Papers that build on a recent shift are also welcome. - Contrarian papers that dispute or call into question accepted practice or policy in security are also welcome. - We solicit papers that are not technology-centric, including those that deal with public policy issues and those that deal with the psychology and sociology of security theory and practice. 
- We discourage papers that represent established or completed works as well as those that substantially overlap other submitted or published papers. - We discourage papers which extend well-established security models with incremental improvements. - We encourage a high level of scholarship on the part of contributors. Authors are expected to be aware of related prior work in their topic area, even if it predates Google. In the course of preparing an NSPW paper, it is far better to read an original source than to cite a text book interpretation of it. ------------------------------------------------------------------------- http://www.dfrws.org DFRWS 2006 6th Annual Digital Forensic Research Workshop, Lafayette, Indiana, USA, August 14-16, 2006. (Submissions due 21 April 2006) The purpose of this workshop is to bring together researchers, practitioners, and educators interested in digital forensics. We welcome the participation of people in industry, government, law enforcement, and academia who are interested in advancing the state of the art in digital forensics by sharing their results, knowledge, and experiences. The accepted papers will be published in printed proceedings. We are looking for research papers, demo proposals, and panel proposals. 
Major areas of interest include, but are not limited to, the following topics: - Incident response and live analysis - OS and application analysis - Multimedia analysis - File system analysis - Memory analysis - Network analysis - Data hiding and recovery - Event reconstruction - Large-scale investigations - Data mining techniques - Automated searching - Tool testing and development - Digital evidence storage formats - Digital evidence and the law - Traceback and attribution - Physical media analysis - Case studies and trend reports - Non-traditional approaches to forensic analysis ------------------------------------------------------------------------- http://www.unisantos.br/sbseg2006/english/ SBSEG 2006 6th Brazilian Symposium on Information and Computer Systems Security, Santos, Brazil, August 28 - September 01, 2006. (Submissions due 24 April 2006) The 6th Brazilian Symposium on Information and Computer System Security is an annual event promoted by the Brazilian Computer Society (SBC). Its main goal is to provide a forum for presenting new research ideas and other relevant activities in the area of information systems security. 
Topics of interest for SBSeg 2006 include but are not limited to the following: - cryptographic algorithms and techniques - legal aspects of data and systems security - audit and system security assessment - biometry - software assurance - electronic commerce - computational forensics - mobile devices, embedded systems and wireless networks - cryptographic hardware, RFID devices, smart cards - public-key infrastructure - data integrity and data confidentiality - contingency planning and disaster recovery - autentication techniques - access control models and techniques - digital TV, and multimedia content - standardization - software piracy - security policy - security protocols - security in grids, P2P and overlay networks - security in middleware (Java RMI, J2EE, CorbaSec, .Net) - security in web services (WS-Security, SOAP, XML, XACML) - distributed systems security - operating systems security - secure systems development techniques - firewall technology - intrusion detection and other vulnerabilities - electronic voting - virus, worms and malicious codes ------------------------------------------------------------------------- http://www.acm.org/sigs/sigcomm/sigcomm2006/php/?lsad LSAD 2006 ACM SIGCOMM workshop on Large Scale Attack Defense, Held in conjunction with ACM SIGCOMM 2006, Pisa, Italy, September 11, 2006. (Submissions due 30 April 2006) In recent years, we have seen an increasing number of large-scale attacks, such as severe worms and DDoS attacks, threatening our systems and networks. Especially, fast spreading attacks present a serious challenge to today's attack defense systems. Speed, frequency, and damage potential of these attacks call for automated response systems. 
Research in automated defense systems for Internet-wide attacks is focused on large-scale monitoring infrastructures, such as network telescopes and honeynets; intrusion detection approaches, such as memory tainting, network anomaly detection, automated defense strategies, such as signature generation distribution; and identification and analysis of future threats, such as obfuscation methods and novel spreading techniques. The goal of this one day workshop is to explore new directions in monitoring, analysis, and automated defense systems for existing and future large-scale attacks. We invite experts from academia and industry, to discuss and exchange ideas in a broad range of topics. We are soliciting original papers on topics (including, but not limited to) listed below. - Automated attack detection and classification - Monitoring and measurement studies - Anomaly detection - Reactive and proactive defense systems - Modelling and analysis of propagation dynamics - Future challenges for attack defense systems - Vulnerability assessment methods - Countermeasure evaluation methods - Honeypot infrastructures - Honeypot detection and counter-detection - Forensics - Malcode analysis ------------------------------------------------------------------------- http://www.acm.org/sigs/sigsac/ccs/CCS2006/ CCS 2006 13th ACM Conference on Computer and Communications Security, Alexandria, VA, USA, October 30 - November 3, 2006. (Submissions due 3 May 2006) The conference seeks submissions from academia and industry presenting novel research on all theoretical and practical aspects of computer security, as well as case studies and implementation experiences. Papers should have practical relevance to the construction, evaluation, application, or operation of secure systems. Theoretical papers must make convincing argument for the practical significance of the results. Theory must be justified by compelling examples illustrating its application. 
The primary criterion for appropriateness for CCS is demonstrated practical relevance. CCS may therefore reject perfectly good papers that are appropriate for theory-oriented conferences. Topics of interest include: - anonymity - access control - secure networking - accounting and audit - trust models - key management - intrusion detection - authentication - smartcards - security location services - data and application security - privacy-enhancing technology - inference/controlled disclosure - intellectual property protection - digital rights management - trust management policies - phishing and countermeasures - commercial and industry security - security management - database security - applied cryptography - peer-to-peer security - security for mobile code - cryptographic protocols - data/system integrity - information warfare - identity management - security in IT outsourcing ------------------------------------------------------------------------- http://www.cdcju.org.in/iciss2006/ ICISS 2006 2nd International Conference on Information Systems Security, Kolkata, India, December 17-21, 2006. (Submissions due 8 May 2006) ICISS conference presents a forum for disseminating the latest research results in Information Systems Security and related areas. 
Topics of interest include but are not limited to: - Authentication and Access Control - Mobile Code Security - Key Management and Cryptographic Protocols - E-Business / E-Commerce Security - Privacy And Anonymity - Intrusion Detection and Avoidance - Security Verification - Database and Application Security and Integrity - Digital Rights Management - Security In P2P, Sensor and Ad Hoc Networks - Secure Web Services - Fault Tolerance and Recovery Methods For Security Infrastructure - Threats, Vulnerabilities and Risk Management - Commercial and Industrial Security ------------------------------------------------------------------------- http://www.nist.gov/hash-function NIST-CHW 2006 2nd Cryptographic Hash Workshop, Santa Barbara, California, USA, August 24-25, 2006. (Submissions due 12 May 2006) In response to the SHA-1 vulnerability that was announced in Feb. 2005, NIST held a Cryptographic Hash Workshop on Oct. 31-Nov. 1, 2005 to solicit public input on its cryptographic hash function policy and standards. NIST continues to recommend a transition from SHA-1 to the larger approved hash functions (SHA-224, SHA-256, SHA-384, and SHA-512). In response to the workshop, NIST has also decided that it would be prudent in the long-term to develop an additional hash function through a public competition, similar to the development process for the block cipher in the Advanced Encryption Standard (AES). Before initiating the competition, NIST plans to host several more public workshops that will focus on hash function research. The next workshop will be held on August 24-25, 2006, in conjunction with Crypto 2006, with the following goals: - Explore potential mathematical principles and structures that can provide the foundation for cryptographic hash functions; - Foster accelerated research on the analysis of hash functions, especially the SHA-2 hash functions; - Survey the uses of hash functions, and investigate the properties that are assumed, used, or needed. 
Identify and articulate the required or desirable properties for future hash functions. Topics for submissions should include, but are not limited to, the following: Mathematical Foundations - Iterative structures, i.e., Damgaard-Merkle or alternatives - Compression function constructions, e.g. Davies-Meyer - Hashing modes, e.g. randomized hashing or keyed hashing - Formal properties Analysis and Design - Analysis and design of hash functions and their components - New cryptanalytic techniques against hash functions - Security report on existing hash functions, especially SHA-2 - Tools for designing and analyzing compression functions - Provable properties of compression functions, e.g., reductions to hard problems. Practical Uses and Pitfalls - Uses of hash functions in applications and protocols - Properties of hash functions that are assumed, required, or obtained in practice - Vulnerabilities of hash functions caused by unexpected properties or misuse - Desirable properties for future hash functions ------------------------------------------------------------------------- http://events.iaik.tugraz.at/RFIDSec06/CfP/index.htm RFIDSec 2006 Workshop on RFID Security, Graz, Austria, July 12-14, 2006. (Submissions due 22 May 2006) The Workshop on RFID Security 2006 focuses on approaches to solve security issues in advanced contactless technologies like RFID systems. It stresses implementation aspects imposed by resource constraints. 
Topics of the workshop include but are not limited to: - New applications for secure RFID systems - Privacy-enhancing techniques for RFID - Cryptographic protocols for RFID (Authentication, Key update, Scalability issues) - Integration of secure RFID systems (Middleware and security, Public-key Infrastructures) - Resource-efficient implementation of cryptography (Small-footprint hardware, Low-power architectures) ------------------------------------------------------------------------- http://www.crysys.hu/ESAS2006/ ESAS 2006 3rd European Workshop on Security and Privacy in Ad hoc and Sensor Networks, Held in conjunction with the European Symposium on Research in Computer Security (ESORICS 2006), Hamburg, Germany, September 20-21, 2006. (Submissions due 29 May 2006) The vision of ubiquitous computing has generated a lot of interest in wireless ad hoc and sensor networks. However, besides their potential advantages, these new generations of networks also raise some challenging problems with respect to security and privacy. The aim of this workshop is to bring together the network security, cryptography, and wireless networking communities in order to discuss these problems and to propose new solutions. The third ESAS workshop seeks submissions that present original research on all aspects of security and privacy in wireless ad hoc and sensor networks. Submission of papers based on work-in-progress is encouraged. 
Topics of interest include, but are not limited to the following:
- Privacy and anonymity
- Prevention of traffic analysis
- Location privacy
- Secure positioning and localization
- Secure MAC protocols
- Secure topology control
- Secure routing
- Secure context aware computing
- Secure in-network processing
- Attack resistant data aggregation
- Cooperation and fairness
- Key management
- Trust establishment
- Embedded security
- Cryptography under resource constraints
- Distributed intrusion detection

-------------------------------------------------------------------------
http://www.ida.liu.se/conferences/nordsec06/
NordSec 2006 11th Nordic Workshop on Secure IT-systems, Linkoping, Sweden,
October 19-20, 2006. (Submissions due 10 June 2006)

The NordSec workshops started in 1996 with the aim of bringing together
researchers and practitioners within computer security in the Nordic
countries. The theme of the workshop has been applied security, i.e. all
kinds of security issues that could encourage interchange and cooperation
between the research community and the industrial/consumer community.
Possible topics include, but are not limited to the following:
- Anonymity and Privacy
- Applied Cryptography
- Computer Crime
- Information Warfare
- E- and M-Business Security
- Inter/Intra/Extranet Security
- Intrusion Detection
- Language-Based Security
- New Firewall Technologies
- New Ideas and Paradigms for Security
- Operating System Security
- Phishing and Anti-Phishing
- PKI and Key Escrow
- Privacy-Preserving Data-Mining
- Security Education and Training
- Security Evaluations and Measurements
- Security Management and Audit
- Security of Commercial Products
- Security Models
- Security Protocols
- Smart Card Applications
- Software Security
- Web Services Security
- Wireless Communication Security
- Trust and trust management

-------------------------------------------------------------------------
http://cis.sjtu.edu.cn/cans2006/index.htm
CANS 2006 5th International Conference on Cryptology and Network Security,
Suzhou, China, December 8-10, 2006. (Submissions due 20 June 2006)

The main goal of this conference is to promote research on all aspects of
network security and cryptology. It is also the goal to build a bridge
between research on cryptography and network security. So, we welcome
scientific and academic papers that focus on this multidisciplinary area.

Areas of interest for CANS '06 include, but are not limited to, the
following topics:
- Ad Hoc Network Security
- Access Control for Networks
- Anonymity and internet voting
- Cryptology
- Denial of Service
- Fast Cryptographic Algorithms
- Information Hiding
- Intrusion Detection
- IP Security
- Multicast Security
- PKI
- Phishing
- Router Security
- Secure E-Mail
- Secure protocols (SSH, SSL, ...)
- Spam
- Spyware
- Scanning

-------------------------------------------------------------------------
http://wesii.econinfosec.org/
WESII 2006 The Workshop on the Economics of Securing the Information
Infrastructure, Arlington, VA, USA, October 23-24, 2006.
(Submissions due 6 August 2006)

Our information infrastructure suffers from decades-old vulnerabilities,
from the low-level algorithms that select communications routes to the
application-level services on which we are becoming increasingly dependent.
Are we investing enough to protect our infrastructure? How can we best
overcome the inevitable bootstrapping problems that impede efforts to add
security to this infrastructure? Who stands to benefit and who stands to
lose as security features are integrated into these basic services? How can
technology investment decisions best be presented to policymakers? We
invite infrastructure providers, developers, social scientists, computer
scientists, legal scholars, security engineers, and especially policymakers
to help address these and other related questions.

Suggested topics (not intended to be comprehensive):
- The economics of deploying security into: The Domain Name System (DNS),
  BGP & routing infrastructure, Email & spam prevention, Programming
  languages, Legacy code bases, User interfaces, and Operating systems
- Measuring the cost of adding security
- Models of deployment penetration
- Empirical studies of deployment
- Measuring/estimating damages
- Code origin authentication
- Establishing roots of trust
- Identity management infrastructure
- Data archival and warehousing infrastructure
- Securing open source code libraries
- Adding security to/over existing APIs
- Liability and legal issues
- Internet politics
- Antitrust Issues
- Privacy Issues

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================

Vrije Universiteit Amsterdam, The Netherlands
Several postdoc positions
Deadline: 01 April 2006
http://www.cs.vu.nl/~ast/jobs/postdoc.html
--------------
The full list of positions is at http://cisr.nps.navy.mil/jobscipher.html

This job listing is maintained as a service to the academic community. If
you have an academic position in computer security and would like to have
it included on this page, send the following information: Institution,
City, State, Position title, date position announcement closes, and URL of
position description to: irvine@cs.nps.navy.mil

====================================================================
Interesting Links and Reports Available via FTP and WWW
====================================================================

"Reports Available" links from previous issues of Cipher are archived at
http://www.ieee-security.org/Cipher/NewReports.html and
http://www.ieee-security.org/Cipher/InterestingLinks.html

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to
   cipher-admin@ieee-security.org (which is NOT automated) with subject
   line "subscribe".

   OR send a note to cipher-request@mailman.xmission.com with the subject
   line "subscribe" (this IS automated - thereafter you can manage your
   subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is
   available for Web browsing send e-mail to cipher-admin@ieee-security.org
   (which is NOT automated) with subject line "subscribe postcard".
   OR send a note to cipher-postcard-request@mailman.xmission.com with the
   subject line "subscribe" (this IS automated - thereafter you can manage
   your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to
cipher-admin@ieee-security.org with subject line "unsubscribe" or, if you
have subscribed directly to the xmission.com mailing list, use your
password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way.
It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a
NEWSletter, not a bulletin board or forum. It has a fixed set of
departments, defined by the Table of Contents. Please indicate in the
subject line for which department your contribution is intended.

Calendar and Calls-for-Papers entries should be sent to
cipher-cfp @ ieee-security.org and they will be automatically included in
both departments. To facilitate the semi-automated handling, please send
either a text version of the CFP or a URL from which a text version can be
easily obtained. For Calendar entries, please include a URL and/or e-mail
address for the point-of-contact. For Calls for Papers, please submit a
one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY.
All reuses of Cipher material should respect stated copyright notices, and
should cite the sources explicitly; as a courtesy, publications using
Cipher material should obtain permission from the contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security
and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy by completing the on-line
form at IEEE at http://www.computer.org/TCsignup/index.htm

______________________________________________________________________
TC Publications for Sale
______________________________________________________________________

IEEE Security and Privacy Symposium

The 2005 Symposium proceedings are available for $25 plus shipping and
handling. The 2004 proceedings are $20 plus shipping and handling; the 2003
proceedings are $15 plus shipping and handling. A CD of the 2000-2001
proceedings is $15 plus shipping and handling.

Shipping is $4.00/volume within the US, overseas surface mail is $7/volume,
and overseas airmail is $11/volume, based on an order of 3 volumes or less.
The shipping charge for a CD is $1 per CD (no charge if included with a
hard copy order).

Send a check made out to the IEEE Symposium on Security and Privacy to the
TC treasurer (see officers, below) with the order description, including
shipping method, and send email to Deborah Shands (shands@aero.org) with
the shipping address, please.

IEEE CS Press

Back issues of TC publications may be available; contact Jonathan Millen
for information about the Computer Security Foundations Workshop.
______________________________________________________________________
TC Officer Roster
______________________________________________________________________

Chair:
Jonathan Millen
The MITRE Corporation
Mail Stop S119
202 Burlington Road Rte. 62
Bedford, MA 01730-1420
781-271-51 (voice)
jmillen@mitre.org

Past Chair:
Heather Hinton
IBM Software Group - Tivoli
11400 Burnett Road
Austin, TX 78758
+1 512 838 0455 (voice)
hhinton@us.ibm.com

Vice Chair:
Prof. Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department
Code CS/IC
Monterey CA 93943-5118
(831) 656-2461 (voice)
irvine@cs.nps.navy.mil

Chair, Subcommittee on Academic Affairs:
Prof. Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department
Code CS/IC
Monterey CA 93943-5118
(831) 656-2461 (voice)
irvine@cs.nps.navy.mil

Chair, Subcommittee on Standards:
David Aucsmith
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
425-706-9225 (voice)
425-936-7329 (fax)
awk@microsoft.com

Chair, Subcomm. on Security Conferences:
Jonathan Millen
The MITRE Corporation
Mail Stop S119
202 Burlington Road Rte. 62
Bedford, MA 01730-1420
781-271-51 (voice)
jmillen@mitre.org

2006 SRSP Conference Treasurer:
Terry Benzel
USC ISI
4676 Admiralty Way
Marina Del Rey, CA 90292
tbenzel@isi.edu
(310) 822-1511
(310) 823-6714 (fax)

Newsletter Editor & 2006 SRSP General Chair:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Salem, UT 84653
cipher-editor@ieee-security.org

________________________________________________________________________

BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year