============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 74                                  September 18, 2006

Hilarie Orman, Editor                    Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org        cipher-assoc-editor @ ieee-security.org

Robert Bruen                             Yong Guan
Book Review Editor                       Calendar Editor
cipher-bookrev @ ieee-security.org       cipher-cfp @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year

Contents:

* Letter from the Editor
* Commentary and Opinion
  o Bob Bruen's review of "Hacking the Cable Modem" by DerEngel
  o Review of USENIX Security (Vancouver, BC, Canada, 7/31 - 8/4/06) by Jeremy Epstein
  o Short review of the Detection of Intrusions and Malware & Vulnerability Assessment Conference (DIMVA) 2006 (Berlin, Germany, July 13-16, 2006) by Sven Dietrich
  o Richard Austin's review of "Securing Storage: A Practical Guide to SAN and NAS Security" by Himanshu Dwivedi
  o News items: Spoofing some RSA signatures; NIST's 2nd Cryptographic Hash Workshop; AOL's Privacy Offense; Spam and Internet Route Spoofing
  o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website www.ieee-security.org/cipher.html
* Conference and Workshop Announcements
  o Calendar of events
  o Upcoming calls-for-papers
* List of Computer Security Academic Positions, by Cynthia Irvine
* Staying in Touch
  o Information for subscribers and contributors
  o Recent address changes
* Links for the IEEE Computer Society TC on Security and Privacy
  o Becoming a member of the TC
  o TC Officers
  o TC publications for sale
====================================================================
Letter from the Editor
====================================================================

Dear Readers:

This issue marks the exodus of our book review editor, Bob Bruen, who has served Cipher for 10 years. Bob is an avid reader and has shared his impressions, good and bad, of books ranging over the huge spectrum of our field. After having done over 100 reviews, he is taking leave of us, and I'll certainly miss his contributions. This leaves a marvelous opening in our newsletter staff. If you are in the habit of reading one security relevant book a month, consider becoming a book reviewer for Cipher. It's fun, it's easy, and you'll reach a couple of thousand people with each issue. Send email with a sample review to cipher-editor @ ieee-security.org if you are interested.

Volunteers like Bob are the foundation of this newsletter's existence. For example, we have a book review from Richard Austin, and two conference reviews this month by Sven Dietrich and Jeremy Epstein, reporting on DIMVA and USENIX Security respectively. Personal viewpoints on conference papers and panels are a great way to expand the influence of the conferences to those who don't travel to every event.

Yong Guan is our Calendar Editor, and his timely updates to the Calls-for-Papers have continued to make this a valuable resource for the security research community. I had a glitch in the process for getting the CFP updates onto the website, and if your CFP was late in being posted, I apologize. To really screw things up you need a computer, but a computer and a human acting at cross-purposes can beat all other possibilities hands down.

Speaking of CFPs, the one for the next Security and Privacy Symposium (aka Oakland) is now available. This newsletter and the Symposium are operated under the auspices of the IEEE Computer Society's Technical Committee on Security and Privacy, and as a member of that committee I commend the conference to you as an excellent venue for the best research in the field.

Watch out for exponent 3 in public keys, and don't tell your innermost secrets to your search engine.

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Bob Bruen 9/14/06
____________________________________________________________________

Hacking the Cable Modem
by DerEngel
No Starch Press 2006.
ISBN 1-59327-101-8
290 pages; 4 Appendices; Index

Just when I thought the old style tradition of hacking was lost forever, I was thrilled to discover "Hacking the Cable Modem." The security industry has moved towards defense, public descriptions of vulnerabilities, policy making and other characteristics of a fairly mature industry. This is not a criticism, but rather an acknowledgment that the world has changed, resulting in a loss of innocence when it comes to exploring new technology for the sake of understanding it. The word "hacking" has taken on a pejorative connotation which belongs to the little used term "cracker." The struggle between those who want to understand systems has moved into the war between law enforcement and criminals. The war also encompasses legal battles between organizations like the Electronic Frontier and the federal government and certain segments of industry. The escalation has taken the fun out of playing with technology.
Thus it is refreshing to see a book written by a next generation hacker who works in the old tradition. It is also satisfying to see the thoroughness of his work. The entire process of hacking a cable modem is described in teaching-style format with illustrations, photos and screenshots. And I mean the entire process, from hardware through software to hacking.

Starting with hardware, there are instructions on building cables, opening up the cable modem, soldering and unsoldering, accompanied by schematics and a parts list. Even if you were not interested in cable modems per se, this is a great introduction to working with hardware.

The software side covers several areas. The assembly language for cable modems is not the same as for the ubiquitous ix86 architecture, so you get to learn about cross-compilers. As an expert hacker, DerEngel also explains how and why SNMP and MIBs matter to cable modems. The next area of software is the software he and his associates have developed for hacking the cable modems. The software is generally available at www.tcnsio.net, although some of it requires registration. The software ranges from sniffers to firmware changers and hex editors and configuration file editors. The collection is definitely worth investigating.

Clearly, this is all about reverse engineering the hardware and software of the cable modems, but it is also about the standards for cable modems. The Data Over Cable Service Interface Specification (DOCSIS) is public, even if the specs for the particular modem may not be. The history of specification development generally is sordid, even though it eventually works itself out. The DOCSIS specification is no exception, and the implementation of the specs is not always well done, hence the backdoors, buffer overflows and so forth. With about 100 million cable modems out there connecting various pieces of the Internet, it seems obvious that they need to be researched.

If you use one of the cable modems, you need to read this book. One of the many great features of the book is a product review of modems with ratings, hackability, prices and description. This is a really informative, well done book and highly recommended. And I even used the book to poke around in my own cable modem. Thanks RH.

------------------------------------------------------------------------

This is my last book review for Cipher. My first was in November 1996 and ten years seems to be a good marker. I am grateful to have had the opportunity to read lots of books and write about the best of them. It was especially gratifying to do this while the industry was going through amazing changes. I was lucky to have great editors from day one until now. My hope is that I was of use to at least some of you.

bob bruen

____________________________________________________________________
Review of USENIX Security
Vancouver, BC, Canada, 7/31 - 8/4/06
by Jeremy Epstein
____________________________________________________________________

USENIX Security 2006 was held in Vancouver BC. Having fled the 95 degree heat of the east coast, the 20 degree temperatures of Vancouver were a welcome change. The fact that 95 was Fahrenheit and 20 was Celsius made it even more pleasant.

On Tuesday, I attended Metricon 1.0, an invitational workshop to discuss metrics for information security. This workshop, put on by an ad hoc group of people involved in a discussion on www.securitymetrics.org, was intended to stimulate discussions, which it did. Whether it came up with any results is another question still to be determined. The key results are that many groups are trying to do security measurements, but at this point it's unclear which measurements actually correlate to security. Organizations (both vendors & end-users) are reluctant to disclose their actual metrics.
One of the big debates is whether metrics should be top-down (figure out what we want to know, and go out to measure it) vs. bottom-up (figure out what we *can* measure, and see how this correlates to security). This is an area with plenty of research left to be done.

One of the more interesting presentations was about how the US Department of Homeland Security allocates funding to cities for (non-cyber) threats, by creating a 2x2 matrix of effectiveness vs. risk, and then allocating funds primarily based on those facilities that are high risk *and* high effectiveness. There are two outliers - New York and Washington, which both have very high risk - New York didn't get much because it "deserved" all of the pot, and Washington didn't get much because of lack of effectiveness. Thus the widely reported results that small towns in Nebraska got more money than NYC or DC. A detailed report from Dan Geer will be in an upcoming issue of USENIX ";login:".

**editorial comments by Epstein**

Most of the talks at the conference were quite interesting. However, I believe that publishing papers on yet another way to prevent buffer overrun attacks (or other similar sorts of things which we know how to solve - e.g., by using type-safe languages) is an inappropriate use of both research funding and conference space. So even though some of the techniques are quite clever, I propose that conferences (and USENIX Security is the biggest offender in my mind) should simply reject papers that purport to provide another way to solve problems that can be solved by switching to type-safe languages. Just because it's novel doesn't mean it's appropriate.

**end editorial**

Among the more interesting talks in the conference itself:

Richard Clarke, CEO of Good Harbor Consulting and former presidential advisor, gave a non-technical talk about how little progress has been made since 9/11. His speech was a top-to-bottom criticism of how the Bush administration has focused its energy and spent money on security over the past five years. As examples, he criticized the efforts to kill al Qaeda leaders without changing the underlying worldview (which has allowed al Qaeda to transform from a hierarchical organization to a group of loosely affiliated terrorist groups). He made the analogy to the French experience in Algeria in the 1950s, where the French tactics alienated the Algerian public, causing a new generation of terrorists, so even when the French killed the leaders, it had no long-term impact since there were replacements ready. Clarke argued that the metrics of success in Iraq should be things like economy, stability, etc. - but unemployment is >30%, and oil output & electricity below where they were under Saddam.

He then talked about what's happened in specific areas of homeland security:

o Rail systems - working with ABC News, they left backpacks (which could have been filled with explosives) in train systems everywhere in the US, and none were looked at (they put cameras in the backpacks so they could tell whether there was an examination).

o Chemical plants - 123 plants in the US that have lethal chemicals (mostly for water treatment plants) and have 1M people within 5 miles (if one were attacked, would expect 17K casualties) - Congress is still debating what to do.

o GAO released report showing that staffers (unsure if GAO employees or contractors) entered US over Mexican border using false IDs - in many cases, they were not asked for any ID at all!!! (Reverse profiling - they "looked OK").

o Red/yellow/green homeland security alert system disappeared abruptly after presidential election.

Turning to cybersecurity, Clarke commented that in his tenure they released the national strategy for securing cyberspace - but almost none of it has been implemented. The strategy said that government should fund research for more resilient systems, which used to be paid for by DARPA, but Secretary Rumsfeld took that charter away from DARPA and put it into DHS, where spending has been declining. The President's commission on science issued a "scathing" report on cyber security, including underfunding of research. Clarke called for regulation for critical infrastructure where needed, such as regulation for cybersecurity of electric power systems - the Federal Electric Regulatory Commission (FERC) has authority to do regulation, but is ideologically opposed to regulation. Similarly, the FCC has refused to regulate ISPs to force a cybersecurity standard, online banking, etc.

His talk was definitely worth reading/watching; so far I haven't been able to find a recording, but I know it was recorded.

------------

Sonja Chiasson, Carleton University - Usability Study & Critique of Two Password Managers

This presentation compared two tools (PwdHash (USENIX Security 2005) and Password Multiplier (WWW2005)) for usability by non-expert users. While the sample sizes were small, they found relatively little difference in usability between the two - unfortunately, finding that neither was particularly usable. Users didn't try to bypass the security provided, but did it anyway because it wasn't obvious when to type their "real" password and when to type the "fake" password. Not surprisingly, the problems were increased because users did not read the provided instructions.

Yingjui Li, Singapore Management University - On the Release of CRLs in Public Key Infrastructure

The essence of this presentation is that certificates do not "decay" at a constant rate. In fact, the rate is exponential - if a certificate isn't revoked within a relatively short time of issuance, it's unlikely to ever get revoked. This was determined by an empirical study of certificates issued by VeriSign (by looking at their public CRLs).
The reasons why this happens are a matter of conjecture. They present some formulas to argue how often certificate issuers should update CRLs. Not addressed by the authors (but the real meat of the matter to me) is what this means for CRL caching - if I get a certificate and it's more than days old, then I can rely on an old CRL with high probability, while if it's less than days old I always want to get the newest CRL. Also not addressed is whether this is universal, or unique to VeriSign issued certificates. [My hunch is that the pattern is different for DoD issued certificates.] There's also what felt like a bad assumption - that issuing a CRL costs US$10K - but no justification where they came up with that cost.

Usable Security: Quo Vadis? (Panel)

Tina Whalen, Dalhousie University: We've made some progress in making security usable. We're less likely to say human security errors are due to users being stupid - less blaming the victim. There's more recognition in the security community of the need to involve user studies. What's being neglected is that we're not seeing many ideas being deployed, especially alternate password schemes - people are doing the same things they've already done. There's little in the larger context of security deployment, such as ethnographic studies. Studies aren't as nuanced as other areas of HCI - less attention is paid to user types. We need to take user study seriously - be careful not to do just "any" study and call it good. Additionally, there are the tensions of interdisciplinary research - can one person have enough expertise & time to perform well in both spheres? We need to have mixed teams of specialists. Research that's weak on one side can sneak in via non-expert reviewers on the other side (e.g., bad HCI work may be accepted into security conferences, and vice versa). What we don't need more of is alternate password schemes (e.g., graphical schemes) unless they're particularly certain to be deployed or are brilliant research. And we definitely don't need any more paper titles involving the word "Johnny"!

Dirk Balfanz, PARC: The most interesting part was what he doesn't want to see in terms of security & HCI research: (1) systems the author isn't even using, (2) systems that require a global PKI (clearly not going to happen), (3) "flexible" access control systems without a UI - if it can have time-based access, etc., can the user understand what's really going on, and (4) systems that teach users (as opposed to systems informed by users) - we need to build systems based on what users do, not what we want them to do; example is Graffiti for Palm (which had to teach users) vs. handwriting analysis.

Paul van Oorschot, Carleton University: Paul tried to answer the question why hasn't there been more HCISec research? His answers: (1) lack of (true) recognition of importance, (2) perception - outside scope of security research, (3) unclear how to get started, (4) suitable venues for publishing results, (5) unclear what the interesting open problems are, (6) interdisciplinary research is hard - can't learn HCI you need in a day, or security in a day, and (7) methods, techniques, and metrics for measuring results. He suggested that an interesting topic is misconfiguration of firewalls, others

Andy Ozment, MIT Lincoln Labs - Milk or Wine: Does Software Security Improve with Age

This is a study that looked at whether software improves with age (like wine) or turns sour (like milk) as measured by the number of vulnerabilities detected in a piece of software over a long period of time - that is, whether the number of bugs converges. They looked at OpenBSD over more than a decade, and sorted out those bugs that were originally there but took time to find versus those that were introduced as new features were added. There are many simplifying assumptions in the study, but it was still *slightly* encouraging - but it took six years to find half the known vulnerabilities. Given the rate of increase in software complexity, this doesn't seem very hopeful. Further, because their study focused on a piece of code that had long been focused on security, the results probably would have been worse with most other products. There's been no attempt to correlate vulnerabilities with authors, to see if there are some people who just write better code (from a security perspective).

Ben Cox, Univ of Virginia - A Deterministic Approach to Software Randomization

They try to introduce artificial diversity by having a sack full of changes they can make, and then comparing the results of running several instances. This is harder than it sounds, because if all of the instances (for example) are updating an external database, the versions can interfere with each other. Additionally, it's not effective to compare the results of every instruction, so they provide wrappers around system calls and compare the states at system call times. The wrappers differ in how they operate - read() causes the data to be read once and shared among the instances, while setuid() has to be done for every instance. The instances have to be kept synchronized, so overall performance is the slowest of the instances. Under light load, they saw a 17% performance hit, while for heavy load, the performance hit was about 2 - 3 times. Some system calls can't be effectively handled, like mmap(), since each instance that modifies a memory mapped file is modifying the same file. They hadn't considered whether this sort of artificial diversity would work for Java code.
Panel: Major Security Blunders of the Past 30 Years

Matt Blaze, Univ of Pennsylvania: Matt talked about how bank alarm systems can be subverted through non-technical means, by simply deliberately setting off the alarm, waiting for the police to respond and discover that nothing is wrong, setting off the alarm again, etc., until the police stop responding, at which point the actual attack takes place. This is an example of where people *are* paying attention to security, but can be defeated through false positives. His favorite bug was an implementation of telnet that used 56-bit DES to encrypt the session - when they upgraded to a new version of the crypto library that properly enforced the parity bits in DES, it silently failed open (because the parity was wrong 255/256 times - 8 parity bits out of 64 total bits). So an improvement to security (properly implementing the DES standard) dramatically weakened security.

Virgil Gligor, Univ of Maryland: Virgil offered three blunders: (1) The Morris worm (first tangible exploit of a buffer overflow; the concept had been known but ignored), but we're still making the same mistakes. (2) Multi Level Secure operating systems and database systems, which sucked up all of the research funding for years, even though there was no actual market for MLS (even in the military); the stronger the MLS system, the more things it broke. "MLS is the way of the future and always will be". [I'd substitute "PKI" and say that's equally true!] (3) Failed attempts at fast authenticated encryption in one pass; this one was obscure for me, but he said it led to numerous methods and papers, all of which proved to be breakable. The lessons from this are many - among them, don't invent your own crypto!

Dick Kemmerer, Univ of California Santa Barbara: Not to be outdone, Dick offered five blunders. (0) Aggressive CD DRM, such as the Sony-BMG CD DRM which backfired not only technically but also in the market. (1) Use of a 56 bit key for DES, when Lucifer (the IBM inspiration for DES) had a 128 bit key. (2) US export laws on cryptography, which totally failed and cost US companies an estimated $50-65 billion dollars in lost sales - the rules (still) don't make sense, and if you get them wrong you go to jail. (3) Kryptonite Evolution 2000 and the BIC pen - the locks came with an insurance policy against the lock being *broken*, but since it was picked not broken, they wouldn't pay. (4) The Australian raw sewage dump, where a disgruntled former employee attacked a system from the outside - lesson learned is to pay attention to SCADA systems and insider threats. "Don't piss anyone off or you'll be knee deep in shit".

Peter Neumann, SRI International: "We seek strength in depth, but we have weakness in depth." (1) Propagation blunders, where a failure in one part of a system drags other parts with it (1980 ARPANET collapse, 1990 AT&T Long Lines collapse, widespread power outages in 1965, 1977, 1984, 1996, 2003, 2006; all could have been exploited by adversaries). (2) Backup & recovery failures, such as the air traffic control, train system failure, other systems. (3) Software flaws, such as buffer/stack overflows and other flaw types which are ubiquitous - Multics prevented buffer overflows by having non-executable stack, type-safe language (PL/1), etc. 30 years ago. (4) Election systems, which have been implemented without consideration of security.

There were many more examples provided from the floor. A few selections:

- IPsec (thought if we were at the bottom of the stack that would solve everything)
- Willingness of consumers to buy software written in C/C++
- Use of signature-based methods for anti-virus and IDS

Matt Blaze offered one of my favorite comments with respect to the Sony executive's comment that people don't know what a rootkit is and so they don't care whether they have one: "most people don't know what their pancreas is, but don't want it to get cancer".

Ed Felten, Princeton - DRM Wars: The Next Generation

DRM itself is an Orwellian term - not controlling, just "managing", even though it helps the supplier not the consumer. There have been proposals, but nothing is happening - which is a success for those skeptical of legal support for DRM - "not going to defeat the opponent on the battlefields of Washington & Ottawa, but waiting for it to collapse of its own weight". We're in the early stages of a realignment - in 5 or 10 years things will look very different. The 2002 Microsoft paper on why DRM doesn't help was a revelation to lawyers & public policy people, while technical folks thought it was just a well explained version of what was widely known. As a result, doubt is now sinking in among lawyers, movie industry executives, etc. - they're catching on to this point that promises are broken by DRM vendors. The other argument against DRM is the Sony/BMG "rootkit" episode - it showed that DRM is not all that effective and causes undesirable side-effects.

So advocates for DRM are changing their rationale, moving away from anti-piracy, and towards price discrimination. DRM can prevent resale - tether copies to buyers, or create different versions (e.g., high-res / low-res, or limited time copy). This benefits the seller (who can make more money) and sometimes benefits society - this is why there's lobbying in favor of DRM policies that allow price discrimination - and works even if DRM isn't totally effective. The scholarly community has been arguing this for years; lobbyists are now starting to make the argument too. Platform locking is the other argument - Apple wants to lock users into iPod and iTunes, and DRM provides a way to do it. Even if the DRM can be broken, DMCA means that no one can sell a competing product - it's weak enough to satisfy consumers, but strong enough to satisfy your lawyers. As a result, DRM has hurt the music companies, and helped Apple!!!

Finally, Ed proposed (somewhat tongue in cheek) that with Moore's law helping us, we could (theoretically) have the same linkage of products as in the Lexmark case (where they use DRM to ensure that you can't use a non-Lexmark toner cartridge in a Lexmark printer) - someday your shoes might not work without approved shoelaces, or your pen won't work without approved paper.

____________________________________________________________________
Review of Detection of Intrusions and Malware & Vulnerability Assessment Conference 2006
Berlin, Germany, July 13-16, 2006
by Sven Dietrich
____________________________________________________________________

The Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA) 2006 conference took place in Berlin July 13-14, 2006 at the Berlin-Brandenburg Academy of Sciences and Humanities conference center right in the middle of Berlin. It was attended by 80 or so participants (including researchers, practitioners, and students) from all over the world, at one of the busiest times for Berlin: between the Soccer World Cup and the Love Parade.

There was a full program for two days, covering topics in Code Analysis, Intrusion Detection, Threat Protection and Response, Malware and Forensics, Deployment Scenarios, and Best Practices. Roland Bueschkes was the Program Chair and Pavel Laskov was the General Chair. The program is available at http://www.gi-ev.de/fachbereiche/sicherheit/fg/sidar/dimva/dimva2006/ together with the papers (eventually), the slides, and some photos of the presenters. This includes the keynote speeches by John McHugh (Dalhousie University), "Reaction: The Internet security paradox," and Michael Behringer (Cisco Systems), "Security Management: 5000 events/sec, half an engineer and automation discouraged." On Thursday night, the dinner speech during the boat trip on the river Spree and the adjacent canals was given by Stefan Grosse, German Federal Ministry of the Interior.
There was a rump session held on Friday with a mix of humorous and serious short talks, chaired by yours truly. Those who were there might still be a bit puzzled, even though we cleared up the mystery... No, folks, OntoSec is not for real, no matter how realistic it may have sounded. Really. There was a Capture the Flag contest running in parallel during the second day of the conference, entitled CIPHER2 (yes, we know, slight name conflict here). For more info, please visit: http://cipher-ctf.org/cipher2.php Conference attendees were able to follow the CIPHER2 scoreboard live during the presentations in the conference room up to the conclusion on Friday afternoon. All in all, it was a successful conference, with a lot of hallway track opportunities, whether the hallway was on solid ground or moving through locks while ducking before the low bridges. We hope to see your submissions to DIMVA 2007 (Call for Papers is at http://www.dimva.org/dimva2007/ or use http://www.icir.org/robin/dimva07 for now) and your participation in Lucerne, Switzerland, July 12-13, 2007. Program Chair will be Robin Sommer (LBNL/ICSI) and General Chair will be Bernhard Haemmerli (HTA Lucerne). See you in Lucerne! ____________________________________________________________________ Book Review By Richard Austin 01/17/06 ____________________________________________________________________ Securing Storage: A Practical Guide to SAN and NAS Security by Himanshu Dwivedi Upper Saddle River: Addison-Wesley 2006. ISBN 0-32-134995-4 Amazon.com $49.99, Bookpool.com $38.95 Enterprises are reportedly growing their storage requirements and budgets at double digit rates under the twin whammy of a rapacious appetite for data and looming regulatory mandates. To cope with the burgeoning masses of data and flat or decreasing budgets for personnel, the data is increasingly being migrated to some form of networked storage. Which surprisingly enough brings us to security. 
Dwivedi is no stranger to the subject of storage security and has given presentations at the BlackHat conferences on security issues in both fibre channel and iSCSI protocols. This book is a technical security book devoted almost entirely to the technical issues in SANs and their applicable technical controls. Matters of policy and the fit between storage security and the overall information security program are given a miss.

The book covers the trio of current networked storage technologies:

- Fibre channel SANs
- NAS (both NFS and CIFS)
- iSCSI

The book is clearly written for the most part but would have benefited from a good copy editor -- I am still mystified by this sentence at the top of page 346: "It should be noted that if the challenge message does not become stale or if it is reflected across connections, DH-CHAP is a very secure method to perform authentication, especially over WWN authorization security." Grammar issues, spelling mistakes, etc., detract from the quality of the presentation.

Some background on the protocols is required to understand the attacks and defenses -- I found myself reaching for Kembel's "red books" on fibre channel more than once, and I earn my bread and cheese doing storage security on a fibre channel network.

Attack scenarios are quite realistic and easy to follow. For example, reconnaissance of a fibre channel SAN is clearly presented using nmap to scan a management network segment to locate on-board web servers for fibre channel switches and then using their web interfaces to retrieve a wealth of information. Common open source tools such as Cain and Abel, Ethereal, etc., are used to demonstrate how management connections can be sniffed and spoofed. Exotic attacks such as man-in-the-middle are illustrated using IP networks and then mapped to fibre channel in discussion. WWN and IQN (for iSCSI) spoofing is presented in a clear and understandable fashion that clearly demonstrates the risks to segregation of data based on zoning.

There are some issues with the presentation, though. In the CIFS section, for example, much use is made of enumeration through "null sessions", which are typically disabled in most hardened Windows deployments. Protocol experts will take issue with items such as the "vulnerability" of iSCSI to dictionary attacks, as the specification itself calls attention to this fact and the necessity for strong secrets (thanks to an iSCSI protocol expert for pointing this out). Some items of advice in the chapters on hardening devices will be questioned as well, such as the advice to disable cut-through switching on Cisco's MDS series switches to preclude an attack on zoning that is actually not possible given how zoning rules are processed (thanks to a Cisco CCIE for giving me this peek under the proverbial kimono).

The chapter on regulatory compliance is good but illustrates the problem of restricting the book to "technical security." That is, without a threat model and overall policy framework, it is difficult to judge or justify the adequacy of any specific control. This being said, the chapter is quite useful in presenting the broad tapestry of considerations that make up compliance in the context of storage security.

In summary, this is an excellent book for introducing the challenges that exist in current implementations of storage networks from a security perspective, and it offers guidance to security professionals and storage administrators alike in some of the ways such challenges can be met. The important caveat is to assess the presented risks in the light of the specific technological and vendor environment as well as in the context of the overall security posture of the organization before implementing any of the technical controls. Eschew the temptation to treat this book as a "tweak-o-matic" that will somehow make your organization's storage networks secure (whatever that means)!
--------
Richard Austin is a resident curmudgeon at a Fortune 100 company who, for reasons that mystify both him and his therapist, wages a continuing battle with a tottering tower of new security books. He occasionally emerges from the fray, more or less unscathed, to opine upon the latest tome to transit from the "to be read" pile onto the "to be shelved" stack and can be reached at rda7838 @ kennesaw.edu

====================================================================
Security Related News
====================================================================

____________________________________________________________________
Forging some RSA signatures with pencil and paper
August 22, 2006
____________________________________________________________________

Presenter: Daniel Bleichenbacher
Place: Crypto 2006 Rump Session

Bleichenbacher showed that incorrect parsing of the padding in signatures can result in easy forgeries for signatures based on RSA with exponent 3. Unfortunately, the OpenSSL library has this error. This means that many applications that depend on OpenSSL are vulnerable. See http://www.openssl.org/news/secadv_20060905.txt

One vulnerable application is the Domain Name Service (DNS) resolver based on the widely used BIND software. BIND uses OpenSSL and inherits the vulnerability. Because the error is in the verifier, security-conscious administrators will want to make sure that they do not use a signing key based on exponent 3.

____________________________________________________________________
NIST Second Cryptographic Hash Workshop
August 14, 2006
____________________________________________________________________

A tentative timeline of the development of new hash functions has been posted on the Hash Workshop web site: http://www.nist.gov/hash-function

This topic was discussed in the Second Cryptographic Hash Workshop. Details about the workshop and a program are available at the same web site listed above.
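As an added illustration of the verifier-side bug class described in the RSA signature item above (example code written for this page, not OpenSSL's code and not Bleichenbacher's construction), a lenient PKCS#1 v1.5 encoded-message check is shown beside a strict one; SHA-256 as the hash, a 128-byte modulus and the sample message are assumptions, and the malformed block is constructed directly rather than derived from any key.

```python
"""Strict versus lenient PKCS#1 v1.5 signature-block parsing.

After the RSA public operation (m = s^e mod n) the verifier holds an encoded
message EM of k bytes that must be exactly  00 01 FF..FF 00 DigestInfo.
A verifier that stops checking once it has located the DigestInfo, ignoring
whatever follows it, is the parsing error the news item describes.
Assumptions for this example: SHA-256 as the hash and k = 128 bytes.
"""
import hashlib
import hmac

# DER prefix of the DigestInfo structure for SHA-256 (RFC 3447, section 9.2).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
MIN_PAD_BYTES = 8  # PKCS#1 v1.5 requires at least eight 0xFF padding bytes


def digest_info(message: bytes) -> bytes:
    """DigestInfo = DER prefix || SHA-256(message)."""
    return SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()


def encode_em(message: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5: 00 || 01 || FF * (k - len(T) - 3) || 00 || T, exactly k bytes."""
    t = digest_info(message)
    if k < len(t) + MIN_PAD_BYTES + 3:
        raise ValueError("modulus too short for this hash")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def lenient_verify_em(em: bytes, message: bytes) -> bool:
    """Flawed check in the style the item warns about.

    It walks over the padding, compares the DigestInfo it finds there, and
    never looks at the bytes after the hash, so trailing bytes are accepted.
    """
    if len(em) < 2 or em[0] != 0x00 or em[1] != 0x01:
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i - 2 < MIN_PAD_BYTES or i >= len(em) or em[i] != 0x00:
        return False
    i += 1
    t = digest_info(message)
    # BUG: nothing checks that em ends right after t.
    return em[i:i + len(t)] == t


def strict_verify_em(em: bytes, message: bytes, k: int) -> bool:
    """Correct check: EM must equal the freshly computed encoding byte for byte.

    Rebuilding the expected block and comparing whole blocks leaves no
    unexamined bytes anywhere in EM.
    """
    if len(em) != k:
        return False
    return hmac.compare_digest(em, encode_em(message, k))


def uses_low_exponent(public_exponent: int) -> bool:
    """Key-owner side check from the item: flag signing keys with e = 3.

    A correct verifier is the real fix; this only tells administrators which
    of their keys are exposed to flawed verifiers they do not control.
    """
    return public_exponent == 3


def demo() -> dict:
    """Run both checks on a well-formed block and a constructed malformed one."""
    k = 128
    msg = b"constructed sample message"  # constructed sample input
    good = encode_em(msg, k)
    t = digest_info(msg)
    # Constructed directly for illustration (not derived from any key):
    # minimal padding, the right DigestInfo, then filler bytes up to k.
    bad = b"\x00\x01" + b"\xff" * MIN_PAD_BYTES + b"\x00" + t
    bad += b"\x00" * (k - len(bad))
    return {
        "good_lenient": lenient_verify_em(good, msg),
        "good_strict": strict_verify_em(good, msg, k),
        "bad_lenient": lenient_verify_em(bad, msg),   # True: the bug
        "bad_strict": strict_verify_em(bad, msg, k),  # False: rejected
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```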
Sincerely,
The Hash Workshop Program Committee
NIST

----------------------------------------------

Paul Hoffman and Arjen Lenstra ran a panel at the Workshop, and they collated notes from several attendees: http://lookit.typepad.com/lookit/2006/09/hash_functions_.html

____________________________________________________________________
AOL's Privacy Offense
____________________________________________________________________

Publication: money.cnn.com
URL: http://money.cnn.com/2006/08/21/news/companies/aol.reut/index.htm
Date: August 21 2006, 3:55 PM EDT

"Security and Privacy" is a common term, and the brouhaha about AOL's attempt to help researchers shows why privacy remains an elusive goal in a world of increasing Internet use. We've known for a long time that large collections of information can yield surprising inferences when properly collated, but the amazing insights into the personal lives of AOL users were astonishing. Caveat espicator.

____________________________________________________________________
Spam and Route Spoofing
____________________________________________________________________

Source: Georgia Institute of Technology
Date: September 13, 2006
URL: http://www.sciencedaily.com/releases/2006/09/060912225242.htm
Contributed by: Richard Schroeppel

Spam Filter Design To Benefit From Internet Routing Data

Research conducted at the Georgia Institute of Technology's College of Computing identified two additional techniques for combating spam: improving the security of the Internet's routing infrastructure and developing algorithms to identify computers' membership in "botnets". Nick Feamster, a Georgia Tech assistant professor of computing, and his Ph.D. student Anirudh Ramachandran will present their findings on Sept. 14, 2006 in Pisa, Italy, at the Association for Computing Machinery's annual flagship conference of its Special Interest Group on Data Communication (SIGCOMM).
From 18 months of Internet routing and spam data the researchers learned that

* Internet routes are being hijacked by spammers;
* they can identify many narrow ranges within Internet protocol (IP) address space that are generating only spam, and
* they can identify the Internet service providers (ISP) from which spam is coming.

"We know route hijacking is occurring," Feamster said. "It's being done by a small, but fairly persistent and sophisticated group of spammers, who cannot be traced using conventional methods."

====================================================================
Conference and Workshop Announcements
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Calendar of Security and Privacy Related Events
maintained by Hilarie Orman

Date (Month/Day/Year), Event, Locations, web page for more info.
9/18/06- 9/20/06: ESORICS, 11th European Symposium On Research In Computer Security, Hamburg, Germany; http://www.esorics06.tu-harburg.de/
9/18/06- 9/19/06: ACEIS, 1st Annual Conference on Education in Information Security, Ames, IA, USA; http://www.aceis.org/
9/18/06- 9/21/06: NSPW, New Security Paradigms Workshop, Schloss Dagstuhl, Germany; http://www.nspw.org
9/20/06: STM, 2nd International Workshop on Security and Trust Management, Held in conjunction with ESORICS 2006, Hamburg, Germany; http://www.hec.unil.ch/STM06
9/20/06- 9/21/06: ESAS, 3rd European Workshop on Security and Privacy in Ad hoc and Sensor Networks, Held in conjunction with the European Symposium on Research in Computer Security (ESORICS 2006), Hamburg, Germany; http://www.crysys.hu/ESAS2006/
9/23/06: SAC-CF, 22nd Annual ACM Symposium on Applied Computing, Computer Forensics Track; Seoul, Korea; http://comp.uark.edu/~bpanda/sac-cf.htm; Submissions are due
9/24/06- 9/28/06: SETA, 4th International Conference on Sequences and Their Applications, Beijing, China; http://www.is.iscas.ac.cn/seta06/
9/25/06- 9/28/06: VietCrypt, 1st International Conference on Cryptology in Vietnam, Hanoi, Vietnam; http://www.vietcrypt.org
9/28/06- 9/29/06: SKM, 2nd Secure Knowledge Management Workshop, Brooklyn, NY, USA; http://www.cs.stonybrook.edu/skm2006
9/29/06: WiSe, ACM Workshop on Wireless Security, Held in conjunction with ACM MobiCom 2006, Los Angeles, CA, USA; http://www.ee.washington.edu/research/nsl/wise2006
9/29/06- 9/30/06: ICS, Workshop on Information and Computer Security, Held in conjunction with the 8th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing (SYNASC 2006), Timisoara, Romania; http://ics.ieat.ro/
9/29/06: IAMCOM, 1st Workshop on Information Assurance Middleware for COMmunications, Bangalore, India; http://www.iamcom.org/; Submissions are due
10/ 1/06: IFIP-DF, 3rd Annual IFIP WG 11.9 International Conference on Digital Forensics, Orlando, FL, USA; http://www.cis.utulsa.edu/ifip119/Conferences/WG11-9CallForPapers.asp; Submissions are due
10/ 1/06: ASIACCS, ACM Symposium on InformAtion, Computer and Communications Security, Singapore; http://asiaccs07.i2r.a-star.edu.sg/; Submissions are due
10/ 9/06: FC, 11th International Conference on Financial Cryptography and Data Security, Scarborough, Trinidad and Tobago; http://fc07.ifca.ai/; Submissions are due
10/ 9/06-10/12/06: WSNS, 2nd International Workshop on Wireless and Sensor Networks Security, Held in conjunction with the 3rd IEEE International Conference on Mobile Ad-hoc and Sensor Systems (MASS 2006), Vancouver, Canada; http://www.cs.wcupa.edu/~zjiang/wsns06.htm
10/18/06-10/19/06: IMF, International Conference on IT-Incident Management & IT-Forensics, Stuttgart, Germany; http://www.imf-conference.org/
10/19/06-10/20/06: NordSec, 11th Nordic Workshop on Secure IT-systems, Linkoping, Sweden; http://www.ida.liu.se/conferences/nordsec06/
10/19/06-10/21/06: CMS, 10th Joint IFIP TC6 and TC11 Open Conference on Communications and Multimedia Security, Heraklion, Greece; http://www.ics.forth.gr/cms06
10/20/06: WWW-SPRE, 16th International World Wide Web Conference, Security, Privacy, Reliability and Ethics (SPRE) Track, Banff, Alberta, Canada; http://www2007.org/cfp-SPaE.php; Submissions are due
10/22/06: PKI R&D, 6th Annual PKI R&D Workshop, Gaithersburg, MD, USA; http://middleware.internet2.edu/pki07/; Submissions are due
10/23/06-10/24/06: IWSEC, 1st International Workshop on Security, Kyoto, Japan; http://www.iwsec.org/
10/23/06-10/24/06: WESII, Workshop on the Economics of Securing the Information Infrastructure, Arlington, VA, USA; http://wesii.econinfosec.org/
10/30/06-11/ 3/06: CCS, 13th ACM Conference on Computer and Communications Security, Alexandria, VA, USA; http://www.acm.org/sigs/sigsac/ccs/CCS2006/
10/30/06: QOP, 2nd Workshop on Quality of Protection, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS 2006), Alexandria, VA, USA; http://dit.unitn.it/~qop/
10/30/06: WPES, 5th Workshop on Privacy in the Electronic Society, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS 2006), Alexandria, VA, USA; http://freehaven.net/wpes2006/
10/30/06: DRM, 6th Workshop on Digital Rights Management, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS 2006), Alexandria, VA, USA; http://www.titr.uow.edu.au/DRM2006/
10/30/06: SASN, 4th ACM Workshop on Security of Ad Hoc and Sensor Networks, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS 2006), Alexandria, VA, USA; http://www.cse.psu.edu/~szhu/SASN2006/
10/30/06: StorageSS, 2nd Workshop on Storage Security and Survivability, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS 2006), Alexandria, VA, USA; http://www.storagess.org/
11/ 1/06: IFIP-SEC, 22nd IFIP TC-11 International Information Security Conference, Theme: New approaches for Security, Privacy and Trust in Complex Environments, Sandton Convention Centre Sandton, South Africa; http://www.sbs.co.za/ifipsec2007/; Submissions are due
11/ 3/06: DIMACS-ISE, DIMACS Workshop on Information Security Economics, Rutgers University, Piscataway, NJ, USA; http://dimacs.rutgers.edu/Workshops/InformationSecurity/; Submissions are due
11/ 3/06: WORM, 4th Workshop on Recurring Malcode, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS-13), Fairfax, VA, USA; http://www.eecs.umich.edu/~farnam/worm2006.html
11/ 3/06: FMSE, 4th Workshop on Formal Methods in Security Engineering: From Specifications to Code, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS-13), Fairfax, VA, USA; http://www.cs.chalmers.se/~dave/FMSE06/
11/ 3/06: STC, 1st Workshop on Scalable Trusted Computing, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS 2006), FairFax, VA, USA; http://www.cs.utsa.edu/~shxu/stc06/
11/ 3/06: VizSEC, 3rd Workshop on Visualization for Computer Security, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS 2006), FairFax, VA, USA; http://www.projects.ncassr.org/sift/vizsec/vizsec06/
11/ 3/06: DIM, 2nd Workshop on Digital Identity Management, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS 2006), FairFax, VA, USA; http://www2.pflab.ecl.ntt.co.jp/dim2006/
11/ 3/06: SWS, 1st Workshop on Secure Web Services, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS 2006), FairFax, VA, USA; http://sws06.univ-pau.fr/
11/ 5/06: USEC, Workshop on Usable Security, Held in conjunction with the 11th Conference on Financial Cryptography and Data Security (FC 2007), Lowlands, Scarborough, Trinidad/Tobago; http://www.usablesecurity.org/; Submissions are due
11/10/06: Oakland, The 2007 IEEE Symposium on Security and Privacy, The Claremont Resort, Berkeley/Oakland, CA, USA; http://www.ieee-security.org/TC/SP2007/oakland07.html; Submissions are due
11/15/06: IFIP-CIP, 1st Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection, Hanover, NH, USA; http://www.cis.utulsa.edu/ifip1110/Conferences/WG11-10CallForPapers.asp; Submissions are due
11/15/06: FIRST, 19th FIRST Global Computer Security Network conference, Seville, Spain; http://www.first.org/conference/2007/papers/; Submissions are due
11/17/06-11/20/06: TrustCol, Workshop on Trusted Collaboration, Atlanta, GA, USA; http://www.trustcol.org/
11/20/06: ICDCS, 27th International Conference on Distributed Computing Systems, Toronto, Canada; http://www.eecg.utoronto.ca/icdcs07/; Submissions are due
11/30/06: StorageSS, 2nd Workshop on Storage Security and Survivability, Held in conjunction with the 13th ACM Conference on Computer and Communications Security (CCS 2006), Alexandria, VA, USA; http://www.storagess.org/
11/30/06-12/ 1/06: WATC, 2nd Workshop on Advances in Trusted Computing, Tokyo, Japan; http://www.trl.ibm.com/projects/watc/
12/ 4/06-12/ 7/06: ICICS, 8th International Conference on Information and Communications Security, Raleigh, NC, USA; http://discovery.csc.ncsu.edu/ICICS06/
12/ 8/06-12/10/06: CANS, 5th International Conference on Cryptology and Network Security, Suzhou, China; http://cis.sjtu.edu.cn/cans2006/index.htm
12/14/06: ACNS, 5th International Conference on Applied Cryptography and Network Security, Zhuhai, China; http://www.i2r.a-star.edu.sg/icsd/acns2007/; Submissions are due
12/15/06: Elsevier Computer Communications Journal, Special Issue on Security on Wireless Ad Hoc and Sensor Networks; http://authors.elsevier.com/journal/comcom; Submissions are due
12/17/06-12/21/06: ICISS, 2nd International Conference on Information Systems Security, Kolkata, India; http://www.cdcju.org.in/iciss2006/
1/ 3/07- 1/ 6/07: HICSS-HTC, 40th Annual Hawaii International Conference on System Sciences, Highly Trustworthy computing (HTC) mini-track, Waikoloa, Hawaii, USA; http://cisr.nps.edu/HICSS/
1/ 3/07- 1/ 6/07: HICSS-SSADIA, 40th Annual Hawaii International Conference on System Sciences, Secure Software Architecture, Design, Implementation and Assurance (SSADIA) Minitrack, Waikoloa, Hawaii, USA; http://www.sei.cmu.edu/community/hicss/
1/ 3/07- 1/ 6/07: HICSS-CTER, 40th Annual Hawaii International Conference on System Sciences, Cyber-Threats and Emerging Risks Minitrack, Waikoloa, Hawaii, USA; http://www.hicss.hawaii.edu/hicss_40/fincfp.htm#Cyber-Threats%20and%20Emerging%20Risks
1/12/07: IAMCOM, 1st Workshop on Information Assurance Middleware for COMmunications, Bangalore, India; http://www.iamcom.org/
1/15/07: ASC, 6th Annual Security Conference, Las Vegas, Nevada, USA; http://www.security-conference.org; Submissions are due
1/18/07- 1/19/07: DIMACS-ISE, DIMACS Workshop on Information Security Economics, Rutgers University, Piscataway, NJ, USA; http://dimacs.rutgers.edu/Workshops/InformationSecurity/
1/29/07- 1/31/07: IFIP-DF, 3rd Annual IFIP WG 11.9 International Conference on Digital Forensics, Orlando, FL, USA; http://www.cis.utulsa.edu/ifip119/Conferences/WG11-9CallForPapers.asp
2/ 9/07: DIMVA, 4th GI International Conference on Detection of Intrusions & Malware, and Vulnerability Assessment, Lucerne, Switzerland; http://www.dimva.org/dimva2007; Submissions are due
2/11/07- 2/15/07: FC, 11th International Conference on Financial Cryptography and Data Security, Scarborough, Trinidad and Tobago; http://fc07.ifca.ai/
2/15/07: PAIRING, 1st International Conference on Pairing-based Cryptography, Tokyo, Japan; http://www.pairing-conference.org/; Submissions are due
2/15/07- 2/16/07: USEC, Workshop on Usable Security, Held in conjunction with the 11th Conference on Financial Cryptography and Data Security (FC 2007), Lowlands, Scarborough, Trinidad/Tobago; http://www.usablesecurity.org/
2/28/07- 3/ 2/07: NDSS, 14th Annual Network and Distributed System Security Symposium, San Diego, CA, USA; http://www.isoc.org/isoc/conferences/ndss/07/cfp.shtml
3/11/07- 3/15/07: SAC-TRECK, 22nd Annual ACM Symposium on Applied Computing, Trust, Recommendations, Evidence and other Collaboration Know-how (TRECK) Track, Seoul, Korea; http://www.acm.org/conferences/sac/sac2007/
3/11/07- 3/15/07: SAC-CLAT, 22nd Annual ACM Symposium on Applied Computing, Computer-aided Law and Advanced Technologies Track, Seoul, Korea; http://www.clat.unibo.it/
3/11/07- 3/15/07: SAC-CF, 22nd Annual ACM Symposium on Applied Computing, Computer Forensics Track, Seoul, Korea; http://comp.uark.edu/~bpanda/sac-cf.htm
3/19/07- 3/21/07: IFIP-CIP, 1st Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection, Hanover, NH, USA; http://www.cis.utulsa.edu/ifip1110/Conferences/WG11-10CallForPapers.asp
3/20/07- 3/22/07: ASIACCS, ACM Symposium on InformAtion, Computer and Communications Security, Singapore; http://asiaccs07.i2r.a-star.edu.sg/
4/11/07- 4/12/07: ASC, 6th Annual Security Conference, Las Vegas, Nevada, USA; http://www.security-conference.org
4/17/07- 4/19/07: PKI R&D, 6th Annual PKI R&D Workshop, Gaithersburg, MD, USA; http://middleware.internet2.edu/pki07/
5/ 1/07: Security Journal of Universal Computer Science (JUCS), Special Issue on Cryptography in Computer System; http://www.sitacs.uow.edu.au/jucs/; Submissions are due
5/ 8/07- 5/12/07: WWW-SPRE, 16th International World Wide Web Conference, Security, Privacy, Reliability and Ethics (SPRE) Track, Banff, Alberta, Canada; http://www2007.org/cfp-SPaE.php
5/14/07- 5/16/07: IFIP-SEC, 22nd IFIP TC-11 International Information Security Conference, Theme: New approaches for Security, Privacy and Trust in Complex Environments, Sandton Convention Centre Sandton, South Africa; http://www.sbs.co.za/ifipsec2007/
5/20/07- 5/23/07: Oakland, The 2007 IEEE Symposium on Security and Privacy, The Claremont Resort, Berkeley/Oakland, CA, USA; http://www.ieee-security.org/TC/SP2007/oakland07.html
6/ 5/07- 6/ 8/07: ACNS, 5th International Conference on Applied Cryptography and Network Security, Zhuhai, China; http://www.i2r.a-star.edu.sg/icsd/acns2007/
6/17/07- 6/22/07: FIRST, 19th FIRST Global Computer Security Network Conference, Seville, Spain; http://www.first.org/conference/2007/papers/
6/25/07- 6/29/07: ICDCS, 27th International Conference on Distributed Computing Systems, Toronto, Canada; http://www.eecg.utoronto.ca/icdcs07/
7/ 2/07- 7/ 4/07: PAIRING, 1st International Conference on Pairing-based Cryptography, Tokyo, Japan; http://www.pairing-conference.org/
7/12/07- 7/13/07: DIMVA, 4th GI International Conference on Detection of Intrusions & Malware, and Vulnerability Assessment, Lucerne, Switzerland; http://www.dimva.org/dimva2007

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers
(new since Cipher E72)
____________________________________________________________________ ------------------------------------------------------------------------- http://comp.uark.edu/~bpanda/sac-cf.htm SAC-CF 2007 22nd Annual ACM Symposium on Applied Computing, Computer Forensics Track, Seoul, Korea, March 11 - 15, 2007. (Submissions due 23 September 2006) With the exponential growth of computer users, the number of criminal activities that involves computers has increased tremendously. The field of Computer Forensics has gained considerable attention in the past few years. It is clear that in addition to law enforcement agencies and legal personnel, the involvement of computer savvy professionals is vital for any digital incident investigation. Unfortunately, there are not many well-qualified computer crime investigators available to meet this demand. An approach to solve this problem is to develop state-of-the-art research and development tools for practitioners in addition to creating awareness among computer users. The primary goal of this track will be to provide a forum for researchers, practitioners, and educators interested in Computer Forensics in order to advance research and educational methods in this increasingly challenging field. We expect that people from academia, industry, government, and law enforcement will share their previously unpublished ideas on research, education, and practice through this track. 
We solicit original, previously unpublished papers in the following general (non-exhaustive) list of topics: - Incident Response and Live Data Analysis - Operating System and Application Analysis - File System Analysis - Network Evidence Collection - Forensic Profiles - Network Forensics - Data Hiding and Recovery - Event Reconstruction and Tracking - Legal, Ethical and Privacy Issues ------------------------------------------------------------------------- http://www.iamcom.org/ IAMCOM 2007 1st Workshop on Information Assurance Middleware for COMmunications, Bangalore, India, January 12, 2007. (Submissions due 29 September 2006) The goal of IAMCOM workshop is to offer a focused forum to discuss the on-going research in the area of middleware for dependable communications. Middleware for dependable communications addresses the issues of providing sustainable guarantees on session-level QoS, performance, integrity, availability and security through a repertoire of generic software/hardware tools and models. Papers are solicited on middleware topics pertaining to the communication layers of a distributed network system. Topics of interest include, but not limited to: - QoS assurance architectures - Network state fusion, monitoring - Tools for detecting DOS attacks - Utility-based QoS adaptation - Communication security: authentication, confidentiality - Adaptive encryption techniques - Capacity provisioning - Network survivability - Dynamic bandwidth allocations - Traffic engineering - Distributed consensus/voting - Self-healing networks - Topology management - Failure detectors - Diversity management and control ------------------------------------------------------------------------- http://www.cis.utulsa.edu/ifip119/Conferences/WG11-9CallForPapers.asp IFIP-DF 2007 3rd Annual IFIP WG 11.9 International Conference on Digital Forensics, Orlando, Florida, USA, January 29-31, 2007. 
(Submissions due 1 October 2006) The IFIP Working Group 11.9 on Digital Forensics is an active international community of scientists, engineers and practitioners dedicated to advancing the state of the art of research and practice in the emerging field of digital forensics. Technical papers are solicited in all areas related to the theory and practice of digital forensics. Areas of special interest include, but are not limited to: - Theories, techniques and tools for extracting, analyzing and preserving digital evidence - Operating system and file system forensics - Network forensics - Portable electronic device forensics - Digital forensic processes and workflow models - Digital forensic case studies - Legal, ethical and policy issues related to digital forensics ------------------------------------------------------------------------- http://asiaccs07.i2r.a-star.edu.sg/ ASIACCS 2007 ACM Symposium on InformAtion, Computer and Communications Security, Singapore, March 20-22, 2007. (Submissions due 1 October 2006) To build on the success of ACM Conference on Computer and Communications Security (CCS) and ACM Transactions on Information and System Security (TISSEC), the ACM Special Interest Group on Security, Audit, and Control (SIGSAC) formally established the annual ACM Symposium on InformAtion, Computer and Communications Security (ASIACCS) in 2005. Papers representing original research in both the theory and practice concerning information, computer and communications security are solicited. 
Topics of interest include, but are not limited to: - Access control and authorization - Applied cryptography - Authentication, biometrics, smartcards - Data integrity and audit - Database security - Digital Rights Management - Distributed systems security - E-commerce and mobile e-commerce - Electronic privacy, anonymity - Formal verification and testing - Hardware design - High speed networks - Information flow - Intrusion detection and survivability - Mobile code and mobile agent security - P2P & ad hoc networks - RFID applications - Security protocols - Viruses and other malicious codes - Watermarking and data hiding - Wireless communications - Wireless sensor networks ------------------------------------------------------------------------- http://fc07.ifca.ai/ FC 2007 11th International Conference on Financial Cryptography and Data Security, Scarborough, Trinidad and Tobago, February 11 - 15, 2007. (Submissions due 9 October 2006) At its 11th year edition, Financial Cryptography and Data Security (FC'07) is a well established and major international forum for research, advanced development, education, exploration, and debate regarding security in the context of finance and commerce. Original papers, surveys and presentations on all aspects of financial and commerce security are invited. Submissions must have a strong and visible bearing on financial and commerce security issues, but can be interdisciplinary in nature and need not be exclusively concerned with cryptography or security. 
Possible topics for submission to the various sessions include, but are not limited to: - Anonymity and Privacy - Auctions - Audit and Auditability - Authentication and Identification, including Biometrics - Certification and Authorization - Commercial Cryptographic Applications - Commercial Transactions and Contracts - Digital Cash and Payment Systems - Digital Incentive and Loyalty Systems - Digital Rights Management - Financial Regulation and Reporting - Fraud Detection - Game Theoretic Approaches to Security - Identity Theft, Physhing and Social Engineering - Infrastructure Design - Legal and Regulatory Issues - Microfinance and Micropayments - Monitoring, Management and Operations - Reputation Systems - RFID-Based and Contactless Payment Systems - Risk Assessment and Management - Secure Banking and Financial Web Services - Securing Emerging Computational Paradigms - Security and Risk Perceptions and Judgments - Security Economics - Smart Cards and Secure Tokens - Trust Management - Trustability and Trustworthiness - Underground-Market Economics - Voting system security ------------------------------------------------------------------------- http://www2007.org/cfp-SPaE.php WWW-SPRE 2007 16th International World Wide Web Conference, Security, Privacy, Reliability and Ethics (SPRE) Track, Banff, Alberta, Canada, May 8-12, 2007. (Submissions due 20 October 2006) The flexibility and richness of the Web architecture have come at the price of increasing complexity and lack of a sound overall security architecture. The movement toward Web-based services, and the increasing dependency on the Web, have also made reliability a first-rate security concern. From malware and spyware, drive-by downloads, typo squatting, denial of service attacks, to phishing and identity theft, a variety of threats make the Web an increasingly hostile and dangerous environment. By undermining user trust, these problems are hampering e-commerce and the growth of online communities. 
This track promotes the view that security, privacy, reliability, and sound guiding ethics must be part of the texture of a successful World Wide Web. In addition to devising practical tools and techniques, it is the duty of the research community to promote and guide business adoption of security technology for the Web and to help inform related legislation. We seek novel research (both theoretical and practical) in security, privacy, reliability, and ethics as they relate to the Web, including but not limited to the following areas:
- Authentication, authorization, and auditing on the web
- Availability and reliability of web servers and services
- Intrusion detection and honeypots
- The insider threat
- Privacy-enhancing technologies, including anonymity, pseudonymity and identity management, specifically for the web
- Phishing and pharming, and countermeasures
- User interfaces and usability as they relate to use of cryptography and online scams such as phishing and pharming
- Applications of cryptography to the web, including PKI and supporting concepts like digital signatures, certification, etc.
- Electronic commerce, particularly security mechanisms for e-cash, auctions, payment, and fraud detection
- Electronic fraud and attack vectors
- Economic / business analysis of Web security and privacy
- Legal and legislative approaches to issues of Web security and privacy
- Secure and robust management of server farms
- Dealing with client-side risks
- Security for new web services (blogs, RSS, wikis, etc.)
- Wireless web security (including RFID, sensors, and mobile phones)
- Content protection and abuse on the web (DRM, web/blog spam, etc.)

-------------------------------------------------------------------------
http://middleware.internet2.edu/pki07/
PKI R&D 2007  6th Annual PKI R&D Workshop, Gaithersburg, Maryland, USA, April 17-19, 2007.
(Submissions due 22 October 2006)

This workshop considers the full range of public key technology used for security decisions and supporting functionalities, including authentication, authorization, identity management, federation, and trust. This year's focus is striking the proper balance to permit users to easily complete tasks requiring security while exposing the appropriate security details through all layers of software. We solicit papers, case studies, panel proposals, and participation from researchers, systems architects, vendor engineers, and users. Suggested topics include but are not limited to:
- Reports of real-world experience with the use and deployment of applications that leverage PKI, how best to integrate such usage into legacy systems, and future research directions
- Federated versus non-federated trust models
- Standards related to PKI and security decision systems, such as X.509, SPKI/SDSI, PGP, XKMS, XACML, XRML, XML signatures, and SAML
- Identity management (Shibboleth, Liberty, Higgins, InfoCard, etc.)
- Cryptographic and alternative methods for supporting security decisions, including the characterization and encoding of data
- Intersection of policy-based systems and PKI
- Human-Computer Interaction (HCI) advances that improve usability of PKI for users and administrators
- Privacy protection and implications
- Use of PKI in emerging technologies (e.g., sensor networks)
- Scalability and performance of PKI systems
- Security of the components of PKI systems
- Security infrastructures for constrained environments
- Improved human factor designs for security-related interfaces, including authorization and policy management, naming, signatures, encryption, use of multiple private keys, and selective disclosure
- New paradigms in PKI architectures

-------------------------------------------------------------------------
http://www.sbs.co.za/ifipsec2007/
IFIP-SEC 2007  22nd IFIP TC-11 International Information Security Conference, Theme: New approaches for Security, Privacy and Trust in Complex Environments, Sandton Convention Centre, Sandton, South Africa, May 14-16, 2007.
(Submissions due 1 November 2006)

Information is now the most important commodity in a global market. Individuals, businesses and governments are dependent on information embedded in secure, privacy-aware and trustworthy IT infrastructures. Classical information security services such as authentication and authorization urgently demand a re-design and improved implementation to ensure security, privacy and trust features in today's integrated and complex, information-rich environments. Papers offering research contributions focusing on security, privacy and trust are solicited for submission to the 22nd IFIP TC-11 International Information Security Conference.
Papers may present theory, applications or practical experiences including, but not limited to:
- Applications of cryptography, key management and PKI
- Architectures for Information Security, Privacy and Trust
- New approaches to Fraud Management Systems in Advanced Network Infrastructures
- New approaches to classical Information Security Services such as Identification, Authentication, Authorization, Integrity and Non-repudiation
- Information Security culture including ethics and social issues
- Change Management Systems for implementing Security, Privacy and Trust in organizational environments
- Information security as part of Corporate Governance
- Digital Forensics and Forensic Auditing
- Security, Privacy and Trust for advanced application infrastructures
- Incorporating Security, Privacy and Trust in educational activities
- New approaches for enhancing security, privacy and trust in E-mail environments
- Firewalls for the next generation networks
- Future visions for Information Security Management
- Designing / re-designing Human Computer Interaction for Security, Privacy and Trust
- Identity theft and management
- New applications for steganography
- Information warfare and critical infrastructure protection
- Security, Privacy and Trust in RFID and Sensor networks
- New approaches for Intrusion detection
- Security, Privacy and Trust for Wireless environments
- New requirements for international Information Security Standards
- Privacy Enhancing Technologies (PETs)
- Risk analysis and risk management for complex environments
- Standards, Certification, Accreditation and Evaluation of Information Security in companies
- Incorporating Security, Privacy and Trust in System development methodologies
- Trust Models and Management
- Information Security Metrics
- Vulnerability Assessments for integrated environments

-------------------------------------------------------------------------
http://dimacs.rutgers.edu/Workshops/InformationSecurity/
DIMACS-ISE 2007  DIMACS Workshop on Information Security Economics, Rutgers University, Piscataway, New Jersey, USA, January 18 - 19, 2007.
(Submissions due 3 November 2006)

The DIMACS Workshop on Information Security Economics aims at enlarging the interest in this area by bringing together researchers already engaged in the field with other scientists and investigators in disciplines such as economics, business, statistics, and computer science. We encourage researchers and industry experts to submit manuscripts with original work to the workshop; we especially encourage collaborative and interdisciplinary research from authors in multiple fields. Topics of interest include (but are not limited to) empirical and theoretical works on the economics of:
- vulnerabilities and malicious code
- spam, phishing, and identity theft
- privacy, reputation, and trust
- DRM and trusted computing
- cyber-insurance, returns on security investments, and security risk management
- security risk perception at the firm and individual levels

-------------------------------------------------------------------------
http://www.usablesecurity.org/
USEC 2007  Workshop on Usable Security, Held in conjunction with the 11th Conference on Financial Cryptography and Data Security (FC 2007), Lowlands, Scarborough, Trinidad/Tobago, February 15-16, 2007.
(Submissions due 5 November 2006)

Some of the most challenging problems in designing and maintaining secure systems involve human factors. A great deal remains to be understood about users' capabilities and motivations to perform security tasks. Usability problems have been at the root of many widely reported security failures in high-stakes financial, commercial and voting applications. USEC'07 seeks submissions of novel research from academia and industry on all theoretical and practical aspects of usable security in the context of finance and commerce.
-------------------------------------------------------------------------
http://www.ieee-security.org/TC/SP2007/oakland07.html
Oakland 2007  The 2007 IEEE Symposium on Security and Privacy, The Claremont Resort, Berkeley/Oakland, California, USA, May 20-23, 2007.
(Submissions due 10 November 2006)

Since 1980, the IEEE Symposium on Security and Privacy has been the premier forum for the presentation of developments in computer security and electronic privacy, and for bringing together researchers and practitioners in the field. Previously unpublished papers offering novel research contributions in any aspect of computer security or electronic privacy are solicited for submission to the 2007 symposium. Papers may represent advances in the theory, design, implementation, analysis, or empirical evaluation of secure systems, either for general use or for specific application domains. The 2007 Symposium is open to submissions not only of full-length papers but also short papers (extended abstracts) describing less mature work. It is also open to the submission of co-located half-day or one-day workshops. See below for these and other program elements.

Topics of interest include, but are not limited to, the following:
- Access control and audit
- Anonymity and pseudonymity
- Application-level security
- Biometrics
- Cryptographic protocols
- Database security
- Denial of service
- Distributed systems security
- Formal methods for security
- Information flow
- Intrusion detection and prevention
- Language-based security
- Malicious code prevention
- Network security
- Operating system security
- Peer-to-peer security
- Privacy
- Risk analysis
- Secure hardware and smartcards
- Security engineering
- Security policy
- User authentication

-------------------------------------------------------------------------
http://www.cis.utulsa.edu/ifip1110/Conferences/WG11-10CallForPapers.asp
IFIP-CIP 2007  1st Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection, Hanover, New Hampshire, USA, March 19-21, 2007.
(Submissions due 15 November 2006)

The IFIP Working Group 11.10 on Critical Infrastructure Protection is an active international community of researchers, infrastructure operators and policy-makers dedicated to applying scientific principles, engineering techniques and public policy to address current and future problems in information infrastructure protection. Papers are solicited in all areas of critical infrastructure protection. Areas of special interest include, but are not limited to:
- Infrastructure vulnerabilities, threats and risks
- Security challenges, solutions and implementation issues
- Infrastructure sector interdependencies and security implications
- Infrastructure protection case studies
- Legal, ethical, economic and policy issues related to critical infrastructure protection
- Distributed control systems/SCADA security
- Telecommunications network security

-------------------------------------------------------------------------
http://www.eecg.utoronto.ca/icdcs07/
ICDCS 2007  27th International Conference on Distributed Computing Systems, Toronto, Canada, June 25-29, 2007.
(Submissions due 20 November 2006)

The conference provides a forum for engineers and scientists in academia, industry and government to present their latest research findings in any aspects of distributed and parallel computing. Topics of particular interest include, but are not limited to:
- Algorithms and Theory
- Autonomic Computing
- Data Management
- Fault-Tolerance and Dependability
- Internet Computing and Applications
- Network Protocols
- Operating Systems and Middleware
- Parallel, cluster and GRID Computing
- Peer to Peer
- Security
- Sensor Networks and Ubiquitous Computing
- Wireless and Mobile Computing

-------------------------------------------------------------------------
http://www.i2r.a-star.edu.sg/icsd/acns2007/
ACNS 2007  5th International Conference on Applied Cryptography and Network Security, Zhuhai, China, June 5-8, 2007.
(Submissions due 14 December 2006)

ACNS'07, the 5th International Conference on Applied Cryptography and Network Security, brings together industry and academic researchers interested in the technical aspects of cryptology and the latest advances in the application of crypto systems. Original papers on all aspects of applied cryptography and network security are solicited for submission to ACNS '07.
Topics of relevance include but are not limited to:
- Applied cryptography and provably-secure cryptographic protocols
- Design and analysis of efficient cryptographic primitives: public-key and symmetric-key cryptosystems, block ciphers, and hash functions
- Network security protocols
- Techniques for anonymity; trade-offs between anonymity and utility
- Integrating security into the next-generation Internet: DNS security, routing, naming, denial-of-service attacks, TCP/IP, secure multicast
- Economic fraud on the Internet: phishing, pharming, spam, and click fraud
- Email and web security
- Public key infrastructure, key management, certification, and revocation
- Security and privacy for emerging technologies: sensor networks, mobile (ad hoc) networks, peer-to-peer networks, Bluetooth, 802.11, RFID
- Trust metrics and robust trust inference in distributed systems
- Security and usability
- Intellectual property protection: metering, watermarking, and digital rights management
- Modeling and protocol design for rational and malicious adversaries
- Automated analysis of protocols

-------------------------------------------------------------------------
http://authors.elsevier.com/journal/comcom
Elsevier Computer Communications Journal, Special Issue on Security on Wireless Ad Hoc and Sensor Networks, 3rd Quarter of 2007.
(Submission due 15 December 2006)

Guest editors: Sghaier Guizani (University of Moncton, Canada), Hsiao-Hwa Chen (National Sun Yat-Sen University, Taiwan), Peter Mueller (IBM Zurich Research Laboratory, Switzerland)

The proliferation of wireless and mobile devices, and the recent advances in wireless and mobile ad hoc and sensor network technologies and applications in a large variety of environments (homes, business places, emergency situations, disaster recovery, and people on the move), are unprecedented. These activities over different network systems have raised security concerns on an unprecedented scale.

Security is an important issue for wireless and mobile ad hoc and sensor networks (MANETs), especially for security-sensitive applications such as those in the military, homeland security, financial institutions and many other areas. Security threats take advantage of protocol weaknesses as well as operating system vulnerabilities to attack Internet applications. These attacks include, for example, distributed denial of service, buffer overflows, viruses, and worms, and they cause increasingly greater technical and economic damage. With regard to such cyber security aspects, there is an increasing demand for measures to guarantee and fully attain the authentication, confidentiality, data integrity, privacy, access control, non-repudiation, and availability of system services. This Special Issue will serve as a venue for both academia and industry individuals and groups working in this fast-growing research area to share their experiences and state-of-the-art work with the readers.

The topics of interest include, but are not limited to:
- Novel and emerging secure architectures
- Study of attack strategies, attack modelling
- Security analysis methodologies
- Wireless and mobile security
- Key management
- Commercial and industrial security
- Broadcast authentication
- Secure routing protocols
- Secure location discovery
- Secure clock synchronization
- Cryptographic algorithms and applications
- Study of tradeoffs between security and system performance
- Security management, emergency contingency planning, identity theft
- Access control, wireless access control, broadband access control
- Protection, risk, vulnerabilities, attacks, authorization/authentication
- Security and trust in web-services-based applications
- Denial of service attacks and prevention
- Secure group communication/multicast
- Implementations and performance analysis
- Distributed security schemes

-------------------------------------------------------------------------
http://www.security-conference.org
ASC 2007  6th Annual Security Conference, Las Vegas, Nevada, USA, April 11-12, 2007.
(Submissions due 15 January 2007)

With the development of more complex networking systems and the rapid transition to the e-world, information security has become a real concern for many individuals and organizations. Advanced safeguards are required to protect the information assets of not only large but also small and distributed enterprises. New approaches to information security management, such as policies and certifications, are now being required. The security of strategic corporate information has become the foremost concern of many organizations, and in order to assure this security, methods and techniques must be conceptualized for small enterprises from both a functional and a technical viewpoint.
Recommended topics include (but are not limited to):
- E-Commerce security
- Biometrics
- Smart Cards
- Secure small distribution applications
- Security of intelligent tokens
- Methodologies for security of small to medium size enterprises
- Methodologies and techniques for certification and accreditation
- Evaluation of Information Security in companies
- Information security surveys and case studies
- International standards for Information Security Management

-------------------------------------------------------------------------
http://www.dimva.org/dimva2007
DIMVA 2007  4th GI International Conference on Detection of Intrusions & Malware, and Vulnerability Assessment, Lucerne, Switzerland, July 12-13, 2007.
(Submissions due 9 February 2007)

The annual DIMVA conference serves as a premier forum for advancing the state of the art in intrusion detection, malware detection, and vulnerability assessment. DIMVA particularly encourages papers that discuss the integration of intrusion, malware, and vulnerability detection in large-scale operational communication networks. DIMVA's scope includes, but is not restricted to, the following areas:

Intrusion Detection
- Approaches
- Implementations
- Prevention and response
- Result correlation
- Evaluation
- Potentials and limitations
- Operational experiences
- Evasion and other attacks
- Legal and social aspects

Malware
- Techniques
- Detection
- Prevention
- Evaluation
- Trends and upcoming risks
- Forensics and recovery

Vulnerability Assessment
- Vulnerabilities
- Vulnerability detection
- Vulnerability prevention

-------------------------------------------------------------------------
http://www.pairing-conference.org/
PAIRING 2007  1st International Conference on Pairing-based Cryptography, Tokyo, Japan, July 2-4, 2007.
(Submissions due 15 February 2007)

Since the introduction of pairings in constructive cryptographic applications, an ever-increasing number of protocols have appeared in the literature: identity-based encryption, short signatures, and efficient broadcast encryption, to mention but a few. An appropriate mix of theoretical foundations and practical considerations is essential to fully exploit the possibilities offered by pairings: number theory, cryptographic protocols, software and hardware implementations, new security applications, etc. Authors are invited to submit papers describing original research on all aspects of pairing-based cryptography, including, but not limited to, the following topics:

Novel cryptographic protocols
- ID-based cryptosystems
- broadcast encryption
- short signatures
- ring or group signatures
- aggregate or multi signatures
- undeniable signatures
- key agreement protocols
- authenticated encryption

Mathematical foundations
- Weil, Tate, Eta, and Ate pairings
- security considerations of pairings
- generation of pairing-friendly curves
- (hyper-) elliptic curve cryptosystems
- number theoretic algorithms

SW/HW implementation
- secure operating systems
- efficient software implementation
- FPGA or ASIC implementation
- smartcard implementation
- side channel attacks
- fault attacks

Applied security
- novel security applications
- secure ubiquitous computing
- security management
- grid computing
- PKI models
- application to network security

-------------------------------------------------------------------------
http://www.sitacs.uow.edu.au/jucs/
Security Journal of Universal Computer Science (JUCS), Special Issue on Cryptography in Computer System, February 2008.
(Submission due 1 May 2007)

Guest editors: Liqun Chen (Hewlett-Packard Labs, UK), Ed Dawson (Queensland University of Technology, Australia), Xuejia Lai (Shanghai Jiao Tong University, China), Masahiro Mambo (Tsukuba University, Japan), Atsuko Miyaji (JAIST, Japan), Yi Mu (University of Wollongong, Australia), David Pointcheval (Ecole Normale Supérieure, France), Bart Preneel (Katholieke Universiteit Leuven, Belgium), Nigel Smart (Bristol University, UK), Willy Susilo (University of Wollongong, Australia), Huaxiong Wang (Macquarie University, Australia), and Duncan Wong (City University of Hong Kong, China)

Cryptography plays an important role in ensuring the security and reliability of modern computer systems. Since high speed and broad bandwidth have become the keywords for modern computer systems, new cryptographic methods and tools must keep pace in order to adapt to these new and emerging technologies. This Special Issue aims to provide a platform for security researchers to present their newly developed cryptographic technologies in computer systems. Areas of interest for this special journal issue include, but are not limited to, the following topics:
- Authentication
- Cryptographic algorithms and their applications
- Cryptanalysis
- Email security
- Electronic commerce
- Data integrity
- Fast cryptographic algorithms and their applications
- Identity-based cryptography
- IP security
- Key management
- Multicast security
- Computer network security
- Privacy protection
- Security in Peer-to-Peer networks
- Security in sensor networks
- Smartcards

====================================================================
Listing of academic positions available by
Cynthia Irvine
====================================================================

No new positions this issue.

http://cisr.nps.edu/jobscipher.html

--------------
This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================

____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________

SUBSCRIPTIONS: Two options, each with two options:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe".

   OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard".

   OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher
or
http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way. It can be found at URL
http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended.

Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.
____________________________________________________________________
Recent Address Changes
____________________________________________________________________

Address changes from past issues of Cipher are archived at
http://www.ieee-security.org/Cipher/AddressChanges.html

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________

You may easily join the TC on Security & Privacy by completing the on-line form at IEEE at
http://www.computer.org/TCsignup/index.htm

______________________________________________________________________
TC Publications for Sale
______________________________________________________________________

IEEE Security and Privacy Symposium

The 2006 Symposium proceedings and 11-year CD are sold out. The 2005 Symposium proceedings are available for $20 plus shipping and handling. The 2004 proceedings are $15 plus shipping and handling; the 2003 proceedings are $15 plus shipping and handling. A CD of the 2000-2001 proceedings is $15 plus shipping and handling.

Shipping is $4.00/volume within the US, overseas surface mail is $7/volume, and overseas airmail is $11/volume, based on an order of 3 volumes or less. The shipping charge for a CD is $1 per CD (no charge if included with a hard copy order).

Send a check made out to the IEEE Symposium on Security and Privacy to the TC treasurer (see officers, below) with the order description, including shipping method, and send email to Deborah Shands (shands@aero.org) with the shipping address, please.

IEEE CS Press

Back issues of TC publications may be available; contact Jonathan Millen for information about the Computer Security Foundations Workshop.

______________________________________________________________________
TC Officer Roster
______________________________________________________________________

Chair:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Salem, UT 84653
oakland06-chair@ieee-security.org

Security and Privacy Chair Emeritus:
Jonathan Millen
The MITRE Corporation
Mail Stop S119
202 Burlington Road Rte. 62
Bedford, MA 01730-1420
781-271-51 (voice)
jmillen@mitre.org

Vice Chair:
Prof. Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department
Code CS/IC
Monterey CA 93943-5118
(831) 656-2461 (voice)
irvine@cs.nps.navy.mil

Chair, Subcommittee on Academic Affairs:
Prof. Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department
Code CS/IC
Monterey CA 93943-5118
(831) 656-2461 (voice)
irvine@cs.nps.navy.mil

Chair, Subcommittee on Standards:
David Aucsmith
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
425-706-9225 (voice)
425-936-7329 (fax)
awk@microsoft.com

Chair, Subcomm. on Security Conferences:
Jonathan Millen
The MITRE Corporation
Mail Stop S119
202 Burlington Road Rte. 62
Bedford, MA 01730-1420
781-271-51 (voice)
jmillen@mitre.org

Security and Privacy Symposium 2007 General Chair:
Deborah Shands
The Aerospace Corporation
El Segundo, CA
oakland07-chair@ieee-security.org

Newsletter Editor and Technical Committee Treasurer:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Salem, UT 84653
cipher-editor@ieee-security.org, treasurer@ieee-security.org

________________________________________________________________________

BACK ISSUES: Cipher is archived at:
http://www.ieee-security.org/cipher.html

Cipher is published 6 times per year