============================================================================
Newsletter of the IEEE Computer Society's TC on Security and Privacy
Electronic Issue 75                                      November 20, 2006

Hilarie Orman, Editor                     Sven Dietrich, Assoc. Editor
cipher-editor @ ieee-security.org         cipher-assoc-editor @ ieee-security.org

Yong Guan, Calendar Editor                Book Reviews
cipher-cfp @ ieee-security.org            cipher-bookrev @ ieee-security.org
============================================================================

The newsletter is also at http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year

Contents:
 * Letter from the Editor
 * Commentary and Opinion
   o Richard Austin's review of Extrusion Detection: Security Monitoring for Internal Intrusions by Richard Bejtlich
   o Review of the FloCon Workshop (Vancouver, WA, October 10-12, 2006) by Tim Shimeall
   o Book reviews, Conference Reports and Commentary and News items from past Cipher issues are available at the Cipher website
 * Conference and Workshop Announcements
   o Upcoming calls-for-papers and events
 * Reader's guide to recent security and privacy literature
 * List of Computer Security Academic Positions, by Cynthia Irvine
 * Staying in Touch
   o Information for subscribers and contributors
   o Recent address changes, Jonathan Herzog
 * Interesting Links and New reports available via FTP and WWW
 * Links for the IEEE Computer Society TC on Security and Privacy
   o Becoming a member of the TC
   o TC Officers
   o TC publications for sale

====================================================================
Letter from the Editor
====================================================================

Dear Readers:

Little in the way of spectacular new security vulnerabilities has come to my attention in the last 60 days, though I did have occasion to deal with voting
machines as a poll worker. They are as bad as one would imagine any computer would be when set up by lightly trained personnel under time pressure. There was even a surprising physical injury sustained while removing the "security seals" from the machines. Man vs. machine, all over again.

We have a new face in the book review department this month. Richard Austin has responded to the call for reviewers with a review of a book on "Extrusion Detection." This sounds like plastics, but it is really about the unintended outflow of confidential information from an organization. Tim Shimeall of CERT chimes in with a review of the FloCon Workshop (can flow analysis detect extrusion?). Also, I am told that a review of the New Security Paradigms Workshop will appear in the Usenix publication ";login" sometime soon.

Yong Guan continues his excellent attention to our calls-for-papers section, and his reduction of those to calendar entries for the newsletter is an invaluable service.

Hilarie Orman
cipher-editor @ ieee-security.org

====================================================================
Commentary and Opinion
====================================================================

Book reviews from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/BookReviews.html, and conference reports are archived at http://www.ieee-security.org/Cipher/ConfReports.html

____________________________________________________________________
Book Review By Richard Austin
November 20, 2006
____________________________________________________________________

Extrusion Detection: Security Monitoring for Internal Intrusions
by Richard Bejtlich
Upper Saddle River: Addison-Wesley 2006.
ISBN 0-321-34996-2
Amazon.com $32.99.
Bookpool.com $31.50

We've been told for years (and alas, had it proved repeatedly to our collective chagrin) that we have to maintain situational awareness of attacks arising from outside our networks, and this has created a plethora of tools, vendors and service providers devoted to intrusion detection and prevention. Bejtlich then asks a perceptive question: "What do we know about the traffic leaving our networks?" A typical answer might be, "Uh, well, we filter URLs, block employees from inappropriate sites, install some proxies here or there. What do you mean anyway?"

Bejtlich answers quite reasonably that while the Internet is a wild jungle where almost anything goes, our internal networks are under our control and we should have a pretty decent idea of the types of traffic that should be flowing. Why hasn't it occurred to us before that we should be watching traffic flowing out of our networks to identify signs of a successful intrusion? He goes on to observe that once an intruder is inside our defended networks, s/he is too often pretty much free to make whatever outgoing connections are required to download additional tools, register as a zombie with a botnet, deliver pilfered information and so on. Since these extrusions originate inside our networks, we should be much better able to detect them against the background of the types of traffic that should be flowing.

From that starting point, he describes extrusion detection using many of the concepts described in his previous book, "The Tao of Network Security Monitoring" (reviewed by Bob Bruen in the September, 2004 issue of IEEE-Cipher).
After a thorough presentation of detecting an extrusion, he devotes a substantial amount of material to the critical process of responding to an extrusion, beginning with stopping the extrusion by blocking the victim systems' access to the network and going on through to the steps of collecting and preserving the evidence of the extrusion for use in a criminal investigation or other legal proceedings.

As in his other books, the tools he presents are largely Open Source and will therefore be widely available for experimentation and use. This is a technical book, and the detailed network traces and other minutiae that warm the cockles of an engineer's heart will put off many a technical manager who would benefit from understanding the important concepts Bejtlich presents. I definitely encourage network and security managers to read the portions of this book that deal with the concepts of network extrusion, planning for incident response and the processes for collecting and preserving evidence.

Richard Austin is a resident curmudgeon at a Fortune 100 company who continues to wage a battle with a tottering tower of new security tomes. Periodically he has been known to take a break and share his opinion of the latest book to migrate from the tower to the shelf. He can be reached at rda7838@kennesaw.edu

____________________________________________________________________
Review of FloCon
Vancouver, WA, October 10-12, 2006
by Tim Shimeall, CERT
____________________________________________________________________

The CERT (reg tm) Network Situational Awareness group at Carnegie Mellon University's Software Engineering Institute sponsored the third Annual FloCon Workshop. This workshop was held on October 10 through 12, 2006 near Portland, OR (in Vancouver, WA).
The workshop and its proceedings are described on the workshop web page: http://www.cert.org/flocon/

FloCon is an open workshop that provides a forum for researchers, operational analysts, and other parties interested in the security analysis of large volumes of traffic to develop the next generation of flow-based analysis. Flow is an abstraction of network traffic in which packets are grouped together by common attributes over time. Being a traffic abstraction, use of flow makes tractable analyses over broad reaches of both time and network cardinality. By summarizing, rather than recording content, flow aids in respecting the privacy of network participants. In security, flow has been used to survey and analyze large networks over long periods of time, but the field is still in its infancy. A number of software systems (e.g., flowtools, Argus, and the System for Internet-Level Knowledge [SiLK]) support flow-based analysis.

FloCon 2006 was an active workshop for discussing flow and network security analysis, and improving these technologies. The workshop structure with presentations, moderated discussion panels, and birds-of-a-feather (BoF) sessions supported frank and productive discussion on ideas submitted by attendees. In order to promote discussion and brainstorming, presenters submitted a short paper discussing current or proposed work in flow analysis. The program committee reviewed these submissions and approved them for presentation. These submissions are published as proceedings via the workshop web page.

The first day of FloCon 2006 led off with a keynote speech by Prof. John McHugh of Dalhousie University, who cited several challenges in the future of flow-based analysis, based on long experience in this form of analysis. A series of presentations followed this speech, discussing the efforts of the IETF standard for flow data exchange (IPFIX), together with visualization tools and hardware support for flow processing.
Presentations were made by a mix of researchers, practitioners and infrastructure providers. IPFIX was further discussed in depth during a moderated panel and a BoF session. A panel discussion on flow analysis methods led to two BoF sessions on security analyses using flow (one on analytical tools, the other on multistage analytical techniques). The open and interactive BoF sessions set the tone for the second day of the workshop.

The second day of FloCon 2006 focused on security analyses using flow via presentations by researchers and by operational practitioners of real-world network defense. These presentations discussed scalability of flow analysis, the use of flows for identifying anomalous network traffic, sampling methods to produce unbiased analysis from flows in environments where complete flow capture is not achievable, attribution and aggregation issues, and the use of flow-based analysis in small-scale networks.

The third day of FloCon 2006 focused on efforts to support and extend the community of security researchers and practitioners using flow-based information. A number of productive insights were shared, and several efforts are currently underway based on these insights. Planning for FloCon 2007, to be held in the second or third quarter of 2007 at an East coast location, is currently in its preliminary stages.
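The flow abstraction the report describes, together with the question Bejtlich raises in the book reviewed above (what is leaving the network, and does it look like what should be leaving), as an added worked example for this issue; it is not code from the FloCon proceedings, from SiLK, flowtools or Argus, or from the book. Packet-level records are grouped into unidirectional flow records keyed on the 5-tuple with an inactive timeout, and the records are then checked for internal-to-external flows that use a destination port outside an allow-list or move an unusually large byte count out. The 10.0.0.0/8 internal range, the allow-list, the 60-second timeout and the 1 MB threshold are assumptions made for the example, and the packet records are constructed, not captured traffic.

```python
# Added example: flow records from packet tuples, then an outbound
# (extrusion) check over those records. Not code from SiLK, flowtools,
# Argus or the book under review; ranges, ports and thresholds are assumed.
from dataclasses import dataclass
import ipaddress


@dataclass
class Flow:
    """One unidirectional flow record, summarising packets sharing a 5-tuple."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    first: float   # timestamp of the first packet
    last: float    # timestamp of the most recent packet
    packets: int = 0
    bytes: int = 0


def build_flows(packets, idle_timeout=60.0):
    """Group packet tuples (ts, src, sport, dst, dport, proto, size) into flows.

    Packets with the same 5-tuple belong to one record until a gap longer
    than idle_timeout separates them; then a new record starts, which is how
    flow exporters bound the lifetime of a record (assumed 60 s here).
    """
    active = {}     # 5-tuple -> open Flow
    finished = []
    for ts, src, sport, dst, dport, proto, size in sorted(packets):
        key = (src, sport, dst, dport, proto)
        flow = active.get(key)
        if flow is not None and ts - flow.last > idle_timeout:
            finished.append(flow)   # inactive: close it and start a new one
            flow = None
        if flow is None:
            flow = Flow(src, sport, dst, dport, proto, first=ts, last=ts)
            active[key] = flow
        flow.last = ts
        flow.packets += 1
        flow.bytes += size
    finished.extend(active.values())   # flush records still open at the end
    return finished


# Assumptions for the example: the site's internal range and the outbound
# services it expects to see. A real baseline would come from the site's
# own flow history, not from constants.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
ALLOWED_OUTBOUND = {("tcp", 80), ("tcp", 443), ("udp", 53)}


def extrusion_alerts(flows, byte_threshold=1_000_000):
    """Return (reason, flow) pairs for suspicious internal->external flows.

    Inbound and internal-only flows are ignored; an outbound flow is flagged
    when its destination port is outside the allow-list, or when it is an
    allowed service moving more than byte_threshold bytes out.
    """
    alerts = []
    for f in flows:
        src_internal = ipaddress.ip_address(f.src) in INTERNAL
        dst_internal = ipaddress.ip_address(f.dst) in INTERNAL
        if not src_internal or dst_internal:
            continue                       # only internal -> external matters here
        if (f.proto, f.dport) not in ALLOWED_OUTBOUND:
            alerts.append(("unexpected-port", f))
        elif f.bytes > byte_threshold:
            alerts.append(("large-upload", f))
    return alerts


# Constructed packet records, not captured traffic:
# (timestamp, src, sport, dst, dport, proto, bytes)
SAMPLE_PACKETS = [
    # ordinary HTTPS session from an internal host
    (0.0, "10.1.2.3", 51000, "203.0.113.10", 443, "tcp", 500),
    (1.0, "10.1.2.3", 51000, "203.0.113.10", 443, "tcp", 500),
    (2.0, "10.1.2.3", 51000, "203.0.113.10", 443, "tcp", 500),
    # the server's replies: inbound, so never an extrusion candidate
    (0.5, "203.0.113.10", 443, "10.1.2.3", 51000, "tcp", 1500),
    (1.5, "203.0.113.10", 443, "10.1.2.3", 51000, "tcp", 1500),
    # the same host checking in to an external IRC port (bot-style traffic)
    (5.0, "10.1.2.3", 51001, "198.51.100.5", 6667, "tcp", 100),
    (6.0, "10.1.2.3", 51001, "198.51.100.5", 6667, "tcp", 100),
    # another host pushing 1.2 MB out over an allowed port
    (10.0, "10.1.2.4", 51002, "203.0.113.20", 443, "tcp", 400_000),
    (11.0, "10.1.2.4", 51002, "203.0.113.20", 443, "tcp", 400_000),
    (12.0, "10.1.2.4", 51002, "203.0.113.20", 443, "tcp", 400_000),
    # two small HTTP fetches 100 s apart: the idle timeout splits them
    (0.0, "10.1.2.5", 51003, "203.0.113.30", 80, "tcp", 200),
    (100.0, "10.1.2.5", 51003, "203.0.113.30", 80, "tcp", 200),
]


def run_sample():
    """Build flows from the constructed packets and return the alerts."""
    return extrusion_alerts(build_flows(SAMPLE_PACKETS))


if __name__ == "__main__":
    for reason, f in run_sample():
        print(f"{reason}: {f.src}:{f.sport} -> {f.dst}:{f.dport}/{f.proto} "
              f"{f.packets} pkts {f.bytes} bytes")
```

On the constructed input this yields two alerts: the IRC check-in on port 6667 and the 1.2 MB push over port 443; the inbound replies and the two small HTTP fetches are not reported. The check needs only header-derived counts, which is the privacy property the report mentions: no payload is retained. In practice the allow-list and byte threshold should be derived from a baseline of the site's own outbound flows, and a flow that trips the port check is usually worth correlating with the same host's other outbound records before anyone blocks it.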
The FloCon program committee for 2006 was:
  Timothy Shimeall, CERT NetSA group, Carnegie Mellon University, chair
  Anukool Lakhina, Boston University
  Colleen Shannon, CAIDA
  Troy Thompson, PNNL
  Arno Wagner, ETH
  Bill Yurcik, NCSA

====================================================================
Conference and Workshop Announcements
====================================================================

====================================================================
Upcoming Calls-For-Papers and Events
====================================================================

The complete Cipher Calls-for-Papers is located at http://www.ieee-security.org/CFP/Cipher-Call-for-Papers.html

The Cipher event Calendar is at http://www.ieee-security.org/Calendar/cipher-hypercalendar.html

____________________________________________________________________
Cipher Event Calendar
____________________________________________________________________

Calendar of Security and Privacy Related Events
maintained by Hilarie Orman

Date (Month/Day/Year), Event, Locations, web page for more info.
11/15/06: IFIP-CIP, 1st Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection, Hanover, NH, USA; http://www.cis.utulsa.edu/ifip1110/Conferences/WG11-10CallForPapers.asp; Submissions are due
11/15/06: FIRST, 19th FIRST Global Computer Security Network conference, Seville, Spain; http://www.first.org/conference/2007/papers/; Submissions are due
11/17/06-11/20/06: TrustCol, Workshop on Trusted Collaboration, Atlanta, GA, USA; http://www.trustcol.org/
11/20/06: WWW-SPRE, 16th International World Wide Web Conference, Security, Privacy, Reliability and Ethics (SPRE) Track, Banff, Alberta, Canada; http://www2007.org/cfp-SPaE.php; Submissions are due
11/29/06: ICDCS, 27th International Conference on Distributed Computing Systems, Toronto, Canada; http://www.eecg.utoronto.ca/icdcs07/; Submissions are due
11/30/06: SADFE, 2nd International Workshop on Systematic Approaches to Digital Forensic Engineering, Seattle, Washington, USA; http://conf.ncku.edu.tw/sadfe; Submissions are due
11/30/06: NETCRI, 1st International Workshop on Research Challenges in Next Generation Networks for First Responders and Critical Infrastructures, Held in conjunction with the 26th IEEE International Performance Computing and Communications Conference (IPCCC 2007), New Orleans, Louisiana, USA; http://www.cs.umd.edu/~sharno/NetCri07; Submissions are due
11/30/06: WIA, 3rd International Workshop on Information Assurance, Held in conjunction with the 26th IEEE International Performance Computing and Communications Conference (IPCCC 2007), New Orleans, Louisiana, USA; http://www.sis.pitt.edu/~lersais/WIA2007/; Submissions are due
11/30/06-12/ 1/06: WATC, 2nd Workshop on Advances in Trusted Computing, Tokyo, Japan; http://www.trl.ibm.com/projects/watc/
----------
12/ 4/06-12/ 7/06: ICICS, 8th International Conference on Information and Communications Security, Raleigh, NC, USA; http://discovery.csc.ncsu.edu/ICICS06/
12/ 8/06-12/10/06: CANS, 5th International Conference on Cryptology and Network Security, Suzhou, China; http://cis.sjtu.edu.cn/cans2006/index.htm
12/10/06: Policy, 8th IEEE International Workshop on Policies for Distributed Systems and Networks, Bologna, Italy; http://www.policy-workshop.org/2007; Submissions are due
12/14/06: ACNS, 5th International Conference on Applied Cryptography and Network Security, Zhuhai, China; http://www.i2r.a-star.edu.sg/icsd/acns2007/; Submissions are due
12/15/06: Elsevier Computer Communications Journal, Special Issue on Security on Wireless Ad Hoc and Sensor Networks; http://authors.elsevier.com/journal/comcom; Submissions are due
12/15/06: GPC, Workshop on Grid and Pervasive Computing Security, Held in conjunction with the 2007 International Conference on Multimedia and Ubiquitous Engineering (MUE 2007), Seoul, Korea; http://www.sersc.org/MUE2007/contents/page/GPCS07.html; Submissions are due
12/17/06-12/21/06: ICISS, 2nd International Conference on Information Systems Security, Kolkata, India; http://www.cdcju.org.in/iciss2006/
12/17/06: SecSE, 1st International Workshop on Secure Software Engineering, Vienna, Austria; http://www.ares-conference.eu/conf/; Submissions are due
----------
1/ 3/07- 1/ 6/07: HICSS-HTC, 40th Annual Hawaii International Conference on System Sciences, Highly Trustworthy Computing (HTC) mini-track, Waikoloa, Hawaii, USA; http://cisr.nps.edu/HICSS/
1/ 3/07- 1/ 6/07: HICSS-SSADIA, 40th Annual Hawaii International Conference on System Sciences, Secure Software Architecture, Design, Implementation and Assurance (SSADIA) Minitrack, Waikoloa, Hawaii, USA; http://www.sei.cmu.edu/community/hicss/
1/ 3/07- 1/ 6/07: HICSS-CTER, 40th Annual Hawaii International Conference on System Sciences, Cyber-Threats and Emerging Risks Minitrack, Waikoloa, Hawaii, USA; http://www.hicss.hawaii.edu/hicss_40/fincfp.htm#Cyber-Threats%20and%20Emerging%20Risks
1/12/07: IFIP-SEC, 22nd IFIP TC-11 International Information Security Conference, Theme: New approaches for Security, Privacy and Trust in Complex Environments, Sandton Convention Centre, Sandton, South Africa; http://www.sbs.co.za/ifipsec2007/; Submissions are due
1/12/07: IAMCOM, 1st Workshop on Information Assurance Middleware for COMmunications, Bangalore, India; http://www.iamcom.org/
1/15/07: ASC, 6th Annual Security Conference, Las Vegas, Nevada, USA; http://www.security-conference.org; Submissions are due
1/18/07- 1/19/07: DIMACS-ISE, DIMACS Workshop on Information Security Economics, Rutgers University, Piscataway, NJ, USA; http://dimacs.rutgers.edu/Workshops/InformationSecurity/
1/29/07- 1/31/07: IFIP-DF, 3rd Annual IFIP WG 11.9 International Conference on Digital Forensics, Orlando, FL, USA; http://www.cis.utulsa.edu/ifip119/Conferences/WG11-9CallForPapers.asp
----------
2/ 1/07: USENIX-SECURITY, 16th USENIX Security Symposium, Boston, MA, USA; http://www.usenix.org/events/sec07/; Submissions are due
2/ 5/07: CSFW, 20th IEEE Computer Security Foundations Workshop, Venice, Italy; http://www.cs.chalmers.se/~andrei/CSFW07/cfp.html; Submissions are due
2/ 9/07: DIMVA, 4th GI International Conference on Detection of Intrusions & Malware, and Vulnerability Assessment, Lucerne, Switzerland; http://www.dimva.org/dimva2007; Submissions are due
2/11/07- 2/15/07: FC, 11th International Conference on Financial Cryptography and Data Security, Scarborough, Trinidad and Tobago; http://fc07.ifca.ai/
2/15/07: PAIRING, 1st International Conference on Pairing-based Cryptography, Tokyo, Japan; http://www.pairing-conference.org/; Submissions are due
2/15/07- 2/16/07: USEC, Workshop on Usable Security, Held in conjunction with the 11th Conference on Financial Cryptography and Data Security (FC 2007), Lowlands, Scarborough, Trinidad/Tobago; http://www.usablesecurity.org/
2/23/07: PET, 7th Workshop on Privacy Enhancing Technologies, Ottawa, Canada; http://petworkshop.org/2007/; Submissions are due
2/28/07- 3/ 2/07: NDSS, 14th Annual Network and Distributed System Security Symposium, San Diego, CA, USA; http://www.isoc.org/isoc/conferences/ndss/07/cfp.shtml
----------
3/ 1/07: EURASIP Journal on Information Security, Special Issue on Signal Processing in the Encrypted Domain; http://www.hindawi.com/GetPage.aspx?journal=is&page=SPED; Submissions are due
3/ 2/07: SOUPS, Symposium On Usable Privacy and Security, Carnegie Mellon University, Pittsburgh, PA, USA; http://cups.cs.cmu.edu/soups/2007/cfp.html; Submissions are due
3/11/07- 3/15/07: SAC-TRECK, 22nd Annual ACM Symposium on Applied Computing, Trust, Recommendations, Evidence and other Collaboration Know-how (TRECK) Track, Seoul, Korea; http://www.acm.org/conferences/sac/sac2007/
3/11/07- 3/15/07: SAC-CLAT, 22nd Annual ACM Symposium on Applied Computing, Computer-aided Law and Advanced Technologies Track, Seoul, Korea; http://www.clat.unibo.it/
3/11/07- 3/15/07: SAC-CF, 22nd Annual ACM Symposium on Applied Computing, Computer Forensics Track, Seoul, Korea; http://comp.uark.edu/~bpanda/sac-cf.htm
3/19/07- 3/21/07: IFIP-CIP, 1st Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection, Hanover, NH, USA; http://www.cis.utulsa.edu/ifip1110/Conferences/WG11-10CallForPapers.asp
3/20/07- 3/22/07: ASIACCS, ACM Symposium on InformAtion, Computer and Communications Security, Singapore; http://asiaccs07.i2r.a-star.edu.sg/
----------
4/10/07- 4/12/07: SADFE, 2nd International Workshop on Systematic Approaches to Digital Forensic Engineering, Seattle, Washington, USA; http://conf.ncku.edu.tw/sadfe
4/10/07- 4/13/07: SecSE, 1st International Workshop on Secure Software Engineering, Vienna, Austria; http://www.ares-conference.eu/conf/
4/11/07- 4/12/07: ASC, 6th Annual Security Conference, Las Vegas, Nevada, USA; http://www.security-conference.org
4/11/07- 4/13/07: NETCRI, 1st International Workshop on Research Challenges in Next Generation Networks for First Responders and Critical Infrastructures, Held in conjunction with the 26th IEEE International Performance Computing and Communications Conference (IPCCC 2007), New Orleans, Louisiana, USA; http://www.cs.umd.edu/~sharno/NetCri07
4/11/07- 4/13/07: WIA, 3rd International Workshop on Information Assurance, Held in conjunction with the 26th IEEE International Performance Computing and Communications Conference (IPCCC 2007), New Orleans, Louisiana, USA; http://www.sis.pitt.edu/~lersais/WIA2007/
4/13/07: IWSEC, 2nd International Workshop on Security, Nara, Japan; http://www.iwsec.org/; Submissions are due
4/17/07- 4/19/07: PKI R&D, 6th Annual PKI R&D Workshop, Gaithersburg, MD, USA; http://middleware.internet2.edu/pki07/
4/26/07- 4/28/07: GPC, Workshop on Grid and Pervasive Computing Security, Held in conjunction with the 2007 International Conference on Multimedia and Ubiquitous Engineering (MUE 2007), Seoul, Korea; http://www.sersc.org/MUE2007/contents/page/GPCS07.html
----------
5/ 1/07: Security Journal of Universal Computer Science (JUCS), Special Issue on Cryptography in Computer System; http://www.sitacs.uow.edu.au/jucs/; Submissions are due
5/ 8/07- 5/12/07: WWW-SPRE, 16th International World Wide Web Conference, Security, Privacy, Reliability and Ethics (SPRE) Track, Banff, Alberta, Canada; http://www2007.org/cfp-SPaE.php
5/14/07- 5/16/07: IFIP-SEC, 22nd IFIP TC-11 International Information Security Conference, Theme: New approaches for Security, Privacy and Trust in Complex Environments, Sandton Convention Centre, Sandton, South Africa; http://www.sbs.co.za/ifipsec2007/
5/20/07- 5/23/07: Oakland, The 2007 IEEE Symposium on Security and Privacy, The Claremont Resort, Berkeley/Oakland, CA, USA; http://www.ieee-security.org/TC/SP2007/oakland07.html
----------
6/ 5/07- 6/ 8/07: ACNS, 5th International Conference on Applied Cryptography and Network Security, Zhuhai, China; http://www.i2r.a-star.edu.sg/icsd/acns2007/
6/13/07- 6/15/07: Policy, 8th IEEE International Workshop on Policies for Distributed Systems and Networks, Bologna, Italy; http://www.policy-workshop.org/2007
6/17/07- 6/22/07: FIRST, 19th FIRST Global Computer Security Network Conference, Seville, Spain; http://www.first.org/conference/2007/papers/
6/20/07- 6/22/07: PET, 7th Workshop on Privacy Enhancing Technologies, Ottawa, Canada; http://petworkshop.org/2007/
6/25/07- 6/29/07: ICDCS, 27th International Conference on Distributed Computing Systems, Toronto, Canada; http://www.eecg.utoronto.ca/icdcs07/
----------
7/ 2/07- 7/ 4/07: PAIRING, 1st International Conference on Pairing-based Cryptography, Tokyo, Japan; http://www.pairing-conference.org/
7/ 6/07- 7/ 8/07: CSFW, 20th IEEE Computer Security Foundations Workshop, Venice, Italy; http://www.cs.chalmers.se/~andrei/CSFW07/cfp.html
7/12/07- 7/13/07: DIMVA, 4th GI International Conference on Detection of Intrusions & Malware, and Vulnerability Assessment, Lucerne, Switzerland; http://www.dimva.org/dimva2007
7/18/07- 7/20/07: SOUPS, Symposium On Usable Privacy and Security, Carnegie Mellon University, Pittsburgh, PA, USA; http://cups.cs.cmu.edu/soups/2007/cfp.html
----------
8/ 6/07- 8/10/07: USENIX-SECURITY, 16th USENIX Security Symposium, Boston, MA, USA; http://www.usenix.org/events/sec07/
----------
10/29/07-10/31/07: IWSEC, 2nd International Workshop on Security, Nara, Japan; http://www.iwsec.org/

____________________________________________________________________
Journal, Conference and Workshop Calls-for-Papers
Maintained by Yong Guan, Calendar Editor
____________________________________________________________________

IFIP-CIP 2007
1st Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection, Hanover, New Hampshire, USA, March 19-21, 2007.
(Submissions due 15 November 2006)
http://www.cis.utulsa.edu/ifip1110/Conferences/WG11-10CallForPapers.asp

The IFIP Working Group 11.10 on Critical Infrastructure Protection is an active international community of researchers, infrastructure operators and policy-makers dedicated to applying scientific principles, engineering techniques and public policy to address current and future problems in information infrastructure protection. Papers are solicited in all areas of critical infrastructure protection. Areas of special interest include, but are not limited to:
- Infrastructure vulnerabilities, threats and risks
- Security challenges, solutions and implementation issues
- Infrastructure sector interdependencies and security implications
- Infrastructure protection case studies
- Legal, ethical, economic and policy issues related to critical infrastructure protection
- Distributed control systems/SCADA security
- Telecommunications network security

-------------------------------------------------------------------------
FIRST 2007
19th FIRST Global Computer Security Network conference, Seville, Spain, June 17-22, 2007.
(Submissions due 15 November 2006)
http://www.first.org/conference/2007/papers/

Privacy is the genie in the bottle for all data-holding organizations. Once out, whether through crime or carelessness, private and personal information is out for ever, and has a power to do harm which is almost incalculable. In the wake of losses and thefts which have exposed millions of customers to fraud and identity theft, states in America and governments in many other countries are legislating or plan to legislate to compel corporate and other data-holders to report publicly all violations of digital privacy. The impact on reputation for those "named and shamed" may be catastrophic, and the risk to revenues and even to survival will be profound.

New threats to privacy are emerging every day, and at the same time, tensions are rising between governments who want to harvest and store data about individual citizens and use it to oversee and steer behavior, and corporations that collect data from and about citizens who are also customers. Already, brands which have been exposed by the media for "shopping" customers or "blocking" behavior have suffered serious blows to their reputations. Understanding these complex issues and being adequately prepared in case of exposure will be crucial if organizations are to navigate successfully all the trials that digital privacy is posing.

The FIRST program committee solicits original contributions on network security for refereed paper presentations, tutorials, invited talks, and panel discussions. Past topics have included creating and managing CSIRTs, computer vulnerability, threat detection, computer forensics, and case studies.

-------------------------------------------------------------------------
WWW-SPRE 2007
16th International World Wide Web Conference, Security, Privacy, Reliability and Ethics (SPRE) Track, Banff, Alberta, Canada, May 8-12, 2007.
(Submissions due 20 November 2006)
http://www2007.org/cfp-SPaE.php

The flexibility and richness of the Web architecture have come at the price of increasing complexity and lack of a sound overall security architecture. The movement toward Web-based services, and the increasing dependency on the Web, have also made reliability a first-rate security concern. From malware and spyware, drive-by downloads, typo squatting, denial of service attacks, to phishing and identity theft, a variety of threats make the Web an increasingly hostile and dangerous environment. By undermining user trust, these problems are hampering e-commerce and the growth of online communities. This track promotes the view that security, privacy, reliability, and sound guiding ethics must be part of the texture of a successful World Wide Web.

In addition to devising practical tools and techniques, it is the duty of the research community to promote and guide business adoption of security technology for the Web and to help inform related legislation. We seek novel research (both theoretical and practical) in security, privacy, reliability, and ethics as they relate to the Web, including but not limited to the following areas:
- Authentication, authorization, and auditing on the web
- Availability and reliability of web servers and services
- Intrusion detection and honeypots
- The insider threat
- Privacy-enhancing technologies, including anonymity, pseudonymity and identity management, specifically for the web
- Phishing and pharming, and countermeasures
- User interfaces and usability as they relate to use of cryptography and online scams such as phishing and pharming
- Applications of cryptography to the web, including PKI and supporting concepts like digital signatures, certification, etc.
- Electronic commerce, particularly security mechanisms for e-cash, auctions, payment, and fraud detection
- Electronic fraud and attack vectors
- Economic / business analysis of Web security and privacy
- Legal and legislative approaches to issues of Web security and privacy
- Secure and robust management of server farms
- Dealing with client-side risks
- Security for new web services (blogs, RSS, wikis, etc.)
- Wireless web security (including RFID, sensors, and mobile phones)
- Content protection and abuse on the web (DRM, web/blog spam, etc.)

-------------------------------------------------------------------------
ICDCS 2007
27th International Conference on Distributed Computing Systems, Toronto, Canada, June 25-29, 2007.
(Submissions due 29 November 2006)
http://www.eecg.utoronto.ca/icdcs07/

The conference provides a forum for engineers and scientists in academia, industry and government to present their latest research findings in any aspects of distributed and parallel computing.
Topics of particular interest include, but are not limited to:
- Algorithms and Theory
- Autonomic Computing
- Data Management
- Fault-Tolerance and Dependability
- Internet Computing and Applications
- Network Protocols
- Operating Systems and Middleware
- Parallel, cluster and GRID Computing
- Peer to Peer
- Security
- Sensor Networks and Ubiquitous Computing
- Wireless and Mobile Computing

-------------------------------------------------------------------------
SADFE 2007
2nd International Workshop on Systematic Approaches to Digital Forensic Engineering, Seattle, Washington, USA, April 10-12, 2007.
(Submissions due 30 November 2006)
http://conf.ncku.edu.tw/sadfe

SADFE promotes systematic approaches to cyber crime investigation, by furthering the advancement of digital forensic engineering as a disciplined practice. Unlike ad-hoc computer forensics, digital forensic engineering is characterized by the application of scientific and mathematical principles to the investigation and establishment of facts or evidence, either for use within a court of law or to aid understanding of cyber crimes or cyber-enabled crimes. Advancing digital forensics engineering requires the expertise of technologists, analysts, and legal experts to produce sound computer systems and sound forensic practices which will meet the needs of courtroom presentation as well as minimizing negative effects on the cyber-system's original purpose. This workshop brings together top digital forensic researchers, advanced tool/product builders, and expert law enforcement representatives from around the world for information exchange and R&D collaboration.

Topics of interest include, but are not limited to:

Digital Evidence Management: advanced digital evidence discovery, collection, and storage
- Identification and collection of digital evidence
- Post-collection handling of evidence
- Evidence preservation and storage
- Forensic-enabled architectures and processes
- Managing geographically, politically and/or jurisdictionally dispersed data

Principle-based Digital Forensic Processes: systematic engineering processes supporting digital evidence management which are sound on both technical and legal grounds
- Legal and technical aspects of admissibility and evidence tests
- Examination environments for digital data
- Courtroom expert witness and case presentation
- Case studies illustrating privacy, legal and legislative issues
- Forensic tool validation: legal implications and issues

Digital Evidence Analytics: advanced digital evidence analysis, correlation, and presentation
- Advanced search, analysis, and presentation of digital evidence
- Progressive cyber crime scenario analysis and reconstruction technology
- Legal case construction & digital evidence support
- Cyber-crime strategy analysis & modeling
- Combining digital and non-digital evidence
- Supporting qualitative or statistical evidence

Forensic-support technologies: forensic-enabled and proactive monitoring/response
- Forensics of embedded or non-traditional devices (e.g. digicams, cell phones, SCADA)
- Innovative forensic engineering tools and applications
- Forensic-enabled support for incident response
- Forensic tool validation: methodologies and principles
- Legal and technical collaboration
- Digital Forensics Surveillance Technology and Procedures

-------------------------------------------------------------------------
NetCri 2007
1st International Workshop on Research Challenges in Next Generation Networks for First Responders and Critical Infrastructures, Held in conjunction with IEEE IPCCC 2007, New Orleans, Louisiana, USA, April 11-13, 2007.
(Submissions due 30 November 2006)
http://www.cs.umd.edu/~sharno/NetCri07
As advances in pervasive computing, wireless communication and sensor networks continue, more opportunities are open to first responders and critical infrastructures to benefit from these technologies. Providing first responders with the best possible technology, infrastructure and services helps save the lives of the general public and of the first responders themselves. One of the main challenges to the operations of first responders and critical infrastructures is to deploy a communication network that is dependable, secure, and rapidly deployable. In order to operate effectively, the deployed network must support services such as location determination, audio and video communication, and in-situ and remote sensing. Another key feature of first responder and critical infrastructure networks is support for interactions among multiple heterogeneous networks. This workshop provides a forum for researchers, industry, and government agencies to discuss the challenges facing the design, deployment and operation of next generation network support for first responders and critical infrastructure. The workshop will identify and define fundamental concepts and techniques, resolve conflicts between different approaches in the area, and provide a common ground for an advanced research and development agenda.
Topics of interest include, but are not limited to:
- Smart environments (buildings, roads, vehicles, etc.)
- Fast roaming in heterogeneous network environments
- Localization and time synchronization
- Rapidly deployable and self-configuring services and networks
- Security, dependability, privacy, and performance trade-offs
- QoS in heterogeneous wireless networks
- Sensor and actuator networks for information gathering and real-time control
- Network and system support for augmented reality and visual analytics
- Simulation studies of first responder and critical infrastructure networks
- Novel and adaptive communication protocols to support first responder and critical infrastructure operation
- Resource management and allocation
- Power control management
- Admission, load and flow control
- Performance analysis and experimentation of heterogeneous wireless networks
- Security techniques and methods for heterogeneous wireless networks
- Interoperability among WLANs, Cellular, WSN and wired networks
- Metrics and measurements on heterogeneous networks
- Mobility models and traffic patterns in disaster areas
- Cross-layer design
- Testbeds
-------------------------------------------------------------------------
WIA 2007
3rd International Workshop on Information Assurance, Held in conjunction with the 26th IEEE International Performance Computing and Communications Conference (IPCCC 2007), New Orleans, Louisiana, USA, April 11-13, 2007.
(Submissions due 30 November 2006)
http://www.sis.pitt.edu/~lersais/WIA2007/
Information Assurance (IA) is defined as the operations undertaken to protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality and non-repudiation. Availability implies that networks and systems must be survivable and fault tolerant: they should possess redundancies to operate under failures or security breaches. For example, networks should be designed with sufficient spare and working capacity, efficient traffic restoration protocols, alarms and network management.
Security encompasses the other aspects of IA, namely integrity, access control, authentication, confidentiality and non-repudiation, as they apply to both networks and systems. The increasing reliance of business-to-business and business-to-consumer applications on networked information systems dramatically magnifies the consequences of damage resulting from even simple system faults and intrusions, making the task of assuring confidentiality, availability and integrity of information difficult. Although several piecemeal solutions address concerns related to the security and fault tolerance of various components of such networked information systems, there is a growing need to leverage the synergy between security and survivability to provide a higher level of information assurance in the face of faults and attacks. We seek papers that address theoretical, experimental, systems-related and work-in-progress contributions in the area of Information Assurance at the network and system levels. We expect to have three types of sessions: the first related to survivability and fault tolerance, the second related to security, and the third related to the interactions between security and survivability. Papers should describe original, previously unpublished work, not currently under review by another conference, workshop, or journal. Papers accepted for presentation will be published in the IPCCC conference proceedings. The workshop will also include invited papers.
Topics of interest include, but are not limited to:
- Authorization and access control
- Web services security
- Database and system security
- Risk analysis and security management
- Security verification/validation
- Wireless Security & Survivability
- Network Restoration techniques
- Network Reliability/Availability
- Digital Rights Management
- DoS protection for the Internet
- Cryptographic protocols and Key management
- Intrusion Detection Techniques
- Ad hoc sensor network security
- Models and architectures for systems security and survivability
- Security / survivability in optical networks
- E/M-commerce security and survivability architectures
- Public policy issues for security and survivability
- Botnet detection and response
- Trust negotiation/management
- Privacy models and mechanisms
-------------------------------------------------------------------------
Policy 2007
8th IEEE International Workshop on Policies for Distributed Systems and Networks, Bologna, Italy, June 13-15, 2007.
(Submissions due 10 December 2006)
http://www.policy-workshop.org/2007
Policy 2007 aims to bring together researchers and practitioners working on policy-based management across a wide range of application domains including networks, security and privacy, storage, and databases. This year, the workshop will have a special focus on the Semantic Web. The Semantic Web provides promising technologies for policy-based management both for the Web and for other distributed systems such as pervasive environments, grid computing, and multi-agent systems. Submitted papers will be evaluated for technical contribution, originality, and significance.
Topics of interest include, but are not limited to, the following:
Policy Models and Languages:
- Abstract models and languages for policy specification
- Policy standards, their extensions and refinements
- Formal semantics of policies
- Relationships between policies, both going vertically from policies for IT processes to policies for IT devices, and crossing horizontally through multiple application domains
- Methodologies and tools for discovering, specifying, analyzing, and refining policy
- Models of policy negotiation
- Representation of belief, trust, and risk in policies
- Systems and tools for the management of policies
Policy Applications:
- Case studies of applying policy-based management in different application domains
- Application of policies for resource allocation, autonomic computing, systems management, QoS adaptation, security
- Application of policies for identity and privacy management
- Policy based networking, including active networks, pervasive computing, and mobile systems
- Business rules and organizational modeling
- Risk adaptive policy systems
- Database policies
- Policy applications in on-demand, utility based computing
- Resource virtualization and policy-based collaboration
Semantic Web Policies (special focus track):
- Representing policies in XML, RDF, and OWL
- SW rule languages (such as N3Logic, SWRL, Rule-ML, RIF) for policy reasoning
- Policy conflict management
- Case studies for policy management using semantic web technologies
- Network routing
- Storage management
- Grid computing
- Mobile computing
- Information filtering
- Digital rights management
- Collaboration
- Access control models for the Web/Semantic Web
- Privacy and accountability on the Web
- Identity management
- Policy authoring based on SW languages
- Modeling belief and trust using SW technologies
- Web services security
- Analysis of or systems based on proposed policy standards (such as WS-Policy, WSPL, and XACML)
- Semantic Web and eGovernment management
-------------------------------------------------------------------------
ACNS 2007
5th International Conference on Applied Cryptography and Network Security, Zhuhai, China, June 5-8, 2007.
(Submissions due 14 December 2006)
http://www.i2r.a-star.edu.sg/icsd/acns2007/
ACNS'07, the 5th International Conference on Applied Cryptography and Network Security, brings together industry and academic researchers interested in the technical aspects of cryptology and the latest advances in the application of cryptosystems. Original papers on all aspects of applied cryptography and network security are solicited for submission to ACNS '07.
Topics of relevance include but are not limited to:
- Applied cryptography and provably-secure cryptographic protocols
- Design and analysis of efficient cryptographic primitives: public-key and symmetric-key cryptosystems, block ciphers, and hash functions
- Network security protocols
- Techniques for anonymity; trade-offs between anonymity and utility
- Integrating security into the next-generation Internet: DNS security, routing, naming, denial-of-service attacks, TCP/IP, secure multicast
- Economic fraud on the Internet: phishing, pharming, spam, and click fraud
- Email and web security
- Public key infrastructure, key management, certification, and revocation
- Security and privacy for emerging technologies: sensor networks, mobile (ad hoc) networks, peer-to-peer networks, Bluetooth, 802.11, RFID
- Trust metrics and robust trust inference in distributed systems
- Security and usability
- Intellectual property protection: metering, watermarking, and digital rights management
- Modeling and protocol design for rational and malicious adversaries
- Automated analysis of protocols
-------------------------------------------------------------------------
GPC 2007
Workshop on Grid and Pervasive Computing Security, Held in conjunction with the 2007 International Conference on Multimedia and Ubiquitous Engineering (MUE 2007), Seoul,
Korea, April 26-28, 2007.
(Submissions due 15 December 2006)
http://www.sersc.org/MUE2007/contents/page/GPCS07.html
Grid and Pervasive Computing (GPC) are emerging technologies that enable access to a pervasive flow of information, data and services anytime and anywhere. As security is of paramount importance to the design and deployment of GPC, the benefits of GPC will only be fully realized if security aspects can be appropriately addressed. The goal of this symposium is to take grid and pervasive security significantly forward through analyses of new security and privacy issues arising from the novel architecture of Grid and pervasive systems, and to propose solutions to safely deploy services and appliances. To this end, we solicit original high quality submissions on topics in security in computational/data grids and pervasive computing:
- Novel and emerging secure architectures
- Self-protecting and healing systems
- Analyses of new security and privacy issues
- Study of attack strategies, attack modeling
- Security in sensor networks
- Trust Models and Management
- Implementations and performance analysis
- Privacy-preserving techniques
- Key management
- Malicious code prevention
- Denial-of-service attacks and countermeasures
- Intrusion and anomaly detection and prevention
- Network infrastructure security
- Wireless and pervasive/ubiquitous computing security
- Data protection technologies
-------------------------------------------------------------------------
Elsevier Computer Communications Journal, Special Issue on Security on Wireless Ad Hoc and Sensor Networks, 3rd Quarter of 2007.
(Submission Due 15 December 2006)
http://authors.elsevier.com/journal/comcom
Guest editors: Sghaier Guizani (University of Moncton, Canada), Hsiao-Hwa Chen (National Sun Yat-Sen University, Taiwan), Peter Mueller (IBM Zurich Research Laboratory, Switzerland)
The increase in wireless and mobile devices and the recent advancement of wireless and mobile ad hoc and sensor network technologies/applications in a large variety of environments, such as homes, business places, emergency situations, disaster recoveries and people on the move, is unprecedented. These activities over different network systems have brought security concerns on an unprecedented scale. Security is an important issue for wireless and mobile ad hoc and sensor networks (MANETs), especially for security-sensitive applications such as those in the military, homeland security, financial institutions and many other areas. Such security threats take advantage of protocol weaknesses as well as operating systems' vulnerabilities to attack Internet applications. These attacks involve, for example, distributed denial of service, buffer overflows, viruses, and worms, which cause increasingly greater technical and economic damage. With regard to such cyber security aspects, there is an increasing demand for measures to guarantee and fully attain the authentication, confidentiality, data integrity, privacy, access control, non-repudiation, and availability of system services. This Special Issue will serve as a venue for both academic and industry individuals and groups working in this fast-growing research area to share their experiences and state-of-the-art work with the readers.
The topics of interest include, but are not limited to:
- Novel and emerging secure architectures
- Study of attack strategies, attack modelling
- Security analysis methodologies
- Wireless and mobile security
- Key management
- Commercial and industrial security
- Broadcast authentication
- Secure routing protocols
- Secure location discovery
- Secure clock synchronization
- Cryptographic algorithms and applications
- Study of tradeoffs between security and system performance
- Security management, emergency contingency planning, identity theft
- Access control, wireless access control, broadband access control
- Protection, risk, vulnerabilities, attacks, authorization/authentication
- Security and trust in web-services-based applications
- Denial of service attacks and prevention
- Secure group communication/multicast
- Implementations and performance analysis
- Distributed security schemes
-------------------------------------------------------------------------
SecSE 2007
1st International Workshop on Secure Software Engineering, Vienna, Austria, April 10-13, 2007.
(Submissions due 17 December 2006)
http://www.ares-conference.eu/conf/
In our modern society, software is an integral part of everyday life, and we expect and depend upon software systems to perform correctly. Software security is about ensuring that systems continue to function correctly even under malicious attack. As most systems are now web-enabled, the number of attackers with access to the system increases dramatically, and so the threat scenario changes. The traditional approach to securing a system includes putting up defence mechanisms like IDS and firewalls, but this is no longer sufficient. We need to be able to build better, more robust and more secure systems.
Even more importantly, however, we should strive to achieve these qualities in all software systems, not just the ones that need special protection. This workshop will focus on techniques, experiences and lessons learned for engineering secure software.
Suggested topics include, but are not limited to:
- Secure architecture and design
- Security in agile software development
- Security requirements
- Risk management in software projects
- Secure implementation
- Secure deployment
- Testing for security
- Static analysis for security
- Lessons learned
- Security and usability
- Teaching secure software development
- Experience reports on successfully attuning developers to secure software engineering
-------------------------------------------------------------------------
IFIP-SEC 2007
22nd IFIP TC-11 International Information Security Conference, Theme: New approaches for Security, Privacy and Trust in Complex Environments, Sandton Convention Centre, Sandton, South Africa, May 14-16, 2007.
(Submissions due 12 January 2006)
http://www.sbs.co.za/ifipsec2007/
Information is now the most important commodity in a global market. Individuals, businesses and governments are dependent on information embedded in secure, privacy-aware and trustworthy IT infrastructures. Classical information security services such as authentication and authorisation urgently demand a re-design and improved implementation to ensure security, privacy and trust features in today's integrated and complex information-rich environments. Papers offering research contributions focusing on security, privacy and trust are solicited for submission to the 22nd IFIP TC-11 International Information Security Conference.
Papers may present theory, applications or practical experiences including, but not limited to:
- Applications of cryptography, key management and PKI
- Architectures for Information Security, Privacy and Trust
- New approaches to Fraud Management Systems in Advanced Network Infrastructures
- New approaches to classical Information Security Services such as Identification, Authentication, Authorization, Integrity and Non-repudiation
- Information Security culture including ethics and social issues
- Change Management Systems for implementing Security, Privacy and Trust in organizational environments
- Information security as part of Corporate Governance
- Digital Forensics and Forensic Auditing
- Security, Privacy and Trust for advanced application infrastructures
- Incorporating Security, Privacy and Trust in educational activities
- New approaches for enhancing security, privacy and trust in E-mail environments
- Firewalls for the next generation networks
- Future visions for Information Security Management
- Designing / re-designing Human Computer Interaction for Security, Privacy and Trust
- Identity theft and management
- New applications for steganography
- Information warfare and critical infrastructure protection
- Security, Privacy and Trust in RFID and Sensor networks
- New approaches for Intrusion detection
- Security, Privacy and Trust for Wireless environments
- New requirements for international Information Security Standards
- Privacy Enhancing Technologies (PETs)
- Risk analysis and risk management for complex environments
- Standards, Certification, Accreditation and Evaluation of Information Security in companies
- Incorporating Security, Privacy and Trust in System development methodologies
- Trust Models and Management
- Information Security Metrics
- Vulnerability Assessments for integrated environments
-------------------------------------------------------------------------
ASC 2007
6th Annual Security Conference, Las Vegas, Nevada, USA,
April 11-12, 2007.
(Submissions due 15 January 2007)
http://www.security-conference.org
With the development of more complex networking systems and the rapid transition to the e-world, information security has become a real concern for many individuals and organizations. Advanced safeguards are required to protect the information assets of not only large but also small and distributed enterprises. New approaches to information security management, such as policies and certifications, are now being required. The security of strategic corporate information has become the foremost concern of many organizations, and in order to assure this security, methods and techniques must be conceptualized for small enterprises from both a functional and a technical viewpoint.
Recommended topics (but not limited to) include:
- E-Commerce security
- Biometrics
- Smart Cards
- Secure small distribution applications
- Security of intelligent tokens
- Methodologies for security of small to medium size enterprises
- Methodologies and techniques for certification and accreditation
- Evaluation of Information Security in companies
- Information security surveys and case studies
- International standards for Information Security Management
-------------------------------------------------------------------------
USENIX-SECURITY 2007
16th USENIX Security Symposium, Boston, MA, USA, August 6-10, 2007.
(Submissions due 1 February 2007)
http://www.usenix.org/events/sec07/
The USENIX Security Symposium brings together researchers, practitioners, system administrators, system programmers, and others interested in the latest advances in the security of computer systems and networks. All researchers are encouraged to submit papers covering novel and scientifically significant practical work in security or applied cryptography.
Refereed paper submissions are solicited in all areas relating to systems and network security, including:
- Adaptive security and system management
- Analysis of network and security protocols
- Applications of cryptographic techniques
- Attacks against networks and machines
- Authentication and authorization of users, systems, and applications
- Automated tools for source code analysis
- Cryptographic implementation analysis and construction
- Denial-of-service attacks and countermeasures
- File and filesystem security
- Firewall technologies
- Forensics and diagnostics for security
- Intrusion and anomaly detection and prevention
- Malicious code analysis
- Network infrastructure security
- Operating system security
- Privacy-preserving (and compromising) systems
- Public key infrastructure
- Rights management and copyright protection
- Security architectures
- Security in heterogeneous and large-scale environments
- Security of agents and mobile code
- Security policy
- Self-protecting and healing systems
- Techniques for developing secure systems
- Technologies for trustworthy computing
- Voting systems analysis and security
- Wireless and pervasive/ubiquitous computing security
- World Wide Web security
-------------------------------------------------------------------------
CSFW-20
20th IEEE Computer Security Foundations Workshop, Venice, Italy, July 6-8, 2007.
(Submissions due 5 February 2007)
http://www.cs.chalmers.se/~andrei/CSFW07/cfp.html
The IEEE Computer Security Foundations Workshop (CSFW) series brings together researchers in computer science to examine foundational issues in computer security. Over the past two decades, many seminal papers and techniques have been presented first at CSFW. New theoretical results in computer security are welcome. Also welcome are more exploratory presentations, which may examine open questions and raise fundamental concerns about existing theories. Panel proposals are welcome as well as papers.
Possible topics include, but are not limited to:
- Authentication
- Information flow
- Security protocols
- Anonymity and Privacy
- Electronic voting
- Network security
- Resource usage control
- Access control
- Trust and trust management
- Security models
- Intrusion detection
- Data and system integrity
- Database security
- Distributed systems security
- Security for mobile computing
- Executable content
- Decidability and complexity
- Formal methods for security
- Language-based security
-------------------------------------------------------------------------
DIMVA 2007
4th GI International Conference on Detection of Intrusions & Malware, and Vulnerability Assessment, Lucerne, Switzerland, July 12-13, 2007.
(Submissions due 9 February 2007)
http://www.dimva.org/dimva2007
The annual DIMVA conference serves as a premier forum for advancing the state of the art in intrusion detection, malware detection, and vulnerability assessment. DIMVA particularly encourages papers that discuss the integration of intrusion, malware, and vulnerability detection in large-scale operational communication networks. DIMVA's scope includes, but is not restricted to, the following areas:
Intrusion Detection
- Approaches
- Implementations
- Prevention and response
- Result correlation
- Evaluation
- Potentials and limitations
- Operational experiences
- Evasion and other attacks
- Legal and social aspects
Malware
- Techniques
- Detection
- Prevention
- Evaluation
- Trends and upcoming risks
- Forensics and recovery
Vulnerability Assessment
- Vulnerabilities
- Vulnerability detection
- Vulnerability prevention
-------------------------------------------------------------------------
PAIRING 2007
1st International Conference on Pairing-based Cryptography, Tokyo, Japan, July 2-4, 2007.
(Submissions due 15 February 2007)
http://www.pairing-conference.org/
Since the introduction of pairings in constructive cryptographic applications, an ever increasing number of protocols have appeared in the literature: identity-based encryption, short signatures, and efficient broadcast encryption, to mention but a few. An appropriate mix of theoretical foundations and practical considerations is essential to fully exploit the possibilities offered by pairings: number theory, cryptographic protocols, software and hardware implementations, new security applications, etc. Authors are invited to submit papers describing original research on all aspects of pairing-based cryptography, including, but not limited to, the following topics:
Novel cryptographic protocols
- ID-based cryptosystems
- broadcast encryption
- short signatures
- ring or group signatures
- aggregate or multi signatures
- undeniable signatures
- key agreement protocols
- authenticated encryption
Mathematical foundations
- Weil, Tate, Eta, and Ate pairings
- security considerations of pairings
- generation of pairing-friendly curves
- (hyper-) elliptic curve cryptosystems
- number theoretic algorithms
SW/HW implementation
- secure operating systems
- efficient software implementation
- FPGA or ASIC implementation
- smartcard implementation
- side channel attacks
- fault attacks
Applied security
- novel security applications
- secure ubiquitous computing
- security management
- grid computing
- PKI models
- applications to network security
-------------------------------------------------------------------------
PET 2007
7th Workshop on Privacy Enhancing Technologies, Ottawa, Canada, June 20 - June 22, 2007.
(Submissions due 23 February 2007)
http://petworkshop.org/2007/
Privacy and anonymity are increasingly important in the online world. Corporations, governments, and other organizations are realizing and exploiting their power to track users and their behavior.
Approaches to protecting individuals and groups, but also companies and governments, from profiling and censorship include decentralization, encryption, distributed trust, and automated policy disclosure. The 7th Workshop on Privacy Enhancing Technologies addresses the design and realization of such privacy services for the Internet and other communication networks by bringing together anonymity and privacy experts from around the world to discuss recent advances and new perspectives. The workshop seeks submissions from academia and industry presenting novel research on all theoretical and practical aspects of privacy technologies, as well as experimental studies of fielded systems. We encourage submissions from other communities such as law and business that present their perspectives on technological issues.
Suggested topics include but are not restricted to:
- Anonymous communications and publishing systems
- Censorship resistance
- Pseudonyms, identity management, linkability, and reputation
- Data protection technologies
- Location privacy
- Privacy in Ubiquitous Computing Environments
- Policy, law, and human rights relating to privacy
- Privacy and anonymity in peer-to-peer architectures
- Economics of privacy
- Fielded systems and techniques for enhancing privacy in existing systems
- Protocols that preserve anonymity/privacy
- Privacy-enhanced access control or authentication/certification
- Privacy threat models
- Models for anonymity and unobservability
- Attacks on anonymity systems
- Traffic analysis
- Profiling and data mining
- Privacy vulnerabilities and their impact on phishing and identity theft
- Deployment models for privacy infrastructures
- Novel relations of payment mechanisms and anonymity
- Usability issues and user interfaces for PETs
- Reliability, robustness and abuse prevention in privacy systems
-------------------------------------------------------------------------
EURASIP Journal on Information Security, Special Issue on Signal
Processing in the Encrypted Domain, 4th Quarter, 2007.
(Submissions Due 1 March 2007)
http://www.hindawi.com/GetPage.aspx?journal=is&page=SPED
Guest editors: Alessandro Piva (University of Florence, Italy) and Stefan Katzenbeisser (Philips Research Europe, The Netherlands)
Recent advances in digital signal processing have enabled a number of new services in various application domains, ranging from enhanced multimedia content production and distribution to advanced healthcare systems for continuous health monitoring. At the heart of these services lies the ability to securely manipulate "valuable" digital signals in order to satisfy security requirements such as intellectual property management, authenticity, privacy, and access control. This special issue solicits papers exploring the application of signal processing to encrypted content, from both a theoretical and a practical point of view.
Topics of interest include, among others:
- Cryptographic primitives and protocols for signal processing operations
- Secure matching and analysis of signals
- Searching on encrypted signals
- Cryptographic techniques for real-valued or fuzzy data
- Secure watermark embedding and detection
- Next-generation secure content management
- Privacy through secure signal processing
- Transcoding of encrypted content
- Design and evaluation of encryption schemes specifically tailored towards signals
-------------------------------------------------------------------------
SOUPS 2007
Symposium On Usable Privacy and Security, Carnegie Mellon University, Pittsburgh, PA, USA, July 18-20, 2007.
(Submissions due 2 March 2007)
http://cups.cs.cmu.edu/soups/2007/cfp.html
The 2007 Symposium on Usable Privacy and Security (SOUPS) will bring together an interdisciplinary group of researchers and practitioners in human computer interaction, security, and privacy.
The program will feature technical papers, a poster session, panels and invited talks, discussion sessions, and in-depth sessions (workshops and tutorials). We invite authors to submit original papers describing research or experience in all areas of usable privacy and security.
Topics include, but are not limited to:
- innovative security or privacy functionality and design,
- new applications of existing models or technology,
- field studies of security or privacy technology,
- usability evaluations of security or privacy features or security testing of usability features, and
- lessons learned from deploying and using usable privacy and security features
-------------------------------------------------------------------------
IWSEC 2007
2nd International Workshop on Security, Nara, Japan, October 29-31, 2007.
(Submissions due 13 April 2007)
http://www.iwsec.org/
The complex structure of networks, middleware, agents, P2P applications and ubiquitous computing for commercial, personal, communal and public use has brought forth the advent of the information society in cyberspace. However, these systems pose new and diverse threats to the world. It is imperative for security researchers to look into the issues from an interdisciplinary perspective.
Papers may present theory, applications or practical experiences on topics including, but not limited to:
- Fundamental Tools for Information Security
- Network and Distributed Systems Security
- Privacy Enhancing Technology
- Secure Living and Working Environments
- Security in Commerce and Government
- Security Management
- Software and System Security
- Protection of Critical Infrastructures
- Testing, Verification and Certification
- Law, Policy, Ethics and Related Technologies
-------------------------------------------------------------------------
Security Journal of Universal Computer Science (JUCS), Special Issue on Cryptography in Computer System, February 2008.
(Submission Due 1 May 2007)
http://www.sitacs.uow.edu.au/jucs/
Guest editors: Liqun Chen (Hewlett-Packard Labs, UK), Ed Dawson (Queensland University of Technology, Australia), Xuejie Lai (Shanghai Jiao Tong University, China), Masahiro Mambo (Tsukuba University, Japan), Atsuko Miyaji (JAIST, Japan), Yi Mu (University of Wollongong, Australia), David Pointcheval (Ecole Normale Supérieure, France), Bart Preneel (Katholieke Universiteit Leuven, Belgium), Nigel Smart (Bristol University, UK), Willy Susilo (University of Wollongong, Australia), Huaxiong Wang (Macquarie University, Australia), and Duncan Wong (City University of Hong Kong, China)
Cryptography plays an important role in ensuring the security and reliability of modern computer systems. As high speed and broad bandwidth have become the keywords for modern computer systems, new cryptographic methods and tools must keep pace in order to adapt to these new and emerging technologies. This Special Issue aims to provide a platform for security researchers to present their newly developed cryptographic technologies for computer systems.
Areas of interest for this special journal issue include, but are not limited to, the following topics:
- Authentication
- Cryptographic algorithms and their applications
- Cryptanalysis
- Email security
- Electronic commerce
- Data integrity
- Fast cryptographic algorithms and their applications
- Identity-based cryptography
- IP security
- Key management
- Multicast security
- Computer network security
- Privacy protection
- Security in Peer-to-Peer networks
- Security in sensor networks
- Smartcards

====================================================================
News Briefs
====================================================================
News briefs from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/NewsBriefs.html

====================================================================
Listing of academic positions available by Cynthia Irvine
====================================================================
Iowa State University
Department of Electrical and Computer Engineering
Iowa State University
Ames, IA 50011
ASSISTANT OR ASSOCIATE OR FULL PROFESSOR
To guarantee consideration, application must be received by 2/10/2007.
URL: http://www.ece.iastate.edu/jobs.html and http://www.iastatejobs.com
--------------
http://cisr.nps.edu/jobscipher.html
This job listing is maintained as a service to the academic community.
If you have an academic position in computer security and would like to have it included on this page, send the following information: Institution, City, State, Position title, date position announcement closes, and URL of position description to: irvine@cs.nps.navy.mil

====================================================================
Information on the Technical Committee on Security and Privacy
====================================================================
____________________________________________________________________
Information for Subscribers and Contributors
____________________________________________________________________
SUBSCRIPTIONS: Two options, each with two ways to subscribe:

1. To receive the full ascii CIPHER issues as e-mail, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe". OR send a note to cipher-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

2. To receive a short e-mail note announcing when a new issue of CIPHER is available for Web browsing, send e-mail to cipher-admin@ieee-security.org (which is NOT automated) with subject line "subscribe postcard". OR send a note to cipher-postcard-request@mailman.xmission.com with the subject line "subscribe" (this IS automated - thereafter you can manage your subscription options, including unsubscribing, yourself)

To remove yourself from the subscription list, send e-mail to cipher-admin@ieee-security.org with subject line "unsubscribe" or "unsubscribe postcard" or, if you have subscribed directly to the xmission.com mailing list, use your password (sent monthly) to unsubscribe per the instructions at http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher or http://mailman.xmission.com/cgi-bin/mailman/listinfo/cipher-postcard

Those with access to hypertext browsers may prefer to read Cipher that way.
It can be found at URL http://www.ieee-security.org/cipher.html

CONTRIBUTIONS: to cipher @ ieee-security.org are invited. Cipher is a NEWSletter, not a bulletin board or forum. It has a fixed set of departments, defined by the Table of Contents. Please indicate in the subject line for which department your contribution is intended. Calendar and Calls-for-Papers entries should be sent to cipher-cfp @ ieee-security.org and they will be automatically included in both departments. To facilitate the semi-automated handling, please send either a text version of the CFP or a URL from which a text version can be easily obtained. For Calendar entries, please include a URL and/or e-mail address for the point-of-contact. For Calls for Papers, please submit a one paragraph summary. See this and past issues for examples.

ALL CONTRIBUTIONS CONSIDERED AS PERSONAL COMMENTS; USUAL DISCLAIMERS APPLY. All reuses of Cipher material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy, publications using Cipher material should obtain permission from the contributors.

____________________________________________________________________
Recent Address Changes
____________________________________________________________________
Address changes from past issues of Cipher are archived at http://www.ieee-security.org/Cipher/AddressChanges.html

Jonathan Herzog
Associate Professor
Department of Computer Science
Naval Postgraduate School
Glasgow Hall East Building 305, Room # GE-236
1411 Cunningham Rd.
Monterey, CA 93943 USA
Phone: 831.656.3990
jcherzog@nps.edu
http://www.nps.navy.mil/cs/jcherzog

_____________________________________________________________________
How to become a member of the IEEE Computer Society's TC on Security and Privacy
_____________________________________________________________________
You may easily join the TC on Security & Privacy by completing the on-line form at IEEE at http://www.computer.org/TCsignup/index.htm

______________________________________________________________________
TC Publications for Sale
______________________________________________________________________
IEEE Security and Privacy Symposium
The 2006 Symposium proceedings and 11-year CD are sold out. The 2005 Symposium proceedings are available for $20 plus shipping and handling. The 2004 proceedings are $15 plus shipping and handling; the 2003 proceedings are $15 plus shipping and handling. A CD of the 2000-2001 proceedings is $15 plus shipping and handling. Shipping is $4.00/volume within the US, overseas surface mail is $7/volume, and overseas airmail is $11/volume, based on an order of 3 volumes or less. The shipping charge for a CD is $1 per CD (no charge if included with a hard copy order). Send a check made out to the IEEE Symposium on Security and Privacy to the TC treasurer (see officers, below) with the order description, including shipping method, and send email to Deborah Shands (shands@aero.org) with the shipping address, please.

IEEE CS Press
Back issues of TC publications may be available; contact Jonathan Millen for information about the Computer Security Foundations Workshop.

______________________________________________________________________
TC Officer Roster
______________________________________________________________________
Chair:
Jonathan Millen
The MITRE Corporation
Mail Stop S119
202 Burlington Road Rte. 62
Bedford, MA 01730-1420
781-271-51 (voice)
jmillen@mitre.org

Security and Privacy Chair Emeritus:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Salem, UT 84653
oakland06-chair@ieee-security.org

Vice Chair:
Prof. Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department
Code CS/IC
Monterey CA 93943-5118
(831) 656-2461 (voice)
irvine@cs.nps.navy.mil

Chair, Subcommittee on Academic Affairs:
Prof. Cynthia Irvine
U.S. Naval Postgraduate School
Computer Science Department
Code CS/IC
Monterey CA 93943-5118
(831) 656-2461 (voice)
irvine@cs.nps.navy.mil

Chair, Subcommittee on Standards:
David Aucsmith
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
425-706-9225 (voice)
425-936-7329 (fax)
awk@microsoft.com

Chair, Subcomm. on Security Conferences:
Jonathan Millen
The MITRE Corporation
Mail Stop S119
202 Burlington Road Rte. 62
Bedford, MA 01730-1420
781-271-51 (voice)
jmillen@mitre.org

Security and Privacy Symposium 2007 General Chair:
Deborah Shands
The Aerospace Corporation
El Segundo, CA
oakland07-chair@ieee-security.org

Newsletter Editor and Technical Committee Treasurer:
Hilarie Orman
Purple Streak, Inc.
500 S. Maple Dr.
Salem, UT 84653
cipher-editor@ieee-security.org, treasurer@ieee-security.org

________________________________________________________________________
BACK ISSUES: Cipher is archived at: http://www.ieee-security.org/cipher.html
Cipher is published 6 times per year